Sep 10, 2024

Video Tutorial: Setting up Workflow Actions in AME

AME can be extended with Splunk workflow actions, allowing analysts to click on an event within AME and pivot from its key fields into an external system.


Workflow Actions are a powerful feature of the base Splunk platform that allow interaction between events in Splunk and external systems. AME can be extended with these workflow actions, allowing analysts to click on an event within AME and pivot from its key fields into an external system.

Everything about setting up workflow actions can be found in the Knowledge Manager manual: https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/CreateworkflowactionsinSplunkWeb

In short, workflow actions link fields in Splunk to external web-based resources. They can be used for a number of use cases:

  • Look up data for an IP address in an external system
  • Return information for a device from the CMDB
  • Create an incident in an external ticketing system

Workflow actions can also be used to trigger a search within Splunk, allowing you to further drill into information within the Splunk platform itself.

In today’s tutorial we will show how workflow actions can be used to extend the AME interface. We will be demonstrating how to pivot to an external data source to obtain more information about a threat.

In our AME instance, we will drill into an inbound port scan event. We would like to know more about the specific src_ip associated with this detection, and we would like to look up this IP address in a Threat Intelligence Platform.

It is pertinent to note that Workflow Actions operate predominantly on fields. In this example, we will navigate to Workflow Actions under Field Settings and add a new Workflow Action.

For our example we will enable an integration with VirusTotal. Once the action has been saved, reload the event within AME.
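The same two actions shown in the video (the VirusTotal pivot from this section and the in-Splunk drill-down search mentioned earlier) can also be defined directly in workflow_actions.conf. The stanza below is an added example written for this article, not configuration shipped with AME; the stanza names, the VirusTotal IP-address page URL and the drill-down search are assumptions you should adapt to your own environment.

```ini
# Constructed example: local/workflow_actions.conf
# Pivot from the src_ip field of an AME event to VirusTotal.
[ame_vt_lookup_src_ip]
type = link
# Only show this action on events that actually carry a src_ip field.
fields = src_ip
# Show the action both in the event menu and in the per-field menu.
display_location = both
label = Look up $src_ip$ in VirusTotal
# Assumed VirusTotal IP-address page; open it in a new tab so the analyst
# keeps the AME view.
link.uri = https://www.virustotal.com/gui/ip-address/$src_ip$
link.method = get
link.target = blank

# Drill back into Splunk itself: which destination ports did this source hit?
[ame_src_ip_port_breakdown]
type = search
fields = src_ip
display_location = both
label = Show destination ports for $src_ip$
# Constructed search; scope it to your firewall/IDS index in practice.
search.search_string = src_ip=$src_ip$ | stats count by dest_port | sort -count
search.target = blank
search.earliest = -24h
search.latest = now
```

Place the file under the app's `local/` directory and restart Splunk (or reload the configuration) before reloading the event in AME; the `fields` setting keeps the actions from appearing on events without a src_ip.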

The same approach can be used to pivot to your CMDB to look up asset information, or to review change records in your change management system.