Splunk SOAR: Introduction to the HUD Space
By David Burns, Soar Engineer
Security Analysts Score with SOAR
Are you familiar with the HUD (Heads Up Display) within Splunk SOAR? It’s part of the out of the box capabilities Splunk provides which are great for highlighting information that the Security Analysts (SAs) feel is important. If not, this overview article is for you.
Build your Heads Up Display
You can find the HUD on any container view in the upper left-hand corner.
When expanded, it might look like this:
You can see above the default options for the HUD as either cards (the top three items) or data values (bottom three values). Cards can be a choice of three colours: grey, blue, or red.
To change the information being presented, click on the write icon on a card or the ellipse for the lines of data.
Pins can be added, or characteristics modified, by clicking on the gear in the upper right-hand corner. Clicking the gear will bring up a window like this:
This interface allows SAs to add cards, change colors, and even change the order in which they are displayed. You can toggle displaying the data table here as well.
To create a simple pin, click + Hud Card.
Message is the string that will be displayed above the value. Clicking save creates the card, but you will have to update the values as mentioned above.
The great thing about pinning things to the HUD is that you can do it programmatically as well from within a playbook. This way you can bring something to your SA’s attention immediately as needed during playbook execution. The ability to add a pin is is found under the utility option, and below is a simple playbook that was used to create the pins in Figure 2 above.
The underlying code for this call is the phantom.pin function. While not documented on the Container API page, here is some potential documentation as of SOAR 6.0.0:
Success, message, pin_id = phantom.pin(container=container, data="600", message="Card Hud 3", name="example", pin_style="red", pin_type="data")
The pin_id is then can be referenced for the update_pin or delete_pin function.
There are a couple of caveats to be aware when using the playbook utility function:
- When selecting the data pin type, pin colour is ignored.
- Card pins will be added at the end
- Users will need the Edit Events permission to add/modify any pins on the container.
The phantom.pin function is obviously a wrapper for the container_pin REST call, but it doesn’t allow for access to all the different capabilities that a POST command can do. Look for XXX about how to create more complicated HUD pins to boost your SOAR’s capabilities.
We hope this has helped you create an awesome heads up display, and that it makes your Splunk SOAR capabilities shine. Contact us if you have any additional questions: