Respond to investigations with response plans in Splunk Enterprise Security
A response plan is a template of standardized guidelines for responding to an investigation in Splunk Enterprise Security. A response plan includes tasks and phases for security analysts to complete while investigating and responding to security incidents. You can use response plans provided by Splunk Enterprise Security, such as NIST 800-61 or Vulnerability Disclosure, or you can create your own custom response plan.
You can apply a response plan to a particular investigation as you're working on it, or you can assign a response plan to an investigation type. After you create an investigation type and assign a response plan to it, that response plan is applied automatically to any new investigation of that type that is ingested or started in Splunk Enterprise Security.
Example: Response workflow
After you add a response plan to an investigation, use the phases and tasks to guide your investigation in Splunk Enterprise Security.
- In Splunk Enterprise Security, select Mission Control.
- Select the name of the investigation you want to respond to from the analyst queue.
- Select View details.
- From the Response tab of the investigation, review the current phase.
- Review the phase details, such as the number of tasks.
- Select a task to open it and assign it.
- Select Start to begin the work, or use the Owner drop-down list to assign the task to someone else. When you start a task, it is automatically assigned to you.
- Expand the Respond section to browse response options.
- If a search is embedded in the response plan task, select the search icon to open it in the Search tab. You can edit the search or run it as is. By default, the search runs over the last 24 hours; to use a different time range, select it from the drop-down list.
- To run an action or playbook configured for the task, select the run icon. Then select View results to see the action or playbook results associated with the investigation.
- If the response plan requires a note, add a note to the task by expanding the Notes section. By default, the title of the note is the task name and number. If you have multiple notes, the number corresponds to the order you created the note in.
You can't use more than 250 characters in the note title. Additionally, you can't use more than 10,000 characters in the note description.
- Expand the Files section to add a file to the task.
- When you complete the task, select End.
- Review and complete all the tasks in a phase to end a phase.
- Review and complete all the phases to finish your response to the investigation.
- To review additional response plans for the investigation, select the down arrow next to the current response plan name. From the drop-down list, select the name of another applied response plan.
If you want to share a phase or a task with someone without assigning it to them, you can copy the URL of the investigation while viewing the phase or task and send it to the other person. If you want to reopen a task, select the checkmark icon.
Included response plans in Splunk Enterprise Security
You can use the response plans included in Splunk Enterprise Security, or you can create your own. Splunk Enterprise Security includes the following response plans:
Response plan name | Details | When to use |
---|---|---|
Account Compromise | Outlines phases and tasks relevant to potential compromise of system or application accounts. | When investigating a likely account compromise. |
Data Breach | Outlines response to a data breach by contacting affected system owners and containing data exfiltration. | When investigating a likely data breach. |
Network Indicator Enrichment | Gathers and analyzes contextual information about URLs, host names, top level domain names, IP addresses, TLS certificates, and MAC addresses. | To gather information about artifacts involved in the investigation. |
NIST 800-61 | Outlines response phases and tasks based on the NIST Computer Security Incident Handling Guide, SP 800-61. | To standardize responses for all investigations. |
Generic Incident Response | Outlines response phases and tasks for basic investigation response: detect, analyze, contain, eradicate, recover, and review. | To standardize responses for all investigations, especially malware infection. |
Self-Replicating Malware | Outlines response phases and tasks relevant to containing and remediating a self-replicating malware infection. | When investigating self-replicating malware infections, especially those infecting network services or shared resources. |
Suspicious Email | Outlines response phases and tasks for a suspicious email campaign, including external investigations, internal hunting activities, enforcement, and increased monitoring. | When investigating suspicious emails. |
Vulnerability Disclosure | Outlines response phases and tasks for a vulnerability disclosure, such as a critical CVE. | To determine the impact of a vulnerability disclosure on your environment. |
See also
For more details on response plans in Splunk Enterprise Security, see the product documentation:
Start investigations in Splunk Enterprise Security | Add events to an investigation in Splunk Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0