Included adaptive response actions with Splunk Enterprise Security
Splunk Enterprise Security includes several adaptive response actions.
- Create a notable event.
- Modify a risk score by creating a risk modifier.
- Send an email.
- Start a stream capture with Splunk Stream.
- Ping a host.
- Run Nbtstat to, for example, troubleshoot a NetBios name resolution problem.
- Run Nslookup to look up the domain name of an IP address, or the IP address of a domain name.
Create a notable event
Create a notable event when the conditions of a correlation search are met.
- On the Splunk Enterprise Security menu bar, click Configure > Content Management.
- Click an existing correlation search, or click Create New > Correlation Search.
- Click Add New Response Action and select Notable to add a notable event.
- Type a Title of the notable event on the Incident Review dashboard. Supports variable substitution from the fields in the matching event.
- Type a Description of the notable event. Supports variable substitution from the fields in the matching event
- Select the Security Domain of the notable event from the drop-down list.
- Select the Severity of the notable event from the drop-down list. The severity is used to calculate the Urgency of a notable event.
- (Optional) Change the default owner of the notable event from the system default, unassigned.
- (Optional) Change the default status of the notable event from the system default, New.
- Type a drill-down name for the Contributing Events link in the notable event.
- Type a drill-down search for the Contributing Events link in the notable event.
- In the Drill-down earliest offset field, type the amount of time before the time of the triggering event to look for related events for the Contributing Events link in the notable event.
For example 2h to look for contributing events 2 hours before the triggering event.
- In the Drill-down latest offset field, type the amount of time after the time of the triggering event to look for related events for the Contributing Events link in the notable event.
For example, 1h to look for contributing events 1 hour after the triggering event.
- Type Next Steps for an analyst to take after triaging a notable event. Type text or click Insert Adaptive Response Action to reference a response action in the text of the next steps. You can only type plain text and links to response actions in the next steps field. Use next steps if you want to recommend response actions that should be taken in a specific order.
For example, ping a host to determine if it is active on the network. If the host is active, increase the risk score by 100, otherwise, increase the risk score by 50.
- Select Recommended Actions to complement the next steps. From the list of all adaptive response actions, click the name of an action that you recommend as a triage or investigation step for this notable event to add it to the list of recommended actions that analysts can take for this notable event. You can add as many recommended actions as you like. Use recommended actions to recommend response actions that do not need to be taken in a specific order.
For example, increase the risk score on a host and perform an nslookup on a domain name.
Modify a risk score with a risk modifier
Modify a risk score as a result of a correlation search or in response to notable event details with the Risk Analysis adaptive response action. The risk adaptive response action creates a risk modifier event. You can view the risk modifier events on the Risk Analysis dashboard in Enterprise Security.
- Click Add New Response Action and select Risk Analysis.
- Type the score to assign to the risk object.
- Type a field in the search to apply the risk score to for the Risk Object Field.
For example, type "src" to specify the source field.
- Select the Risk Object Type to apply the risk score to.
Send an email
Send an email as a result of a correlation search match. Make sure that the mail server is configured in Splunk platform before setting up this response action. See Configure email notification settings in the Alerting Manual.
- Click Add New Response Action and select Send email.
- In the To field, type a comma-separated list of email addresses to send the email to.
- (Optional) Change the priority of the email. Defaults to Lowest.
- Type a subject for the email. The email subject defaults to "Splunk Alert: $name$", where $name$ is the correlation search Search Name.
- Type a message to include as the body of the email. Defaults to "The scheduled report '$name$' has run."
- Select the check boxes of the information you want the email message to include.
- Select whether to send a plain-text or HTML and plain-text email message.
Run a script
Run a script stored in
$SPLUNK_HOME/bin/scripts. See Configure scripted alerts in the Alerting Manual.
- Click Add New Response Action and select Run a script.
- Type the filename of the script.
Start a Stream capture
Start a Stream capture to capture packets on the IP addresses of the selected protocols over the time period that you select. You can view the results of the capture session on the Protocol Intelligence dashboards.
A Stream capture will not work unless you integrate Splunk Stream with Splunk Enterprise Security. See Splunk Stream integration.
- Click Add New Response Action and select Stream Capture to start a packet capture in response to a correlation search match.
- Type a Description to describe the stream created in response to the correlation search match.
- Type a Category to define the type of stream capture. You can view streams by category in Splunk Stream.
- Type the comma-separated event fields to search for IP addresses for the Stream capture. The first non-null field is used for the capture.
- Type the comma-separated list of protocols to capture.
- Select a Capture duration to define the length of the packet capture.
- Type a Stream capture limit to limit the number of stream captures started by the correlation search.
Ping a host
Determine whether a host is still active on the network by pinging the host.
- Click Add New Response Action and select Ping.
- Type the event field that contains the host that you want to ping in the Host Field.
- Type the number of maximum results that the ping returns. Defaults to 1.
Learn more about a host and the services that the host runs by running nbtstat.
- Click Add New Response Action and select Nbtstat.
- Type the event field that contains the host that you want to run the nbtstat for in the Host Field.
- Type the number of maximum results that the nbtstat returns. Defaults to 1.
Look up the domain name of an IP address, or the IP address of a domain name, by running nslookup.
- Click Add New Response Action and select Nslookup.
- Type the event field that contains the host that you want to run the nslookup for in the Host Field.
- Type the number of maximum results that the nslookup returns. Defaults to 1.
Set up adaptive response actions in Splunk Enterprise Security
This documentation applies to the following versions of Splunk® Enterprise Security: 4.5.0, 4.5.1, 4.5.2, 4.5.3