Splunk® Enterprise Security

Administer Splunk Enterprise Security

Download manual as PDF

Download topic as PDF

Set up an adaptive response relay from a Splunk Cloud Enterprise Security search head to an on-premises device

Splunk Cloud customers can utilize adaptive response actions in Splunk Enterprise Security (ES) without exposing infrastructure controls and administration to the open internet. Adaptive response relay allows adaptive response actions to queue on the Splunk Cloud ES search head. These queued actions store metadata and search results that allow a separate proxy component to execute those adaptive response actions from within the on-premises environment.

You need to perform the following steps to set up adaptive response actions:

  1. Install the technology add-on for adaptive response on your heavy forwarder.
  2. Configure your Splunk Cloud ES search head with an API key.
  3. Configure your on-premises heavy forwarder with an API key.
  4. Configure your on-premises heavy forwarder with a modular action relay.
  5. Configure your Splunk Cloud ES search head with a modular action worker.
  6. Configure adaptive response actions for your Splunk Cloud ES search head.

Install the technology add-on for adaptive response on your heavy forwarder

For an on-premises heavy forwarder to perform adaptive response actions, you must install the actions on both the Splunk Cloud ES search head and the heavy forwarder. These actions are installed by default with ES in $SPLUNK_HOME/etc/apps/SA-ThreatIntelligence, but you need to install them manually on your heavy forwarder.

  1. From the Splunk ES menu bar of the Splunk Cloud ES search head, select Configure > General > Distributed Configuration Management.
  2. Click Splunk_TA_AROnPrem to download the app.
  3. Install the app on the heavy forwarder.

Configure your Splunk Cloud ES search head with an API key

The API key allows you to authenticate from the KV Store collection and CAM queue. You must create and manage your own API key. The API key follows a specific format, and it does not support two-factor authentication. For a Splunk Cloud environment that requires two-factor authentication, turn off this feature by not setting an API key.

  1. Retrieve the heavy forwarder's serverName value by running the following search on the heavy forwarder:

    | rest /services/server/info | table serverName

    Take note of this name because you will need it when you set up your heavy forwarder. In this example the serverName value is hf1.
  2. Install the Common Information Model version 4.12 or higher on the Splunk Cloud ES search head, if you haven't done so already.
  3. Generate an API key on the Splunk Cloud ES search head.
    1. From the Splunk ES menu bar, select Configure > CIM Setup, and then click Manage API Key.
    2. In the Key Name field, type the serverName value that you retrieved: in this case, hf1.
    3. To generate the API key value, type the following URI into a browser window of your Splunk Cloud ES search head: https://<yoursplunkserver>/en-US/splunkd/__raw/alerts/modaction_queue/key
      This will return a random 128-character string in the valid format.
    4. Copy and paste the string into the API Key field.
      Take note of this string because you will use it when you configure your heavy forwarder.

Configure your on-premises heavy forwarder with an API key

An API key allows the heavy forwarder to authenticate against the Splunk Cloud ES search head. The API key on the heavy forwarder must match the API key on the Splunk Cloud ES search head.

  1. Install the Common Information Model version 4.12 or higher on the heavy forwarder, if you haven't done so already.
  2. From the Splunk ES menu bar, select Configure > CIM Setup, and then click Manage API Key
    1. On the key management page, in the Key Name field, type the serverName value that you took note of in the Configure your Splunk Cloud ES search head with an API key section.
    2. On the key management page, in the API Key field, paste the string that you took note of in the Configure your Splunk Cloud ES search head with an API key section.

Configure your on-premises heavy forwarder with a modular action relay

The modular action relay is where you set the heavy forwarder to retrieve queued search results from a Splunk Cloud correlation search so that it can execute adaptive response actions on premises.

  1. From the Splunk ES menu bar, select Settings > Data inputs.
  2. Scroll down to Modular Action Relay and click + Add new.
    1. Type a Name for the relay, such as relay1.
    2. Type the Remote Search Head URI in the format of protocol://servername:port, such as: https://10.224.62.249:8089.
      8089 is the default port for Splunk Cloud.
    3. Type a Description for the relay, such as remote search head.
    4. Type the Api Key Name (the serverName value that you took note of in the Configure your Splunk Cloud ES search head with an API key section), such as hf1.
    5. Type True in the Verify field to verify the certificates between the worker and the Splunk Cloud ES search head.
    6. (Optional) If your ES search head is using a privately signed SSL certificate, add your root CA certificate chain file to the Splunk_SA_CIM/auth directory on the heavy forwarder and provide its file name to this input in the Client Certificate field. If your search head is in Splunk Cloud, this is not an issue.

Configure your Splunk Cloud ES search head with a modular action worker

The modular action worker is where you specify the serverName value of the heavy forwarder that the Splunk Cloud ES search head will queue search results for.

  1. From the Splunk ES menu bar of the Splunk Cloud ES search head, select Configure > Content > Content Management.
  2. Type Modular Action Workers in the search filter.
  3. Click the name of the Modular Action Workers lookup.
  4. Add a worker set and the name of the worker. The worker_set value is used when running adaptive response actions from ES. The cam_worker is the actual name of the heavy forwarder that will execute the actions.
    1. Leave the row with local as-is because it allows for local execution of actions on the Splunk Cloud ES search head.
    2. In the worker_set column, type a descriptive name for the heavy forwarder: onprem.
    3. In the cam_workers column, type the serverName value that you took note of in the Configure your Splunk Cloud ES search head with an API key section, such as "["hf1"]".
      The format requires array-style notation of "["nameofworker"]" with each worker name in quotes and separated with commas in CSV encoded JSON. An example of multiple workers is "[""hf1"",""hf2""]".

Configure adaptive response actions for your Splunk Cloud ES search head

See Configure adaptive response actions for a correlation search in Splunk Enterprise Security for information about configuring adaptive response actions in general.

The Worker Set drop-down menu is specific to adaptive response actions on a Splunk Cloud ES search head. After completing the in the Configure your Splunk Cloud ES search head with a modular action worker section, when you create or edit a correlation search to add an adaptive response action, the drop-down menu includes the worker_set that you created.

Select the worker_set to use for executing those adaptive response actions from within the on-premises environment.

The results of adaptive response actions, ping for example, are found in "index=main source=ping".

Troubleshoot adaptive response relay from Splunk Cloud ES search head to an on-premises device

The adaptive response modular input runs on a default interval of 2 minutes. You can adjust this based on your needs. A more frequent execution time will place additional load on the Splunk Cloud ES search head. To avoid performance problems with the CAM queue, adjust the interval to run less frequently, and do not set it below 10 seconds.

Ensure that your heavy forwarder is configured to forward its data to your indexers. This includes forwarding data from the relayed modular actions. You can run a search similar to the following search on your ES search head to verify that data is forwarding, where hf1 is the name of your heavy forwarder:

index="cim_modactions" host=hf1

If this search never returns results, then your heavy forwarder is experiencing issues connecting to the ES search head.

PREVIOUS
Set up adaptive response actions in Splunk Enterprise Security
  NEXT
Configure adaptive response actions for a correlation search in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 6.0.0


Comments

Hi @Pongmerck. Thanks for the doc feedback! I made the format change that you recommended. And yes, heavy forwarder ES menu bar is where to find the Settings > Data inputs.

Lkutch splunk, Splunker
August 26, 2019

The section "Configure your on-premises heavy forwarder with a modular action relay" may be incorrect as step 1 says to perform the step against the "ES menu bar"? Think this should be done against the local HF?

Pongmerck
August 26, 2019

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters