Splunk® Enterprise Security

Administer Splunk Enterprise Security


Set up adaptive response actions in Splunk Enterprise Security

Adaptive response actions allow you to gather information or take other action in response to the results of a correlation search or the details of a notable event. Splunk Enterprise Security includes several adaptive response actions. See Included adaptive response actions.

You can add adaptive response actions and alert actions to correlation searches, or run adaptive response actions from notable events on the Incident Review dashboard. Adding adaptive response actions to correlation searches collects information before an investigation starts, which saves time at triage. Running adaptive response actions from the Incident Review dashboard lets you take action at triage time.

The adaptive response actions that ship out of the box for ping, nbtstat, and nslookup are modified to support Splunk Cloud. Additional setup is required before configuring adaptive response actions from Splunk Cloud to on-premises infrastructure and services. See Set up an adaptive response relay from Splunk Cloud to an on-premises device.

Add new adaptive response actions

To add new adaptive response actions, you can install add-ons with adaptive response actions or create your own adaptive response actions. See Create an adaptive response action on the Splunk developer portal for information on creating adaptive response actions. See Deploy add-ons included with Splunk Enterprise Security in the Install and Upgrade Manual.

Audit adaptive response actions

Audit all adaptive response actions on the Adaptive Response Action Center.

Configure permissions for adaptive response actions

Restrict certain adaptive response actions to certain roles by adjusting the permissions for adaptive response actions in the alert actions manager. You can find information about the alert actions manager in the Splunk platform documentation.

In order to run adaptive response actions from the Incident Review dashboard that have credentials stored in the credential manager, you must have the appropriate capability.

  • For Splunk platform version 6.5.0 and later, list_storage_passwords.
  • For earlier Splunk platform versions, admin_all_objects.

Add an adaptive response action to a correlation search

  1. On the Splunk Enterprise Security menu bar, click Configure > Content > Content Management.
  2. Click an existing correlation search, or click Create New > Correlation Search.
  3. Click Add New Response Action and select the response action you want to add.
  4. Complete the fields for the action. If you want, add another response action.
  5. Click Save to save all changes to the correlation search.

For instructions on configuring each of the adaptive response actions included with Splunk Enterprise Security, see Configure adaptive response actions for a correlation search in Splunk Enterprise Security. For instructions on configuring a custom adaptive response action, see the documentation for the app or add-on that supplied the adaptive response action.

Troubleshoot why an adaptive response action is not available to select

If an adaptive response action is not available to select on the correlation search editor or on Incident Review, any of the following could be the cause.

  • Your role may not have permissions to view and use the adaptive response action. See Using the alert actions manager in the Alerting Manual.
  • Check the alert actions manager to determine if the adaptive response actions exist in Splunk platform. See Using the alert actions manager in the Alerting Manual.
  • If the adaptive response actions from an add-on do not appear in Splunk Enterprise Security, but do appear in the alert actions manager, make sure that the add-on is being exported globally. See Make Splunk knowledge objects globally available in the Splunk Enterprise Admin Manual.
  • If you can select the adaptive response action on the correlation search editor, but not on Incident Review, the adaptive response action might be an ordinary alert action, or the response action does not support ad hoc invocation. See Determine whether your action supports ad hoc invocation on the Splunk developer portal.
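The checks in the permissions section and in this troubleshooting list can be applied to the alert action listing that backs the alert actions manager. The following script is an added example, not part of the Splunk documentation or product code. It assumes the JSON shape of `GET /services/alerts/alert_actions?output_mode=json` (an `entry` list with `acl.sharing`, `acl.app` and a `content` dict), that adaptive response actions carry a `param._cam` JSON string whose `supports_adhoc` flag marks ad hoc invocation support, and that the capability rule is the version split stated above. The listing below is constructed sample data, not output from a real deployment.

```python
import json
from typing import Dict, Iterable, List

# Constructed sample shaped like the alert_actions REST listing (assumption:
# acl/content layout as in output_mode=json). Values are made up for this example.
SAMPLE_LISTING = json.dumps({
    "entry": [
        {   # shipped adaptive response action, globally shared, ad hoc capable
            "name": "nslookup",
            "acl": {"app": "SA-NetworkProtection", "sharing": "global"},
            "content": {"param._cam": json.dumps({"category": ["Information Gathering"],
                                                   "supports_adhoc": True})},
        },
        {   # hypothetical add-on action: app-scoped and not ad hoc capable
            "name": "custom_enrich",
            "acl": {"app": "TA-custom", "sharing": "app"},
            "content": {"param._cam": json.dumps({"category": ["Information Gathering"],
                                                   "supports_adhoc": False})},
        },
        {   # ordinary alert action: no Common Action Model metadata at all
            "name": "email",
            "acl": {"app": "search", "sharing": "global"},
            "content": {},
        },
    ]
})


def diagnose_alert_actions(listing_json: str) -> Dict[str, List[str]]:
    """Map each alert action name to the reasons it may not be selectable in ES."""
    report: Dict[str, List[str]] = {}
    for entry in json.loads(listing_json).get("entry", []):
        issues: List[str] = []
        acl = entry.get("acl", {})
        if acl.get("sharing") != "global":
            issues.append(f"shared at '{acl.get('sharing')}' scope in app "
                          f"'{acl.get('app')}'; export the add-on globally")
        cam_raw = entry.get("content", {}).get("param._cam")
        if cam_raw is None:
            # No _cam metadata: an ordinary alert action, usable from a
            # correlation search but never from Incident Review.
            issues.append("no param._cam: ordinary alert action, not adaptive response")
        else:
            try:
                cam = json.loads(cam_raw)
            except json.JSONDecodeError:
                cam = {}
                issues.append("param._cam is not valid JSON")
            if not cam.get("supports_adhoc", False):
                issues.append("supports_adhoc is false: correlation search only, "
                              "not available on Incident Review")
        report[entry["name"]] = issues
    return report


def required_capability(splunk_version: str) -> str:
    """Capability needed to run credential-backed actions from Incident Review."""
    parts = [int(p) for p in splunk_version.split(".")[:2]] + [0]
    major, minor = parts[0], parts[1]
    return "list_storage_passwords" if (major, minor) >= (6, 5) else "admin_all_objects"


def can_run_credentialed_actions(splunk_version: str, capabilities: Iterable[str]) -> bool:
    """True when the role's capabilities include the one the platform version requires."""
    return required_capability(splunk_version) in set(capabilities)


if __name__ == "__main__":
    for name, issues in diagnose_alert_actions(SAMPLE_LISTING).items():
        print(name, "->", issues or ["ok"])
    print(required_capability("6.5.0"), required_capability("6.4.3"))
```

Pointing the same logic at a live listing means fetching the endpoint with an authenticated session and passing the response body to `diagnose_alert_actions`; an empty issue list for an action means none of the causes on this page apply and the remaining suspect is the role's own permission on that action.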

This documentation applies to the following versions of Splunk® Enterprise Security: 5.3.0, 5.3.1, 6.0.0
