Set up adaptive response actions in Splunk Enterprise Security
Adaptive response actions allow you to gather information or take other action in response to the results of a correlation search or the details of a notable event. Splunk Enterprise Security includes several adaptive response actions. See Included adaptive response actions.
You can add adaptive response actions and alert actions to correlation searches, or run adaptive response actions from notable events on the Incident Review dashboard. To save time at triage, add adaptive response actions to correlation searches so that information is collected before you start your investigation. To take action at triage time, run adaptive response actions from the Incident Review dashboard.
The adaptive response actions that ship out of the box for ping, nbtstat, and nslookup are modified to support Splunk Cloud. Additional setup is required before configuring adaptive response actions from Splunk Cloud to on-premises infrastructure and services. See Set up an adaptive response relay from Splunk Cloud to an on-premises device.
Add new adaptive response actions
To add new adaptive response actions, you can install add-ons with adaptive response actions or create your own adaptive response actions. See Create an adaptive response action on the Splunk developer portal for information on creating adaptive response actions. See Deploy add-ons included with Splunk Enterprise Security in the Install and Upgrade Manual.
Audit adaptive response actions
Audit all adaptive response actions on the Adaptive Response Action Center.
Configure permissions for adaptive response actions
Restrict certain adaptive response actions to certain roles by adjusting the permissions for adaptive response actions in the alert actions manager. You can find information about the alert actions manager in the Splunk platform documentation.
- For Splunk Enterprise, see Using the alert actions manager in the Splunk Enterprise Alerting Manual.
- For Splunk Cloud, see Using the alert actions manager in the Splunk Cloud Alerting Manual.
In order to run adaptive response actions from the Incident Review dashboard that have credentials stored in the credential manager, you must have the appropriate capability.
- For Splunk platform version 6.5.0 and later,
- For earlier Splunk platform versions,
Add an adaptive response action to a correlation search
- On the Splunk Enterprise Security menu bar, click Configure > Content > Content Management.
- Click an existing correlation search, or click Create New > Correlation Search.
- Click Add New Response Action and select the response action you want to add.
- Complete the fields for the action. If you want, add another response action.
- Click Save to save all changes to the correlation search.
For instructions on configuring each of the adaptive response actions included with Splunk Enterprise Security, see Configure adaptive response actions for a correlation search in Splunk Enterprise Security. For instructions on configuring a custom adaptive response action, see the documentation for the app or add-on that supplied the adaptive response action.
Troubleshoot why an adaptive response action is not available to select
If an adaptive response action is not available to select on the correlation search editor or Incident Review, several things could be the cause.
- Your role may not have permissions to view and use the adaptive response action. See Using the alert actions manager in the Alerting Manual.
- Check the alert actions manager to determine whether the adaptive response actions exist in the Splunk platform. See Using the alert actions manager in the Alerting Manual.
- If the adaptive response actions from an add-on do not appear in Splunk Enterprise Security, but do appear in the alert actions manager, make sure that the add-on is being exported globally. See Make Splunk knowledge objects globally available in the Splunk Enterprise Admin Manual.
- If you can select the adaptive response action on the correlation search editor, but not on Incident Review, the adaptive response action might be an ordinary alert action, or the response action does not support ad hoc invocation. See Determine whether your action supports ad hoc invocation on the Splunk developer portal.
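The role-permission and global-export checks in the list above can also be made against an add-on's metadata file. The following Python code is an added example, not part of the Splunk documentation. It assumes the standard `metadata/default.meta` stanza layout (`[]`, `[alert_actions]`, `[alert_actions/<name>]` with `access` and `export` keys); the file contents and action names are constructed, and any `local.meta` overrides are not considered.

```python
import re

# Constructed sample of an add-on's metadata/default.meta (not from a real add-on).
SAMPLE_META = """\
[]
access = read : [ * ], write : [ admin ]

[alert_actions]
export = none

[alert_actions/block_host]
access = read : [ ess_admin, ess_analyst ], write : [ ess_admin ]
export = system

[alert_actions/lookup_owner]
access = read : [ ess_admin ], write : [ ess_admin ]
"""

def parse_meta(text):
    """Return {stanza_name: {key: value}} for the text of a .meta file."""
    stanzas, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def read_roles(access):
    """Extract role names from the 'read : [ ... ]' part of an access value."""
    m = re.search(r"read\s*:\s*\[([^\]]*)\]", access or "")
    return [r.strip() for r in m.group(1).split(",") if r.strip()] if m else []

def effective_alert_actions(text):
    """Resolve global export and read roles for each explicitly listed alert action."""
    stanzas = parse_meta(text)
    result = {}
    for name in [s for s in stanzas if s.startswith("alert_actions/")]:
        merged = {}
        for layer in ("", "alert_actions", name):  # least to most specific
            merged.update(stanzas.get(layer, {}))
        result[name.split("/", 1)[1]] = {
            "global": merged.get("export") == "system",
            "read": read_roles(merged.get("access")),
        }
    return result
```

An action reported with `"global": False` matches the case in the list where the action appears in the alert actions manager but not in Splunk Enterprise Security, and the `read` list shows which roles can view and use it.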
This documentation applies to the following versions of Splunk® Enterprise Security: 5.3.0, 5.3.1, 6.0.0