Set up an Adaptive Response relay from a Splunk Cloud Enterprise Security search head to an on-premises device
Splunk Cloud customers can utilize Adaptive Response actions in Splunk Enterprise Security (ES) without exposing infrastructure controls and administration to the open internet. Adaptive response relay allows adaptive response actions to queue on the Splunk Cloud ES search head. These queued actions store metadata and search results that allow a separate proxy component to execute those adaptive response actions from within the on-premises environment.
You need to perform the following steps to set up Adaptive Response actions:
- Install the technology add-on for Adaptive Response on your heavy forwarder.
- Configure your Splunk Cloud ES search head with an API key.
- Configure your on-premises heavy forwarder with an API key.
- Configure your on-premises heavy forwarder with a modular action relay.
- Configure your Splunk Cloud ES search head with a modular action worker.
- Configure adaptive response actions for your Splunk Cloud ES search head.
Install the technology add-on for Adaptive Response on your heavy forwarder
For an on-premises heavy forwarder to perform Adaptive Response actions, you must install the actions on both the Splunk Cloud ES search head and the heavy forwarder. These actions are installed by default with ES in $SPLUNK_HOME/etc/apps/SA-ThreatIntelligence, but you need to install them manually on your heavy forwarder.
- From the Splunk ES menu bar of the Splunk Cloud ES search head, select Configure > General > General Settings.
- Locate the Distributed Configuration Management item.
- Click Splunk_TA_AROnPrem to download the app.
- Install the app on the heavy forwarder.
Configure your Splunk Cloud ES search head with an API key
The API key allows you to authenticate from the KV Store collection and CAM queue. You must create and manage your own API key. The API key follows a specific format, and it does not support two-factor authentication. For a Splunk Cloud environment that requires two-factor authentication, turn off this feature by not setting an API key.
- Retrieve the heavy forwarder's serverName value by running the following search on the heavy forwarder:
| rest /services/server/info | table serverName
Take note of this name because you will need it when you set up your heavy forwarder. In this example the serverName value is hf1.
- Install the Common Information Model version 4.12 or higher on the Splunk Cloud ES search head, if you haven't done so already.
- Generate an API key on the Splunk Cloud ES search head.
- From the Splunk ES menu bar, select Configure > CIM Setup, and then click Manage API Key.
- In the Key Name field, type the serverName value that you retrieved: in this case, hf1.
- To generate the API key value, type the following URI into a browser window of your Splunk Cloud ES search head:
https://<yoursplunkserver>/en-US/splunkd/__raw/alerts/modaction_queue/key
This will return a random 128-character string in the valid format.
- Copy and paste the string into the API Key field.
Take note of this string because you will use it when you configure your heavy forwarder.
Configure your on-premises heavy forwarder with an API key
An API key allows the heavy forwarder to authenticate against the Splunk Cloud ES search head. The API key on the heavy forwarder must match the API key on the Splunk Cloud ES search head.
- Install the Common Information Model version 4.12 or higher on the heavy forwarder, if you haven't done so already.
- From the Splunk ES menu bar, select Configure > CIM Setup, and then click Manage API Key.
- On the key management page, in the Key Name field, type the serverName value that you took note of in the Configure your Splunk Cloud ES search head with an API key section.
- On the key management page, in the API Key field, paste the string that you took note of in the Configure your Splunk Cloud ES search head with an API key section.
Configure your on-premises heavy forwarder with a modular action relay
The modular action relay is where you set the heavy forwarder to retrieve queued search results from a Splunk Cloud correlation search so that it can execute adaptive response actions on premises.
- From the Splunk ES menu bar, select Settings > Data inputs.
- Scroll down to Modular Action Relay and click + Add new.
- Type a Name for the relay, such as relay1.
- Type the Remote Search Head URI in the format of protocol://servername:port, such as: https://10.224.62.249:8089. 8089 is the default port for Splunk Cloud.
- Type a Description for the relay, such as remote search head.
- Type the Api Key Name (the serverName value that you took note of in the Configure your Splunk Cloud ES search head with an API key section), such as hf1.
- Type True in the Verify field to verify the certificates between the worker and the Splunk Cloud ES search head.
- (Optional) If your ES search head is using a privately signed SSL certificate, add your root CA certificate chain file to the Splunk_SA_CIM/auth directory on the heavy forwarder and provide its file name to this input in the Client Certificate field. If your search head is in Splunk Cloud, this is not an issue.
Configure your Splunk Cloud ES search head with a modular action worker
The modular action worker is where you specify the serverName value of the heavy forwarder that the Splunk Cloud ES search head will queue search results for.
- From the Splunk ES menu bar of the Splunk Cloud ES search head, select Configure > Content > Content Management.
- Type Modular Action Workers in the search filter.
- Click the name of the Modular Action Workers lookup.
- Add a worker set and the name of the worker. The worker_set value is used when running Adaptive Response actions from ES. The cam_worker is the actual name of the heavy forwarder that will execute the actions.
- Leave the row with local as-is because it allows for local execution of actions on the Splunk Cloud ES search head.
- In the worker_set column, type a descriptive name for the heavy forwarder: onprem.
- In the cam_workers column, type the serverName value that you took note of in the Configure your Splunk Cloud ES search head with an API key section, such as "["hf1"]".
The format requires array-style notation of "["nameofworker"]" with each worker name in quotes and separated with commas in CSV encoded JSON. An example of multiple workers is "[""hf1"",""hf2""]".
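The cam_workers column is a JSON array stored inside a CSV field, which is why the multi-worker example above doubles every quote. The following Python is an added example, not Splunk's code or part of this documentation: it writes and reads back the Modular Action Workers lookup in that encoding so you can check a hand-edited row before a correlation search depends on it. The worker names hf1 and hf2 and the worker_set name onprem are the page's example values; the lookup column headers worker_set and cam_workers are taken from the step above, and the existing local row is deliberately left out because its contents are not shown here.

```python
import csv
import io
import json


def cam_workers_json(worker_names):
    """Build the JSON array for one cam_workers cell, e.g. ["hf1","hf2"].

    Each entry must be a heavy forwarder serverName (a non-empty string).
    An empty list is rejected: a worker set with no workers can execute nothing.
    """
    names = list(worker_names)
    if not names or any(not isinstance(n, str) or not n for n in names):
        raise ValueError("every cam_worker must be a non-empty serverName string")
    return json.dumps(names, separators=(",", ":"))


def encode_cam_workers(worker_names):
    """Return the cam_workers cell as it appears in the lookup CSV file.

    The csv module quotes the field and doubles the JSON quotes, so
    ["hf1","hf2"] becomes "[""hf1"",""hf2""]" (the page's multi-worker form).
    """
    buf = io.StringIO()
    csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="").writerow(
        [cam_workers_json(worker_names)]
    )
    return buf.getvalue()


def decode_cam_workers(csv_field):
    """Parse a raw cam_workers cell (CSV-encoded JSON) back into worker names."""
    row = next(csv.reader(io.StringIO(csv_field)))
    workers = json.loads(row[0])
    if not isinstance(workers, list) or not all(isinstance(w, str) for w in workers):
        raise ValueError("cam_workers must be a JSON array of strings")
    return workers


def build_workers_lookup(worker_sets):
    """Render worker_set -> [serverName, ...] as the lookup's CSV text.

    Hypothetical helper: mirrors the worker_set,cam_workers layout of the
    lookup so a row can be inspected before it is entered in Content Management.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")  # QUOTE_MINIMAL quotes only the JSON cell
    writer.writerow(["worker_set", "cam_workers"])
    for worker_set, names in worker_sets.items():
        writer.writerow([worker_set, cam_workers_json(names)])
    return buf.getvalue()


def find_workers_for_set(lookup_csv, worker_set):
    """Return the heavy forwarders a worker_set dispatches to, or None if absent."""
    for row in csv.DictReader(io.StringIO(lookup_csv)):
        if row["worker_set"] == worker_set:
            # DictReader has already removed the CSV quoting; only JSON remains.
            return json.loads(row["cam_workers"])
    return None


if __name__ == "__main__":
    # Constructed input: one on-premises worker set with two heavy forwarders.
    lookup = build_workers_lookup({"onprem": ["hf1", "hf2"]})
    print(lookup, end="")
    print(find_workers_for_set(lookup, "onprem"))
```

Running the block prints the two-line lookup with the onprem row encoded as `onprem,"[""hf1"",""hf2""]"`, and `find_workers_for_set` returns `['hf1', 'hf2']`; a worker_set that is missing from the lookup returns None, which is the condition to check when the Worker Set drop-down in a correlation search does not list the set you expect.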
Configure Adaptive Response actions for your Splunk Cloud ES search head
See Configure Adaptive Response actions for a correlation search in Splunk Enterprise Security for information about configuring Adaptive Response actions in general.
The Worker Set drop-down menu is specific to Adaptive Response actions on a Splunk Cloud ES search head. After completing the steps in the Configure your Splunk Cloud ES search head with a modular action worker section, when you create or edit a correlation search to add an Adaptive Response action, the drop-down menu includes the worker_set that you created.
Select the worker_set to use for executing those Adaptive Response actions from within the on-premises environment.
The results of Adaptive Response actions, ping for example, are found in "index=main source=ping".
Troubleshoot Adaptive Response relay from Splunk Cloud ES search head to an on-premises device
The Adaptive Response modular input runs on a default interval of 2 minutes. You can adjust this based on your needs. A more frequent execution time will place additional load on the Splunk Cloud ES search head. To avoid performance problems with the CAM queue, adjust the interval to run less frequently, and do not set it below 10 seconds.
Ensure that your heavy forwarder is configured to forward its data to your indexers. This includes forwarding data from the relayed modular actions. You can run a search similar to the following search on your ES search head to verify that data is forwarding, where hf1 is the name of your heavy forwarder:
index="cim_modactions" host=hf1
If this search never returns results, then your heavy forwarder is experiencing issues connecting to the ES search head.
Related information about distributed Adaptive Response actions
See the following related information about distributed Adaptive Response actions.
- See Adaptive Response framework in Splunk ES on the Splunk Developer Portal.
- See Create an Adaptive Response action on the Splunk Developer Portal.
- See Example distributed Adaptive Response action on the Splunk Developer Portal.
- See Create an Adaptive Response action for Enterprise Security in the Splunk Add-on Builder User Guide.
This documentation applies to the following versions of Splunk® Enterprise Security: 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1