Splunk® Enterprise Security

Use Splunk Enterprise Security

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Included adaptive response actions with

includes several adaptive response actions that you can run on a notable event from Incident Review.

Note: ES administrators can configure these and additional adaptive response actions to be triggered by correlation searches. See Configure adaptive response actions for a correlation search in Splunk Enterprise Security in Administer Splunk Enterprise Security.

Search commands and adaptive response actions such as ping, nbtstat, and nslookup can no longer send results to customized indexes. Results from search commands and adaptive response actions such as ping, nbtstat, and nslookup are written to the default index.

Analyze the risk from assets and identities

Analyze the risk posed by assets and identities by adding adaptive response actions to correlation searches. You can assign risk as an adaptive response action by adding a risk message, modifying risk scores, and assigning potential sources of threat.

  1. Click Add New Response Action and select Risk Analysis.
  2. Type a Risk Message. For example: Flag users based on command line usage.
  3. Add risk modifiers to the notable by assigning values for the following fields:
    Field Description Example
    Risk score Positive or negative integer or a decimal number to assign a value to the risk object, which is any asset or identity. 10
    Risk Object Field Name of a field that exists in the correlation search so that the risk score can be applied to that field. dest (destination) or src (source)
    Risk Object Type `risk_object_types` macro. system, user, other
  4. Click + to add additional risk modifiers.
  5. Add values for objects that may be potential sources of threat. For example, if you want to flag users based on their command line usage, enter command line for Threat Object Field and Command for Threat Object Type.
  6. Click Save.

Modify a risk score with a risk modifier

Modify a risk score as a result of a correlation search or in response to notable event details with the Risk Analysis adaptive response action. The risk adaptive response action creates a risk modifier event. You can view the risk modifier events on the Risk Analysis dashboard in Enterprise Security.

  1. Click Add New Response Action and select Risk Analysis.
  2. Type the score to assign to the risk object.
  3. Select a field from the notable event to apply the risk score to for the Risk Object Field.
  4. Select the Risk Object Type to apply the risk score to.


Run a script

Run a script stored in $SPLUNK_HOME/bin/scripts.

  1. Click Add New Response Action and select Run a script.
  2. Type the filename of the script.

More information about scripted alerts can be found in the Splunk platform documentation.

Start a stream capture with Splunk Stream

Start a Stream capture to capture packets on the IP addresses of the selected protocols over the time period that you select. You can view the results of the capture session on the Protocol Intelligence dashboards.

A stream capture will not work unless you integrate Splunk Stream with . See Splunk Stream integration.

  1. Click Add New Response Action and select Stream Capture to start a packet capture in response to a correlation search match.
  2. Type a Description to describe the stream created in response to the correlation search match.
  3. Type a Category to define the type of stream capture. You can view streams by category in Splunk Stream.
  4. Type the comma-separated event fields to search for IP addresses for the Stream capture. The first non-null field is used for the capture.
  5. Type the comma-separated list of protocols to capture.
  6. Select a Capture duration to define the length of the packet capture.
  7. Type a Stream capture limit to limit the number of stream captures started by the correlation search.

Ping a host

Determine whether a host is still active on the network by pinging the host.

  1. Click Add New Response Action and select Ping.
  2. Select the field that contains the host that you want to ping in the Host Field.
  3. Type the number of maximum results that the ping returns. Defaults to 1.

Run nbtstat

Learn more about a host and the services that the host runs by running nbtstat. You must have nbtstat installed on the search head for this to run successfully.

  1. Click Add New Response Action and select Nbtstat.
  2. Select the field that contains the host that you want to run the nbtstat for in the Host Field.
  3. Type the number of maximum results that the nbtstat returns. Defaults to 1.

Run nslookup

Look up the domain name of an IP address, or the IP address of a domain name, by running nslookup. You must have nslookup installed on the search head for this to run.

  1. Click Add New Response Action and select Nslookup.
  2. Select the field that contains the host that you want to run the nslookup for in the Host Field.
  3. Type the number of maximum results that the nslookup returns. Defaults to 1.


Add threat intelligence

Create threat artifacts in a threat collection.

  1. Click Add New Response Action and select Add Threat Intelligence.
  2. Select the Threat Group to attribute this artifact to.
  3. Select the Threat Collection to add the threat artifact to.
  4. Select the Field from event that contains the value to add as a threat artifact to the threat intelligence collection.
  5. Type a Description for the threat artifact.
  6. Type a Weight associated with the threat list. Defaults to 1.
  7. Type a number of Max Results to specify the number of results to process as threat artifacts. Each unique search field value counts as a result. Defaults to 100.
Last modified on 01 June, 2022
Take action on a notable on Incident Review in Splunk Enterprise Security   How urgency is assigned to notable events in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2, 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters