Create response plans in Splunk Enterprise Security

Create response plans to help document your security operating procedures and standardize the tasks and phases that analysts complete while they respond to investigations in Splunk Enterprise Security. A response plan is a template of guidelines for analysts to follow so that they can provide a standardized response for investigations of the same type. You can use response plans provided by Splunk Enterprise Security, such as NIST 800-61 or Vulnerability Disclosure, or you can create your own custom response plan.

For more details on the response plans included with Splunk Enterprise Security, see Included response plans in Splunk Enterprise Security in the Use Splunk Enterprise Security manual.

Create a response plan

You can use response plans that are included with Splunk Enterprise Security, or you can create your own.

Follow these steps to create a response plan:

1. In Splunk Enterprise Security, select Security content and then select Response plans.
2. Select + Response plan.
3. Enter a name for the response plan in the Title text box.

   You can't enter a name with more than 250 characters for response plan titles, phases, or tasks. Additionally, you can't enter a description with more than 7,000 characters.

4. (Optional) Enter a description for the response plan to describe what someone might use it for. For example, "Guide response to a ransomware infection".
5. Select + Phase and enter a name for a phase of the response plan. For example, "Contain infection".
6. Select + Task to add a task to the phase.
7. Enter a name for the task. For example, "Quarantine the device".
8. (Optional) Select an owner from the drop-down list to always assign this task to a specific person.
9. (Optional) Select the check box to require a note upon task completion.
10. Select the down arrow to expand the task and add details.
11. (Optional) Enter a description for the task. You can use Markdown syntax to format the text in the description and add tables, links, and other useful information to help an analyst complete the task.

    Markdown doesn't support adding links with HTML. You must use the [title](https://www.example.com) syntax to create a link. See the "Cheat Sheet" on the Markdown Guide website for more details.

12. (Optional) Expand the Actions or Playbooks section and select + Action or + Playbook to set up an action or playbook to run with the task.
13. (Optional) Expand the Searches section and select + Search to embed a search in the task.
14. (Optional) Select + Phase to add another phase to the response plan.
15. Continue adding phases and tasks until your response plan is complete.
16. Toggle the Status switch to Published and select Save Changes to publish the response plan.

    You can only add published response plans to investigations.

Manage response plans

Use the response plan table in Splunk Enterprise Security to view all of your drafted and published response plans. The response plan table includes default response plans that are included with Splunk Enterprise Security and any response plans that you created. You can manage your response plans by modifying and sorting them.

Modify response plans

You can edit, copy, and delete response plans that you created. Changes that you make to response plans are not versioned. If you edit an already-published response plan, it stays published and does not revert to a draft.

The response plans included with Splunk Enterprise Security are read-only. You can copy them, but you can't edit or delete them.

Follow these steps to modify a response plan:

1. In Splunk Enterprise Security, select Security content and then select Response plans.
2. Locate the response plan you want to modify.
3. To edit the response plan, select the name of the response plan that you want to modify.
   1. Make the changes you want to the phases and tasks.
   2. If your response plan is not published, toggle the Status switch to Published and select Save changes to publish the response plan and make it available for analysts to use.
   3. If your response plan is already published, select Save changes.
4. To delete the response plan, select the more icon ( ).
   1. Select Delete.
   2. Confirm that you want to delete the response plan by selecting Delete.

      After you delete a response plan, you can no longer assign it to an investigation. However, if you previously assigned the response plan to an investigation, the investigation preserves the response plan.

5. To copy the response plan, select the more icon ( ).
   1. Select Copy.
   2. Enter a new name for the copied response plan, or keep the default copy name.
   3. Select Save.

Sort response plans

You can sort the response plan table to search for a particular response plan.

Follow these steps to sort response plans:

1. In Splunk Enterprise Security, select Security content and then select Response plans to find the response plan table.
2. Select the column heading with the value you want to sort by. You can see which value the table is sorted by based on which column heading the arrow icon ( ) appears next to.
3. (Optional) Select the column heading again to reverse the order.

Embed new and existing searches in response plan tasks

You can embed a new or existing search in a response plan task to help an analyst complete that task. Embedding searches in tasks can help advance investigations, especially for use cases with complex searches or for users who are unfamiliar with the Search Processing Language (SPL). After you embed a search in a response plan task, you can run the search directly from an investigation in Splunk Enterprise Security. You can embed a search in a task by editing an existing response plan or by creating a new one.

Follow these steps to embed searches in response plan tasks:

1. In Splunk Enterprise Security, select Security content and then select Response plans.
2. Open an existing response plan, or create a new one.
3. Expand the phase you want to edit, or select + Phase.
4. Expand the task you want to add a search to, or select + Task.
5. In the task you want to embed a search in, expand the Searches section.
6. Select + Searches. You can embed either a new search or an existing one.
7. To embed a new search, complete the following steps:
   1. Create a new search by giving your search a name and description.

      You can't enter more than 250 characters for the name of your search, and you can't enter more than 7,000 characters for the description of your search.

   2. Enter a Splunk search in the Search syntax field. For example, to detect excessive failed login attempts, enter the following search:
      

      | from datamodel: "Authentication"."Failed_Authentication" | stats values("tag") as "tag", dc("user") as "user_count", dc("dest") as "dest_count", count by "app", "src" | where 'count'>=6

   3. (Optional) To add a token to your search, enter the token name anywhere in the Search syntax field using the $token_name$ syntax.
8. To embed an existing search, complete the following steps:
   1. Select Browse saved searches.
   2. Choose an existing search and select Submit to automatically populate the Search syntax field with a saved search.

      You can't edit the name, description, or search syntax of a saved search.

9. Toggle the Status switch to Published. You must publish your response plan to locate the response plan task, and therefore your embedded search, from an investigation.
10. Select Save changes.

See also

For more information on response plans, see the product documentation:

• Set up actions and playbooks to run with response plan tasks in Splunk Enterprise Security
• Add a response plan to an investigation in Splunk Enterprise Security
• Included response plans in Splunk Enterprise Security
• Add tokens in response plans in Splunk Enterprise Security