Configure adaptive response actions for detections in Splunk Enterprise Security
Specify the adaptive response actions in response to the results of a detection. Using adaptive response actions, you can collect information and initiate other actions even before you start your investigation, which saves time at triage.
As a Splunk Enterprise Security administrator, you can configure which adaptive response actions get triggered for detections so that you can automate tasks such as creating findings, modifying risk scores, sending emails, running scripts, starting a screen capture, pinging a host, running Nbtstat, running Nslookup, adding threat intelligence, and creating a Splunk Web message. Splunk Enterprise Security includes several adaptive response actions, and you can obtain additional ones from add-ons available on Splunkbase.
You can also view adaptive response invocations while investigating a finding.
You can trigger adaptive response actions by configuring them in the detection editor or on an ad hoc basis when examining a finding on the Mission Control page in Splunk Enterprise Security. You can also create a custom adaptive response action with the Splunk Add-on Builder or by leveraging the cim_actions.py
library available in the Common Information Model Add-on.
Configure permissions for adaptive response actions
Restrict certain adaptive response actions to specific roles by adjusting the permissions using the alert actions manager. To run adaptive response actions from the Mission Control page, you must have the following capabilities:
list_storage_passwords
.admin_all_objects
.
Add an adaptive response action to a detection
Prerequisite Ensure that you have the required permissions to configure the adaptive response actions:
Steps
- In the Splunk Enterprise Security app, select Configure.
- Select Content, then select Content management.
- In the Content management page, locate the detection to which you want to add an adaptive response action. Alternatively, you can create a new detection and add an adaptive response action to that detection.
- Select the detection and open the detection in the Edit finding-based detection editor.
- Go to Adaptive response actions.
- Select +Add new adaptive response action.
- Select the adaptive response action that you want to add.
Included adaptive response actions
Splunk Enterprise Security lets you add the following adaptive response actions.
- Send an email
- Log an event
- Start a stream capture with Splunk Stream
- Run Nbstat
- Run Nslookup
- Create a Splunk Web message
- Output results to telemetry endpoint
- Ping a host
- Run a script
- Send to Splunk Mobile
- Add threat intelligence
- Create a finding
The adaptive response actions that ship out of the box for ping, nbtstat, and nslookup are modified to support Splunk Cloud Platform. Additional setup is required before configuring adaptive response actions from the Splunk Cloud Platform to on-premises infrastructure and services.
If you have multiple apps installed in your environment along with Splunk Enterprise Security, you might see additional adaptive response actions available in those apps.
You can also add new adaptive response actions in addition to the ones available in Splunk Enterprise Security. To add new adaptive response actions, you can install add-ons with adaptive response actions or create your own adaptive response actions.
Send an email as an adaptive response action
Send an email as a result of a detection search match.
Prerequisite
Make sure that the mail server is configured in the Splunk platform before setting up this response action.
- For Splunk Enterprise, see Configure email notification settings in the Splunk Enterprise Alerting Manual.
- For Splunk Cloud Platform, see Configure email notification settings in the Splunk Cloud Platform Alerting Manual.
Steps Follow these steps to send an email as an adaptive response action:
- Select +Add new adaptive response action and select Send email.
- In the To field, type a comma-separated list of email addresses to send the email to.
- (Optional) Change the priority of the email. Defaults to Lowest.
- Enter a subject for the email. The email subject defaults to "Splunk Alert: $name$", where $name$ is the detection Search Name.
- Enter a message to include as the body of the email. Defaults to "The scheduled report '$name$' has run."
- Select the check boxes of the information you want the email message to include.
- Select whether to send a plain-text or HTML and plain-text email message.
If you're using the Override Email Alert Action in the General Settings, the subject="$action.email.subject$"
is passed explicitly. The default useNSSubject
for use in local savedsearches $action.email.subject.alert$
and $action.email.subject.report$
is ignored. See Configure general settings for Splunk Enterprise Security.
When using '''Send email''' as an adaptive response action, token replacement is not supported based on event fields. For example, you cannot use an email subject such as "Splunk Alert: $name$", where $name$ is the detection name. Since this is an ad-hoc adaptive response action rather than a scheduled saved search, the $name$ token does not apply. Token replacement is supported from the adaptive response actions through the detection editor.
Log an event as an adaptive response action
Follow these steps to log an event as an adaptive response action:
- Select +Add new adaptive response action and select Log event.
- In the Event field, specify event text for the logged event.
- In the Source field, enter the source of the alert. For example, alert:$name$
- In the Sourcetype field, enter the source type of the alert. For example, generic_single_line.
- In the Host field, enter the host value.
- In the Index field, indicate a destination index for the logged event. Ensure that the destination matches an existing index. For example, main
- Select Save.
Start a stream capture with Splunk Stream as an adaptive response action
Start a stream capture to capture packets on the IP addresses of the selected protocols over the time period that you select. You can view the results of the stream capture session on the Protocol Intelligence dashboards.
A stream capture won't work unless you integrate Splunk Stream with Splunk Enterprise Security. See Integrate Splunk Stream with Splunk Enterprise Security.
Follow these steps to start a stream capture:
- Select + Add New Response Action and select Stream Capture to start a packet capture in response to a detection search match.
- Enter a Description to describe the stream created in response to the detection search match.
- Enter a Category to define the type of stream capture. You can view streams by category in Splunk Stream.
- Enter the comma-separated event fields to search for IP addresses for the Stream capture. The first non-null field is used for the capture.
- Enter the comma-separated list of protocols to capture.
- Select a Capture duration to define the length of the packet capture.
- Enter a Stream capture limit to limit the number of stream captures started by the detection.
Run Nbstat as an adaptive response action
You can learn more about a host and the services that the host runs by running nbtstat as an adaptive response action, which might help to troubleshoot a NetBios name resolution problem. For more information on Microsoft's nbtstat
command, see nbstat.
Follow these steps to run nbstat as an adaptive response action:
- Select +Add New Response Action and select Nbtstat.
- Enter the event field that contains the host that you want to run the nbtstat for in the Host Field.
- Enter the number of maximum results that the nbtstat returns. The default value is 1.
- (Optional) Select an index from the drop-down list to save the results to an existing index or a custom index. The default value is main.
- (Optional) Select a worker set from the drop-down list to use for executing adaptive response actions on a Splunk Cloud Platform search head with the Splunk Enterprise Security instance.
Custom indexes are configurable for the adaptive response actions of ping, nbtstat, and nslookup so that you can separate those out from the main index for access restrictions, retention policies, or search purposes. See Create custom indexes in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual.
The worker set drop-down menu is specific to adaptive response actions on a Splunk Cloud Platform search head with a Splunk Enterprise Security instance.
Run Nslookup as an adaptive response action
Run nslookup to identify the domain name of an IP address, or the IP address of a domain name.
Follow these steps to run nslookup as an adaptive response action:
- Select +Add New Response Action and select Nslookup.
- Enter the event field that contains the host that you want to run the nslookup for in the Host Field.
- Enter the number of maximum results that the nslookup returns. The default value is 1.
- (Optional) Select an index from the drop-down list to save the results to an existing index or a custom index. The default value is main.
- (Optional) Select a worker set from the drop-down list to use for executing adaptive response actions on a Splunk Cloud Platform search head with the Splunk Enterprise Security instance.
Custom indexes are configurable for the adaptive response actions of ping, nbtstat, and nslookup so that you can separate those out from the main index for access restrictions, retention policies, or search purposes. See Create custom indexes in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual.
The worker set drop-down menu is specific to adaptive response actions on a Splunk Cloud Platform search head with the Splunk Enterprise Security instance.
Create a Splunk Web message as an adaptive response action
Follow these steps to create messages in Splunk Web as an adaptive response action:
- Select + Add new adaptive response action and then select Create Splunk messages.
- From the Name drop-down, select a name for the message. For example, ADDINFO:INVALID_OUTPUT_FORMAT_S or DISK_MON:INSUFFICIENT_DISK_SPACE_ERROR.
- (optional) In the Message ID field, enter a message ID. For example, insufficient_diskspace.
- (optional) If a message uses field substitution, enter the names of the fields to be used in message argument substitution In Fields. Use comma to separate the field names. The fields used for argument substitution must be returned in the search results to be included in the message. Enter the fields in the order that they must be substituted in the message. For example, for a message Host %s has free disk space %d, below the minimum 5GB., enter the fields src,FreeMBytes.
- Select Yes or No to specify whether to keep only the latest message produced by the search, based on the message ID. Selecting Yes helps to reduce the number of messages. For example, if the host has low disk space for three days, rather than get daily messages for three days, select Yes for this setting to only see one message.
- Select Save.
Output results to telemetry endpoint as an adaptive response action
Follow these steps to output the results of a detection to a telemetry endpoint as an adaptive response action:
- Select +Add new adaptive response action.
- Select Output results to telemetry endpoint.
- In the Name field, enter the component name from which telemetry results are collected.
- In Inpur field, enter the field name form which telemetry results are collected.
- In Data type, select whether you want to collect the telemetry results as events or as an aggregate.
- In the Categories field, select the type of telemetry data you want to collect from one of the following options:
- Anonymized usage data
- Support usage data
- License usage data
- In the Required opt-in field, select the Splunk Enterprise Security version form which you want to collect telemetry.
Ping a host as an adaptive response action
Determine whether a host is still active on the network by pinging the host.
Follow these steps to ping a host:
- Select Add New Response Action and select Ping.
- Enter the event field that contains the host that you want to ping in the Host Field.
- Enter the number of maximum results that the ping returns. Defaults to 1.
- (Optional) Select an index from the drop-down list to save the results to an existing index or a custom index. Defaults to main.
- (Optional) Select a worker set from the drop-down list to use for executing adaptive response actions on a Splunk Cloud Platform ES search head.
Custom indexes are configurable for the adaptive response actions of ping, nbtstat, and nslookup so that you can separate those out from the main index for access restrictions, retention policies, or search purposes. See Create custom indexes in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual.
The worker set drop-down menu is specific to adaptive response actions on a Splunk Cloud Platform ES search head. See Set up an adaptive response relay from a Splunk Cloud Platform Enterprise Security search head to an on-premises device in the Administer Splunk Enterprise Security manual.
Run a script as an adaptive response action
Follow these steps to run a script stored in $SPLUNK_HOME/bin/scripts
.
- Select + Add New Response Action and select Run a script.
- Enter the file name of the script.
For more information on scripted alerts, see the product documentation:
- For Splunk Enterprise, see Configure scripted alerts in the Splunk Enterprise Alerting Manual.
- For Splunk Cloud Platform, see Configure scripted alerts in the Splunk Cloud Platform Alerting Manual.
Send to UBA as an adaptive response action
Follow these steps to send findings to UBA as an adaptive response action:
- Select +Add new adaptive response action.
- Select Send to UBA.
- From the Category drop-down, select the type of findings to send to UBA. For example, DOS, Exfiltrations, Insider threat, and so on
- In the Severity field, enter a value to specify the severity level of the findings that must be sent to UBA.
- Select Save.
Send findings to Splunk Mobile as an adaptive response action
Follow these steps to send findings to Splunk Mobile as an adaptive response action:
- Select +Add new adaptive response action.
- Select Send to Splunk Mobile.
- In the To drop-down, select the role that receives the finding in Splunk Mobile. For example,
ess_analyst
,ess_admin
- In the Severity field, select the severity level of the findings to send to Splunk Mobile. For example, Critical, High
- Enter a Title.
- (optional) Enter a description.
- Select a supported dashboard to display the findings data. For example, Access Anomalies
- (optional)If your dashboard supports input tokens, you can specify a token name and a corresponding token value using the result field name.
- Specify a label and URL to open when the action label is tapped.
- Select Save.
Add threat intelligence as an adaptive response action
Follow these steps to create threat artifacts in a threat collection as an adaptive response action:
- Select Add New Response Action and select Add Threat Intelligence.
- Select the Threat Group to attribute this artifact to.
- Select the Threat Collection to insert the threat artifact into.
- Enter the Search Field that contains the value to insert into the threat artifact.
- Enter a Description for the threat artifact.
- Enter a Weight associated with the threat list. The default value is 1.
- Enter a number of Max Results to specify the number of results to process as threat artifacts. Each unique search field value counts as a result. The default value is 100.
Create a finding as an adaptive response action
Follow these steps to create a finding when the conditions of a detection are met:
- Select + Add New Response Action and select Finding to add a finding as an adaptive response action to the detection.
- Enter a Title for the finding. Supports variable substitution from the fields in the matching event.
- Enter a Description of the finding. Supports variable substitution from the fields in the matching event.
- Select the Security Domain for the finding from the drop-down list.
- Select the Severity for the finding from the drop-down list. The severity is used to calculate the Urgency of a finding.
- (Optional) Change the default owner of the finding from the system default, unassigned.
- (Optional) Change the default status of the finding from the system default, New.
- Enter a drill-down search for the Contributing Events link in the finding.
You can add multiple drill down searches by selecting + Drilldown. You can also expand and collapse specific drilldowns using the > symbol to focus on specific parts of the detection. - Enter a drill-down search for the Contributing Events link in the finding.
- In the Drill-down earliest offset field, enter the amount of time before the time of the triggering event to look for related events for the Contributing Events link in the finding.
For example 2h to look for contributing events 2 hours before the triggering event. - In the Drill-down latest offset field, enter the amount of time after the time of the triggering event to look for related events for the Contributing Events link in the finding.
For example, 1h to look for contributing events 1 hour after the triggering event. - (Optional) Add Investigation Profiles that apply to the finding.
For example, add an investigation profile that fits a use case of "Malware" to malware-related notable events. - (Optional) Add fields that contain assets in Asset Extraction to extract the field values as artifacts when the finding is added to an investigation.
- (Optional) Add fields that contain identities in Identity Extraction to extract the field values as an artifact when the finding is added to an investigation.
- Enter Next Steps for an analyst to take after triaging a finding. Enter text or select Insert Adaptive Response Action to reference a response action in the text of the next steps. You can only enter plain text and links to response actions in the Next steps field. Use next steps if you want to recommend adaptive response actions that must be taken in a specific order.
For example, ping a host to determine if it is active on the network. If the host is active, increase the risk score by 100, otherwise, increase the risk score by 50. - Select Recommended Actions to complement the next steps. From the list of all adaptive response actions, select the name of an action that you recommend as a triage or investigation step for this finding to add it to the list of recommended actions that analysts can take for this finding. You can add as many recommended actions as you like. Use recommended actions to recommend response actions that do not need to be taken in a specific order.
For example, increase the risk score on a host and perform an nslookup on a domain name.
View adaptive response actions during investigations
Follow these steps to view adaptive response actions while investigating findings during an investigation:
- In the Splunk Enterprise Security app, go to the Mission Control page.
- Select any finding to open the finding details in the side panel.
- Go to View adaptive response invocations to drill down on the underlying events for the finding.
Turn on detections in Splunk Enterprise Security | Configure adaptive response action relays in Splunk Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1
Feedback submitted, thanks!