Configure adaptive response action relays in Splunk Enterprise Security
You can use adaptive response actions in Splunk Enterprise Security without exposing infrastructure controls and administration to the open internet if you are on the Splunk Cloud Platform. Adaptive response action relays allow adaptive response actions to queue on the Splunk Cloud Platform search head with the Splunk Enterprise Security instance. These queued actions store metadata and search results that allow a separate proxy component to run those adaptive response actions from within the on-premises environment.
You must install Splunk Enterprise Security on the heavy forwarder prior to configuring it for adaptive response actions.
Perform the following steps to set up adaptive response action relays:
- Install the technology add-on for Adaptive Response on your heavy forwarder.
- Configure your Splunk Cloud Platform ES search head with an API key.
- Configure your on-premises heavy forwarder with an API key.
- Configure your on-premises heavy forwarder with a modular action relay.
- Configure your Splunk Cloud Platform ES search head with a modular action worker.
- Configure adaptive response actions for your Splunk Cloud Platform ES search head.
Install the technology add-on for adaptive response actions on your heavy forwarder
For an on-premises heavy forwarder to perform adaptive response actions, you must install the actions on both the Splunk Cloud Platform search head with the Splunk Enterprise Security instance and the heavy forwarder. These actions are installed by default with Splunk Enterprise Security in $SPLUNK_HOME/etc/apps/SA-ThreatIntelligence
, but you must install them manually on your heavy forwarder.
Follow these steps to install the technology add-on for adaptive response actions on your heavy forwarder:
- From the Splunk Enterprise Security menu bar of the Splunk Cloud Platform ES search head, select Configure.
- Select General settings.
- Locate Distributed configuration management.
- Select Splunk_TA_AROnPrem to download the app.
- Install the app on the heavy forwarder.
Configure your Splunk Cloud Platform ES search head with an API key
The API key allows you to authenticate from the KV Store collection and Common Action Model (CAM) queue. You must create and manage your own API key. The API key follows a specific format, and it does not support two-factor authentication. For a Splunk Cloud Platform environment that requires two-factor authentication, turn off this feature by not setting an API key.
Follow these steps to configure your Splunk Cloud Platform ES search head with an API key:
- Retrieve the heavy forwarder's
serverName
value by running the following search on the heavy forwarder:
Take note of this name because you will need it when you set up your heavy forwarder. In this example the| rest /services/server/info | table serverName
serverName
value ishf1
. - Install the Common Information Model version 4.12 or higher on the Splunk Cloud Platform Enterprise Security search head, if you haven't done so already.
- Generate an API key on the Splunk Cloud Platform Enterprise Security search head.
- From the Apps drop-down menu, select Manage apps and search for Splunk Common Information Model.
- Select Setup and then select the Adaptive Response tab.
- Under Manage API Keys do the following steps:
- In the Key Name field, enter the
serverName
value that you retrieved: in this case,hf1
. - To generate the API key value, enter the following URI into a browser window of your Splunk Cloud Platform Enterprise Security search head:
https://<yoursplunkserver>/en-US/splunkd/__raw/alerts/modaction_queue/key
This returns a random 128-character string in the valid format. - Copy and paste the string into the API Key field.
Take note of this string because you must use it when you configure your heavy forwarder.
- In the Key Name field, enter the
Configure your on-premises heavy forwarder with an API key
An API key allows the heavy forwarder to authenticate against the Splunk Cloud Platform Enterprise Security search head. The API key on the heavy forwarder must match the API key on the Splunk Cloud Platform Enterprise Security search head.
Follow these steps to configure your on-premises heavy forwarder with an API key:
- Install the Common Information Model version 4.12 or higher on the heavy forwarder, if you haven't done so already.
- From the Splunk Enterprise Security menu bar, select Configure.
- Select CIM Setup, and then select the Adaptive response tab.
- Under Manage API Keys do the following steps:
- On the key management page, in the Key Name field, enter the
serverName
value that you noted. See the Configure your Splunk Cloud Platform Enterprise Security search head with an API key section. - On the key management page, in the API Key field, paste the string that you noted. See the Configure your Splunk Cloud Platform Enterprise Security search head with an API key section.
- On the key management page, in the Key Name field, enter the
Configure your on-premises heavy forwarder with a modular action relay
The modular action relay is where you set the heavy forwarder to retrieve queued search results from a Splunk Cloud Platform correlation search so that it can execute adaptive response actions on premises.
Follow these steps to configure your on-premises heavy forwarder with a modular action relay:
- From the Splunk Enterprise Security menu bar, select Settings.
- Select Data inputs.
- Go to Modular Action Relay and select + Add new.
- Enter a Name for the relay, such as
relay1
. - Enter the Remote Search Head URI in the format of
protocol://servername:port
, such as:https://10.224.62.249:8089
.
8089 is the default port for Splunk Cloud Platform. However, port 8089 is not open for communication from the designated heavy forwarder. You must create a Splunk Cloud Platform Operations request to open the 8089 port from an approved IP list so that the heavy forwarder can communicate with the Splunk Enterprise Security search head. - Enter a Description for the relay, such as
remote search head
. - Enter the Api Key Name (the
serverName
value that you noted such ashf1
. See Configure your Splunk Cloud Platform Enterprise Security search head with an API key section. - Enter
True
in the Verify field to verify the certificates between the worker and the Splunk Cloud Platform Enterprise Security search head. - (Optional) If your Splunk Enterprise Security search head is using a privately signed SSL certificate, add your root CA certificate chain file to the
Splunk_SA_CIM/auth
directory on the heavy forwarder and provide its file name to this input in the Client Certificate field. If your search head is in Splunk Cloud Platform, this is not an issue.
- Enter a Name for the relay, such as
Configure your Splunk Cloud Platform Enterprise Security search head with a modular action worker
The modular action worker is where you specify the serverName
value of the heavy forwarder that the Splunk Cloud Platform Enterprise Security search head will queue search results for.
Follow these steps to configure your Splunk Cloud Platform Enterprise Security search head with a modular action worker:
- From the Splunk Enterprise Security menu bar of the Splunk Cloud Platform Enterprise Security search head, select Configure > Content > Content Management.
- Enter
Modular Action Workers
in the search filter. - Enter the name of the Modular Action Workers lookup.
- Add a worker set and the name of the worker. The
worker_set
value is used when running Adaptive Response actions from ES. Thecam_worker
is the actual name of the heavy forwarder that will execute the actions.- Leave the row with local as-is because it allows for local execution of actions on the Splunk Cloud Platform Enterprise Security search head.
- In the worker_set column, enter a descriptive name for the heavy forwarder:
onprem
. - In the cam_workers column, enter the
serverName
value that you took note of in the Configure your Splunk Cloud Platform Enterprise Security search head with an API key section, such as["hf1"]
.
The format requires array-style notation of"["nameofworker"]"
with each worker name in quotes and separated with commas in CSV encoded JSON. An example of multiple workers is"["hf1","hf2"]"
.
Configure adaptive response actions for your Splunk Cloud Platform Enterprise Security search head
The Worker Set drop-down menu is specific to adaptive response actions on a Splunk Cloud Platform Enterprise Security search head. After completing the in the Configure your Splunk Cloud Platform ES search head with a modular action worker section, when you create or edit a detection to add an adaptive response action, the drop-down menu includes the worker_set
that you created.
Select the worker_set
to use for executing those adaptive response actions from within the on-premises environment.
The results of adaptive response actions, ping for example, are found in "index=main source=ping"
.
See also
For more information on distributed adaptive response actions in Splunk Enterprise Security, see the product documentation:
- See Adaptive response framework in Splunk Enterprise Security on the Splunk Developer Portal.
- See Create an adaptive response action on the Splunk Developer Portal.
- See Example distributed adaptive response action on the Splunk Developer Portal.
- See Create an adaptive response action for Splunk Enterprise Security in the Splunk Add-on Builder User Guide.
Configure adaptive response actions for detections in Splunk Enterprise Security | Run adaptive response actions in Splunk Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1
Feedback submitted, thanks!