Splunk® Enterprise Security

Administer Splunk Enterprise Security

Configure adaptive response action relays in Splunk Enterprise Security

You can use adaptive response actions in Splunk Enterprise Security without exposing infrastructure controls and administration to the open internet if you are on the Splunk Cloud Platform. Adaptive response action relays allow adaptive response actions to queue on the Splunk Cloud Platform search head with the Splunk Enterprise Security instance. These queued actions store metadata and search results that allow a separate proxy component to run those adaptive response actions from within the on-premises environment.

You must install Splunk Enterprise Security on the heavy forwarder prior to configuring it for adaptive response actions.

Perform the following steps to set up adaptive response action relays:

  1. Install the technology add-on for Adaptive Response on your heavy forwarder.
  2. Configure your Splunk Cloud Platform ES search head with an API key.
  3. Configure your on-premises heavy forwarder with an API key.
  4. Configure your on-premises heavy forwarder with a modular action relay.
  5. Configure your Splunk Cloud Platform ES search head with a modular action worker.
  6. Configure adaptive response actions for your Splunk Cloud Platform ES search head.

Install the technology add-on for adaptive response actions on your heavy forwarder

For an on-premises heavy forwarder to perform adaptive response actions, you must install the actions on both the Splunk Cloud Platform search head with the Splunk Enterprise Security instance and the heavy forwarder. These actions are installed by default with Splunk Enterprise Security in $SPLUNK_HOME/etc/apps/SA-ThreatIntelligence, but you must install them manually on your heavy forwarder.

Follow these steps to install the technology add-on for adaptive response actions on your heavy forwarder:

  1. From the Splunk Enterprise Security menu bar of the Splunk Cloud Platform ES search head, select Configure.
  2. Select General settings.
  3. Locate Distributed configuration management.
  4. Select Splunk_TA_AROnPrem to download the app.
  5. Install the app on the heavy forwarder.

Configure your Splunk Cloud Platform ES search head with an API key

The API key allows you to authenticate from the KV Store collection and Common Action Model (CAM) queue. You must create and manage your own API key. The API key follows a specific format, and it does not support two-factor authentication. For a Splunk Cloud Platform environment that requires two-factor authentication, turn off this feature by not setting an API key.

Follow these steps to configure your Splunk Cloud Platform ES search head with an API key:

  1. Retrieve the heavy forwarder's serverName value by running the following search on the heavy forwarder:

    | rest /services/server/info | table serverName

    Take note of this name because you will need it when you set up your heavy forwarder. In this example the serverName value is hf1.
  2. Install the Common Information Model version 4.12 or higher on the Splunk Cloud Platform Enterprise Security search head, if you haven't done so already.
  3. Generate an API key on the Splunk Cloud Platform Enterprise Security search head.
    1. From the Apps drop-down menu, select Manage apps and search for Splunk Common Information Model.
    2. Select Setup and then select the Adaptive Response tab.
    3. Under Manage API Keys do the following steps:
      1. In the Key Name field, enter the serverName value that you retrieved: in this case, hf1.
      2. To generate the API key value, enter the following URI into a browser window of your Splunk Cloud Platform Enterprise Security search head: https://<yoursplunkserver>/en-US/splunkd/__raw/alerts/modaction_queue/key
        This returns a random 128-character string in the valid format.
      3. Copy and paste the string into the API Key field.
        Take note of this string because you must use it when you configure your heavy forwarder.

Configure your on-premises heavy forwarder with an API key

An API key allows the heavy forwarder to authenticate against the Splunk Cloud Platform Enterprise Security search head. The API key on the heavy forwarder must match the API key on the Splunk Cloud Platform Enterprise Security search head.

Follow these steps to configure your on-premises heavy forwarder with an API key:

  1. Install the Common Information Model version 4.12 or higher on the heavy forwarder, if you haven't done so already.
  2. From the Splunk Enterprise Security menu bar, select Configure.
  3. Select CIM Setup, and then select the Adaptive response tab.
  4. Under Manage API Keys do the following steps:
    1. On the key management page, in the Key Name field, enter the serverName value that you noted. See the Configure your Splunk Cloud Platform Enterprise Security search head with an API key section.
    2. On the key management page, in the API Key field, paste the string that you noted. See the Configure your Splunk Cloud Platform Enterprise Security search head with an API key section.

Configure your on-premises heavy forwarder with a modular action relay

The modular action relay is where you set the heavy forwarder to retrieve queued search results from a Splunk Cloud Platform correlation search so that it can execute adaptive response actions on premises.

Follow these steps to configure your on-premises heavy forwarder with a modular action relay:

  1. From the Splunk Enterprise Security menu bar, select Settings.
  2. Select Data inputs.
  3. Go to Modular Action Relay and select + Add new.
    1. Enter a Name for the relay, such as relay1.
    2. Enter the Remote Search Head URI in the format of protocol://servername:port, such as: https://10.224.62.249:8089.
      8089 is the default port for Splunk Cloud Platform. However, port 8089 is not open for communication from the designated heavy forwarder. You must create a Splunk Cloud Platform Operations request to open the 8089 port from an approved IP list so that the heavy forwarder can communicate with the Splunk Enterprise Security search head.
    3. Enter a Description for the relay, such as remote search head.
    4. Enter the Api Key Name (the serverName value that you noted such as hf1. See Configure your Splunk Cloud Platform Enterprise Security search head with an API key section.
    5. Enter True in the Verify field to verify the certificates between the worker and the Splunk Cloud Platform Enterprise Security search head.
    6. (Optional) If your Splunk Enterprise Security search head is using a privately signed SSL certificate, add your root CA certificate chain file to the Splunk_SA_CIM/auth directory on the heavy forwarder and provide its file name to this input in the Client Certificate field. If your search head is in Splunk Cloud Platform, this is not an issue.

Configure your Splunk Cloud Platform Enterprise Security search head with a modular action worker

The modular action worker is where you specify the serverName value of the heavy forwarder that the Splunk Cloud Platform Enterprise Security search head will queue search results for.

Follow these steps to configure your Splunk Cloud Platform Enterprise Security search head with a modular action worker:

  1. From the Splunk Enterprise Security menu bar of the Splunk Cloud Platform Enterprise Security search head, select Configure > Content > Content Management.
  2. Enter Modular Action Workers in the search filter.
  3. Enter the name of the Modular Action Workers lookup.
  4. Add a worker set and the name of the worker. The worker_set value is used when running Adaptive Response actions from ES. The cam_worker is the actual name of the heavy forwarder that will execute the actions.
    1. Leave the row with local as-is because it allows for local execution of actions on the Splunk Cloud Platform Enterprise Security search head.
    2. In the worker_set column, enter a descriptive name for the heavy forwarder: onprem.
    3. In the cam_workers column, enter the serverName value that you took note of in the Configure your Splunk Cloud Platform Enterprise Security search head with an API key section, such as ["hf1"].
      The format requires array-style notation of "["nameofworker"]" with each worker name in quotes and separated with commas in CSV encoded JSON. An example of multiple workers is "["hf1","hf2"]".

Configure adaptive response actions for your Splunk Cloud Platform Enterprise Security search head

The Worker Set drop-down menu is specific to adaptive response actions on a Splunk Cloud Platform Enterprise Security search head. After completing the in the Configure your Splunk Cloud Platform ES search head with a modular action worker section, when you create or edit a detection to add an adaptive response action, the drop-down menu includes the worker_set that you created.

Select the worker_set to use for executing those adaptive response actions from within the on-premises environment.

The results of adaptive response actions, ping for example, are found in "index=main source=ping".


See also

For more information on distributed adaptive response actions in Splunk Enterprise Security, see the product documentation:

Last modified on 04 October, 2024
Configure adaptive response actions for detections in Splunk Enterprise Security   Run adaptive response actions in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters