Splunk Enterprise Security

Can you run a correlation search as an adaptive response or can you run a correlation search from a python script?


Hi all,

I have created an adaptive response that collects information from a host and indexes it.

I have attached this adaptive response to a correlation search.

I would now like to have the collected information be available in the "Additional Fields" portion of the Incident Review page. This is an issue because that menu is populated by the events returned from the initial search.

The solution I've come to is to have two correlation searches, one to trigger my adaptive response and a second to search for both data and trigger only when the collected data has been found as well. The issue with that is suddenly I need two nearly identical searches which is doubling the search load.

So, finally: Is there a way to streamline this without having to run two correlation searches in parallel? Is there an addon that someone made that I don't know about that allows us to trigger another correlation search "ad hoc" as an adaptive response? Is there a way to run a correlation search via a python script (which is an adaptive response)?

This isn't a one off, I have plenty of searches I need to make this adjustment to so doubling them up is out of the picture, unfortunately.



This might help answer the spirit of what you are trying to do.


The gist of it is: add a field to Incident Review settings. Have that field be returned by a lookup based on a field in your notable. Shim the lookup into Incident Review. Have your adaptive response code go get data and either index it and maintain the lookup off that, or update the lookup directly rather than indexing if it's a KV store lookup.

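Added example, not code from the original thread or from Splunk: an adaptive response script in the shape the answer above suggests. It reads the JSON payload Splunk pipes to an alert action on stdin when it runs the script with `--execute`, takes the notable's key field, collects enrichment data, and writes one row into a KV store collection through the `storage/collections/data/<collection>/batch_save` REST endpoint (which inserts or replaces rows by `_key`). The app name `SA-HostEnrichment`, the collection `host_enrichment`, the key field `dest`, the `collect_host_info` placeholder and the sample payload are all assumptions constructed for the example; the collection would need to exist in collections.conf and be exposed as a lookup in transforms.conf with `external_type = kvstore`.

```python
"""Adaptive response that maintains a KV store lookup keyed on a notable field.

Hypothetical example, not Splunk's own code. Assumes a collection
"host_enrichment" in app "SA-HostEnrichment" exposed as a KV store lookup
with fields _key, dest, os, owner, last_seen, and a notable carrying "dest".
"""
import json
import sys
import urllib.request
from typing import Callable, Dict, List, Optional

APP = "SA-HostEnrichment"       # hypothetical app that owns the collection
COLLECTION = "host_enrichment"  # hypothetical KV store collection behind the lookup
KEY_FIELD = "dest"              # notable field used as the lookup key

# Constructed stand-in for the JSON Splunk sends on stdin with --execute.
SAMPLE_PAYLOAD = json.dumps({
    "session_key": "SESSION_KEY_PLACEHOLDER",
    "server_uri": "https://127.0.0.1:8089",
    "search_name": "Example - Suspicious Host Activity - Rule",
    "result": {"dest": "web01.example.local", "src": "10.0.0.5", "signature": "example"},
})


def parse_payload(raw: str) -> Dict:
    """Parse the alert payload and fail early if a field the script needs is absent."""
    payload = json.loads(raw)
    for required in ("session_key", "server_uri", "result"):
        if required not in payload:
            raise ValueError(f"alert payload is missing '{required}'")
    return payload


def collect_host_info(host: str) -> Dict[str, str]:
    """Placeholder for the collection step; returns constructed values so the
    example runs offline instead of querying the host."""
    return {"os": "linux", "owner": "it-ops", "last_seen": "2024-01-01T00:00:00Z"}


def build_lookup_record(result: Dict, collected: Dict[str, str]) -> Dict[str, str]:
    """Shape one KV store row; _key mirrors the notable's key field so batch_save upserts."""
    key = result.get(KEY_FIELD)
    if not key:
        raise ValueError(f"triggering event has no '{KEY_FIELD}' field to key the lookup on")
    record = {"_key": key, KEY_FIELD: key}
    record.update(collected)
    return record


def batch_save_url(server_uri: str, app: str = APP, collection: str = COLLECTION) -> str:
    """REST endpoint that inserts or replaces rows by _key in one request."""
    base = server_uri.rstrip("/")
    return f"{base}/servicesNS/nobody/{app}/storage/collections/data/{collection}/batch_save"


def upsert_records(server_uri: str, session_key: str, records: List[Dict],
                   post: Optional[Callable[[str, bytes, Dict[str, str]], int]] = None) -> int:
    """POST the rows to batch_save using the session key Splunk handed the script.
    `post` is injectable so the call can be exercised without a live server."""
    headers = {"Authorization": f"Splunk {session_key}", "Content-Type": "application/json"}
    body = json.dumps(records).encode("utf-8")
    if post is None:
        def post(url: str, data: bytes, hdrs: Dict[str, str]) -> int:
            # The management port usually has a self-signed cert; pass an ssl
            # context to urlopen if your deployment needs one.
            req = urllib.request.Request(url, data=data, headers=hdrs, method="POST")
            with urllib.request.urlopen(req) as resp:
                return resp.status
    return post(batch_save_url(server_uri), body, headers)


def run(raw_payload: str, post=None) -> Dict[str, str]:
    """Full flow for one triggering event: parse, collect, write the lookup row."""
    payload = parse_payload(raw_payload)
    host = payload["result"].get(KEY_FIELD, "")
    record = build_lookup_record(payload["result"], collect_host_info(host))
    upsert_records(payload["server_uri"], payload["session_key"], [record], post=post)
    return record


if __name__ == "__main__":
    # Splunk invokes alert scripts as: python script.py --execute  (payload on stdin)
    if "--execute" in sys.argv:
        run(sys.stdin.read())
    else:
        # Offline dry run: show the row that would be written instead of calling REST.
        print(json.dumps(run(SAMPLE_PAYLOAD, post=lambda url, body, hdrs: 200), indent=2))
```

The row only shows up under "Additional Fields" once the lookup is joined to the notable, which is the "shim" step in the answer; with the assumed names that is a `| lookup host_enrichment dest OUTPUT os owner last_seen` added wherever Incident Review builds the notable's field list, and `os`, `owner` and `last_seen` then added as Incident Review fields. Because the key is the notable's own `dest`, re-running the adaptive response for the same host replaces the row rather than accumulating duplicates, so no second correlation search is needed.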