Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can you run a correlation search as an adaptive response or can you run a correlation search from a python script?

j4adam
Communicator
‎02-20-2018 02:06 PM

Hi all,

I have created an adaptive response collects information from a host and indexes it.

I have attached this adaptive response to a correlation search.

I would now like to have the collected information be available in the "Additional Fields" portion of the Incident Review page. This is an issue because that menu is populated by the events returned from the initial search.

The solution I've come to is to have two correlation searches, one to trigger my adaptive response and a second to search for both data and trigger only when the collected data has been found as well. The issue with that is suddenly I need two nearly identical searches which is doubling the search load.

So, finally: Is there a way to streamline this without having to run two correlation searches in parallel? Is there an addon that someone made that I don't know about that allows us to trigger another correlation search "ad hoc" as an adaptive response? Is there a way to run a correlation search via a python script (which is an adaptive response)?

This isn't a one off, I have plenty of searches I need to make this adjustment to so doubling them up is out of the picture, unfortunately.

0 Karma
Reply

starcher
SplunkTrust
SplunkTrust
‎03-03-2018 04:18 AM

This might help answer the spirit of what you are trying to do.

http://www.georgestarcher.com/splunk-enterprise-security-enhancing-incident-review/

The gist of it is. Add a field to incident review settings. Have that field be returned by a lookup based on a field in your notable. Shim the lookup into incident review. Have your adaptive response code go get data and either index it and maintain the lookup off that or update the lookup directly rather than indexing if its a kvstore lookup.

0 Karma
Reply
Get Updates on the Splunk Community!

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey. Last year’s ...

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

Observability Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestSplunk APM's New Tag Filter ExperienceSplunk APM has updated ...