Splunk Enterprise Security

Can you run a correlation search as an adaptive response or can you run a correlation search from a python script?


Hi all,

I have created an adaptive response collects information from a host and indexes it.

I have attached this adaptive response to a correlation search.

I would now like to have the collected information be available in the "Additional Fields" portion of the Incident Review page. This is an issue because that menu is populated by the events returned from the initial search.

The solution I've come to is to have two correlation searches, one to trigger my adaptive response and a second to search for both data and trigger only when the collected data has been found as well. The issue with that is suddenly I need two nearly identical searches which is doubling the search load.

So, finally: Is there a way to streamline this without having to run two correlation searches in parallel? Is there an addon that someone made that I don't know about that allows us to trigger another correlation search "ad hoc" as an adaptive response? Is there a way to run a correlation search via a python script (which is an adaptive response)?

This isn't a one off, I have plenty of searches I need to make this adjustment to so doubling them up is out of the picture, unfortunately.

0 Karma


This might help answer the spirit of what you are trying to do.


The gist of it is. Add a field to incident review settings. Have that field be returned by a lookup based on a field in your notable. Shim the lookup into incident review. Have your adaptive response code go get data and either index it and maintain the lookup off that or update the lookup directly rather than indexing if its a kvstore lookup.

0 Karma
Get Updates on the Splunk Community!

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey. Last year’s ...

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

Observability Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestSplunk APM's New Tag Filter ExperienceSplunk APM has updated ...