Splunk Enterprise Security

Can you run a correlation search as an adaptive response or can you run a correlation search from a python script?

Communicator

Hi all,

I have created an adaptive response that collects information from a host and indexes it.

I have attached this adaptive response to a correlation search.

I would now like to have the collected information be available in the "Additional Fields" portion of the Incident Review page. This is an issue because that menu is populated by the events returned from the initial search.

The solution I've come to is to have two correlation searches, one to trigger my adaptive response and a second to search for both data and trigger only when the collected data has been found as well. The issue with that is suddenly I need two nearly identical searches which is doubling the search load.


So, finally: Is there a way to streamline this without having to run two correlation searches in parallel? Is there an addon that someone made that I don't know about that allows us to trigger another correlation search "ad hoc" as an adaptive response? Is there a way to run a correlation search via a python script (which is an adaptive response)?

This isn't a one off, I have plenty of searches I need to make this adjustment to so doubling them up is out of the picture, unfortunately.


SplunkTrust

This might help answer the spirit of what you are trying to do.

http://www.georgestarcher.com/splunk-enterprise-security-enhancing-incident-review/

The gist of it is: add a field to incident review settings. Have that field be returned by a lookup based on a field in your notable. Shim the lookup into incident review. Have your adaptive response code go get data and either index it and maintain the lookup off that, or update the lookup directly rather than indexing if it's a kvstore lookup.

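The lookup-backed approach the answer describes, as an added example that is not the original poster's code nor the code from the linked article: a Python custom alert action (the script Splunk runs for an adaptive response) reads the alert payload Splunk passes on stdin, collects enrichment for the host named in the notable, and upserts it straight into a KV store collection keyed by that host. A lookup on that collection, shimmed into Incident Review, then exposes the collected data as an additional field without a second correlation search. The collection name `host_enrichment`, the app `SA-HostEnrichment`, the `dest` host field, the `collect_host_info` collector and the sample payload are all assumptions constructed for the example; the payload keys (`session_key`, `server_uri`, `result`, `search_name`, `sid`) and the KV store `batch_save` REST endpoint are real Splunk interfaces.

```python
#!/usr/bin/env python3
"""Added example, not the original poster's or the linked article's code.

Custom alert action skeleton: Splunk invokes it as `script.py --execute` with a
JSON payload on stdin. The script enriches the host from the notable and
upserts the result into a KV store lookup keyed by host, so Incident Review can
show it via a lookup-backed additional field. Names below are assumptions.
"""
import json
import sys
import urllib.request
from typing import Any, Callable, Dict, List, Optional

COLLECTION = "host_enrichment"   # assumed KV store collection (transforms.conf: collection = host_enrichment)
APP = "SA-HostEnrichment"        # assumed app that owns the collection
HOST_FIELD = "dest"              # assumed notable field that names the host

# Constructed sample of the JSON Splunk hands a custom alert action on stdin.
SAMPLE_PAYLOAD: Dict[str, Any] = {
    "session_key": "constructed-session-key",
    "server_uri": "https://127.0.0.1:8089",
    "search_name": "Suspicious Process - Rule",
    "sid": "scheduler__admin__SA-Demo__RMD5deadbeef_at_1700000000_1",
    "result": {"dest": "web01", "process_name": "mimikatz.exe", "user": "svc_backup"},
}


def collect_host_info(host: str) -> Dict[str, Any]:
    """Stand-in for the real collector (CMDB, EDR or inventory query).
    Returns a constructed record so the example runs offline."""
    return {"os": "Windows Server 2019", "owner": "web-team", "criticality": "high"}


def build_record(host: str, collected: Dict[str, Any], search_name: str, sid: str) -> Dict[str, Any]:
    """One KV store row per host; `_key` makes batch_save update instead of duplicate."""
    record = {"_key": host, "host": host, "enriched_by": search_name, "enriched_sid": sid}
    record.update(collected)
    return record


def batch_save_url(server_uri: str, app: str = APP, collection: str = COLLECTION) -> str:
    """KV store batch_save endpoint: inserts new `_key`s and updates existing ones."""
    return (f"{server_uri.rstrip('/')}/servicesNS/nobody/{app}"
            f"/storage/collections/data/{collection}/batch_save")


class DryRunOpener:
    """Offline stand-in for urllib.request.urlopen: records requests, never connects."""
    status = 200

    def __init__(self) -> None:
        self.requests: List[urllib.request.Request] = []

    def __call__(self, req: urllib.request.Request) -> "DryRunOpener":
        self.requests.append(req)
        return self

    def __enter__(self) -> "DryRunOpener":
        return self

    def __exit__(self, *exc: Any) -> bool:
        return False


def upsert_records(payload: Dict[str, Any], records: List[Dict[str, Any]],
                   opener: Callable = urllib.request.urlopen) -> int:
    """POST the records to splunkd using the session key Splunk gave the action."""
    req = urllib.request.Request(
        batch_save_url(payload["server_uri"]),
        data=json.dumps(records).encode("utf-8"),
        method="POST",
        headers={"Authorization": "Splunk " + payload["session_key"],
                 "Content-Type": "application/json"},
    )
    with opener(req) as resp:
        return resp.status


def enrich(payload: Dict[str, Any], collector: Callable[[str], Dict[str, Any]] = collect_host_info,
           opener: Callable = urllib.request.urlopen) -> Optional[Dict[str, Any]]:
    """Enrich the host from the notable and upsert it; returns the saved record or None."""
    host = payload["result"].get(HOST_FIELD)
    if not host:
        return None  # nothing to key the lookup on; leave the notable as-is
    record = build_record(host, collector(host), payload["search_name"], payload["sid"])
    status = upsert_records(payload, [record], opener)
    if status != 200:
        raise RuntimeError(f"KV store batch_save returned HTTP {status}")
    return record


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--execute":
        # Real run: Splunk passes the payload on stdin; log the saved record to stderr
        print(json.dumps(enrich(json.load(sys.stdin))), file=sys.stderr)
    else:
        # Dry run on the constructed payload with no splunkd connection
        dry = DryRunOpener()
        print(json.dumps(enrich(SAMPLE_PAYLOAD, opener=dry), indent=2))
        print("would POST to", dry.requests[0].full_url, file=sys.stderr)
```

Run without arguments for a dry run against the constructed payload. On the Splunk side the remaining pieces are configuration, not code: a `transforms.conf` lookup over the collection with `fields_list = _key,host,os,owner,criticality`, an `incident_review` additional field for (say) `criticality`, and the lookup shimmed into Incident Review as the linked article describes. Because the script writes to the KV store directly, the data is visible as soon as the adaptive response finishes, with no second search and no indexing delay.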