Running Enterprise Security on Splunk Cloud, how can I get an adaptive response such as a ping to run on a local HF/UF/SH?
This has been solved for a few versions now.
https://docs.splunk.com/Documentation/ES/7.0.1/Admin/Adaptiveresponserelay
This has been solved for a few versions now.
https://docs.splunk.com/Documentation/ES/7.0.1/Admin/Adaptiveresponserelay
Currently there is no direct fix for this. Splunk Cloud customers can currently run AR on other cloud based services, or you can create your own AR that would connect back to your onpremise deployment.
The later option does require a vetting process, and does have to adhere to guidelines as outlined here : http://dev.splunk.com/view/app-cert/SP-CAAAE85
One of the key take aways here, is that any type of outbound communication from Splunk Cloud has to be over SSL, and any credentials use for authentication cannot be stored in clear text.
I'd recommend building your integration via the Splunk Addon Builder (TA Builder) : https://splunkbase.splunk.com/app/2962/
Cheers
ES adaptive responses run on the ES search head. Not remotely executed on other systems.
How does a Splunk Cloud customer, run adaptive responses on their internal network?