Adaptive Response
The Adaptive Response action provided by the app allows IOCs to be enriched with information from Recorded Future. This is similar to the enrichment based on the Recorded Future risk lists, but with a few differences:
| Risk list enrichment | Adaptive Response |
|---|---|
| Enrichment is based on the information present in the risk list. | Enrichment is done in real time against the Recorded Future API. |
| Information may not be fully up to date due to the refresh cycles of the risk lists. | The information is always up to date. |
| Only IOCs that are present in the risk lists are enriched (see note). | Every known IOC is enriched. |
| No API credits are used for the enrichment. | The enrichment uses one API credit per successfully enriched IOC. |
Note: Risk lists typically only contain IOCs with a risk score above a certain threshold. This is done to keep the lists to a manageable size.
Setting up the Adaptive Response
The normal way to use an Adaptive Response is to add it to the list of Adaptive Responses of a Correlation Search which gathers events that should be investigated.
Once this has been set up, the Adaptive Response is executed for each event found by the search.
An example of such a search is "Threat Activity Detected", which detects all network events that match threats known to Splunk's Threat Intelligence framework.
It is possible to use the same Adaptive Response on multiple Correlation Searches.
Adding an Adaptive Response action
Here is how you would add the Adaptive Response to this Correlation Search:
- In Splunk Enterprise Security, navigate to Configure -> Content Management.
- Search for "Threat Activity Detected" and click on the name.
- Near the bottom of the page is the section "Adaptive Response Action". Click on "+ Add New Response Action".
- In the dropdown list, click on "Enrich with Recorded Future".
- In most cases no changes are necessary; just click on Save. If the Correlation Search uses a field other than "threat_match_value" to indicate which IOC it has detected, that field name must be entered as the field value.
Warning: Every IOC that is enriched may consume an API credit. Make sure that the Correlation Search used does not yield an excessive number of events.
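As an added example (not part of the app or of this documentation), a small pre-flight estimate of API credit usage for a Correlation Search before the action is attached: it reads the IOC field ("threat_match_value" by default, or the custom field name entered in the action form), counts events and distinct IOCs, and compares the worst-case credit consumption with a budget. The event records and the budget are constructed sample values; whether a repeated IOC is charged again on every action run is an assumption, so both bounds are reported.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample of events a Correlation Search might return
# (not real Splunk output); only the IOC field matters here.
SAMPLE_EVENTS = [
    {"threat_match_value": "198.51.100.23", "src": "10.0.0.5"},
    {"threat_match_value": "198.51.100.23", "src": "10.0.0.9"},
    {"threat_match_value": "example-malicious.test", "src": "10.0.0.5"},
    {"threat_match_value": "203.0.113.77", "src": "10.0.0.12"},
    {"src": "10.0.0.3"},  # no IOC field: the action has nothing to enrich
]


@dataclass
class CreditEstimate:
    events: int        # events the search returned (the action runs once per event)
    skipped: int       # events without the IOC field
    unique_iocs: int   # distinct IOC values seen
    worst_case: int    # one credit per action run that carries an IOC
    best_case: int     # one credit per distinct IOC
    over_budget: bool  # worst case exceeds the allowed budget


def estimate_credits(events, budget, ioc_field="threat_match_value"):
    """Estimate the API credits the "Enrich with Recorded Future" action could
    consume when run once per event. ioc_field is the field the Correlation
    Search uses to carry the detected IOC (default as in the action form)."""
    values = [e[ioc_field] for e in events if e.get(ioc_field)]
    skipped = len(events) - len(values)
    distinct = len(Counter(values))
    worst = len(values)  # assumption: every run with an IOC is charged
    best = distinct      # assumption: a repeated IOC is not charged again
    return CreditEstimate(len(events), skipped, distinct, worst, best, worst > budget)


def top_iocs(events, n=3, ioc_field="threat_match_value"):
    """Most frequent IOC values: the ones that drive credit usage."""
    return Counter(e[ioc_field] for e in events if e.get(ioc_field)).most_common(n)


if __name__ == "__main__":
    print(estimate_credits(SAMPLE_EVENTS, budget=3))
    print(top_iocs(SAMPLE_EVENTS))
```

Run the search over the same time window the Correlation Search uses, export the events, and feed them in place of the constructed sample; if the worst case exceeds what the API budget allows, narrow the search before adding the action.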
Removing the Adaptive Response action
If at some point the Adaptive Response action needs to be removed from a Correlation Search, this is very straightforward.
- In Splunk Enterprise Security, navigate to Configure -> Content Management.
- Find the Correlation Search and select it.
- At the bottom of the page is the section "Adaptive Response Action".
- Click on the X next to the action and save.
Ad-hoc use of the Adaptive Response
It is possible to make ad-hoc calls to the Adaptive Response, for example from within the Incident Review panel.
- When reviewing a notable event in the Incident Review panel, click on Event Actions.
- Select "Run Adaptive Response".
- Select "Recorded Future" and run it. Close the pop-up.
- Click on the reload symbol just above the "Adaptive Responses" section of the panel.
- When the check mark and "success" are visible in the Status column, the enrichment is done. Clicking on "Enrich with Recorded Future" opens an enrichment view (in a separate view) with the information returned by the enrichment.