Adaptive Response

The Adaptive Response action provided by the app allows IOCs to be enriched with information from Recorded Future. This is similar to the enrichment based on the Recorded Future risk lists, with a few differences:

| Risk list enrichment                                                              | Adaptive Response                                                      |
|-----------------------------------------------------------------------------------|------------------------------------------------------------------------|
| Enrichment is based upon the information present in the risk list.                | Enrichment is done in real time against the Recorded Future API.       |
| Information may not be fully up to date due to the refresh cycles of the risk lists. | Information is always up to date.                                   |
| Only IOCs present in the risk list are enriched (see note).                        | Any known IOC is enriched.                                             |
| The enrichment uses no API credits.                                               | The enrichment uses one API credit per successfully enriched IOC.      |

Note: Typically a risk list only contains IOCs with a risk score above a certain threshold. This is done to keep the lists at a manageable size.

Setup Adaptive Response

The normal way to use an Adaptive Response is to add it to the list of Adaptive Responses of a Correlation Search that gathers events which should be investigated.

Once this has been set up, the Adaptive Response is executed for each event found by the search.

An example of such a search is "Threat Activity Detected", which detects all network events that match threats known to Splunk's Threat Intelligence framework.

It is possible to use the same Adaptive Response on multiple Correlation Searches.

Adding an Adaptive Response action

The following shows how to add the Adaptive Response to that Correlation Search.

  1. In Splunk Enterprise Security, go to Configure > Content Management.
  2. Find "Threat Activity Detected" and click on its name.
  3. Near the bottom of the page is the section "Adaptive Response Actions". Click on "+ Add New Response Action".
  4. From the drop-down list, click on "Enrich with Recorded Future".
    Add New Response Action
  5. In most cases no changes are necessary; just click on Save. If the Correlation Search uses a field other than "threat_match_value" to indicate which IOC it has detected, that field name must be entered as the field value.
    Configure the Adaptive Response

Warning: Each enriched IOC may consume one API credit. Make sure that the Correlation Search used does not generate an excessive number of events.
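Before enabling the action, it is worth estimating how many credits a Correlation Search would consume. The following SPL is an added example and is not part of the app's documentation; it assumes the Correlation Search reads from the Splunk Enterprise Security Threat_Intelligence.Threat_Activity data model (an assumption about the deployment) and that the detected IOC is carried in "threat_match_value", as described above. Run it over the same time range the Correlation Search is scheduled for.

```spl
| from datamodel:"Threat_Intelligence"."Threat_Activity"
| search threat_match_value=*
| bin _time span=1d
| stats count AS matching_events dc(threat_match_value) AS distinct_iocs BY _time
| eval max_credits_per_day=matching_events, min_credits_per_day=distinct_iocs
| sort - _time
```

The "matching_events" column is the upper bound on daily credit use, since the action runs once per event the search returns; "distinct_iocs" is the lower bound if repeated IOCs are not enriched again. If either figure is higher than the available credit budget, tighten the Correlation Search (for example by adding throttling or a higher threat-score filter) before attaching the Adaptive Response.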

Removing the Adaptive Response action

If at some point the Adaptive Response action needs to be removed from a Correlation Search, this is very straightforward.

  1. In Splunk Enterprise Security, go to Configure > Content Management.
  2. Find and select the Correlation Search.
  3. Near the bottom of the page is the section "Adaptive Response Actions".
  4. Click on the [X] next to the action and save.
    Remove an Adaptive Response

Ad-hoc use of the Adaptive Response

It is possible to make ad-hoc calls to the Adaptive Response, for example from within the Incident Review panel.

  1. When reviewing a notable event in the Incident Review panel, click on Event Actions.
  2. Select "Run Adaptive Response".
    Launch Ad-hoc Adaptive Response
  3. Select "Recorded Future" and run it. Close the pop-up.
    Add New Response Action
  4. Click on the reload symbol just above the "Adaptive Responses" section of the panel.
    Reload Response Action
  5. When the check mark and "success" are visible in the Status column, the enrichment is done. Clicking on "Enrich with Recorded Future" will open an enrichment view (in a separate view) with the information returned by the enrichment.
    Adaptive Response view