Adaptive Response

The Adaptive Response action provided by the app allows for enriching IOCs with information from Recorded Future. This is similar to the enrichment based on the Recorded Future risklists, apart from a few differences:

Risklist enrichment | Adaptive Response
--- | ---
Enrichment is based upon what information is present in the risklist. | Enrichment is done in real time against the Recorded Future API.
Information may not be fully up-to-date due to the refresh cycles of the risklists. | Information is always up-to-date.
Only IOCs present in the risklist are enriched (see note). | All known IOCs are enriched.
Enrichment does not use API credits. | The enrichment uses one API credit per successfully enriched IOC.

Note: Typically the risklists only contain IOCs with a risk score above some threshold. This is done to keep the lists at a manageable size.

Setup Adaptive Response

The normal way to use an Adaptive Response is to add it to the list of Adaptive Responses of a Correlation Search which gathers events that should be investigated.

Once this has been set up, the Adaptive Response is executed for each event found by the search.

An example of such a search is "Threat Activity Detected", which detects all network events that match threats known to Splunk's Threat Intelligence framework.

It is possible to use the same Adaptive Response on multiple Correlation Searches.

Adding an Adaptive Response action

To add the Adaptive Response to that Correlation Search, do the following:

  1. In Splunk Enterprise Security, go to Configure -> Content Management.
  2. Find "Threat Activity Detected" and click on its name.
  3. Near the bottom of the page is the section "Adaptive Response Action". Click on "+ Add New Response Action".
  4. From the dropdown list, click on "Enrich with Recorded Future".
    Add New Response Action
  5. In most cases no changes are necessary - just click on Save. If the Correlation Search uses a field other than "threat_match_value" to indicate which IOC it has detected, that field name must be entered as the field value.
    Configure the Adaptive Response

Warning: Each IOC that is enriched may use one API credit. Make sure that the number of events produced by the Correlation Search is not excessive.
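Before attaching the action to a search, it is worth sizing what a run would cost. The following is an added example, not code from the Recorded Future app: it reads a constructed risklist (the Name/Risk CSV columns are an assumption), takes constructed notable events whose IOC sits in the page's default field threat_match_value, and reports the credit ceiling of one action run per event alongside the IOCs that only the real-time API could enrich because they fall below the risklist threshold.

```python
import csv
import io

# Constructed sample risklist. Risklists only carry IOCs above a risk
# threshold (here: Risk >= 65); the CSV column names are an assumption.
RISKLIST_CSV = """Name,Risk
198.51.100.7,89
203.0.113.42,72
"""

# Constructed notable events from a search like "Threat Activity Detected";
# the detected IOC is carried in threat_match_value (the default field).
NOTABLE_EVENTS = [
    {"threat_match_value": "198.51.100.7", "src": "10.0.0.5"},
    {"threat_match_value": "198.51.100.7", "src": "10.0.0.9"},
    {"threat_match_value": "192.0.2.200", "src": "10.0.0.5"},
    {"threat_match_value": "203.0.113.42", "src": "10.0.1.1"},
    {"src": "10.0.1.2"},  # no IOC field: the action has nothing to enrich
]


def load_risklist(text):
    """Map IOC -> risk score from risklist CSV text."""
    return {row["Name"]: int(row["Risk"]) for row in csv.DictReader(io.StringIO(text))}


def size_adaptive_response(events, risklist, ioc_field="threat_match_value"):
    """Estimate the cost of attaching the Adaptive Response to a search.

    The action is executed for each event found by the search, so the
    credit ceiling is the number of events that carry the IOC field.
    Distinct IOCs missing from the risklist are the ones only the real-time
    API can enrich; IOCs already on the risklist were enrichable for free.
    """
    with_ioc = [e[ioc_field] for e in events if ioc_field in e]
    distinct = sorted(set(with_ioc))
    not_on_risklist = [i for i in distinct if i not in risklist]
    return {
        "events_with_ioc": len(with_ioc),   # upper bound on credits used
        "distinct_iocs": len(distinct),
        "only_via_api": not_on_risklist,    # below the risklist threshold
    }


if __name__ == "__main__":
    print(size_adaptive_response(NOTABLE_EVENTS, load_risklist(RISKLIST_CSV)))
```

Run the same check against a real export of the search results before enabling the action, and tune the search if the event count is larger than the credit budget allows.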

Removing the Adaptive Response action

If at some point the Adaptive Response action needs to be removed from a Correlation Search, this is very straightforward.

  1. In Splunk Enterprise Security, go to Configure -> Content Management.
  2. Find the Correlation Search and select it.
  3. Near the bottom of the page is the section "Adaptive Response Action".
  4. Click on the X next to the action and save.
    Remove an Adaptive Response

Ad-hoc use of the Adaptive Response

It is possible to make ad-hoc calls to the Adaptive Response, for example from within the Incident Review panel.

  1. When reviewing a notable event in the Incident Review panel, click on event actions.
  2. Select "Run Adaptive Responses".
    Launch Ad-hoc Adaptive Response
  3. Select "Recorded Future" and run it. Close the popup.
    Add New Response Action
  4. Click on the reload symbol just above the "Adaptive Responses" section of the panel.
    Reload Response Action
  5. When the check mark and "success" are visible in the Status column, the enrichment is done. Clicking on "Enrich with Recorded Future" will open an enrichment view (in a separate view) with the information returned by the enrichment.
    Adaptive Response view