Included response plans in Splunk Enterprise Security
You can use the curated response plans included in Splunk Enterprise Security, or you can create your own. The Splunk response plans are built in and ready to use, and they include Splunk SOAR automation recommendations for the tasks they contain.
Splunk Enterprise Security includes the following response plans:
| Response plan name | Details | When to use |
|---|---|---|
| Account Compromise | Outlines phases and tasks relevant to potential compromise of system or application accounts. | When investigating a likely account compromise. |
| Data Breach | Outlines response to a data breach by contacting affected system owners and containing data exfiltration. | When investigating a likely data breach. |
| Network Indicator Enrichment | Gathers and analyzes contextual information about URLs, host names, top-level domain names, IP addresses, TLS certificates, and MAC addresses. | To gather information about the network artifacts involved in an investigation. |
| NIST 800-61 | Outlines response phases and tasks based on the NIST Computer Security Incident Handling Guide, SP 800-61. | To standardize responses for all investigations. |
| Generic Incident Response | Outlines response phases and tasks for basic investigation response: detect, analyze, contain, eradicate, recover, and review. | To standardize responses for all investigations, especially malware infection. |
| Self-Replicating Malware | Outlines response phases and tasks relevant to containing and remediating a self-replicating malware infection. | When investigating self-replicating malware infections, especially those infecting network services or shared resources. |
| Suspicious Email | Outlines response phases and tasks for a suspicious email campaign, including external investigations, internal hunting activities, enforcement, and increased monitoring. | When investigating suspicious emails. |
| Vulnerability Disclosure | Outlines response phases and tasks for a vulnerability disclosure, such as a critical CVE. | To determine the impact of a vulnerability disclosure on your environment. |
Make a copy of a Splunk response plan
You can clone a Splunk response plan with all of its built-in tasks and phases, and then customize it to fit your needs.
To clone a Splunk response plan, follow these steps:
1. Select Security content, and then select Response plans.
2. Select Splunk response plans.
3. Locate the response plan you want to clone.
4. Select the three-dot icon, and then select Clone.
5. Edit the name of the copied response plan.
6. Select Submit.