Create response plans in Splunk Enterprise Security
Create response plans to help document your security operating procedures and standardize the tasks and phases that analysts complete while they respond to investigations in Splunk Enterprise Security. A response plan is a template of guidelines for analysts to follow so that they can provide a standardized response for investigations of the same type. You can use response plans provided by Splunk Enterprise Security, such as NIST 800-61 or Vulnerability Disclosure, import your own response plan by uploading a JSON file, or you can create a new custom response plan.
For more details on the response plans included with Splunk Enterprise Security, see Included response plans in Splunk Enterprise Security in the Use Splunk Enterprise Security manual.
To create your own response plans from your organization's Standard Operating Procedures (SOP) documentation, see Create response plans with the SOP agent.
Create response plans with the SOP agent
Quickly create response plans from your existing standard operating procedure documentation
Use the SOP agent to import an existing Standard Operating Procedure (SOP) into Splunk Enterprise Security and convert it into a response plan. Instead of keeping your SOPs open in a separate tab, such as SharePoint or Confluence, during an investigation, you can bring that procedure directly into Enterprise Security as a structured response plan.
The generated draft can include phases, tasks, SPL queries, and SOAR actions based on the content of your document and the actions available in your environment.
After you review and publish it, you can use the response plan the same way you use any other response plan in Enterprise Security. For example, you can associate it with investigation types or add it to an investigation.
Prerequisites
You must have the Enterprise Security AI Assistant enabled on your Enterprise Security deployment to use the SOP agent.
Individuals using the SOP agent must have view and edit response template capabilities.
Importing JSON is always available, regardless of Enterprise Security AI Assistant status. For details on importing JSON, see Import response plans.
Import an SOP document
To import an SOP document and create a response plan for it, follow these steps:
- In Splunk Enterprise Security, select Security content and then select Response plans.
- Select Import. If you do not see the AI sparkle icon, see the Prerequisites section earlier in this article.
- Use the Import and generate with AI side of the window to upload a file. After you specify the file to import, select Upload to start the import and generation. A message displays, letting you know the process has started successfully.
- The draft response plan displays at the top of the list of your organization's response plans. It is not final until you review and save it.
- Select the new response plan to review and edit it.
- Review each phase of your SOP plan, ensuring that any actions, playbooks, and SPL queries are correct. Make any needed updates.
- Select Save changes.
- Optionally set the Status to Published, so you can apply it to an investigation.
Considerations
Be aware of the following considerations and limitations when using the SOP agent:
- Review before publishing: As with all AI, include a human in the loop. The output is a suggested starting point, not a finished plan. The SOP agent maps based on available apps and actions in your SOAR stack, but the mappings are not always correct. Review the generated SPL queries and SOAR mappings before use.
- File types supported: DOCX, MD, PDF, TXT
- File size limit: Files to import must be 50MB or smaller
- No image support: The SOP agent cannot handle screenshots, diagrams, or embedded images. If you must use images, include text descriptions of the images.
- Generation time: Average generation time is about one minute. Generation might take longer when working with complex documents or documents from environments with large SOAR stacks that contain many actions and playbooks. Generation times out after 10 minutes.
- No cancellation: After you start generation, you cannot stop or cancel it; you must wait for generation to complete or reach the 10-minute timeout.
How it works
These are the basic steps that the SOP agent takes when you import a document:
- Parses the document text. As stated in the Considerations section, the SOP agent cannot parse images.
- Maps content to NIST IR lifecycle phases: Detection, Analysis, Containment, Eradication, Recovery, and Post-Incident.
- Extracts tasks within each phase.
- Queries your paired SOAR stack for available playbooks and actions, and maps tasks to matching playbooks and actions.
- Generates SPL (Splunk search) queries for relevant tasks.
- Returns a complete response plan JSON, which Splunk Enterprise Security saves as a draft. A user must review the file and then publish it.
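As an added illustration of the parsing and phase-mapping steps above (example code written for this page, not the SOP agent's own implementation), the following script applies the page's pre-import checks (file type, 50MB limit, embedded images) to a constructed Markdown SOP and previews which NIST lifecycle phase each section would land in. The keyword table, the Markdown heading and bullet conventions, and the output structure are this example's assumptions, not Enterprise Security's response plan schema.

```python
import re
from pathlib import Path

ALLOWED_EXT = {".docx", ".md", ".pdf", ".txt"}  # file types the page lists
MAX_BYTES = 50 * 1024 * 1024                     # 50MB import limit
IMAGE_RE = re.compile(r"!\[[^\]]*\]\([^)]*\)")  # Markdown image syntax
# NIST IR phases the agent maps to; the keywords are this example's assumption
PHASES = {
    "Detection": ("detect", "identif", "alert", "triage"),
    "Analysis": ("analy", "investigat", "scope"),
    "Containment": ("contain", "isolat", "quarantine"),
    "Eradication": ("eradicat", "remov", "clean"),
    "Recovery": ("recover", "restor"),
    "Post-Incident": ("post-incident", "lessons", "retrospective"),
}

def preflight(path, size_bytes):
    problems = []  # an empty list means the file can be imported
    ext = Path(path).suffix.lower()
    if ext not in ALLOWED_EXT:
        problems.append(f"unsupported file type: {ext or '(none)'}")
    if size_bytes > MAX_BYTES:
        problems.append(f"{size_bytes} bytes exceeds the 50MB limit")
    return problems

def phase_for(heading):  # first phase with a keyword in the heading, else None
    return next((p for p, keys in PHASES.items()
                 if any(k in heading.lower() for k in keys)), None)

def draft_from_markdown(text):
    """Map '## ' headings to phases and '- ' bullets to tasks under them."""
    draft = {"phases": {}, "images": 0}
    phase = None
    for line in text.splitlines():
        if line.startswith("## "):
            phase = phase_for(line[3:]) or "Unmapped"  # heading with no phase
            draft["phases"].setdefault(phase, [])
        elif line.startswith("- ") and phase:
            draft["phases"][phase].append(line[2:].strip())
        draft["images"] += len(IMAGE_RE.findall(line))  # the agent skips these
    return draft

SAMPLE_SOP = """# Ransomware SOP (constructed sample)
## Detection and triage
- Confirm the EDR alert and record the host name
## Containment
- Quarantine the device
![isolation steps](isolate.png)
## Appendix
- Escalation contact list
"""
```

Sections that land in the Unmapped bucket, and any counted images, are the parts of the document to rewrite with clearer headings and text descriptions before you upload it.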
Create a response plan
Follow these steps to create a new response plan:
- In Splunk Enterprise Security, select Security content and then select Response plans.
- Select + Response plan.
- Enter a name for the response plan in the Title text box.
Note: You can't enter a name with more than 250 characters for response plan titles, phases, or tasks. Additionally, you can't enter a description with more than 7,000 characters.
- (Optional) Enter a description for the response plan to describe what someone might use it for. For example, "Guide response to a ransomware infection".
- Select + Phase and enter a name for a phase of the response plan. For example, "Contain infection".
- Select + Task to add a task to the phase.
- Enter a name for the task. For example, "Quarantine the device".
- (Optional) Select an owner from the drop-down list to always assign this task to a specific person.
- (Optional) Select the check box to require a note upon task completion.
- Select the down arrow to expand the task and add details.
- (Optional) Enter a description for the task. You can use Markdown syntax to format the text in the description and add tables, links, and other useful information to help an analyst complete the task.
Note: Markdown doesn't support adding links with HTML. You must use the `[title](https://www.example.com)` syntax to create a link. See the "Cheat Sheet" on the Markdown Guide website for more details.
- (Optional) Expand the Actions or Playbooks section and select + Action or + Playbook to set up an action or playbook to run with the task.
- (Optional) Expand the Searches section and select + Search to embed a search in the task.
- (Optional) Select + Phase to add another phase to the response plan.
- Continue adding phases and tasks until your response plan is complete.
- Toggle the Status switch to Published and select Save Changes to publish the response plan.
Note: You can only add published response plans to investigations.
Import response plans
To upload other Standard Operating Procedure (SOP) documents, see Create response plans with the SOP agent.
- In Splunk Enterprise Security, select Security content and then Response plans.
- Select Import.
- Upload a file. Only JSON files are supported.
- Enter a name for the response plan.
- Select Import.
Manage response plans
Use the Response plans page in Splunk Enterprise Security to view all of your drafted and published response plans. You can find default response plans included with Splunk Enterprise Security in the Splunk response plans tab, and any response plans that you created in the My organization's response plans tab. You can manage your response plans by modifying and sorting them.
Modify response plans
You can edit, copy, export, and delete response plans that you create.
Changes that you make to your organization's response plans are not versioned. Splunk response plans, however, are versioned so that Splunk can update these plans over time. With version control, you can easily see what's changed, what's new in each release, and when updates were made. You can select which version to view in the Version column in the Splunk response plans tab.
The response plans included with Splunk Enterprise Security are read-only. You can export or make a copy of a Splunk response plan to customize it, but you can't edit or delete it directly. See Make a copy of a Splunk response plan.
Follow these steps to modify a response plan:
- In Splunk Enterprise Security, select Security content and then select Response plans.
- Locate the response plan you want to modify.
- To edit the response plan, select the name of the response plan that you want to modify.
- Make the changes you want to the phases and tasks.
- If your response plan is not published, toggle the Status switch to Published and select Save changes to publish the response plan and make it available for analysts to use.
- If your response plan is already published, select Save changes.
- To delete the response plan, select the more icon.
- Select Delete.
- Confirm that you want to delete the response plan by selecting Delete.
Note: After you delete a response plan, you can no longer assign it to an investigation. However, if you previously assigned the response plan to an investigation, the investigation preserves the response plan.
- To copy the response plan, select the more icon.
- Select Copy.
- Enter a new name for the copied response plan, or keep the default copy name.
- Select Save.
- To export the response plan, select the more icon.
- Select Export.
Sort response plans
You can sort the response plan table to find a particular response plan.
Follow these steps to sort response plans:
- In Splunk Enterprise Security, select Security content and then select Response plans to find the response plan table.
- Select the column heading with the value you want to sort by. An arrow icon appears next to the column heading that the table is currently sorted by.
- (Optional) Select the column heading again to reverse the order.
Embed new and existing searches in response plan tasks
You can embed a new or existing search in a response plan task to help an analyst complete that task. Embedding searches in tasks can help advance investigations, especially for use cases with complex searches or for users who are unfamiliar with the Search Processing Language (SPL). After you embed a search in a response plan task, you can run the search directly from an investigation in Splunk Enterprise Security. You can embed a search in a task by editing an existing response plan or by creating a new one.
Follow these steps to embed searches in response plan tasks:
- In Splunk Enterprise Security, select Security content and then select Response plans.
- Open an existing response plan, or create a new one.
- Expand the phase you want to edit, or select + Phase.
- Expand the task you want to add a search to, or select + Task.
- In the task you want to embed a search in, expand the Searches section.
- Select + Searches. You can embed either a new search or an existing one.
- To embed a new search, complete the following steps:
- Create a new search by giving your search a name and description.
Note: You can't enter more than 250 characters for the name of your search, and you can't enter more than 7,000 characters for the description of your search.
- Enter a Splunk search in the Search syntax field. For example, to detect excessive failed login attempts, enter the following search:
```spl
| from datamodel: "Authentication"."Failed_Authentication" | stats values("tag") as "tag", dc("user") as "user_count", dc("dest") as "dest_count", count by "app", "src" | where 'count'>=6
```
- (Optional) To add a token to your search, enter the token name anywhere in the Search syntax field using the `$token_name$` syntax.
- To embed an existing search, complete the following steps:
- Select Browse saved searches.
- Choose an existing search and select Submit to automatically populate the Search syntax field with a saved search.
Note: You can't edit the name, description, or search syntax of a saved search.
- Toggle the Status switch to Published. You must publish your response plan to locate the response plan task, and therefore your embedded search, from an investigation.
- Select Save changes.
See also
For more information on response plans, see the product documentation: