Add and manage responses in Splunk Asset and Risk Intelligence
Take action on findings related to assets, identities, or the operational health of Splunk Asset and Risk Intelligence using the Response management page. Follow these steps to add a new response.
- In Splunk Asset and Risk Intelligence, select Response and then Response management.
- Select Add response.
- From the drop-down menu, select a response category. You can choose to add an asset, identity, or operational response.
- Enter a name for your response.
- Select a Response type. The type is the kind of condition that must be met in order to trigger the response. For example, you can use metrics or risk to trigger your response.
- Select a Filter based on the response type you selected. For example, if you selected the asset metric response type, then the filter options list the metrics you've already created.
- (Optional) Modify the cron schedule. By default, responses run once per day.
- (Optional) Further customize the response filter by modifying the existing fields. For some response types, you can also customize the filter using SPL in the Additional logic section.
- Select the toggle switch to activate the response. You can activate the response later, but a response must be active in order to run.
- Select Add response.