Threat Hunting • Room 2

Adaptive Response Actions

Once a threat is confirmed, speed is critical. Adaptive Response Actions in Splunk ES allow analysts to trigger automated containment steps directly from Incident Review.

Examples include: pinging a host to verify it's alive, running a script to isolate the endpoint from the network, or sending the malicious hash to an EDR for a global block.
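To make the mechanism concrete, here is an added example (not Splunk's or the room's own code) of the kind of script Splunk ES runs behind an Adaptive Response Action: Splunk invokes it with `--execute` and passes a JSON payload on stdin whose `result` key carries the notable event's fields and whose `configuration` key carries the action's parameters. The parameter name `action`, the CIM field names `dest`, `src` and `file_hash`, and the target systems are assumptions, and the script only builds a dry-run containment plan rather than using the ModularAction helper ES ships or calling a real firewall or EDR API.

```python
"""Constructed example of a Splunk custom alert action script, the mechanism
ES uses for an Adaptive Response Action. Splunk runs it as `<script> --execute`
and writes a JSON payload to stdin: `result` holds the notable event's fields,
`configuration` the parameters set for the action in alert_actions.conf. It
returns a containment plan (a dry run) instead of calling a firewall or EDR."""
import ipaddress
import json
import re
import sys


def plan_action(payload):
    """Map one notable event plus the chosen action to an enforcement request.
    Indicators are validated first so a malformed or internal value in the
    search result cannot turn into an arbitrary firewall or EDR rule."""
    result = payload.get("result", {})
    action = payload.get("configuration", {}).get("action")  # assumed param name
    if action == "block_ip":
        ip = ipaddress.ip_address(result.get("dest", ""))  # raises on junk
        if not ip.is_global:  # never push an internal address to the perimeter
            raise ValueError(f"refusing to block non-global address {ip}")
        return {"system": "perimeter_firewall", "verb": "deny", "target": str(ip)}
    if action == "isolate_host":
        host = result.get("src", "")
        if not re.fullmatch(r"[A-Za-z0-9.-]{1,253}", host):
            raise ValueError(f"invalid hostname {host!r}")
        return {"system": "edr", "verb": "isolate", "target": host}
    if action == "block_hash":
        digest = result.get("file_hash", "")
        if not re.fullmatch(r"[0-9a-fA-F]{64}", digest):
            raise ValueError("file_hash is not a SHA-256 digest")
        return {"system": "edr", "verb": "global_block", "target": digest.lower()}
    raise ValueError(f"unknown action {action!r}")


def main():
    if len(sys.argv) < 2 or sys.argv[1] != "--execute":
        sys.stderr.write("FATAL unsupported execution mode\n")
        return 1
    try:
        plan = plan_action(json.load(sys.stdin))
    except ValueError as exc:
        sys.stderr.write(f"ERROR {exc}\n")  # ends up in splunkd.log
        return 3
    sys.stderr.write(f"INFO planned {json.dumps(plan)}\n")
    return 0

if __name__ == "__main__":
    sys.exit(main())
```

Run it as `echo '{"result": {"dest": "1.2.3.4"}, "configuration": {"action": "block_ip"}}' | python3 script.py --execute` to see the dry-run plan; the validation step is what keeps a bad field in a search result from becoming an accidental self-inflicted outage.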

Knowledge Check

Prove your understanding to clear the room (Rewards XP)
Question 1 of 1
You discover a malicious IP address beaconing from a compromised host. What is the appropriate use of an Adaptive Response Action?
A. To permanently delete the user's account.
B. To trigger an automated containment action, such as executing a script to isolate the host or blocking the IP on the perimeter firewall.
C. To send an email to the attacker asking them to stop.
D. To reboot the Splunk Search Head.