Charles Leaver – Here Is Why The Ziften And Splunk Active Response Framework Was Created

Written By Charles Leaver CEO Ziften



We were the sponsor in Las Vegas for a fantastic Splunk.conf2014 program, we returned stimulated and raring to go to push on even more forward with our solution here at Ziften. A talk that was of specific interest was by the Security Solutions Architect for Splunk, Jose Hernandez. “Using Splunk to Automatically Alleviate Threats” was the name of his presentation. If you want to see his slides and a recording of the talk then please go to

Making use of Splunk to assist with mitigation, or as I like to refer to it as “Active Response” is a great concept. Having all your intelligence data flowing into Splunk is extremely effective, and it can be endpoint data, outside risk feeds etc, and then you will be able to act on this data actually finishes the loop. At Ziften we have our powerful continuous monitoring on the endpoint system, and being wed to Splunk is something that we are actually extremely proud of. It is a really strong move in the right direction to have real time information analysis paired with the capability to react and act against incidents.

Ziften have actually created a mitigation action which utilizes the offered Active Response code. There is a demonstration video included in this blog below. Here we had the ability to produce a mitigation action within our Ziften App for Splunk as proof of concept. After the action is produced, results within Splunk ES (Enterprise Security) can be observed and tracked. This actually is a major addition and now users will be able to monitor and track mitigations within Splunk ES, which offers you with the major benefit of being able to complete the loop and develop a history of your actions.

The fact that Splunk is driving such an initiative thrills us, this is highly likely to progress and we are committed to constantly support it and make additional development with it. It is really exciting at the moment in the Endpoint Detection and Response space and the Active Response Framework integrated into Splunk being included will certainly promote a high degree of interest in my opinion.

For any questions concerning the Ziften App for Splunk, please send out an e-mail to