RedSeal and Splunk Adaptive Response

Use your SIEM to identify IOCs and RedSeal to show access paths

The goal of Incident Response is to address and manage a security breach in a way that limits damage and reduces recovery time and costs. Your SIEM solution can identify an Indicator of Compromise (IOC) by analyzing and correlating the massive streams of machine data generated by your IT systems and technology infrastructure.

Through a seamless integration with the Splunk Adaptive Response framework, the combination of RedSeal and Splunk can result in a significant increase in network situational awareness and full visibility of network access paths to/from an IOC to critical assets and contain downstream risk, within minutes.


RedSeal helps in accelerating Incident Response in two ways – providing insights for correlation to identify IOCs as well as providing immediate answers to the following questions:

  1. What is the compromised device?
  2. Where is it located both physically and logically?
  3. Where can the attacker traverse to? Can it reach my critical assets via a network access path?
  4. What containment options are available to me?

RedSeal provides three Adaptive Response actions to quickly answer the above questions:

Display Source Details

Get the device’s OS, applications, L2 information, policy group, etc.

List Top Reachable Groups, Launch RedSeal Incident Response

Identify all downstream assets that the compromised device can access, prioritized by the business value and the exposure

Launch RedSeal Incident Response to get more details in a separate browser window, including the L2 information on each of the reachable targets

View Detailed Network Access Path

Display network access path(s) from the source to the target, listing all the connected devices in-between, with details on the firewall(s) and the configuration rules permitting access


RedSeal’s model presents an accurate, up-to-date map of your network as it really is – including your cloud and virtual networks, and your physical and wireless infrastructure.

RedSeal’s model calculates all network access paths – intended, not intended, active and potential – between any two points on your network. With this network visualization, you can see all the individual devices between one point and another, and pinpoint the exact rules you need to change to affect access on each device.


Quickly locate IOC – including its physical location and other data

View all potential network access paths an intruder can take from IOC

List downstream assets prioritized by risk, with access paths for each

Locate firewall(s) and the rules to help block pathway


RedSeal 8.3

Splunk Enterprise 4.5.X


Solution Brief – RedSeal and Splunk Adaptive Response