Splunk® Mission Control

Investigate and Respond to Threats in Splunk Mission Control

Associate an incident type with a response template in Splunk Mission Control

You can associate one or more incidents with specific response templates based on incident type. After you create an incident type and associate it with a response template, any new incident ingested or created with that incident type applies the response template you selected.

Prerequisites

Before you can associate an incident type with a response template, complete the following:

Steps

  1. Navigate to Settings.
  2. Select Incident Settings then Incident Types.
  3. Either create a new incident type, or select an existing incident type from the table. For example, you can create or select an incident type with the name "Phishing".
  4. Navigate to the Incident Type Associations section and select + Response Template.
  5. Select the response template that you want to apply to the incident type of "Phishing". Only published response templates appear in this list.
  6. (Optional) Select + Response Template to associate an additional response template with "Phishing". You can drag and drop the response templates to change the order. The response template listed first is the default response template for the incident type.
  7. Select Save Changes.

After you associate the incident type with a response template, any new incident ingested or created with the incident type "Phishing" becomes associated with the response templates you selected. You can see your response plans on the Response tab of the incident. For more information on selecting an incident type at the incident level, see Triage incidents using incident review in Splunk Mission Control.

If you add any additional response templates to an incident type after you save it for the first time, only newly created or ingested incidents apply the response template.

Last modified on 02 June, 2023
Apply response templates to standardize response to incidents in Splunk Mission Control   Automate incident response with playbooks and actions in Splunk Mission Control

This documentation applies to the following versions of Splunk® Mission Control: Current


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters