Automate incident response with playbooks and actions in Splunk Mission Control
Splunk Mission Control uses security orchestration and automation functionality provided by Splunk SOAR (Cloud). You can automate your security workflows in Splunk Mission Control by running actions and playbooks that you created in Splunk SOAR (Cloud). To customize playbook action workflows, you can also respond to prompts.
When you're investigating an incident in Splunk Mission Control, you can use the Automation tab to review the results of actions and playbooks set to run automatically on incidents. You can also run playbooks and actions manually and review the results.
Use automation in Splunk Mission Control to complete the following tasks:
- Run playbooks. See Run a playbook.
- Run actions. See Run an action.
- Review playbook and action results. See Review playbook and action results.
- Delegate or respond to prompts. See Delegate or respond to a prompt.
When an incident is created in Splunk Mission Control with summary data, all active playbooks that operate on the incident type for that incident are triggered to run automatically. To learn more about incident types, see Create incident types.
Run a playbook
When you're investigating an incident in Splunk Mission Control, you can use the Automation tab to run a playbook that you created in Splunk SOAR (Cloud) or a playbook included with Splunk Mission Control. For more information on playbooks, see Use playbooks to automate analyst workflows in Splunk SOAR (Cloud) in the Splunk SOAR (Cloud) Build Playbooks with the Playbook Editor manual.
Prerequisite
Before you can run a playbook on an incident, you must first create a playbook in Splunk SOAR (Cloud). See Create a new playbook in Splunk SOAR (Cloud) in the Splunk SOAR (Cloud) Build Playbooks with the Playbook Editor manual. For more information on creating a playbook that uses Splunk Mission Control data, see Use Splunk Mission Control data in Splunk SOAR (Cloud) playbooks.
If you are creating a playbook that uses Splunk Mission Control data from incidents, use the Mission Control block. If your data doesn't come from Splunk Mission Control, use the Utility block. For more information on the Utility block, see Add functionality to your playbook in Splunk SOAR (Cloud) using the Utility block in the Splunk SOAR (Cloud) Build Playbooks with the Playbook Editor manual.
Steps
- Select an incident from the Incident review page in Splunk Mission Control.
- Select the Automation tab.
- Select Run playbook.
- Locate and select the playbook that you want to run from the list.
- Set the Scope to decide which events to process in the playbook run. To process only new events since the last run of this playbook, select New Events. To process all events in the playbook run, select All Events.
- Select Run playbook.
After you run a playbook, you can view the details by selecting the entry in Automation history.
Run an action
When you're investigating an incident in Splunk Mission Control, you can use the Automation tab to run an action. With the SOAR Community Edition license, you can run up to 100 actions per day in Splunk Mission Control. To upgrade to unlimited actions, contact your account manager.
Prerequisite
Before you can run actions on an incident, you must configure connectors in Splunk SOAR (Cloud). See Add and configure apps and assets to provide actions in Splunk SOAR (Cloud) in the Administer Splunk SOAR (Cloud) manual.
Steps
- Select an incident from the Incident review page in Splunk Mission Control.
- Select the Automation tab.
- Select Run Action.
- Run an action by following these steps in any order:
  - Select the Connector that you want to use to run the action.
  - Select the Action that you want to run from the list.
  - Add the required information for your connector and action to configure the action.
- Select Run Action.
After you run an action, you can view its details by selecting the entry in Automation history.
Review playbook and action results
After a playbook or action runs, you can view the results in the Automation history section of an incident. Each entry represents a connector with actions run on the incident. Select an entry to view more details about the action or playbook run.
- Select an incident from the Incident review page in Splunk Mission Control.
- Select the Automation tab.
- If you're investigating an incident that's part of a parent-child relationship, use the drop-down list in the Incident field to select which incident's automation history you want to view.
- From the Automation history section, select an action or playbook run that you want to learn more about. You can search for a particular playbook or action run by name, filter runs with the Show drop-down list, and sort runs with the Sort drop-down list.
- (Optional) Some entries default to a table view while others default to a map view. You can view the action or playbook run details in the default visual format, or you can switch to a JSON format. To switch from either a map or a table view to a JSON format view, select the JSON source code icon.
  You can only review failed action and playbook runs with the JSON format view.
- (Optional) Select the download icon to download the JSON output for the action or playbook run.
- (Optional) For playbook runs, select Open Playbook to view the associated playbook in Splunk SOAR (Cloud). To learn more about playbooks, see Use playbooks to automate analyst workflows in Splunk SOAR (Cloud) in the Splunk SOAR (Cloud) Build Playbooks with the Playbook Editor manual.
Set up actions and playbooks to run with response template tasks
You can automate your incident response by setting up actions and playbooks to run with a specific response template task in Splunk Mission Control. Setting up an action or playbook to run on a task might be helpful for analysts who prefer to add tasks or response templates as their investigation proceeds. For example, if you want a response template to automatically add a new phase at the completion of a task, you can set up a playbook to run with that response template task.
To set up an action or playbook to run with a response template task, complete the following steps:
- In Splunk Mission Control, select Content, then select Response Templates.
- Open an existing response template, or create a new one. See Create response templates.
- Expand the phase you want to edit, or select + Phase.
- Expand the task you want to edit, or select + Task.
- To set up an action to run with a response template task, complete the following steps:
  - Expand the Actions section.
  - Select + Action.
  - Select the Connector that you want to use to run the action.
  - Select the Action that you want to run from the list.
  - Add the required information for your connector and action to configure the action.
  - Select Submit.
- To set up a playbook to run with a response template task, complete the following steps:
  - Expand the Playbooks section.
  - Select + Playbook.
  - Locate and select the playbook that you want to run from the list.
  - Set the Playbook scope to decide which events the playbook run processes. Selecting New events processes only events that are new since the last playbook run, and selecting All events processes all events.
  - Select Submit.
- (Optional) To remove an action or playbook run from a response template task, select the remove icon next to the respective action or playbook.
- Toggle the Status switch to Published, and select Save changes to publish the response template. You can only add published response templates to incidents.
After you set up an action or playbook to run with a response template task, you can find the status of the action or playbook, such as Failed or Completed, by selecting the task in the Response tab of an incident.
Delegate or respond to a prompt
A prompt is a checkpoint that determines a playbook action workflow based on a user's response in Splunk Mission Control. Respond to a prompt to change or confirm the next playbook action, or delegate the prompt to another user.
For example, if a playbook locks an account for suspicious login attempts, a prompt block can pose the question "Do you want to lock this user's account?" to an analyst before running the action. To delegate or respond to a prompt, complete the following steps:
- Select an incident from the Incident review page in Splunk Mission Control.
- Select the Automation tab.
- Select Prompts. The badge represents the number of prompts assigned to you that you haven't responded to yet.
- Find the prompt you want to delegate or respond to and select View.
You can only view a prompt if you are the owner of that prompt.
- Review the prompt details such as the deadline, the associated playbook, and the message.
- If you want to respond to the prompt, select an answer to the question.
- If you want to assign the prompt to another user, select the Delegate check box.
- Select a user or role from the drop-down list to delegate the prompt to.
- Enter a reason for delegating the prompt so that the receiving user understands why you're assigning it to them.
- Select Submit.
After you delegate or respond to a prompt, the status and response for that prompt update. If the status is Approved, for example, the playbook runs the succeeding action. If the status is Delegated, the reason for delegation appears as the response.
Troubleshoot Splunk SOAR functionality in Splunk Mission Control
Splunk Mission Control establishes a connection with Splunk SOAR by adding the SOAR IP address to the Splunk Cloud Platform API allow list. Users can modify the Splunk Cloud Platform API allow list, including adding and removing the SOAR IP address. Removing the SOAR IP address from the list causes the connection between Splunk Mission Control and Splunk SOAR to fail. To use automation functionality in Splunk Mission Control, including running actions and playbooks, you must add the Splunk SOAR IP address back into the Splunk Cloud Platform API allow list.
If the Splunk SOAR IP address is missing from the Splunk Cloud Platform IP allow list, add the IP address back in using the Admin Config Service (ACS) API. For more details, see Configure IP allow lists for Splunk Cloud Platform in the Admin Config Service Manual.
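The following POSIX shell script is an added example, not part of the Splunk documentation: it reads the Splunk Cloud Platform API allow list through ACS and re-adds the SOAR address only when it is missing, so running it repeatedly is safe. The stack name, the SOAR subnet, the `search-api` feature name and the ACS endpoint path are assumptions and placeholders to replace with the values for your environment.

```shell
#!/bin/sh
# Added example, not Splunk's own code. Assumptions: the ACS base URL, the
# "search-api" feature name for the Splunk Cloud Platform API allow list, the
# stack name and the SOAR subnet are placeholders for your environment.
STACK="${STACK:-mystack}"
ACS_URL="https://admin.splunk.com/${STACK}/adminconfig/v2/access/search-api/ipallowlists"
SOAR_SUBNET="${SOAR_SUBNET:-203.0.113.10/32}"   # placeholder (RFC 5737 range)

# Read allow-list JSON on stdin; succeed only if the exact subnet string is listed.
# Fixed-string match on the quoted value so 203.0.113.1/32 never matches 203.0.113.10/32.
subnet_in_allowlist() {
  grep -qF "\"$1\""
}

# Build the ACS request body for one subnet.
allowlist_body() {
  printf '{"subnets":["%s"]}' "$1"
}

# Fetch the current allow list for the feature.
fetch_allowlist() {
  curl -sS -f -H "Authorization: Bearer ${ACS_TOKEN}" "$ACS_URL"
}

# Add one subnet to the allow list.
add_subnet() {
  curl -sS -f -X POST -H "Authorization: Bearer ${ACS_TOKEN}" \
    -H 'Content-Type: application/json' \
    -d "$(allowlist_body "$1")" "$ACS_URL"
}

# Idempotent repair: only POST when the SOAR subnet is absent.
ensure_soar_allowed() {
  if fetch_allowlist | subnet_in_allowlist "$SOAR_SUBNET"; then
    echo "SOAR subnet $SOAR_SUBNET already allow-listed"
  else
    echo "SOAR subnet $SOAR_SUBNET missing; adding it"
    add_subnet "$SOAR_SUBNET"
  fi
}

# Only contact ACS when a token is provided, so the script is safe to source.
if [ -n "${ACS_TOKEN:-}" ]; then
  ensure_soar_allowed
fi
```

Export an ACS token as ACS_TOKEN and set STACK and SOAR_SUBNET before running; after the script reports the subnet as present, retry a playbook or action run from the Automation tab to confirm the connection works again.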
This documentation applies to the following versions of Splunk® Mission Control: Current