Splunk® Mission Control

Investigate and Respond to Threats in Splunk Mission Control

Investigate an incident in Splunk Mission Control

After you triage an incident on the Incident review page of Splunk Mission Control, select the incident, or select Preview and then View details, to start investigating it. To find a particular incident to investigate, search for it on the Incident review page by its incident ID, using the MC-XXXXX syntax.

You can find the summary fields and custom fields listed in the Overview tab, and you can find the incident fields in the side panel.

If you're investigating an incident that's part of a parent-child relationship, select which incident you want to view using the drop-down list in the Incident field. You can also select the check box to distinguish which summary field values belong to child incidents. If you select this option, values that belong to child incidents are marked with the child incident icon (child incident icon), and values that belong to both child and parent incidents are marked with the combined icon (both icon). Hover over the icon to see which child incidents the value originated from.

Create a summary field for an incident

Use summary fields to document metadata that isn't automatically provided for an incident in Splunk Mission Control. Unlike custom fields, summary fields apply only to the incidents for which you create them. See Create a custom field for more information about custom fields.

When you create a summary field, you must specify its name and one or more values. For example, if you want to document the IP address associated with a particular incident, you can create a summary field named IP with a value of 20.20.20.20. You can view and edit summary field values for an incident in the Overview tab.

To create a summary field for an existing incident, follow these steps:

  1. Select an incident from the Incident review page of Splunk Mission Control.
  2. In the Summary section of the Overview tab, select +.
  3. Enter a name and value for the summary field.
    1. (Optional) To add a value to your summary field, select + next to the field.
    2. (Optional) To delete a value from your summary field, select × next to the value.
    3. (Optional) To delete your summary field entirely, select × next to the field. Your field must have only one value for you to delete it.
  4. (Optional) To create an additional field, select + Summary field, then follow the instructions in the previous step.
  5. Select Submit.

Edit field values for an incident

When you're investigating an incident in Splunk Mission Control, you can edit and automatically save changes to the following incident field values in the Info section of the side panel:

  • Owner
  • Status
  • Urgency
  • Sensitivity
  • Incident type
  • Disposition

In the Overview tab, you can edit summary field values, including any values for custom fields you created, by selecting the edit icon (edit icon) and then following the steps for each type of action:

  • Add field value: Select + next to the field to which you want to add a value.
  • Edit field value: Select the field value you want to edit. You can add or remove text from the value.
  • Delete field value: Select × next to the value you want to delete. If the field has only one value, deleting the value deletes the field entirely.
  • Delete field: If the field you want to delete has multiple values, hover over the field and select the trash can icon (trash can icon). If the field has only one value, select × next to the value.

After you edit the field values, select Save. To discard the changes, select ×.

You can't add or edit summary fields in the aggregate view for parent and child incidents. To create or edit summary fields for an incident, switch the view by selecting the parent or child incident in the Summary section.

View incident information

To view details and dates associated with an incident, see the Info section of the side panel. The details reveal field-value pairs that are valuable to your investigation. For example, you can find the source and destination involved in a malware infection on an endpoint incident, and you can find the reference ID, which is the incident's globally unique identifier.

You can view other types of incident information as follows:

  • Recent activity for a notable event: If an incident was ingested from Splunk Enterprise Security (ES), select View all recent activity for this Notable Event. You are taken to the search page, where you can see the activity of the incident for the time period you select.
  • Contributing events: You can further investigate an incident by opening a contributing search. A contributing search identifies which events contributed to the generation of the incident. Select View contributing events to open the search. To learn more about events, see Add events to an incident in Splunk Mission Control.
  • SOAR container: Each incident in Splunk Mission Control is associated with a container in Splunk SOAR. Select View container to open Splunk SOAR and see the container associated with the incident.
  • ES notable: Some incidents in Splunk Mission Control are associated with a notable event in ES. If applicable, select View notable event to open ES and see the notable event from which the incident originated.

Manage notes and files for an incident

You can access, sort, and search for notes and files across multiple response plans all from the side panel of an incident investigation. Notes and files that are not associated with a particular response task are called general notes and files. You can add general notes and files to the incident in the side panel of your incident investigation while simultaneously viewing incident data.

To manage notes and files, complete the following steps:

  1. After you triage an incident on the Incident review page of Splunk Mission Control, select the incident or select Preview and then View details.
  2. In the side panel, expand the section you want to view.
  3. If you're investigating an incident that's part of a parent-child relationship, select which incident you want to view notes or files for using the drop-down list in the Incident field.
  4. Add the first file or note, or select the add icon (add icon) to contribute to the thread. You can't use more than 250 characters in the note title, and you can't use more than 10,000 characters in the note description.
    1. (Optional) Use Markdown syntax to format the text in the note and add tables, links, and other useful information about the incident.

      Markdown doesn't support adding links with HTML. You must use the [title](https://www.example.com) syntax to create a link. See the "Cheat Sheet" on the Markdown Guide website for more details.

    2. Select Save to publish a new note.
  5. To search notes or files, select the search icon (search icon) to view the search bar, and then enter your search. You can search note titles, note content, and file names.
  6. To sort notes or files by time added or modified, select the arrow icon. The up arrow icon (up arrow icon for sorting) sorts items from newest at the top to oldest at the bottom, and the down arrow icon (down arrow icon for sorting) sorts items in the reverse order.
  7. To filter notes or files, select the drop-down list. You can filter by General or Response. Response files and notes are those added to a particular response task. General files and notes are those added directly to an incident and are not associated with any response task.

    Select the link attached to a response file to navigate to the response task associated with that file. You can work on the response plan from there in the Response tab.

  8. To edit or delete a note, select the more icon (more icon) next to the one you want to modify.
  9. To download or delete a file, use the icons next to the file you want to download or delete.

By adding, sorting, and searching notes and files, you can help other analysts understand your process. You might want to continue documenting your progress in your incident investigation by updating the status of tasks and phases in the response plan. See Respond to an incident using response phases and tasks.

You can also copy files to use with Splunk Mission Control automation features. Hover over the information icon (information icon) on a file to find the vault ID, and then highlight and select the ID to copy it. See Automate incident response with playbooks and actions in Splunk Mission Control to learn more about automation.

Last modified on 21 November, 2023

This documentation applies to the following versions of Splunk® Mission Control: Current