Splunk® Mission Control

Investigate and Respond to Threats in Splunk Mission Control

Triage incidents using incident review in Splunk Mission Control

Triage incidents using the Incident review page in Splunk Mission Control. Review the list of incidents in the queue for potential security incidents that require further investigation. These incidents include notable events automatically sent from Splunk Enterprise Security (Cloud) and other alarm and security event data that you create in Splunk Mission Control.

Review incidents

To view a list of incidents in Splunk Mission Control, select Incident review. The incident review page updates every 2 minutes. You can view information about incidents using the default time range of the last 24 hours or another time range that you select. Incidents appear in the order they were created or ingested with the most recent incidents listed first. To change the order that incidents appear in the incident review table, see Sort incidents in the incident review table.

If you can't see any incidents on the Incident review page, you might need to add the mc_aux_incidents index to your role. See Manage indexes for roles in Splunk Mission Control.

If you created a suppression in Splunk Enterprise Security (Cloud) to hide particular notable events from the incident review dashboard, those suppressed notable events appear as incidents in the incident review table of Splunk Mission Control. To filter and organize incidents in Splunk Mission Control, see Apply filters and save filtered views for incidents.

The following table describes the default fields for incidents in the incident review table and states whether or not changes to the field value sync between Splunk Mission Control and Splunk Enterprise Security (Cloud).

Name | Description | Supports synced changes
Incident ID | The unique identification number for the incident. You can search for an incident using the incident ID and then navigate to the investigation overview page for that incident. You can also hover over the incident ID and select the clip icon to copy the link to that incident's overview page. | No
Name | The name of the incident. | No
Description | The description of the incident. | No
Created | The date and time the incident was first created. | No
Updated | The date and time the incident was last updated. | No
SLA | The service-level agreement, or the time left to respond to or remediate the incident. | No
Owner | The person the incident is assigned to. | Yes
Status | The status of the incident. | Yes
Urgency | The urgency of the incident. | Yes
Sensitivity | The sensitivity of the incident based on the US-CERT TLP. | No
Disposition | The classification of the incident. For example, True Positive or False Positive. | Yes
Source type | Where the incident comes from. The source is either a Splunk Enterprise Security (Cloud) notable event or a Splunk Mission Control incident. | No
Incident type | An incident's association with other components in Splunk Mission Control, such as response templates. See Create incident types. | No

If you make changes to the Status, Disposition, Urgency, or Owner field values in either Splunk Enterprise Security (Cloud) or Splunk Mission Control, the changes sync in the other application. See Customize incident review and disposition settings for more information.

Sort incidents in the incident review table

In Splunk Mission Control, you can sort incidents in the incident review table by only one field at a time. You can sort by default fields provided by Splunk Mission Control, or you can sort by custom fields that you add to the incident review table. See Customize the incident review table.

To sort incidents, select the column header of the field you want to sort by on the Incident review page. Then, select the up or down arrow icon to determine which incidents appear first.

Incidents do not appear in their sorted order until after Splunk Mission Control finishes loading all relevant incidents.

Some fields, such as SLA time, follow continuous ordering, meaning their values fall along a constant scale. You can sort incidents from soonest to latest SLA time or the reverse. Other fields, such as Status and Disposition, follow discrete ordering, meaning their values fall into distinct, separate categories.

The following table describes the logical ordering of values for discrete ordered fields:

Field Order of values
Status
  1. Unassigned
  2. In progress
  3. Pending
  4. Resolved
  5. Closed
Disposition
  1. Unassigned
  2. True positive
  3. Benign positive
  4. False positive - Incorrect analytic data
  5. False positive - Inaccurate data
  6. Other
  7. Undetermined

You can also add custom values for the status and disposition fields. See Customize status settings and Customize incident review and disposition settings for details on how to add custom values. Any value that you create becomes the next consecutive value in the order of values. For example, if you create a value for status called Blocked, that value becomes sixth in the order. Then, you can sort incidents from Unassigned to Blocked or the reverse. If you add more custom values, those values rank incrementally in the order that you create them.

Customize the incident review table

You can add, remove, and reorder fields in the incident review table to customize the incident information you see during the triage process in Splunk Mission Control. You can also adjust the settings for how you want to view parent and child incidents in the incident review table.

The incident review table settings are specific to individual users. As an admin, you can't globally customize the incident review table for users.

To customize the incident review table, complete the following steps:

  1. In Splunk Mission Control, select Incident review.
  2. Select the settings icon to open the table settings.
  3. (Optional) In the Parent and child incidents section, deselect the check box for hiding child incidents in the incident review table. By default, parent incidents are collapsible, and you can expand a parent incident to see its related child incidents. If you deselect this option, all incidents appear as separate entries in the incident review table regardless of their parent-child relationship.

    If you hide child incidents in the incident review table, the total incident count doesn't include child incidents.

  4. In the Available columns section, select the check boxes for the fields you want to include in the table. Deselect the check boxes for the fields you want to remove from the table. You can search for and select any summary or incident fields provided by Splunk Mission Control, such as Reference ID or Dest, as well as any custom fields that you created.

    You can't remove the Name field from the incident review table, and you can't add more than 20 columns.

  5. In the Selected columns section, drag and drop the move icon to place the fields in the order you want them to appear in the table. You can also remove a field from the Selected columns section by selecting the remove icon.
  6. Select Apply to save your changes.

After you apply your changes, you can continue to triage incidents from your customized incident review table.

Perform bulk actions on incidents

You can select multiple incidents in the Incident review table to update in bulk or to run a playbook on at the same time.

Edit multiple incidents

To make changes that apply to multiple incidents, follow these steps:

  1. Navigate to the Incident review page in Splunk Mission Control.
  2. Select the check boxes of the incidents you want to edit, or select the check box in the menu header to update all incidents.
  3. Select Edit.
  4. Select the fields you want to update across the incidents you selected. If you are updating many incidents at once, you might want to create a filter first so that you can use the check box in the Incident review table header to select all of the matching incidents at once. See Apply filters and save filtered views for incidents.
  5. Select Submit.
    A message appears to notify you if the incidents were updated successfully or not.

Run playbooks on multiple incidents

To run a playbook on multiple incidents, follow these steps:

  1. Navigate to the Incident review page in Splunk Mission Control.
  2. Select the check boxes of the incidents you want to run the playbook on, or select the check box in the menu header to run the playbook on all incidents.
  3. Select Run playbook.
  4. Locate and select the playbook that you want to run on the selected incidents.
  5. Set the Scope to decide which events to process in the playbook run. To process only new events since the last run of this playbook, select New Events. To process all events in the playbook run, select All Events.
  6. Select Run playbook.
    Success or error messages appear to notify you if the playbook started successfully on your selected incidents or not.

View the playbook run details by selecting the entry in Automation history. For more information about playbooks, see Automate incident response with playbooks and actions in Splunk Mission Control.

Apply filters and save filtered views for incidents

On the Incident review page in Splunk Mission Control, you can apply filters to incidents and save the view to help organize and triage incidents. To apply filters, save a filtered view, and apply that filtered view on the incident review table, complete the following steps:

  1. To apply a filter, select the column header of the field you want to filter incidents by. Not all fields are filterable. You can see the sorting and filtering options for a field by selecting the down arrow icon in the column header. Fields that aren't filterable don't have a filter menu with check boxes.

    You can also apply a filter by entering a search in the incident review search bar.

  2. In the filter menu, select a value. For some fields, such as Urgency, you can select multiple values, such as Critical and High. For other fields, such as Owner, you can only select a single value.
  3. (Optional) To remove a filter so that it no longer applies to incidents in the incident review table, select the remove icon next to the respective filter, or select Clear all to remove them all. Removing a filter doesn't delete it from any filtered views you saved.
  4. When you're ready to save the view, select Save. You can save a view only after you apply at least one filter.
  5. If you want to save the filtered view as a new view, enter the name of your filtered view in the New tab.
    1. Review the filter configuration to make sure that the fields and their respective values are the ones you want to save.
  6. If you want to save the filtered view by replacing an existing view, select the Existing tab.
    1. Select a view from the Existing saved filter drop-down list to replace it with your new view.
  7. Select Save.
  8. To apply a filtered view to incidents, select the one you want from the Saved filters drop-down list.

Manage filtered views

You can delete and reorder filtered views that you previously saved. To manage filtered views, complete the following steps:

  1. Select the Saved filters drop-down list.
  2. Select Manage saved filters.
  3. To delete a filtered view, select the delete icon (trash can) next to the filtered view you want to delete.
  4. To reorder filtered views, select the move icon and drag and drop the filtered views into the order you want.
  5. Select Save to apply your changes.

Triage incidents

You can triage incidents from the Incident review page by assigning them to yourself and modifying their status. If you have permission to edit incidents, you can also assign an incident to someone else.

  1. Hover over the incident you want to triage and select Preview. To find a particular incident, you can search for it using the incident ID with the MC-XXXXX syntax.

    If you hide child incidents in the incident review table, you can still search for a child incident using its incident ID. After you search for a child incident, you can find its related parent incident by selecting the child incident. Selecting the incident opens the Overview tab where you can investigate both the parent and child incidents.

  2. Triage the incident by configuring your desired fields such as Owner, Status, Urgency, Sensitivity, Incident type, or Disposition.
  3. (Optional) View the risk-based alerting (RBA) scores associated with the artifacts to help you understand the likelihood of the artifact being a potential threat. See View risk-based alerting scores for artifacts for more information.
  4. (Optional) Select View contributing events to open a search that identifies which events contributed to the generation of the incident.
  5. (Optional) If this incident was ingested from Splunk Enterprise Security, select View all recent activity for this Notable Event. You are taken to the search page where you can see the activity of this incident for the time period you select.
  6. (Optional) Select the more icon (three dots), then select Edit to edit the name, description, and other fields for the incident.
  7. (Optional) Select the more icon (three dots), then select Run playbook. Next, select or search for a playbook to run it on the incident. The details of the playbook run appear on the Automation tab of the incident.

After assigning an incident to yourself and modifying the status, you can begin working on it.

Incidents sent from Splunk Enterprise Security (Cloud) to Splunk Mission Control automatically sync every status, urgency, disposition, and sensitivity change made in Splunk Mission Control with Splunk Enterprise Security (Cloud).

Last modified on 18 October, 2023

This documentation applies to the following versions of Splunk® Mission Control: Current

