Add a response plan to an investigation in Splunk Enterprise Security

Add a response plan to an investigation in Splunk Enterprise Security so that analysts can follow response guidelines for that particular investigation.

Add one or more response plans to an investigation

Using a response plan helps you remember and track all the tasks relevant to an investigation. You can add one or more response plans to an investigation after you start the investigation. After you add a response plan to a particular investigation, any changes you make to the response plan are not applied to the original response plan and apply only to that particular investigation.

Prerequisites

Before you can add a response plan to an investigation, complete the following:

• Create your own response plan or add a response plan included with Splunk Enterprise Security.
• Publish the response plan you want to add to the investigation. You can only add published response plans to investigations.

Steps

Follow these steps to add a response plan to an investigation:

1. Select an investigation from the analyst queue on the Mission Control page.
2. Select View details.
3. Select the Response tab.
4. Select + Response to add a response plan to the investigation.
5. Select a response plan from the drop-down list.
6. Select Submit to apply the response plan to the investigation.
7. (Optional) Repeat these steps to add another response plan to the investigation.

Manage response plans for an investigation

You can add response plans to an investigation, reorder them, and delete the ones you no longer want.

Follow these steps to manage response plans for an investigation:

1. Select an investigation from the analyst queue on the Mission Control page.
2. Select View details.
3. Select the Response tab.
4. Open the drop-down list next to the name of the response plan.
5. Select Manage plans.
6. To add a response plan to the investigation, select + Response.
7. To reorder a response plan in the list, select and drag the move icon ( ). You can drop the response plan anywhere in the list.
8. If there are multiple response plans, you can delete some. To delete a response plan, select the trash icon ( ).
9. Select Done.

Add tokens in response plans

Use tokens inside response plans and use the value of the token to substitute the response plan in an investigation. A token is a variable that you can use in response plans to standardize your response to investigations.

You can add a token to the following fields in a response plan:

• Response plan name
• Response plan description
• Phase name
• Phase description
• Task name
• Task description
• Searches

Splunk Enterprise Security supports predefined tokens such as status, urgency, sensitivity, investigation_id, and others. For example, if you want the status of an investigation, such as New or Pending, to appear in a search embedded in a response plan task, you can add the $status$ token to a new search in the response plan task.

Follow these steps to add a token to a response plan:

1. In Splunk Enterprise Security, select Security content, then select Response plans.
2. Open an existing response plan, or create a new one.
3. Select the field in the response plan that you want to add a token to. For example, if you want to add a token to a phase name, expand the phase that you want to edit, and then select the phase name field.
4. In the field that you're editing, enter the name of the token you want to use with the $token_name$ syntax. For example, if you want to use the status token, enter $status$.
5. Select Save changes.

See also

For more information on response plans, see the product documentation:

• Create response plans in Splunk Enterprise Security
• Included response plans in Splunk Enterprise Security
• Embed new and existing searches in response plan tasks in Splunk Enterprise Security