Splunk® Enterprise Security

Administer Splunk Enterprise Security

Associate an investigation type with a response plan in Splunk Enterprise Security

You can associate one or more investigations with specific response plans based on the investigation type. After you create an investigation type and associate it with a response plan, any new investigation created with that investigation type applies the response plan you selected.

Prerequisites

Before you can associate an investigation type with a response plan, complete the following:

  • Create an investigation type.
  • Create a response plan or add a response plan included with Splunk Enterprise Security.

Steps

Follow these steps to associate an investigation type with a response plan in Splunk Enterprise Security:

  1. In Splunk Enterprise Security, select Configure from the main menu navigation bar.
  2. Select Findings and investigations and then Investigation types.
  3. On the Investigation types page, create a new investigation type, or select an existing investigation type from the table.
  4. In the Investigation type associations section, expand the Response plans section.
  5. Select Assign response plan.
  6. From the list of available response plans, select the ones you want to apply to the investigation type. Only published response plans appear in this list. You can drag and drop the response plans to change the order. The response plan listed first is the default response plan for the investigation type.
  7. (Optional) Create a new response plan to associate with the investigation type by selecting Create new response plan.

After you associate an investigation type with a response plan, any new investigation created with that investigation type becomes associated with the response plan that you selected. You can see your response plans in the Response tab of the investigation you're working on.

If you add any additional response plans to an investigation type after you save it for the first time, then those response plans apply only to newly started investigations.


See also

For more information on response plans and investigations, see the product documentation:

Last modified on 01 October, 2024
Add a response plan to an investigation in Splunk Enterprise Security   Integration of Splunk SOAR with Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters