Associate an investigation type with a response plan in Splunk Enterprise Security
You can associate one or more investigations with specific response plans based on the investigation type. After you create an investigation type and associate it with a response plan, any new investigation created with that investigation type applies the response plan you selected.
Prerequisites
Before you can associate an investigation type with a response plan, complete the following:
- Create an investigation type.
- Create a response plan or add a response plan included with Splunk Enterprise Security.
Steps
Follow these steps to associate an investigation type with a response plan in Splunk Enterprise Security:
- In Splunk Enterprise Security, select Configure from the main menu navigation bar.
- Select Findings and investigations and then Investigation types.
- On the Investigation types page, create a new investigation type, or select an existing investigation type from the table.
- In the Investigation type associations section, expand the Response plans section.
- Select Assign response plan.
- From the list of available response plans, select the ones you want to apply to the investigation type. Only published response plans appear in this list. You can drag and drop the response plans to change the order. The response plan listed first is the default response plan for the investigation type.
- (Optional) Create a new response plan to associate with the investigation type by selecting Create new response plan.
After you associate an investigation type with a response plan, any new investigation created with that investigation type becomes associated with the response plan that you selected. You can see your response plans in the Response tab of the investigation you're working on.
If you add any additional response plans to an investigation type after you save it for the first time, then those response plans apply only to newly started investigations.
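The three rules the procedure above relies on (only published response plans can be assigned, the first plan in the order is the default, and an investigation copies the type's plans when it is created so later additions reach only new investigations) can be made explicit in a small model. The following is an added illustration and is not Splunk's own code or REST API; the class and method names are assumptions chosen to mirror the page's wording, and the investigation names are constructed sample values.

```python
"""Model of the investigation-type / response-plan association behaviour.

Added illustration, not Splunk Enterprise Security code. The names below
(ResponsePlan, InvestigationType, Investigation, assign_response_plans,
reorder) are assumptions; the rules modelled come from the page:
  * only published response plans can be assigned to an investigation type
  * the response plan listed first is the default for that type
  * an investigation copies the type's plans at creation time, so plans added
    to the type afterwards apply only to investigations started afterwards
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ResponsePlan:
    name: str
    published: bool = True


@dataclass
class InvestigationType:
    name: str
    # Ordered list; index 0 is the default response plan for this type.
    response_plans: list = field(default_factory=list)

    def assign_response_plans(self, plans):
        """Append plans in the given order, skipping unpublished ones and duplicates."""
        for plan in plans:
            if not plan.published:
                continue  # unpublished plans never appear in the picker
            if plan not in self.response_plans:
                self.response_plans.append(plan)
        return self.response_plans

    def reorder(self, names):
        """Drag-and-drop equivalent: reorder the assigned plans by name."""
        by_name = {p.name: p for p in self.response_plans}
        if sorted(names) != sorted(by_name):
            raise ValueError("reorder must list every assigned plan exactly once")
        self.response_plans = [by_name[n] for n in names]
        return self.response_plans

    @property
    def default_plan(self):
        return self.response_plans[0] if self.response_plans else None


@dataclass
class Investigation:
    title: str
    investigation_type: InvestigationType
    # Snapshot taken at creation; later changes to the type do not propagate.
    response_plans: list = field(init=False)

    def __post_init__(self):
        self.response_plans = list(self.investigation_type.response_plans)


def demo():
    """Walk through the page's rules and return the observable results."""
    phishing = InvestigationType("Phishing")  # constructed sample type
    triage = ResponsePlan("Phishing triage")
    containment = ResponsePlan("Mailbox containment")
    draft = ResponsePlan("Draft plan", published=False)  # filtered out

    phishing.assign_response_plans([triage, containment, draft])
    first = Investigation("INV-1 (constructed)", phishing)

    # A plan added after INV-1 exists only reaches investigations started later.
    phishing.assign_response_plans([ResponsePlan("Escalate to IR")])
    second = Investigation("INV-2 (constructed)", phishing)

    return {
        "type_default": phishing.default_plan.name,
        "first_plans": [p.name for p in first.response_plans],
        "second_plans": [p.name for p in second.response_plans],
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows that the unpublished draft never lands on the type, that "Phishing triage" stays the default because it was assigned first, and that the plan added after INV-1 was opened appears only on INV-2.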
See also
For more information on response plans and investigations, see the product documentation:
- Add a response plan to an investigation in Splunk Enterprise Security
- Integration of Splunk SOAR with Splunk Enterprise Security
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1