Splunk® Mission Control

Investigate and Respond to Threats in Splunk Mission Control

Create an incident in Splunk Mission Control

Splunk Mission Control automatically ingests all of your Splunk Enterprise Security (Cloud) notable events as incidents. You can also create incidents in Splunk Mission Control on the Incident review page.

To manually create an incident in Splunk Mission Control, complete the following steps:

  1. Select the Incident review page in Splunk Mission Control.
  2. Select + Incident.
  3. Enter a name for the incident in the Name field.
  4. (Optional) Expand the Advanced section to configure more incident fields. You can use the drop-down lists to change the default field values.
    1. (Optional) Change the default status.
    2. (Optional) Change the default urgency.
    3. (Optional) Change the default sensitivity for the incident based on the US-CERT TLP.
    4. (Optional) Change the default incident type to associate an incident with another area of Splunk Mission Control, such as a response template.

      When you create an incident in Splunk Mission Control with summary data, all active playbooks that operate on the incident type for that incident run automatically. To learn more about incident types, see Create incident types.

    5. (Optional) Change the default disposition value to reflect the classification of the incident.
    6. (Optional) Enter a description for the incident.
  5. Select Submit to save and create the incident.

After you create an incident, you can start investigating it. Select View incident in the dialog box to open the incident's investigation in the Overview tab. See Investigate an incident in Splunk Mission Control.

To see the new incident in the incident review table, you must refresh the page.

Last modified on 18 October, 2023
Triage incidents using incident review in Splunk Mission Control   Group incidents by creating parent-child relationships in Splunk Mission Control

This documentation applies to the following versions of Splunk® Mission Control: Current

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters