Create an incident in Splunk Mission Control
Splunk Mission Control automatically ingests all of your Splunk Enterprise Security (Cloud) notable events as incidents. You can also create incidents in Splunk Mission Control on the Incident review page.
To manually create an incident in Splunk Mission Control, complete the following steps:
- Select the Incident review page in Splunk Mission Control.
- Select + Incident.
- Enter a name for the incident in the Name field.
- (Optional) Expand the Advanced section to configure more incident fields. You can use the drop-down lists to change the default field values.
- (Optional) Change the default status.
- (Optional) Change the default urgency.
- (Optional) Change the default sensitivity for the incident based on the US-CERT TLP.
- (Optional) Change the default incident type to associate an incident with another area of Splunk Mission Control, such as a response template.
  When you create an incident in Splunk Mission Control with summary data, all active playbooks that operate on the incident type for that incident run automatically. To learn more about incident types, see Create incident types.
- (Optional) Change the default disposition value to reflect the classification of the incident.
- (Optional) Enter a description for the incident.
- Select Submit to save and create the incident.
After you create an incident, you can start investigating it. Select View incident in the dialog box to open the incident's investigation in the Overview tab. See Investigate an incident in Splunk Mission Control.
To see the new incident in the incident review table, you must refresh the page.
This documentation applies to the following versions of Splunk® Mission Control: Current