Splunk® Mission Control

Investigate and Respond to Threats in Splunk Mission Control


Create response templates to establish guidelines for incident response in Splunk Mission Control

Standardize the response tasks and phases that analysts complete when investigating and responding to incidents by creating and modifying response templates.

Create response templates

Create a response template to establish guidelines for analysts to use when they investigate incidents.

  1. In Splunk Mission Control, select Content, then select Response templates.
  2. Select + Response Template.
  3. Enter a name for the response template in the Title text box.

    You can't enter a title with more than 250 characters for response templates, phases, and tasks. Additionally, you can't enter a description with more than 7,000 characters for response templates and tasks.

  4. (Optional) Enter a description for the response template to describe what someone might use it for. For example, "Guide response to a ransomware infection".
  5. Select + Phase and enter a name for a phase of the response template. For example, "Contain infection".
  6. Select + Task to add a task to the phase.
  7. Enter a name for the task. For example, "Quarantine the device".
  8. (Optional) Select an owner from the drop-down list to always assign this task to a specific person.
  9. (Optional) Select the check box to require a note upon task completion.
  10. Select the down arrow to expand the task and add details.
  11. (Optional) Enter a description for the task. You can use Markdown syntax to format the text in the description and add tables, links, and other useful information to help an analyst complete the task.

    The description field doesn't render HTML, so you can't add a link with an HTML tag. Use the Markdown [title](https://www.example.com) syntax to create a link. See the "Cheat Sheet" on the Markdown Guide website for more details.

  12. (Optional) Select + Action or + Playbook to set an action or playbook to run with the task. See Set up actions and playbooks to run with response template tasks to automate your incident response.
  13. (Optional) Select + Search to embed a search in the task. See Embed new and existing searches in response template tasks.
  14. (Optional) Select + Phase to add another phase to the response template.
  15. Continue adding phases and tasks until your response template is complete.
  16. Toggle the Status switch to Published and select Save Changes to publish the response template. You can only add published response templates to incidents.

After you create a response template, you might want to apply it to an incident. See Apply response templates to standardize response to incidents in Splunk Mission Control.

Manage response templates

The response template table in Splunk Mission Control lists all of your drafted and published response templates, both the default response templates that ship with Splunk Mission Control and any response templates you created. You can manage your response templates by modifying and sorting them.

Modify response templates

You can edit, copy, and delete response templates that you created. Changes that you make to response templates are not versioned, so there is no history to roll back to. If you edit an already-published response template, it stays published and does not revert to a draft, which means your changes are immediately visible to analysts who apply the template. If you want to try out changes first, copy the published template and edit the copy.

The response templates included with Splunk Mission Control are read-only. You can copy them, but you can't edit or delete them. To see a list of the default response templates, see Included response templates in Splunk Mission Control.

To modify a response template, complete the following steps:

  1. In Splunk Mission Control, select Content, then select Response Templates.
  2. Locate the response template you want to modify.
  3. To edit the response template, select the name of the one you want to modify.
    1. Make the changes you want to the phases and tasks.
    2. If your template is not yet published, toggle the Status switch to Published and select Save Changes to publish the response template and make it available for analysts to use.
    3. If your template is already published, select Save Changes.
  4. To delete the response template, select the More icon.
    1. Select Delete.
    2. Confirm that you want to delete the response template by selecting Delete. After you delete a response template, you can no longer assign it to an incident. However, if you previously assigned the template to an incident, the response plan preserves the template.
  5. To copy the response template, select the More icon.
    1. Select Copy.
    2. Enter a new name for the copied response template, or keep the default copy name.
    3. Select Save.

Sort response templates

You can sort the response template table to find a particular response template more quickly.

  1. In Splunk Mission Control, select Content, then select Response Templates to find the response template table.
  2. Select the column heading with the value you want to sort by. An arrow icon next to a column heading shows which column the table is currently sorted by.
  3. (Optional) Select the column heading again to reverse the order.

Embed new and existing searches in response template tasks

You can embed a new or existing search in a response template task to help an analyst complete that task. Embedding searches in tasks can help advance investigations, especially for use cases with complex searches or for users who are unfamiliar with the Search Processing Language (SPL). After you embed a search in a response template task, you can run the search directly from an incident in Splunk Mission Control. You can embed a search in a task by editing an existing response template or by creating a new one.

  1. In Splunk Mission Control, select Content, then select Response Templates.
  2. Open an existing response template, or create a new one. See Create response templates.
  3. Expand the phase you want to edit, or select + Phase.
  4. Expand the task you want to add a search to, or select + Task.
  5. In the task you want to embed a search in, expand the Searches section.
  6. Select + Searches. You can embed either a new search or an existing one.
  7. To embed a new search, complete the following steps:
    1. Create a new search by giving your search a name and description.

      You can't enter more than 250 characters for the name of your search, and you can't enter more than 7,000 characters for the description of your search.

    2. Enter a Splunk search in the Search syntax field. For example, to detect excessive failed login attempts, enter the following search:

      | from datamodel: "Authentication"."Failed_Authentication" | stats values("tag") as "tag", dc("user") as "user_count", dc("dest") as "dest_count", count by "app", "src" | where 'count'>=6

    3. (Optional) To add a token to your search, enter the token name anywhere in the Search syntax field using the $token_name$ syntax. See Add tokens in response templates to learn more about using tokens in Splunk Mission Control.
  8. To embed an existing search, complete the following steps:
    1. Select Browse Saved Searches.
    2. Choose an existing search and select Submit to automatically populate the Search syntax field with a saved search.

      You can't edit the name, description, or search syntax of a saved search.

  9. Toggle the Status switch to Published. A task, and therefore its embedded search, can be reached from an incident only after the response template is published.
  10. Select Save Changes.
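The following added example is not Splunk's code and does not run inside Mission Control; it shows, in Python, what the embedded "excessive failed login attempts" search from step 7 computes, so you can sanity-check the threshold against known data before analysts rely on it, and how a $token_name$ placeholder from step 7.3 is filled in before a search runs. The sample events, the $src$ token and the render_search helper are constructed for this example; Mission Control performs its own token substitution and this helper only illustrates the convention.

```python
"""Added example (not Splunk's code): reproduce the embedded failed-login
search locally over constructed events, and fill in $token$ placeholders."""
import re
from collections import defaultdict

# Constructed sample events shaped like Authentication.Failed_Authentication
# rows: each carries app, src, user, dest and tag. Seven failures from one
# source against the bastion, plus a few scattered failures below the threshold.
SAMPLE_EVENTS = [
    {"app": "ssh", "src": "10.0.0.5", "user": u, "dest": "bastion01",
     "tag": "authentication"}
    for u in ("root", "admin", "oracle", "postgres", "root", "deploy", "root")
] + [
    {"app": "win:auth", "src": "10.0.0.9", "user": "alice", "dest": "dc01",
     "tag": "authentication"},
    {"app": "win:auth", "src": "10.0.0.9", "user": "alice", "dest": "dc01",
     "tag": "authentication"},
    {"app": "ssh", "src": "10.0.0.7", "user": "bob", "dest": "web01",
     "tag": "authentication"},
]


def failed_logins_by_app_src(events, threshold=6):
    """Local equivalent of the SPL in the task:
        | stats values(tag) as tag, dc(user) as user_count,
                dc(dest) as dest_count, count by app, src
        | where count>=threshold
    Returns one result row per (app, src) pair that meets the threshold."""
    groups = defaultdict(lambda: {"tags": set(), "users": set(),
                                  "dests": set(), "count": 0})
    for ev in events:
        g = groups[(ev["app"], ev["src"])]
        g["tags"].add(ev["tag"])
        g["users"].add(ev["user"])   # dc(user): distinct users tried
        g["dests"].add(ev["dest"])   # dc(dest): distinct targets hit
        g["count"] += 1
    rows = []
    for (app, src), g in sorted(groups.items()):
        if g["count"] >= threshold:
            rows.append({"app": app, "src": src, "tag": sorted(g["tags"]),
                         "user_count": len(g["users"]),
                         "dest_count": len(g["dests"]),
                         "count": g["count"]})
    return rows


# $token_name$ placeholders, as used in the Search syntax field.
TOKEN_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)\$")


def render_search(template, values):
    """Replace each $token$ with its value as a double-quoted SPL string literal.
    Embedded quotes and backslashes are escaped so a value cannot close the
    literal and append its own pipeline. A token with no value raises KeyError
    instead of leaving a literal '$src$' in the search."""
    def sub(match):
        name = match.group(1)
        if name not in values:
            raise KeyError(f"no value supplied for token ${name}$")
        escaped = str(values[name]).replace("\\", "\\\\").replace('"', '\\"')
        return f'"{escaped}"'
    return TOKEN_RE.sub(sub, template)


# The task's search, narrowed to one source with a constructed $src$ token.
SEARCH_TEMPLATE = (
    '| from datamodel:"Authentication"."Failed_Authentication" '
    '| search src=$src$ '
    '| stats values("tag") as "tag", dc("user") as "user_count", '
    'dc("dest") as "dest_count", count by "app", "src" '
    "| where 'count'>=6"
)

if __name__ == "__main__":
    for row in failed_logins_by_app_src(SAMPLE_EVENTS):
        print(row)
    print(render_search(SEARCH_TEMPLATE, {"src": "10.0.0.5"}))
```

Running the block prints one result row for ssh from 10.0.0.5 (seven failures across five user names) and the rendered search with src="10.0.0.5" substituted. The token values that analysts supply from an incident end up inside the SPL that runs, so the quoting in render_search is the check a practitioner wants before trusting a token-driven search.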

Best practices for using response templates

When using response templates in Splunk Mission Control, a good way to get started is to use an industry standard response template as the basis for your own. Splunk Mission Control supports both custom and industry standard response templates, such as the NIST 800-61 template, which follows the NIST SP 800-61 Computer Security Incident Handling Guide.

To view available response templates, select Content, then select Response Templates. For information on modifying a response template, see Manage response templates. To see what response templates are included in Splunk Mission Control, see Included response templates in Splunk Mission Control.

Last modified on 21 November, 2023

This documentation applies to the following versions of Splunk® Mission Control: Current

