Splunk® Mission Control

Investigate and Respond to Threats in Splunk Mission Control

Add events to an incident in Splunk Mission Control

An event is a single piece of data in Splunk software similar to a record in a log file or other data input. When data is indexed, it is divided into individual events. Each event is given a timestamp, host, source, and source type. An event in Splunk Mission Control is comparable to an artifact in Splunk SOAR. In Splunk Mission Control, an event can be raw data associated with an incident, or it can represent activity that contributes to the creation of the incident. You can investigate an incident by adding events to it through search or automation and then tracking the related raw data.

All of the events added to an incident are in the Events tab. If you're investigating an incident that's part of a parent-child relationship, select which incident you want to view events for using the drop-down list in the Incident field. You can expand each event to see all of the fields related to that event. For some fields, you can choose field actions by selecting the expand icon in the Action column of the events table.

If you can't see any events in your incident investigations, you might need to add the mc_events index to your role. See Manage indexes for roles in Splunk Mission Control.

You can add an event to an incident by adding one from a search. Adding an event to an incident saves the event with the incident itself and helps other users, such as auditors or managers, extract critical data related to the incident. Adding events to an incident can also provide justification for the remediation of that incident.

If you create, update, or delete events from playbooks in Splunk SOAR (Cloud), your changes automatically reflect in the Events tab of your incident investigation in Splunk Mission Control.

Add an event from a search

Complete the following steps to add an event from a search to an incident:

  1. Select an incident from the Incident review page of Splunk Mission Control.
  2. Select the Search tab.
  3. Enter your search using the Splunk Search Processing Language (SPL). For example, to detect excessive failed login attempts, enter the following search:

    | from datamodel: "Authentication"."Failed_Authentication" | stats values("tag") as "tag", dc("user") as "user_count", dc("dest") as "dest_count", count by "app", "src" | where 'count'>=6

  4. Expand the event you want to add to an incident.
  5. Select Event actions, then select Add event to Mission Control incident.
  6. From the drop-down list, select the incident you want to add the event to. You can also search for a particular incident by name or ID.
  7. Select Submit.

After you add the event to an incident, you can continue investigating that incident by selecting Open incident. You can find the event you just added in the Events tab.
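The example search in step 3 groups failed-authentication events by app and source, counts them, and keeps only groups with six or more failures. The following Python, added here as an illustration and not part of the Splunk documentation or product, reproduces that stats/where logic over a small constructed set of events so you can see exactly which rows the search would return before you add them to an incident. It also includes the timestamp filter described under "Open a search to find an event". Field names (app, src, user, dest, tag) follow the Authentication data model; the events, the _time values kept as ISO strings, and the helper names are assumptions made for this example.

```python
"""Reproduce the failed-login search from this page in plain Python.

SPL being modelled (from the page):
  | stats values("tag") as "tag", dc("user") as "user_count",
          dc("dest") as "dest_count", count by "app", "src"
  | where 'count'>=6
"""
from typing import Dict, List

THRESHOLD = 6  # the 'count'>=6 clause in the search


def _ev(t: str, app: str, src: str, user: str, dest: str) -> Dict[str, str]:
    # Constructed failed-authentication event; tag mirrors the data-model tag.
    return {"_time": t, "app": app, "src": src, "user": user,
            "dest": dest, "tag": "authentication"}


# Constructed sample data (not real telemetry). _time is kept as the ISO string
# shown in the documentation rather than Splunk's internal epoch value.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # 10.0.0.5 fails against ssh on two hosts with three usernames: 7 failures
    _ev("2022-11-02T19:48:20Z", "ssh", "10.0.0.5", "alice", "web01"),
    _ev("2022-11-02T19:48:21Z", "ssh", "10.0.0.5", "bob", "web01"),
    _ev("2022-11-02T19:48:22Z", "ssh", "10.0.0.5", "carol", "web01"),
    _ev("2022-11-02T19:48:23Z", "ssh", "10.0.0.5", "alice", "web02"),
    _ev("2022-11-02T19:48:24Z", "ssh", "10.0.0.5", "bob", "web02"),
    _ev("2022-11-02T19:48:25Z", "ssh", "10.0.0.5", "alice", "web02"),
    _ev("2022-11-02T19:48:26Z", "ssh", "10.0.0.5", "carol", "web01"),
    # 10.0.0.9: two mistyped passwords by one user, stays below the threshold
    _ev("2022-11-02T19:50:00Z", "ssh", "10.0.0.9", "dave", "web01"),
    _ev("2022-11-02T19:50:05Z", "ssh", "10.0.0.9", "dave", "web01"),
    # Same source but a different app: "by app, src" makes this its own group
    _ev("2022-11-02T19:51:00Z", "vpn", "10.0.0.5", "alice", "vpn01"),
]


def failed_auth_stats(events: List[Dict[str, str]],
                      threshold: int = THRESHOLD) -> List[Dict[str, object]]:
    """Group by (app, src) exactly as the SPL 'stats ... by app, src' does.

    values(tag)  -> sorted distinct tags
    dc(user)     -> number of distinct users tried from that source
    dc(dest)     -> number of distinct targets hit from that source
    count        -> number of failed attempts
    Only groups with count >= threshold are returned (the 'where' clause).
    """
    groups: Dict[tuple, Dict[str, object]] = {}
    for ev in events:
        key = (ev["app"], ev["src"])
        g = groups.setdefault(key, {"tags": set(), "users": set(),
                                    "dests": set(), "count": 0})
        g["tags"].add(ev["tag"])
        g["users"].add(ev["user"])
        g["dests"].add(ev["dest"])
        g["count"] += 1

    rows: List[Dict[str, object]] = []
    for (app, src), g in sorted(groups.items()):
        if g["count"] >= threshold:
            rows.append({
                "app": app,
                "src": src,
                "tag": sorted(g["tags"]),
                "user_count": len(g["users"]),
                "dest_count": len(g["dests"]),
                "count": g["count"],
            })
    return rows


def filter_by_time(events: List[Dict[str, str]], time_str: str) -> List[Dict[str, str]]:
    """Narrow a long event list to one timestamp, as in the
    time="2022-11-02T19:48:24Z" example on this page."""
    return [ev for ev in events if ev["_time"] == time_str]


if __name__ == "__main__":
    for row in failed_auth_stats(SAMPLE_EVENTS):
        print(row)
    print(filter_by_time(SAMPLE_EVENTS, "2022-11-02T19:48:24Z"))
```

With the sample data, only the ssh group from 10.0.0.5 crosses the threshold (7 failures, 3 distinct users, 2 distinct destinations); the two failures from 10.0.0.9 and the single VPN failure do not, which is the same selectivity the SPL `where 'count'>=6` clause gives you before you pick an event to attach to the incident.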

To add events in bulk to an incident, see the section on add_events in Use search macros in Splunk Mission Control.

Open a search to find an event

Sometimes, when an incident has a long list of events, it's difficult to search for a particular event. To find a particular event for your incident investigation, you can open the search used to generate the incident's events in the Events tab of Splunk Mission Control. Then, you can edit the search to filter for particular events.

To open a search to find an event, complete the following steps:

  1. Select the incident you want to investigate from the Incident review page of Splunk Mission Control.
  2. Select the Events tab.
  3. Select Open events in search.
  4. Edit the Splunk Search Processing Language (SPL) to reduce the list of events and find the event you're looking for. For example, if you want to find an event with a particular timestamp, such as time="2022-11-02T19:48:24Z", you can edit the SPL to include that time by adding it to the search.

After you open a search from the Events tab, you can also use the Search tab to start a new search or add events to other incidents. See Add an event from a search.

Last modified on 18 October, 2023

This documentation applies to the following versions of Splunk® Mission Control: Current
