Splunk® Mission Control

Investigate and Respond to Threats in Splunk Mission Control


Apply response templates to standardize response to incidents in Splunk Mission Control

After you start investigating an incident, you can respond to the incident. Apply response templates in Splunk Mission Control to standardize the tasks and phases of incident response for specific incidents.

Add one or more response templates to an incident

After you start investigating an incident, you can add a response template to it. When you add a response template to an incident, it becomes a response plan: a copy of the template that belongs to that incident. Any changes you make to the response plan apply only to that incident and are not written back to the original response template. A response plan helps you remember and track all the tasks relevant to the investigation. You can add more than one response plan to an incident.

Prerequisites

Before you can add a response template to an incident, complete the following:

Steps

  1. Select an incident from the Incident review page to start investigating it.
  2. Select the Response tab.
  3. Select + Response to add a response plan to the incident.
  4. Select a response template from the drop-down list.
  5. Select Submit to apply the response plan to the incident.
  6. (Optional) Repeat these steps to add another response plan to the incident.

Manage response plans for an incident

Response plans are response templates that you add to an incident. You can add response plans to an incident, reorder them, and delete the ones you no longer want.

  1. Select an incident from the Incident review page in Splunk Mission Control.
  2. Select the Response tab.
  3. Open the drop-down list next to the name of the incident's response plan.
  4. Select Manage templates.
  5. To add a response template to the incident, select + Response.
  6. To reorder a response plan in the list, select and drag the move icon. You can drop the response plan anywhere in the list.
  7. To delete a response plan, select the trash icon. You can delete a response plan only when the incident has more than one, because each incident must keep at least one response plan.
  8. Select Done.

Respond to an incident using response phases and tasks

After you apply a response template to an incident, use the phases and tasks to guide your incident investigation in Splunk Mission Control.

  1. Select the incident you want to investigate from the Incident review page.
  2. From the Response tab of an incident, review the current phase for the incident.
  3. Review the phase details, such as the number of tasks.
  4. Select a task to open it and assign it.
  5. Select Start to begin working on the task, or use the Owner drop-down list to assign the task to someone else. When you start a task, it is automatically assigned to you.
  6. (Optional) Expand the Respond section to browse response options.
    1. If there's a search embedded in the response template task, open the search in the Search tab by selecting the search icon.
    2. You can edit the search, or you can run the search as is. By default, the search runs over the last 24 hours, but you can specify a custom time using the drop-down list. To learn more about searching, see Search in Splunk Mission Control.
    3. In the Search tab, you can add one or more events to the incident, or you can return to the Response tab to continue working on the task. To learn more about adding events, see Add events to an incident in Splunk Mission Control.
  7. (Optional) To run an action or playbook set up with the task, expand the Respond section.
    1. If there's an action or playbook set to run with the response template task, run it by selecting the run icon.
    2. Select View results to see the action or playbook results associated with the incident. See Set up actions and playbooks to run with response template tasks.
  8. (Optional) If the response template requires a note, add a note to the task by expanding the Notes section. By default, the title of the note is the task name and number. If you have multiple notes, the number reflects the order in which you created them.

    You can't use more than 250 characters in the note title, and you can't use more than 10,000 characters in the note description.

    1. To add an image to your task note, select the image icon or drag and drop an image file into the note box. Then, select Save when you finish editing the note.
    2. To add a link to your task note, select the link icon, and then paste the URL using the format [<text>](<url>).

      The task note box uses standard Markdown formatting. For details on how to use Markdown, look for basic syntax on the Markdown guide website.

  9. (Optional) Expand the Files section to add a file to the task.
  10. When you complete the task, select End.
  11. Review and complete all the tasks in a phase to end a phase.
  12. Review and complete all the phases to finish your response to the incident.
  13. To review additional response templates for the incident, select the down arrow next to the current template name. From the drop-down list, select the name of another applied response template.

To share a phase or a task with someone without assigning it to them, copy the URL of the incident while viewing that phase or task and send it to them. To reopen a completed task, select the checkmark icon.

Add tokens in response templates

A token is a placeholder variable that you put inside a response template. When you apply that response template to an incident, the token shows the value that the corresponding field has for that particular incident. Tokens help you standardize your response to incidents by letting one template describe many incidents. You can add a token to the following fields in a response template:

  • Response template name
  • Response template description
  • Phase name
  • Phase description
  • Task name
  • Task description
  • Searches

Splunk Mission Control supports predefined tokens such as status, urgency, sensitivity, incident_id, and others. For example, if you want the status of an incident, such as New or Pending, to appear in a search embedded in a response template task, you can add the $status$ token to a new search in the response template task. See Embed new and existing searches in response template tasks.

To add a token to a response template, complete the following steps:

  1. In Splunk Mission Control, select Content, then select Response Templates.
  2. Open an existing response template, or create a new one. See Create response templates.
  3. Select the field in the response template that you want to add a token to. For example, if you want to add a token to a phase name, expand the phase that you want to edit, and then select the phase name field.
  4. In the field that you're editing, enter the name of the token you want to use with the $token_name$ syntax. For example, if you want to use the status token, enter $status$.
  5. Select Save Changes.
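The following Python example is added here to illustrate the two behaviours described above: a response template is copied into a per-incident response plan (so edits to the plan never change the template), and $token_name$ placeholders in names, descriptions and searches are replaced with that incident's field values. It is not Mission Control's own code. The template, the incident record and the user field are constructed for the example; predefined token names follow the page (status, urgency, sensitivity, incident_id), while leaving unknown tokens untouched and emitting values inside embedded searches as quoted SPL string literals are this example's own choices, not documented Mission Control behaviour.

```python
import copy
import re

# Constructed example template (not one of the templates shipped with Mission
# Control). Names, descriptions and searches may carry $token$ placeholders.
TEMPLATE = {
    "name": "Account Compromise ($urgency$ urgency)",
    "description": "Response plan for incident $incident_id$, status $status$",
    "phases": [
        {
            "name": "Identify: $incident_id$",
            "description": "Scope the suspected account compromise",
            "tasks": [
                {
                    "name": "Review recent logins",
                    "description": "Check authentication events for $incident_id$",
                    # $user$ is an assumed incident field, not a predefined token
                    "search": "index=auth incident_id=$incident_id$ user=$user$",
                },
                {
                    "name": "Record sensitivity",
                    "description": "Incident sensitivity is $sensitivity$; $unknown_token$ stays as-is",
                    "search": None,
                },
            ],
        }
    ],
}

TOKEN_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)\$")


def spl_quote(value: str) -> str:
    """Return value as a double-quoted SPL string literal, escaping backslashes
    and double quotes so the value cannot terminate the literal early."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def render_tokens(text: str, incident: dict, for_search: bool = False) -> str:
    """Replace each $name$ with incident[name]. Tokens with no matching field are
    left untouched (an assumption, so a typo in a template stays visible instead
    of being blanked). In searches, values are emitted as quoted SPL literals."""
    def substitute(match: re.Match) -> str:
        name = match.group(1)
        if name not in incident:
            return match.group(0)
        value = str(incident[name])
        return spl_quote(value) if for_search else value
    return TOKEN_RE.sub(substitute, text)


def apply_template(template: dict, incident: dict) -> dict:
    """Turn a template into a response plan for one incident: deep-copy the
    template so later edits to the plan never touch it, then render tokens in
    every field the page lists as token-capable."""
    plan = copy.deepcopy(template)
    plan["name"] = render_tokens(plan["name"], incident)
    plan["description"] = render_tokens(plan["description"], incident)
    for phase in plan["phases"]:
        phase["name"] = render_tokens(phase["name"], incident)
        phase["description"] = render_tokens(phase["description"], incident)
        for task in phase["tasks"]:
            task["name"] = render_tokens(task["name"], incident)
            task["description"] = render_tokens(task["description"], incident)
            if task.get("search"):
                task["search"] = render_tokens(task["search"], incident, for_search=True)
    return plan


if __name__ == "__main__":
    # Constructed incident; the user field deliberately contains SPL metacharacters.
    incident = {"incident_id": "INC-1001", "status": "New", "urgency": "High",
                "sensitivity": "Internal", "user": 'bob" | delete'}
    plan = apply_template(TEMPLATE, incident)
    print(plan["name"])
    print(plan["phases"][0]["tasks"][0]["search"])
```

The quoting in spl_quote is the caveat a practitioner should carry over to real templates: incident fields can contain text copied from alerts, so when a token lands inside an embedded search, open the rendered search in the Search tab and confirm it still parses as the single search you intended before running it.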

Included response templates in Splunk Mission Control

You can use the response templates included in Splunk Mission Control, or you can create your own. To create your own, see Create response templates to establish guidelines for incident response. Splunk Mission Control includes the following response templates:

Account Compromise
  Details: Outlines phases and tasks relevant to potential compromise of system or application accounts.
  When to use: When investigating a likely account compromise.

Data Breach
  Details: Outlines response to a data breach by contacting affected system owners and containing data exfiltration.
  When to use: When investigating a likely data breach.

Network Indicator Enrichment
  Details: Gathers and analyzes contextual information about URLs, host names, top-level domain names, IP addresses, TLS certificates, and MAC addresses.
  When to use: To gather information about artifacts involved in the incident.

NIST 800-61
  Details: Outlines response phases and tasks based on the NIST Computer Security Incident Handling Guide, SP 800-61.
  When to use: To standardize responses for all incidents.

Generic Incident Response
  Details: Outlines response phases and tasks for basic incident response: detect, analyze, contain, eradicate, recover, and review.
  When to use: To standardize responses for all incidents, especially malware infection.

Self-Replicating Malware
  Details: Outlines response phases and tasks relevant to containing and remediating a self-replicating malware infection.
  When to use: When investigating self-replicating malware infections, especially those infecting network services or shared resources.

Suspicious Email
  Details: Outlines response phases and tasks for a suspicious email campaign, including external investigations, internal hunting activities, enforcement, and increased monitoring.
  When to use: When investigating suspicious email incidents.

Vulnerability Disclosure
  Details: Outlines response phases and tasks for a vulnerability disclosure, such as a critical CVE.
  When to use: To determine the impact of a vulnerability disclosure on your environment.

Last modified on 02 June, 2023

This documentation applies to the following versions of Splunk® Mission Control: Current