Splunk® Mission Control

Investigate and Respond to Threats in Splunk Mission Control

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Customize Splunk Mission Control incident settings

Customize Splunk Mission Control incident settings to match your incident response procedures. You can add or modify status or disposition values to align with the terms used at your organization to respond to security incidents.

After you add custom status or disposition values, analysts can use those values when triaging incidents. See Triage incidents using incident review in Splunk Mission Control.

You can also create incident types, custom fields, and service-level agreement (SLA) conditions to personalize your incident response workflow.

Customize incident settings from other Splunk security products

Users of Splunk security products can utilize single sign-on (SSO) across Splunk Cloud Platform to seamlessly navigate between apps. From Splunk Mission Control, you can access other Splunk security apps, such as Splunk Enterprise Security (Cloud) and Splunk SOAR (Cloud), without using your credentials to sign in again.

Some features of Splunk Mission Control link directly to other security apps. For example, if you're signed in to Splunk Mission Control, you can pivot to Splunk Enterprise Security (Cloud) from the Settings page of Splunk Mission Control. If you want to change the status settings for incidents in Splunk Mission Control, navigate to Settings and select Incident settings then Status settings to open Splunk Enterprise Security (Cloud) and adjust the settings without using your credentials to navigate between products.

Customize the incident type macro

Customizing the incident type macro in Splunk Mission Control overrides the incident type you might have selected using the Mission Control Incidents adaptive response action. However, if the incident type macro is set to "default" and you select an incident type in the Mission Control Incidents adaptive response action, the default incident type in Splunk Mission Control is updated to reflect your selection from the adaptive response action. As such, it is recommended to only set the default incident type from one location, either through the incident type macro or the adaptive response action. For more information on the adaptive response action, see Get data into Splunk Mission Control from Splunk Enterprise Security (Cloud).

As Splunk Mission Control ingests incidents, the incident type macro assigns particular incidents to incident types. This global macro determines a hierarchy of conditions across all incident types, so it must define each incident type.

Using the Search Processing Language (SPL), you can edit the incident type macro by navigating to Settings in Splunk Mission Control and selecting Incident settings then Incident type macro. The following code is an example of a macro that matches incidents with more than 20 risk events to one incident type and also matches incidents with an urgency of medium to another incident type.

eval incident_type=case(risk_event_count>20, "incident_type_1", urgency=="medium", "incident_type_2")

See Search with incident data in Splunk Mission Control to learn more about incident data you can leverage with SPL in the incident type macro.

Create incident types

You can create incident types to categorize your incidents by use case or source.

To create an incident type, follow these steps:

  1. From the Settings page in Splunk Mission Control, select Incident Settings then Incident type.
  2. Select + Incident type.
  3. Enter a name for the incident type. You cannot change the name of the incident type after you create it.
  4. (Optional) Enter a description for the incident type.
  5. (Optional) Edit the macro for the incident type in the Incident type matching macro field. This macro matches incidents with incident types as Splunk Mission Control ingests them. For example, you can use eval incident_type = case( severity == "medium", "Phishing") to assign the incident type of Phishing to all incidents with a severity of medium when Splunk Mission Control ingests them. The incident type macro is a global macro that determines a hierarchy of conditions across all incident types. You can edit the macro while creating a new incident type, or you can edit the macro by navigating to Settings and selecting Incident settings then Incident type macro.

    Use the case statement in the macro to make sure that the macro applies to all incident types.

    1. Save the macro.
    2. Select See your macro in action to check the status of your macro on the Search page.
  6. Select Save.
  7. (Optional) You can edit an incident type you've already created by selecting the incident type in the Incident types table. You can assign new response templates and custom fields to the incident, or remove ones from it.

You can also associate an incident type with other Splunk Mission Control features, such as a response template. See Associate an incident type with a response template.

You can't rename incident types after you create them. You must create another incident type instead.

Customize status settings

You can customize Splunk Mission Control status settings in Splunk Enterprise Security (Cloud).

  1. From the Settings page in Splunk Mission Control, select Incident settings then Status settings.
    You are then redirected to Splunk Enterprise Security (Cloud).
  2. In Splunk Enterprise Security (Cloud), manage and customize the investigation statuses for your incidents. See Manage and customize investigation statuses in Splunk Enterprise Security in the Administer Splunk Enterprise Security manual.

Customize incident review and disposition settings

You can customize Splunk Mission Control disposition settings in Splunk Enterprise Security (Cloud).

  1. From the Settings page in Splunk Mission Control, select Incident settings then Dispositions.
    You are then redirected to Splunk Enterprise Security (Cloud).
  2. In Splunk Enterprise Security (Cloud), manage the incident review settings and dispositions. For more information on how to manage and customize incident review and disposition settings, see Customize Incident Review in Splunk Enterprise Security in the Administer Splunk Enterprise Security manual and Add dispositions to notables in the Use Splunk Enterprise Security manual.

Create a custom field

A custom field is a unique label that you can assign to an incident to help with your investigation in Splunk Mission Control. For example, if you want to investigate phishing incidents by tracing the emails back to their sources, you can create a custom field like originating sender and assign the phishing incident type to it to accelerate the investigation. You can view and edit custom field values for an incident in the Overview tab.

Unlike summary fields, which apply only to the incidents for which you create them, custom fields apply to all or specific incident types. See Create a summary field for an incident for more information about summary fields.

To create a custom field, complete the following steps:

  1. From the Settings page in Splunk Mission Control, select Incident settings then Custom fields.
  2. Select + Custom field.
  3. Give your field a name.
  4. Decide whether you want your custom field to be global. Global custom fields apply to all incidents.
    1. (Optional) To assign an incident type to your custom field, select No for Global Field, and then enter the incident type. You can either enter the name of an existing incident type or create a new one.
  5. Select a data type and then a field type. If you select Selection for field type, add field values.
  6. Decide whether you want to allow inline editing for the custom field value. Select the Allow inline editing check box to automatically save edits made to the field value in the Overview tab of an incident. If you deselect the check box, you can still edit the custom field value along with other summary field values. See Edit field values for an incident.
  7. Select whether or not you want to require a custom field value before closing an incident. Selecting Yes for Resolution needed requires a user to enter a value for the custom field in the Overview tab of their incident investigation before they can close the incident.
  8. Select Confirm.

Manage custom fields

You can manage your existing custom fields in the custom fields table by deleting the ones you no longer want and by reordering the ones you do. You can also edit the properties of a custom field you already created.

To start managing custom fields, navigate to Settings in Splunk Mission Control and select Incident settings then Custom fields. Then, follow the steps in this table for each type of action:

Action Steps
Delete Select the trash can icon ( trash can icon ) next to the field you want to delete, and then select Delete to confirm you want to delete it.
Edit Select the pencil icon ( pencil icon ) next to the field you want to edit. You can change any of the properties that you set when you created the custom field.
Reorder Select and drag the move icon ( move icon ) next to the field you want to relocate. You can drop the field anywhere in the table.

Customize SLA settings

A service-level agreement (SLA) in Splunk Mission Control represents a deadline for responding to or remediating an incident. You can use SLAs to prioritize your incident response. For example, you can sort incidents on the Incident review page from the soonest to latest SLA time.

Manage conditions for an incident SLA

You can change the default SLA time for all incidents, and you can apply different SLA times to incidents that meet particular conditions.

The default SLA time for incidents is 24 hours. To change the default incident SLA time, complete the following steps:

  1. From the Settings page in Splunk Mission Control, select Incident settings then SLA.
  2. Enter a time for the Default incident SLA and select the appropriate unit of time.
  3. Select Save changes.

To add an incident SLA condition, complete the following steps:

  1. From the Settings page in Splunk Mission Control, select Incident settings then SLA.
  2. Select + Condition.
  3. Enter the name of your condition and a new SLA time.

    You can't use special characters, such as #, %, or &, in your SLA name.

  4. Select the appropriate unit of time.
  5. Complete the conditional statement by selecting an incident field, an operator, and a value. For example, to apply an 8-hour SLA time for incidents that don't have a phishing incident type, select the != operator and enter 8 hours for incident type and phishing. Splunk Mission Control supports the following operators for SLA conditions: ==, !=, and in.To learn more about operators, see Relational operators in the SPL2 Search Manual.
  6. (Optional) If you want to add another conditional statement, select the add icon ( add icon ).
  7. Select Save.

If an incident meets more than one condition, the shortest SLA time applies.

You can edit existing SLA conditions and delete the ones you no longer want. To edit and delete SLA conditions, complete the following steps:

  1. From the Settings page in Splunk Mission Control, select Incident settings then SLA.
  2. If you want to edit an existing SLA condition, expand the condition you want to edit.
    1. Make the changes.
    2. Select Save changes.
  3. If you want to delete an incident SLA condition, select the trash icon ( trash icon ) next to the condition you want to delete, and then select Delete.

You can also view the SLA deadline, status, and condition of a particular incident from the Incident review page and modify the condition by selecting the SLA condition link.

Last modified on 27 February, 2024
PREVIOUS
Customize Splunk Mission Control product settings
  NEXT
Manage roles and capabilities for users of Splunk Mission Control

This documentation applies to the following versions of Splunk® Mission Control: Current


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters