Splunk® Mission Control

Investigate and Respond to Threats in Splunk Mission Control

Search in Splunk Mission Control

Search in Splunk Mission Control to explore your data and to investigate the raw events related to incidents.

Select Search in the Splunk Mission Control menu bar or the Search tab while investigating an incident to start searching.

To process incidents, Splunk Mission Control adds searches on the Splunk Enterprise Security (Cloud) notable event index.

Splunk Mission Control does not duplicate searches from Splunk Enterprise Security (Cloud).

Search your tenant

Search data in your Splunk Mission Control tenant using the Search Processing Language (SPL).

You can only see data for incident types that you have access to. For more details about access control based on incident type, see Manage roles and capabilities for users of Splunk Mission Control.

For example, to search for critical incidents with a sensitivity level of white or green, use this search:

| mcincidents | search sensitivity="Green" OR sensitivity="White"

For additional details and example searches when searching incidents, see Search with incident data in Splunk Mission Control.

You can also search with tokens using the $token_name$ syntax. See Add tokens in response templates to learn more about tokens in Splunk Mission Control.

To learn more about searching with SPL, see the Splunk Enterprise Search Reference manual.

Use search macros in Splunk Mission Control

Search macros are reusable chunks of SPL that you can insert into other searches. You can use the following search macros in Splunk Mission Control.

mc_incidents

Use the mc_incidents macro to return all unsorted incidents with Splunk Enterprise Security (Cloud) data.

For example, use the following search to find all incidents that match a specific ID, name, or description, sort them by a field of your choice, and count the matches.

| `mc_incidents` | search id="value" OR name="value" OR description="value" | sort <field> | eventstats count as total_incidents_count

mc_incident_by_id(incident_id)

Use the mc_incident_by_id macro to return a specific incident with the corresponding Splunk Enterprise Security (Cloud) data.

For example, use the following search to find a specific incident based on the incident ID.

| `mc_incident_by_id(<incident_id>)`

To search for multiple incidents at the same time, supply the incident IDs as a single quoted, comma-separated string.

| `mc_incident_by_id("<incident ID>,<incident ID>,...,<incident ID>")`

add_events(incident_id)

Use the add_events macro to add multiple events to an incident in Splunk Mission Control. Add the macro to the end of a search.

You can run a search to add particular events to an incident. For example, to add events with a source IP of 192.168.1.8 from your chosen index, use the following search:

index=<index_name> | search src="192.168.1.8" | `add_events(incident_id)`

To add events to an incident using the add_events macro, you must run a search that produces Events results. To ensure that your search produces Events results, do the following:

  • Include an event-generating command, such as search, in your search. You can add transforming commands, such as stats, in addition to an event-generating command, but the SPL that follows the transforming command isn't included in the SPL added to the incident.

    Some commands, such as makeresults, synthesize results without actually producing Events results. You can't use these commands to add events to an incident.

    For more information on search command types and to see which ones generate events, see Generating commands in the Splunk Enterprise Search Reference manual.
  • Run the search in Verbose mode. Searches run in Smart mode or Fast mode don't produce Events results and don't add any events to an incident.

If you use the full syntax for add_events instead of the macro, use the following form.

| sendalert add_events param.incident_id=<incident_id>

Using the same example as for the add_events macro, to add events with a source IP of 192.168.1.8 from your chosen index, use the following search.

index=<index_name> | search src="192.168.1.8" | sendalert add_events param.incident_id=<incident_id>
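The following Python helper is an added example and is not part of Splunk Mission Control or its documentation. It checks a base search against the Events-results prerequisites listed above before appending either the add_events macro or its sendalert form, and it restricts the incident ID to a conservative character set so that the value interpolated into the SPL cannot smuggle in extra pipeline stages. The function names, the command lists beyond search, makeresults and stats, the ID character rule, and the sample search strings are assumptions of this example.

```python
import re
from typing import List, Tuple

# Allow-list of commands this helper treats as event-generating. The page names
# "search"; a pipeline that opens with bare terms such as index=... is an implicit search.
EVENT_GENERATING = {"search"}
# Commands the page says synthesize results without producing Events results.
NON_EVENT_GENERATORS = {"makeresults"}
# Transforming commands: "stats" is the page's example; the others are standard Splunk
# transforming commands added here by assumption.
TRANSFORMING = {"stats", "chart", "timechart", "top", "rare"}


def split_pipeline(spl: str) -> List[str]:
    """Split SPL on top-level pipes; a '|' inside double quotes stays in its stage."""
    stages, current, in_quote = [], [], False
    for ch in spl:
        if ch == '"':
            in_quote = not in_quote
        if ch == "|" and not in_quote:
            stages.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    stages.append("".join(current).strip())
    return [s for s in stages if s]


def stage_command(stage: str) -> str:
    """Command name of a pipeline stage; term-only stages (index=main ...) are implicit searches."""
    first = stage.split(None, 1)[0]
    if "=" in first or first.startswith('"'):
        return "search"
    return first.lower()


def build_add_events_search(base_spl: str, incident_id: str, use_macro: bool = True) -> Tuple[str, List[str]]:
    """Return (search string, warnings) for adding the events of base_spl to incident_id.

    Raises ValueError when the search cannot produce Events results or the ID is unsafe
    to interpolate. Run mode (Verbose versus Smart or Fast) is chosen when the search is
    run, not in the SPL, so the caller still has to run the result in Verbose mode.
    """
    # The ID is interpolated into SPL: restrict it so a stray pipe or quote cannot
    # append commands to the search (conservative ID alphabet, an assumption here).
    if not re.fullmatch(r"[A-Za-z0-9._:-]+", str(incident_id)):
        raise ValueError(f"refusing to interpolate incident ID {incident_id!r} into SPL")

    stages = split_pipeline(base_spl)
    if not stages:
        raise ValueError("empty search")

    warnings: List[str] = []
    head = stage_command(stages[0])
    if head in NON_EVENT_GENERATORS:
        raise ValueError(f"'{head}' synthesizes results without producing Events results")
    if head not in EVENT_GENERATING:
        warnings.append(f"'{head}' is not in this helper's event-generating allow-list; "
                        "check the Generating commands reference")

    # Everything after the first transforming command is dropped from the SPL that is
    # recorded on the incident, so flag any stages that follow it.
    for i, stage in enumerate(stages):
        cmd = stage_command(stage)
        if cmd in TRANSFORMING and i + 1 < len(stages):
            dropped = " | ".join(stages[i + 1:])
            warnings.append(f"SPL after '{cmd}' is not recorded on the incident: {dropped}")
            break

    tail = (f"`add_events({incident_id})`" if use_macro
            else f"sendalert add_events param.incident_id={incident_id}")
    return " | ".join(stages + [tail]), warnings


if __name__ == "__main__":
    # Constructed example mirroring the page: events with src 192.168.1.8 from an index.
    # "INC-1042" is a constructed incident ID, not a real one.
    spl, warns = build_add_events_search('index=main | search src="192.168.1.8"', "INC-1042")
    print(spl)
    for w in warns:
        print("warning:", w)
```

The helper only inspects the SPL text; whether the search was run in Verbose mode is a property of the search job, not of the string, so that check has to happen where the search is submitted.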

After you add events to an incident using the add_events macro, you can find them on the Events tab of your incident investigation. Adding events to an incident in Splunk Mission Control also adds the events in Splunk SOAR (Cloud). In Splunk SOAR (Cloud), you can find the newly added events on the Investigation page and continue to investigate them there. See Manage the status, severity, and resolution of events in Splunk SOAR (Cloud) in the Use Splunk SOAR (Cloud) manual.

If you run a search that produces events with missing indexer location values, you can still add the events to an incident. For example, events produced using a transaction command don't have _cd or _bkt values. If you add these events to an incident, Splunk Mission Control automatically adds them to the mc_events index associated with the incident.

For more information on events, including how you can add a single event from a search to an incident, see Add an event to an incident.

Use the custom search command in Splunk Mission Control

You can use the mcincidents custom search command in Splunk Mission Control to learn more about incidents. Custom search commands are Splunk Search Processing Language (SPL) commands that extend SPL to serve your specific needs. Although Splunk software includes an extensive set of search commands, these existing commands might not meet your exact requirements. Custom search commands let you complete additional data analysis.

You can use the following options with mcincidents.

  • incident_type (String): The incident type for which incidents are retrieved.
  • limit (Integer): The number of items to retrieve.
  • fields (String): Comma-separated list of fields to retrieve.
  • unwind_to (String): List events of a certain type with one row per field to provide a clearer reading experience. Valid types are response plan, phase, and task.
  • query (JSON): JSON dictionary of conditions supported by KV store. Do not use conditions with status, assignee, urgency, or disposition.
  • add_response_stats (Boolean): Add additional columns in response plans.
  • per_incident_type_sort (JSON): JSON dictionary of sort parameters supported by KV store.

Custom search command example searches

See the following searches for examples of how to use the mcincidents custom search command.

By default, incident names appear in the row expansion of the search results. To show them in the results table instead, select the name check box for any of the incidents.

List incidents by incident ID

To list incidents by their ID, use this example search.

| mcincidents query={"id": "incident_id"}

List incidents based on ID, name, summary, and response plans

To list incidents based on specific fields such as ID, name, summary, or response plans, use this example search.

| mcincidents fields=id,name,summary,response_plans
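The following Python helper is an added example and is not part of Splunk Mission Control or its documentation. It assembles an mcincidents command from the options listed above and enforces the constraints the option list states: limit must be a positive integer, unwind_to must be one of the listed types, and query must not carry conditions on status, assignee, urgency, or disposition (nested clauses included). The function name, the assumption that the unwind_to tokens are passed literally as listed, and the rule for when a value is emitted bare versus double-quoted are assumptions of this example; the two searches shown above are reproduced by its main block.

```python
import json
import re
from typing import Any, Dict, Iterable, Iterator, List, Optional, Tuple, Union

# Valid unwind_to types as the page lists them (assumption: they are passed literally).
UNWIND_TYPES = {"response plan", "phase", "task"}
# Condition keys the page says must not be used in query.
FORBIDDEN_QUERY_KEYS = {"status", "assignee", "urgency", "disposition"}


def _all_keys(obj: Any) -> Iterator[str]:
    """Yield every dictionary key in a nested JSON-like value, so nested clauses are checked too."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield key
            yield from _all_keys(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from _all_keys(value)


def _spl_value(value: Any) -> str:
    """Render an option value: JSON for dictionaries, true/false for booleans,
    bare text for simple tokens, otherwise a double-quoted string with quotes escaped."""
    if isinstance(value, dict):
        return json.dumps(value)
    if isinstance(value, bool):
        return "true" if value else "false"
    text = str(value)
    if re.fullmatch(r"[A-Za-z0-9_.,:-]+", text):
        return text
    return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_mcincidents_command(
    incident_type: Optional[str] = None,
    limit: Optional[int] = None,
    fields: Union[None, str, Iterable[str]] = None,
    unwind_to: Optional[str] = None,
    query: Optional[Dict[str, Any]] = None,
    add_response_stats: Optional[bool] = None,
    per_incident_type_sort: Optional[Dict[str, Any]] = None,
) -> str:
    """Build a '| mcincidents ...' search string, rejecting options the page says are invalid."""
    args: List[Tuple[str, Any]] = []
    if incident_type is not None:
        args.append(("incident_type", incident_type))
    if limit is not None:
        if isinstance(limit, bool) or not isinstance(limit, int) or limit <= 0:
            raise ValueError("limit must be a positive integer")
        args.append(("limit", limit))
    if fields is not None:
        names = [f.strip() for f in fields.split(",")] if isinstance(fields, str) else list(fields)
        bad = [f for f in names if not re.fullmatch(r"[A-Za-z0-9_]+", f)]
        if bad:
            raise ValueError(f"invalid field names: {bad}")
        args.append(("fields", ",".join(names)))
    if unwind_to is not None:
        if unwind_to not in UNWIND_TYPES:
            raise ValueError(f"unwind_to must be one of {sorted(UNWIND_TYPES)}")
        args.append(("unwind_to", unwind_to))
    if query is not None:
        if not isinstance(query, dict):
            raise TypeError("query must be a JSON dictionary of KV store conditions")
        clash = FORBIDDEN_QUERY_KEYS.intersection(_all_keys(query))
        if clash:
            raise ValueError(f"query must not use conditions on {sorted(clash)}")
        args.append(("query", query))
    if add_response_stats is not None:
        args.append(("add_response_stats", bool(add_response_stats)))
    if per_incident_type_sort is not None:
        if not isinstance(per_incident_type_sort, dict):
            raise TypeError("per_incident_type_sort must be a JSON dictionary")
        args.append(("per_incident_type_sort", per_incident_type_sort))
    return "| mcincidents" + "".join(f" {name}={_spl_value(value)}" for name, value in args)


if __name__ == "__main__":
    # Reproduces the two example searches from this topic.
    print(build_mcincidents_command(query={"id": "incident_id"}))
    print(build_mcincidents_command(fields="id,name,summary,response_plans"))
```

Because the forbidden-key check walks nested dictionaries and lists, a condition hidden inside an operator clause is rejected the same way as a top-level one.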

Last modified on 18 October, 2023

This documentation applies to the following versions of Splunk® Mission Control: Current

