Splunk® Mission Control

Investigate and Respond to Threats in Splunk Mission Control

Search with incident data in Splunk Mission Control

Make sure that you're correctly using incident fields when searching data about incidents in Splunk Mission Control.

Indexed incident fields either come from the initial event sent to Splunk Mission Control from Splunk Enterprise Security (Cloud), or Splunk Mission Control adds them automatically. This table describes the fields added by Splunk Mission Control that are present in all incidents so that you can accurately interpret them. Other fields might be present based on the data sent from Splunk Enterprise Security (Cloud). To learn more about incidents, see Triage incidents using incident review in Splunk Mission Control.

Field name Description When to use
assignee Uniquely identifies the user assigned to the incident To determine who currently is assigned to work an incident or who was assigned to it in the past
create_time The time that an incident was created in Splunk Mission Control To determine the time an incident was created
description The description of the incident To understand more information about the incident
disposition The classification of the incident, such as True Positive or False Positive To determine how the incident is classified
id Uniquely identifies an incident in Splunk Mission Control To search for a specific incident
incident_type Uniquely identifies the incident type assigned to the incident To determine what incident type is assigned to the incident or complete incident type specific metrics
name The name of the incident To understand what types of incidents are common in your environment
sensitivity The sensitivity of the incident is based on the US-CERT Traffic Light Protocol (TLP). Search "Traffic Light Protocol (TLP) Definitions and Usage" on the Department of Homeland Security website for more information. If no value existed in the original incident, a default value is used. To differentiate metrics for different sensitivity levels
sourcetype The source of the incident To determine the source of the incident
status_name The status of the incident (if no status is specified when the event was sent, a default value is used) To determine how many incidents are in which status of the investigation
summary The summary of incident data To see an overview of an incident including various fields
update_time The time that changes were last made to the incident, such as by modifying the status or severity To understand how active an incident investigation is
urgency The urgency of the incident To determine when the incident needs to be investigated

Example searches for incidents in Splunk Mission Control

Use these example searches to learn more about incidents in Splunk Mission Control.

Determine incident metrics

To calculate metrics based on the most recent state of an incident, use the following search.

| `mc_incidents` | eventstats count as total_incidents_count

Determine the number of users assigned to an incident

To learn how many different users were assigned to an incident while it was being investigated, use the following search.

|`mc_incidents` | stats count by assignee

Determine the number of incidents for each incident type

To learn how many incidents each incident type has associated with it, use the following search.

|`mc_incidents` | stats count by incident_type

Determine the average duration of open incidents for each incident type

To find the average time that each incident type remains open before it's resolved, use the following search.

|`mc_incidents` | search status_name="Resolved" | eval duration=update_time-create_time | stats avg(duration) by incident_type

Determine which incidents have specific summary data

To find incidents with a specific value for a specific field, such as 8.21.146.47 for dest, use the following search.

|`mc_incidents` | search summary.dest="8.21.146.47"

Number of incidents open after the SLA time passed

To see the number of incidents that are still open after the SLA time period elapsed, use the following example search. The sla field refers to the time when this incident passes the SLA, in seconds. For example, if an incident is created at 9 am, and the SLA expires in 1 hour, the sla key has the epoch time of 10 am.

| `mc_incidents` | where status_name != "Closed" | eval current_time = now() | spath input=sla output=sla_epoch path=sla| eval sla_diff =sla_epoch - current_time | where sla_diff < 0 | table sla_diff, sla_epoch, id, current_time

Last modified on 25 January, 2024
Search in Splunk Mission Control   Search with response template data in Splunk Mission Control

This documentation applies to the following versions of Splunk® Mission Control: Current


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters