Associate an incident type with a response template in Splunk Mission Control
You can associate one or more incidents with specific response templates based on incident type. After you create an incident type and associate it with a response template, any new incident ingested or created with that incident type applies the response template you selected.
Prerequisites
Before you can associate an incident type with a response template, complete the following:
- Create an incident type. See Create incident types.
- Select the response template you want to associate with an incident type by either creating a response template or using a response template included with Splunk Mission Control. See Create response templates or Included response templates in Splunk Mission Control.
Steps
- Navigate to Settings.
- Select Incident Settings then Incident Types.
- Either create a new incident type, or select an existing incident type from the table. For example, you can create or select an incident type with the name "Phishing".
- Navigate to the Incident Type Associations section and select + Response Template.
- Select the response template that you want to apply to the incident type of "Phishing". Only published response templates appear in this list.
- (Optional) Select + Response Template to associate an additional response template with "Phishing". You can drag and drop the response templates to change the order. The response template listed first is the default response template for the incident type.
- Select Save Changes.
After you associate the incident type with a response template, any new incident ingested or created with the incident type "Phishing" becomes associated with the response templates you selected. You can see your response plans on the Response tab of the incident. For more information on selecting an incident type at the incident level, see Triage incidents using incident review in Splunk Mission Control.