Severity and state mappings for Splunk Security

Alert priority and resolution state mapping between Splunk Security and Incident Response.

Splunk Security alert priority mapping

Splunk Security's alert priority is derived from a single field in the alert payload: severity. Each severity value maps to an Incident Response alert priority as follows.

Splunk Security payload field   Splunk Security payload value   Incident Response alert priority value
severity                        Critical                        P1-Critical
severity                        Major                           P2-High
severity                        Minor                           P3-Moderate
severity                        Warning                         P4-Low
severity                        Info                            P5-Informational

Splunk Security resolution state mapping

The alert resolution state is derived from a single field in the alert payload: status. Each status value maps to an Incident Response resolution state as follows.

Splunk Security payload field   Splunk Security payload value   Incident Response alert resolution state value
status                          ok                              Closed
status                          anomalous                       New

Note: If you require any other severity or state mappings, use the Generic webhook integration.
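As an added illustration (not code from the Splunk Security or Incident Response integration itself), the following Python applies both mapping tables to a constructed Splunk Security webhook payload and reports any severity or status value that neither table covers, which is the situation in which the note above directs you to the Generic webhook integration. Case-insensitive matching and the payload layout (top-level severity and status keys, a title field) are assumptions made for the example.

```python
import json
from typing import Optional

# Severity -> Incident Response alert priority, copied from the table above.
SEVERITY_TO_PRIORITY = {
    "critical": "P1-Critical",
    "major": "P2-High",
    "minor": "P3-Moderate",
    "warning": "P4-Low",
    "info": "P5-Informational",
}

# Status -> Incident Response alert resolution state, copied from the table above.
STATUS_TO_STATE = {
    "ok": "Closed",
    "anomalous": "New",
}


def _normalize(value) -> str:
    # Assumption: matching ignores case and surrounding whitespace; the page
    # shows only the canonical spellings, so this is a defensive choice.
    return str(value).strip().lower() if value is not None else ""


def map_priority(severity) -> Optional[str]:
    """Return the Incident Response priority for a severity, or None if unmapped."""
    return SEVERITY_TO_PRIORITY.get(_normalize(severity))


def map_state(status) -> Optional[str]:
    """Return the Incident Response resolution state for a status, or None if unmapped."""
    return STATUS_TO_STATE.get(_normalize(status))


def translate(payload_json: str) -> dict:
    """Translate a Splunk Security payload into the fields Incident Response needs.

    Unmapped values are collected in 'unmapped' rather than silently defaulted,
    so a caller can route such alerts through the Generic webhook integration.
    """
    payload = json.loads(payload_json)
    severity = payload.get("severity")
    status = payload.get("status")
    priority = map_priority(severity)
    state = map_state(status)

    unmapped = []
    if priority is None:
        unmapped.append(f"severity={severity!r}")
    if state is None:
        unmapped.append(f"status={status!r}")

    return {
        "title": payload.get("title", ""),
        "priority": priority,
        "resolution_state": state,
        "unmapped": unmapped,
    }


# Constructed sample payloads (hypothetical shape, not captured from Splunk).
SAMPLE_MAPPED = json.dumps(
    {"title": "Unusual outbound volume", "severity": "Major", "status": "anomalous"}
)
SAMPLE_CLEARED = json.dumps(
    {"title": "Unusual outbound volume", "severity": "Major", "status": "ok"}
)
SAMPLE_UNMAPPED = json.dumps(
    {"title": "Custom detector", "severity": "Emergency", "status": "anomalous"}
)

if __name__ == "__main__":
    for sample in (SAMPLE_MAPPED, SAMPLE_CLEARED, SAMPLE_UNMAPPED):
        print(translate(sample))
```

A status of ok closes the alert while leaving the priority unchanged, so the second sample still reports P2-High with a Closed state; the third sample shows an unmapped severity being flagged instead of being coerced to a default priority.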