Severity and state mappings for Splunk
Alert priority and resolution state mapping between Splunk and Incident Response.
Splunk alert priority mapping
Splunk expects field extraction to have happened, and it expects value in one field. The
field of interest is: severity.
| Splunk payload field | Splunk payload value | Incident Response alert priority value |
|---|---|---|
| severity | 1 | P1-Critical |
| 2 | P2-High | |
| 3 | P3-Moderate | |
| 4 | P4-Low | |
| 5 | P5-INFORMATIONAL | |
| 0 | Clear/0 |
If severity property is not sent in the payload, the default value for
alert priority is P4-Low.
Splunk resolution state mapping
Splunk’s resolution state is always New.
Note: If you require any other severity and state mappings, use the
Generic webhook integration.