Splunk® Mission Control

Investigate and Respond to Threats in Splunk Mission Control


Troubleshoot Threat Intelligence Management in Splunk Mission Control

Use the following list to find troubleshooting steps for issues you might face with Threat Intelligence Management in Splunk Mission Control:

Error message: Intelligence modular input is disabled

Splunk Mission Control uses two modular inputs to get intelligence from Threat Intelligence Management: Mission Control - Retrieve IM Indicators and Mission Control - Parse IM indicators. Both modular inputs are active by default.

If you see an error message in Splunk Mission Control about deactivated modular inputs, complete the following steps to check for and activate the necessary modular inputs.

  1. Select the Settings tab in Splunk Web.
  2. In the Data section, select Data inputs.
  3. Select Mission Control - Retrieve IM Indicators for the local input.
  4. Select Enable in the Status field.
  5. Return to the Data inputs page and select Mission Control - Parse IM indicators files.
  6. Select Enable in the Status field.

After you activate the modular inputs for Splunk Mission Control, you can access threat intelligence data in the Intelligence tab of your incident investigation. To learn more about what you can do with Threat Intelligence Management, see Get started with Threat Intelligence Management in Splunk Mission Control.

SA-ThreatIntelligence `notable` macro is inactive

With the `notable` macro from SA-ThreatIntelligence, the Threat Intelligence Supporting Add-on (SA), you can create a notable event in Splunk Enterprise Security and its corresponding incident in Splunk Mission Control. In a Splunk Enterprise Security search head environment, the `notable` macro from SA-ThreatIntelligence is active by default, but users can activate or deactivate the macro through the Splunk Web menu.

The `notable` macro from SA-ThreatIntelligence is not the same as the `notable` macro from DA-ESS-ContentUpdate, the Splunk Enterprise Security Domain Add-on.

If the `notable` macro from SA-ThreatIntelligence is inactive, you can reactivate it by following these steps:

  1. In the Splunk Web menu, select Settings and then Advanced search.
  2. Select Search macros.
  3. Using the drop-down list, select SA-ThreatIntelligence for the App.
  4. Locate the notable search macro in the table. You can filter the table results using the search bar.
  5. For the notable search macro, select Enable.

To learn more about search macros specific to Splunk Mission Control, see Use search macros in Splunk Mission Control.

Last modified on 18 October, 2023

This documentation applies to the following versions of Splunk® Mission Control: Current

