Overview of Mission Control in Splunk Enterprise Security
Triage, investigate, and respond to security incidents using the Mission Control page in Splunk Enterprise Security. You can also collaborate with others on your team to identify and remediate security incidents.
The Mission Control page includes the following:
- An analyst queue for viewing findings and investigations
- Charts and a timeline for visualizing finding and investigation details
The analyst queue
In Splunk Enterprise Security, detections run against raw events and third-party alerts and generate the findings and finding groups that appear in the analyst queue. An investigation is a structured approach for gathering evidence and responding to a security incident. Each investigation is based on one or more findings related to the security incident, and investigations appear alongside findings in the analyst queue.
As an analyst, you can use the analyst queue to review findings, finding groups, and investigations to gain insight into the severity of events occurring in your system or network.
Charts and timeline
Gain insight into findings and investigations using the pie charts and timeline visualization. To see the charts on the Mission Control page, select Charts.
The four pie charts show findings and investigations by the following criteria:
| Chart | Criteria |
|---|---|
| Urgency | Classifies all findings and investigations based on importance, such as Critical, High, Low, Medium, Informational, or Unknown. |
| Status | Classifies all findings and investigations based on status, such as New, In progress, Pending, Resolved, or Closed. |
| Owner | Classifies all findings and investigations based on owners, such as Unassigned, Administrator, or by a specific username. |
| Domain | Classifies all findings and finding groups based on the security domain from which they're generated, such as Access, Audit, Endpoint, Identity, Network, or Threat. |
Identify when findings were generated using the timeline visualization. To display the timeline on the Mission Control page, select Timeline. You can zoom in, zoom out, select, or deselect to focus on specific periods of time and view related events that might be of interest for more targeted threat investigations.
Example: Analyst workflow on the Mission Control page
The following high-level example workflow covers how to triage and investigate a finding by assigning it to yourself, reviewing its details, and responding to it by starting an investigation and using automation and a response plan.
- In Splunk Enterprise Security, select Mission Control from the main menu navigation bar to view a list of findings and investigations in the analyst queue.
- Review the findings and investigations from the last 24 hours from newest to oldest, and filter to focus on the ones that are most important to you.
- Select the name of a finding in the analyst queue to open the side panel.
- Triage the finding by selecting Assign to me, updating the status to reflect that you're working on it, and then selecting Save.
- Select Start investigation, and then view details such as events, additional fields, notes, and files.
- Add a response plan to the investigation to follow standardized tasks and phases for remediating the security incident.
- Automate your security workflow by running actions and playbooks on the investigation to gather more information and then remediate the security incident.
- Use threat intelligence sources to update the investigation and assess the risk posed by observables.
- Continue to update the investigation to keep other analysts informed of your progress. For example, update the status of the investigation to Pending to reflect that you're waiting for other information, action, or help from other teams, such as a crucial playbook or action approval.
- After you come to a conclusion about the investigation, update the disposition value. Available outcome values include True positive, Benign positive, False positive, and Undetermined.
- Close the investigation to indicate that you took all of the appropriate actions to resolve the security incident.
Using the Mission Control page in Splunk Enterprise Security
Use the following links to learn more about what you can do on the Mission Control page in Splunk Enterprise Security:
- Triage findings and finding groups
- Start investigations
- Respond to investigations with response plans
- Add events to an investigation
- Automate your investigation response with actions and playbooks
- Analyze risk with risk-based alerting
- Investigate observables related to an investigation
See also
For more details on how to customize your experience in Splunk Enterprise Security, see the following links in the Administer Splunk Enterprise Security manual:
- Manage analyst workflows using the analyst queue in Splunk Enterprise Security
- Configure the settings for the analyst queue in Splunk Enterprise Security
- Sort and filter findings and investigations for triage in Splunk Enterprise Security
- Manage saved views to display findings and investigations in Splunk Enterprise Security
- Customize table settings for the analyst queue in Splunk Enterprise Security
- Collaborate on investigations in Splunk Enterprise Security
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1