Splunk® Enterprise Security

Use Splunk Enterprise Security

Overview of Mission Control in Splunk Enterprise Security

Triage, investigate, and respond to security incidents using the Mission Control page in Splunk Enterprise Security. You can also collaborate with others on your team to identify and remediate security incidents.

The Mission Control page includes the following:

  • An analyst queue for viewing findings and investigations
  • Charts and a timeline for visualizing finding and investigation details

The analyst queue

In Splunk Enterprise Security, detections generate the findings and finding groups that appear in the analyst queue based on raw events and third-party alerts. An investigation is a structured approach for gathering evidence and responding to a security incident. Each investigation is based on one or more findings related to the security incident, and they appear alongside findings in the analyst queue.

As an analyst, you can use the analyst queue to review findings, finding groups, and investigations to gain insight into the severity of events occurring in your system or network.

Charts and timeline

Gain insight into findings and investigations using the pie charts and timeline visualization. To see the charts on the Mission Control page, select Charts.

The four pie charts show findings and investigations by the following criteria:

Chart Criteria
Urgency

Classifies all findings and investigations based on importance, such as Critical, High, Low, Medium, Informational, or Unknown.

Status Classifies all findings and investigations based on status, such as New, In progress, Pending, Resolved, or Closed.
Owner Classifies all findings and investigations based on owners, such as Unassigned, Administrator, or by a specific username.
Domain Classifies all findings and finding groups based on the security domain from which they're generated, such as Access, Audit, Endpoint, Identity, Network, or Threat.

Identify when findings were generated using the timeline visualization. To display the timeline on the Mission Control page, select Timeline. You can zoom in, zoom out, select, or deselect to focus on specific periods of time and view related events that might be of interest for more targeted threat investigations.

Example: Analyst workflow on the Mission Control page

The following high-level example workflow covers how to triage and investigate a finding by assigning it to yourself, reviewing its details, and responding to it by starting an investigation and using automation and a response plan.

  1. In Splunk Enterprise Security, select Mission Control from the main menu navigation bar to view a list of findings and investigations in the analyst queue.
  2. Review the findings and investigations from the last 24 hours from newest to oldest, and filter to focus on the ones that are most important to you.
  3. Select the name of a finding in the analyst queue to open the side panel.
  4. Triage the finding by selecting Assign to me, updating the status to reflect that you're working on it, and then selecting Save.
  5. Select Start investigation, and then view details such as events, additional fields, notes, and files.
  6. Add a response plan to the investigation to follow standardized tasks and phases for remediating the security incident.
  7. Automate your security workflow by running actions and playbooks on the investigation to gather more information and then remediate the security incident.
  8. Use threat intelligence sources to update the investigation and assess the risk posed by observables.
  9. Continue to update the investigation to keep other analysts informed of your progress. For example, update the status of the investigation to Pending to reflect that you're waiting for other information, action, or help from other teams, such as a crucial playbook or action approval.
  10. After you come to a conclusion about the investigation, update the disposition value. Available outcome values include True positive, Benign positive, False positive, and Undetermined.
  11. Close the investigation to indicate that you took all of the appropriate actions to resolve the security incident.

Using the Mission Control page in Splunk Enterprise Security

Use the following links to learn more about what you can do on the Mission Control page in Splunk Enterprise Security:

See also

For more details on how to customize your experience in Splunk Enterprise Security, see the following links in the Administer Splunk Enterprise Security manual:

Last modified on 29 October, 2024
Use Federated Analytics with Splunk Enterprise Security for threat detection in Amazon Security Lake (ASL) datasets   Triage findings and finding groups in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters