Get data into Splunk Mission Control from Splunk Enterprise Security (Cloud)

Data ingested or created in Splunk Mission Control becomes Mission Control incidents. These incidents include notable events automatically sent from Splunk Enterprise Security (Cloud) and other alarm and security event data that you create in Splunk Mission Control.

Although notable events are automatically sent from Splunk Enterprise Security (Cloud), as a user of Splunk Mission Control you can configure the Mission Control Incidents adaptive response action when you are creating correlation searches that create notable events in Splunk Enterprise Security (Cloud). This adaptive response action ensures that consistent Splunk Mission Control incidents are created from new Splunk Enterprise Security (Cloud) notable events.

It's a good idea to add a Mission Control Incidents adaptive response action to a correlation search that creates notables so it applies to newly created incidents right away. If you don't add an action, the system automatically checks for and adds a Mission Control Incidents adaptive response action to every correlation search that has a Notable adaptive response action every 15 minutes. Also, if you don't add this adaptive response action, the default incident type is used.

1. From Splunk Cloud Platform, select Apps, then Enterprise Security.
2. Select Configure, then Content, then Content Management.
3. Create a correlation search to create notable events in Splunk Enterprise Security (Cloud). See Create correlation searches in Splunk Enterprise Security in the Administer Splunk Enterprise Security manual.
4. Add and configure the Notable adaptive response action. See Create a notable event in the Administer Splunk Enterprise Security manual.
5. From the Adaptive Response Actions heading, select + Add New Response Action and search for and select Mission Control Incidents
6. (Optional) Configure the incident type that you want assigned to the incidents created by the Mission Control Incidents adaptive response action. If no incident type is selected, the default incident type is used. See Create incident types.

   Customizing the incident type macro in Splunk Mission Control overrides the incident type you might have selected using the Mission Control Incidents adaptive response action. However, if the incident type macro is set to "default" and you select an incident type in the Mission Control Incidents adaptive response action, the default incident type in Splunk Mission Control is updated to reflect your selection from the adaptive response action. As such, it is recommended to only set the default incident type from one location, either through the incident type macro or the adaptive response action. For more information on customizing the incident type macro, see Customize the incident type macro.

7. Select Save.

A Mission Control incident is created in Splunk Mission Control for every Splunk Enterprise Security (Cloud) notable event created by the correlation search.

Deactivate adding incident creation to Splunk Enterprise Security correlation searches

Splunk Mission Control contains a modular input that automatically adds incident creation to Splunk Enterprise Security correlation searches that create notable events. You might want to deactivate this modular input if you don't want Splunk Mission Control incidents automatically created from Splunk Enterprise Security notable events. To deactivate this modular input, follow these steps:

1. From the Splunk Cloud Platform menu in Splunk Mission Control, select Settings then Data inputs.
2. From the Local inputs heading, select Mission Control - Add incident creation to ES correlation searches.
3. Select Disable.

If you choose to deactivate this modular input, you will need to manually add the Mission Control Incidents adaptive response action to any correlation searches that you want to create Splunk Mission Control incidents from. See "Get data into Splunk Mission Control from Splunk Enterprise Security (Cloud)" on this page.