Splunk® Mission Control

Investigate and Respond to Threats in Splunk Mission Control


Example incident response workflow in Splunk Mission Control

After you add data to Splunk Mission Control, you're ready to start triaging, investigating, and responding to it. Data that you add to Splunk Mission Control appears in the product as incidents.

You can use Splunk Mission Control as part of your security response processes. This example workflow covers how to triage incidents by assigning them to the relevant analysts, investigate them, and run searches against the data stored in your tenant to help contain or remediate a security incident.

  1. Navigate to your Splunk Cloud Platform instance with Splunk Enterprise Security (Cloud) installed and select Mission Control from the list of apps.
  2. Select Incident review from the menu bar to view the list of incidents.
  3. Review the incidents from the last 24 hours from newest to oldest, and sort to focus on the incidents that are most important to you.
  4. Triage an incident by hovering over it and selecting Preview.
  5. Assign the incident to yourself and update its status to reflect that you're working on it.
  6. Select the incident to start investigating it. Review the details on the overview tab.
  7. Add a response template to the incident to guide the tasks that you complete while investigating and remediating the incident. See Apply response templates to standardize response to incidents.
  8. Automate your security workflow by running actions and playbooks to gather more information about the incident, contain it, and then remediate it. See Automate incident response with playbooks and actions in Splunk Mission Control.
  9. Use intelligence sources to update the incident and investigate the risk posed by observables. See Get started with Threat Intelligence Management in Splunk Mission Control.
  10. As you investigate, update the incident to keep other analysts informed of your progress.
  11. As needed, update the status of the incident to Pending to reflect that you are waiting for other information, action, or help from other teams, such as a crucial playbook or action approval.
  12. Select Search to run Splunk Search Processing Language (SPL) searches against the raw data in your tenant and gather additional context as needed.
  13. After you come to a conclusion about the incident, update its disposition. Available disposition values include True positive, Benign positive, False positive, and Undetermined.
  14. Close the incident to indicate that you took all of the appropriate actions to resolve the incident.
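The following search illustrates step 12: pivoting from an observable attached to the incident (here a suspect source IP) to the raw events in your tenant, so that you can confirm scope before running containment actions. It is an added example and is not part of the Splunk documentation or of Mission Control itself. It assumes your data is normalized to the Splunk Common Information Model (CIM) field names src, dest, user, and sourcetype; the IP address 203.0.113.45 is a constructed RFC 5737 documentation address, and the time window is an assumption you should adjust to the incident's timeframe.

```spl
index=* earliest=-24h latest=now
    (src="203.0.113.45" OR dest="203.0.113.45")
| stats count
        earliest(_time) AS first_seen
        latest(_time) AS last_seen
        values(sourcetype) AS sourcetypes
        values(user) AS users
        dc(dest) AS distinct_dests
    BY src dest
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"),
       last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - count
```

Searching index=* is convenient during triage but expensive in a large tenant; once you know which sources hold the relevant events (firewall, proxy, endpoint, authentication), restrict the search to those indexes. Attach the resulting first_seen and last_seen values and the list of affected destinations to the incident as notes so that other analysts can see the established scope, and record the search itself in the incident so that the evidence trail is reproducible when you set the disposition.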

See also

See more details about triaging, investigating, and responding to incidents.

Last modified on 20 September, 2023

This documentation applies to the following versions of Splunk® Mission Control: Current

