Splunk® Mission Control

Investigate and Respond to Threats in Splunk Mission Control


Investigate observables in Splunk Mission Control

After you have access to threat intelligence data, you can start managing observables and reviewing their priority scores in the Intelligence tab of your incident investigation.

To access threat intelligence data, see Get started with Threat Intelligence Management in Splunk Mission Control.

Filter and sort observables

Filter, sort, and search for observables in the Intelligence tab of your incident investigation. To manage observables in Splunk Mission Control, complete the following steps:

  1. Select an incident on the Incident review page.
  2. Select the Intelligence tab.
  3. If you're investigating an incident that's part of a parent-child relationship, select which incident you want to view intelligence data for using the drop-down list in the Incident field.
  4. To filter observables, select the column header of the field you want to filter by. You can sort and filter a field by selecting the down arrow icon in the column header or by entering a search in the observable search bar. Fields that aren't filterable don't have a filter menu with check boxes.
  5. In the filter menu, select a value. For some fields, such as Score, you can select multiple values, such as Medium and High.
  6. To remove a filter so that it no longer applies to observables, select the remove icon next to the respective filter, or select Clear all to remove them all.
  7. To sort observables, select the column header of the field you want to sort by. Then, select the up arrow icon or the down arrow icon to determine which observables appear first.

Review priority scores for observables

After you set up Threat Intelligence Management in Splunk Mission Control, select an observable in the Intelligence tab of your incident investigation to begin exploring potential pain points.

If you're investigating an incident that's part of a parent-child relationship, select which incident you want to view intelligence data for using the drop-down list in the Incident field.

The list of observables includes those found in the following incident fields:

  • risk_object
  • threat_object
  • threat_match_value
  • host
  • orig_host
  • dvc
  • dest
  • src
  • src_user
  • user

Different intelligence sources often use different scoring systems, which makes it difficult to compare threats across sources. For example, one source might use the scale of 1 through 10 for severity, and another source might use text labels such as Benign or Malicious.

Threat Intelligence Management normalizes the different scores using a conversion table so that you can compare all scores across different intelligence sources. You can use these scores to evaluate the risk associated with an observable or risk event.

After you select an observable, you can find its passthru score and normalized score by expanding the Intel report summaries section. The priority score is the badge that appears in the Observable overview section.

The following table defines the scores associated with each observable.

Score | Description
Passthru score | The original score assigned to the observable by an external intelligence source.
Normalized score | The score created by Threat Intelligence Management and assigned to the observable to show the relative severity of the observable. Normalized scoring automatically converts the passthru score from an intelligence source into a value that reflects the observable's severity on a standardized scale.
Priority score | The score that aggregates the normalized scores from all the IOCs to create one score for that observable.
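The following added example models the passthru, normalized and priority scores described above for one observable. It is illustration code, not Splunk's implementation: the conversion table, the 0 to 100 normalized scale, the "take the maximum" aggregation rule and the Low/Medium/High band thresholds are all assumptions, and the intel reports are constructed sample data.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional, Union

# Assumed standardized scale for normalized scores (not Splunk's actual scale).
NORMALIZED_MAX = 100

# Assumed conversion table for sources that deliver text labels.
LABEL_TABLE = {"benign": 0, "suspicious": 50, "malicious": 100}

# Assumed (min, max) ranges for sources that deliver numeric severities.
NUMERIC_RANGES = {"source_a": (1, 10), "source_b": (0, 5)}


@dataclass
class IntelReport:
    """One IOC report for an observable, as delivered by one intelligence source."""
    source: str
    passthru: Union[str, int, float]  # the score exactly as the source assigned it


def normalize(report: IntelReport) -> int:
    """Convert a passthru score to the assumed 0..100 normalized scale."""
    if isinstance(report.passthru, str):
        label = report.passthru.strip().lower()
        if label not in LABEL_TABLE:
            raise ValueError(f"unknown label {report.passthru!r} from {report.source}")
        return LABEL_TABLE[label]
    if report.source not in NUMERIC_RANGES:
        raise ValueError(f"no numeric range known for source {report.source!r}")
    lo, hi = NUMERIC_RANGES[report.source]
    value = min(max(float(report.passthru), lo), hi)  # clamp out-of-range input
    return round((value - lo) / (hi - lo) * NORMALIZED_MAX)


def priority_score(reports: list[IntelReport]) -> Optional[int]:
    """Aggregate all normalized scores into one priority score (assumed rule: maximum).

    Returns None for an observable with no intelligence information at all.
    """
    if not reports:
        return None
    return max(normalize(r) for r in reports)


def score_band(priority: Optional[int]) -> str:
    """Map a priority score to a badge label; thresholds are assumptions."""
    if priority is None:
        return "No intel"
    return "Low" if priority < 34 else "Medium" if priority < 67 else "High"


# Constructed sample: two sources report on the same observable.
SAMPLE_REPORTS = [IntelReport("source_a", 7), IntelReport("source_b", "Malicious")]
```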

Some observables don't have any intelligence information. If you select an observable with no intelligence information, select Search to open the Search page and find related threat intelligence indicators.

Intelligence sources provide the tags and attributes for the observable in the Observable overview section. However, you can't distinguish which specific intelligence source provided each tag or attribute.

Last modified on 18 October, 2023

This documentation applies to the following versions of Splunk® Mission Control: Current

