Splunk® Mission Control

Investigate and Respond to Threats in Splunk Mission Control


Use Splunk Mission Control data in Splunk SOAR (Cloud) playbooks

As a user of Splunk Mission Control, you can use data from Splunk Mission Control in Splunk SOAR (Cloud) playbooks to automate against your Splunk Mission Control incidents. To use the Mission Control block in the visual playbook editor to write a playbook that uses data from Splunk Mission Control, complete the following steps.

If you are building a playbook that automates against data from a source other than Splunk Mission Control, use the Utility block instead of the Mission Control block. See Add functionality to your playbook in Splunk SOAR (Cloud) using the Utility block in the Splunk SOAR (Cloud) Build Playbooks with the Playbook Editor manual.

Prerequisite

In order to use Splunk Mission Control data in playbooks in Splunk SOAR (Cloud), you must have the correct permissions to view, edit, and run playbooks. For more information on the permissions required, see Assign roles and capabilities to view, edit, and run playbooks.

Steps

  1. From Splunk Mission Control, select Content.
  2. Select Automation then Playbooks.
    You are redirected to Splunk SOAR (Cloud).
  3. Select + Playbook and choose between either an Automation or Input type playbook.
  4. Drag a Mission Control block from the playbook block menu, or select the half-circle icon attached to any existing block in the editor. Select a Mission Control block from the menu that appears.
  5. Select the Mission Control API you want to configure, or search for an API name in the search field. See Available options in the Mission Control block for a list of available Mission Control APIs and their functions.
  6. Specify the parameters used in the API by using the datapath picker. For more information on parameters, hover over the information icon listed by the parameters or see the Splunk Mission Control Automation API Reference. The * field marks the inputs that are required. For example, to get tasks for the incident this playbook is automating against, follow these steps.
    1. In the Mission Control block, select get tasks.
    2. Select the id* field to open the datapath picker.
    3. Select incident then mc_incident_id to populate the datapath. See Mission Control block terminology for more information on why the datapath might differ from the field you selected in the datapath picker.
  7. (Optional) Some inputs for the APIs require a list of paired values. Select the + Item button to add a pair, then select datapaths for the name and value. For example, if you were using the set summary fields API in a playbook as part of geolocating an IP address, you could enter dest_country_name as the name of the field that you want to update, and in the value field, select geolocate_ip_1 then country_name from the datapath picker.
  8. If the datapath you need isn't available, create a custom datapath. When you add a custom datapath, it is available only for the block you add it to. Custom datapaths aren't available for events then fields in the datapath picker in the Mission Control block. To create a custom datapath, follow these steps:
    1. Hover over a datapath field title and select +.
    2. Enter the datapath name.
    3. Select either Key or List from the drop-down menu. Use Key to use one value, and use List to use a list of values. Using List adds a .* value to the datapath and it appears as <list_name [] > with datapaths nested below it in the datapath picker. To add more values to your List, select the + icon under the top value of the list.
    4. Select Save.
  9. Select Done.
  10. Save the playbook.
    1. Enter a name for the playbook.

      You can't use more than 250 characters for the name of a playbook.

    2. Select Save.
    3. Select an entry in the Operates on field for the playbook to operate on. For example, select an incident type for the playbook to operate on all incidents with that specific incident type. If the playbook ingests incidents into Splunk SOAR, the incident type for the incident must match the incident types listed in the Operates on field for ingestion to occur.
    4. (Optional) Set the playbook as Active to set the playbook to automatically run on new incidents.
    5. Select Save.
    6. Enter a comment about this playbook.
    7. Select Save.

You can also configure Advanced settings for a Mission Control block. You can use Join Settings, Scope, and Action Settings in a Mission Control block. For more information on these settings, see Advanced settings in the Splunk SOAR (Cloud) Build Playbooks with the Playbook Editor manual. For an example of a custom datapath, see Example: Add a custom datapath to a playbook block in the Splunk SOAR (Cloud) Build Playbooks with the Playbook Editor manual.

Learn more

Run a playbook that automates against Splunk Mission Control

You can run a playbook that automates against Splunk Mission Control from the following locations:

Available options in the Mission Control block

Use the Mission Control block to set parameters of the incident it's running on. For example, you can use get tasks to get all the tasks of the incident. The following table describes the options available in the Mission Control block. For more information on these APIs and the parameters associated with them, see the Splunk Mission Control Automation API Reference.

API                       Description
add incident file         Add an attachment to the KV store.
add incident note         Add the note to the incident.
add response plan         Apply a response template to an incident.
add task                  Add a task to the response plan phase you are currently working on.
add task file             Add an attachment to a task.
add task note             Add a note to a task. Author and update time are populated automatically.
create event              Create events in Splunk Mission Control.
create incident           Create an incident in Splunk Mission Control.
delete event              Delete an event that is part of an incident.
delete incident file      Delete an incident file from the KV store.
delete incident note      Delete a note in an incident.
delete task file          Delete the attachment from a task and from the collection, if applicable.
delete task note          Delete the note and attachments from a task.
get file                  Download an attachment stored in the KV store.
get files in incident     Return all files from an incident.
get incident              Retrieve an incident by the incident ID without running a search. The response matches the data available for dispatch to automation.
get notes in incident     Get notes from the incident.
get phase                 Get the current response plan phase of an incident.
get phase id              Retrieve a phase ID by providing the incident ID, phase name, and response template name. The response matches the data available for dispatch to automation.
get response templates    Get all response templates within Splunk Mission Control.
get task                  Get a specific response plan task from the current response plan phase.
get task file             Get the base64 file contents from an attachment in a task.
get task id               Retrieve a task ID by providing the incident ID, phase name, and response template name. The response matches the data available for dispatch to automation.
get task notes            Get all the notes from a response plan task.
get tasks                 Get all tasks of an incident.
remove summary fields     Remove summary fields. If a specified field does not exist, this action has no effect.
set phase                 Set the current response plan phase of an incident.
set summary fields        Set summary fields on an incident. Fields that already exist are updated. Fields that don't exist yet are created.
update event              Update events in Splunk Mission Control.
update incident           Update a Splunk Mission Control incident.
update incident note      Update a note in an incident.
update task               Update a specific response plan task in the current response plan phase.
update task note          Update a note in a task.

Mission Control block terminology

Some of the datapath terminology used in Mission Control blocks differs from terminology used in other Splunk SOAR (Cloud) playbook blocks. This table shows the differences in terminology.

Splunk Mission Control terminology    Splunk SOAR terminology
incident                              event, container
event                                 artifact
urgency                               container severity

Certain datapath values are labeled specifically for Splunk Mission Control, like mc_event_id and mc_incident_id, to distinguish them from similar Splunk SOAR values. Make sure to select the appropriate values for your use case when you are configuring your playbook.

Currently, when you are configuring a Mission Control playbook block and you specify one of the Mission Control values in a datapath, the equivalent Splunk SOAR value appears in the Mission Control block configuration panel. For example, when you select mc_event_id in the datapath, the configuration panel displays external_id. This is expected behavior.

Example: Enrich Splunk Mission Control summary data with geolocate information

The following example describes how you can automate enriching summary data with geolocate information in Splunk Mission Control by using the Mission Control block in a Splunk SOAR (Cloud) playbook. The summary field values appear in the Overview tab on an incident. For more information on the Overview tab, see Investigate an incident in Splunk Mission Control.

The playbook you create to do this uses a third-party application, MaxMind, to run an action to geolocate the IP. The set summary fields API from the Mission Control block updates the summary fields on your desired Splunk Mission Control incident with the geolocated values.

Prerequisite

In order to use Splunk Mission Control data in playbooks in Splunk SOAR (Cloud), you must have the correct permissions to view, edit, and run playbooks. For more information on the permissions required, see Assign roles and capabilities to view, edit, and run playbooks.

Steps

  1. Build the Geolocate summary data playbook.
  2. Run the Geolocate summary data playbook against an incident.

Build the Geolocate summary data playbook

  1. From Splunk Mission Control, select Content.
  2. Select Automation then Playbooks.
    You are redirected to Splunk SOAR (Cloud).
  3. Select + Playbook and choose the Automation type playbook.
  4. Enter Geolocate summary data as the name for this playbook.
  5. In the Operates on field, select * to have the playbook operate on any incident.
  6. Select where you want to save the playbook, enter a comment, and select Save.
  7. Select the half-circle icon attached to the Start block in the editor. Select an Action block from the menu that appears. For more information on Action blocks, see Add an action block to your Splunk SOAR (Cloud) playbook in the Splunk SOAR (Cloud) Build Playbooks with the Playbook Editor manual.
  8. Select By App > MaxMind > geolocate ip.
  9. In the Inputs section, in the datapath picker, select ip* > incident > dest to geolocate an IP address associated with a Splunk Mission Control incident.
  10. Select the half-circle icon attached to the Action block and select a Mission Control block from the menu that appears.
  11. Select the set summary fields API from the list.
  12. Select incident_id* > incident > mc_incident_id to configure this block to run on a Splunk Mission Control incident ID.
    See Mission Control block terminology for more information on why the datapath might differ from the field you selected in the datapath picker.
  13. In the Inputs section, select + Item to configure a pair of inputs.
    1. In the name field, enter dest_country_name as the name of the field that you want to update or add.
    2. In the value field, select geolocate_ip_1 then country_name to update the dest_country_name field with the value of the country name.
  14. Drag the half-circle icon attached to the Mission Control block and attach it to the End block.
  15. Save the playbook.
    1. Select Save.
    2. Select an entry in the Operates on field for the playbook to operate on. For this example, select the incident type IP address for the playbook to operate on all incidents with this specific incident type. See Customize Splunk Mission Control incident settings for more information on incident types.
    3. Set the playbook as Active to set the playbook to automatically run on new incidents.
    4. Select Save.
    5. Enter a comment about this playbook.
    6. Select Save.

Run the Geolocate summary data playbook against an incident

  1. From the Incident review page in Splunk Mission Control, select the incident you want to run the Geolocate summary data playbook against.
  2. Select the Automation tab.
  3. Select Run playbook.
  4. Search for and select the Geolocate summary data playbook.
  5. Set the Scope to New events. Selecting New events processes only the events added since the last playbook run. For more information on scope options, see Run a playbook.
  6. Select Run playbook.

After you run the playbook, you can view the details by selecting the entry in Automation history. Alternatively, you can run the playbook from the debugger if you want more information on the playbook run. See Troubleshoot playbook errors by running playbooks through the debugger.

If the automation was successful, in the Overview tab for the incident the value of the country name is populated in the dest_country_name field.

After you run the playbook, you might need to refresh Splunk Mission Control for the automation to populate the fields in the Overview tab.

Example: Enrich Splunk Mission Control events with geolocate information

The following example describes how you can automate enriching event data with geolocate information in Splunk Mission Control by using the Mission Control block in a Splunk SOAR (Cloud) playbook. Event data appears in the Events tab on an incident. For more information on the Events tab, see Add events to an incident in Splunk Mission Control.

In this example, you select an incident with events with destination fields you can geolocate using the playbook you create. The playbook you create to do this uses a third-party application, MaxMind, to run an action to geolocate the IP addresses. The update event API from the Mission Control block updates the events on your desired Splunk Mission Control incident with the geolocated values.

Prerequisites

  1. Ensure you have the correct permissions to view, edit, and run playbooks. See Assign roles and capabilities to view, edit, and run playbooks.
  2. Follow the steps to build the Geolocate summary data playbook. This playbook is used as a starting point for the playbook you use to geolocate event data. See Build the Geolocate summary data playbook.

Steps

  1. Build the Geolocate event data playbook.
  2. Run the Geolocate event data playbook to update events.

Build the Geolocate event data playbook

  1. From Splunk Mission Control, select the Search tab.
  2. Select an incident with events that have destination fields that you want to automate against, or add events from a search to an incident. See Add an event from a search.
  3. Open the Geolocate summary data playbook that you previously created. See Build the Geolocate summary data playbook.
  4. Add a parallel path to the Geolocate summary data playbook by dragging the half-circle icon attached to the Start block. Select an Action block from the menu that appears to geolocate the IP addresses associated with the event.
    You are now building a parallel path to the playbook path you created previously.
    1. Select By App > MaxMind > geolocate ip.
    2. In the Inputs section, select event then dest to geolocate the IP addresses associated with the destination field for the events in Splunk Mission Control.
  5. Select the half-circle icon attached to the Action block and select a Mission Control block from the menu that appears.
  6. Select the update event API from the list.
    1. Select event_id* > geolocate_ip_2 > mc_event_id to configure this block to run on a Splunk Mission Control event.
    2. Select incident_id* > incident > mc_incident_id to configure this block to run on the events for a specific Splunk Mission Control incident ID.
  7. In the Inputs section, select + Item to configure a pair of inputs.
    1. In the name field, enter dest_country_name as the name of the field that you want to update.
    2. In the value field, select geolocate_ip_2 then country_name to update the dest_country_name field for an event with the value of the country name.
  8. Drag the half-circle icon attached to the Mission Control block and attach it to the End block.
  9. Select Save.
    1. Select an entry in the Operates on field for the playbook to operate on. For this example, select the incident type IP address for the playbook to operate on all incidents with this specific incident type. See Customize Splunk Mission Control incident settings for more information on incident types.
    2. Set the playbook as Active to set the playbook to automatically run on new incidents.
    3. Select Save.
    4. Enter a comment about this playbook.
    5. Select Save.

Run the Geolocate event data playbook to update events

  1. From the Incident review page in Splunk Mission Control, select the incident that has the events that you want to run the playbook against.
  2. Select the Automation tab.
  3. Select Run playbook.
  4. Search for and select the Geolocate summary data playbook that you added the event path to.
  5. Set the Scope to All events. Selecting All events processes all events in the playbook run. For more information on scope options, see Run a playbook.
  6. Select Run playbook.

After you run the playbook, you can view the details by selecting the entry in Automation history. Alternatively, you can run the playbook from the debugger if you want more information on the playbook run. See Troubleshoot playbook errors by running playbooks through the debugger.

If the automation was successful, in the Events tab the values of the country names are populated in the dest_country_name fields.

After you run the playbook, you might need to refresh Splunk Mission Control for the automation to populate the fields in the Events tab.
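The two geolocate examples above (the summary-data path and the parallel event path) share one data flow: read a dest field, run it through the geolocate ip action, and hand the resulting country_name to a Mission Control block as a name/value pair keyed by mc_incident_id (and, for events, mc_event_id). The following Python is an added illustration of that flow and is not code from this manual or from Splunk SOAR; the generated playbook code and the MaxMind app are not reproduced here. A constructed lookup table (CONSTRUCTED_GEO_TABLE) stands in for the MaxMind action, the incident record is constructed sample data, and the dictionary keys incident_id, event_id, name and value mirror the block inputs described on this page. It also shows the two cases a practitioner runs into that the steps do not cover: a dest that is missing or malformed, and a dest that is a private or loopback address, which a geolocation service cannot place. In both cases the field is left alone rather than overwritten with an empty value.

```python
import ipaddress

# Constructed stand-in for the MaxMind "geolocate ip" action's country_name output.
# The addresses are RFC 5737 documentation ranges, not real hosts.
CONSTRUCTED_GEO_TABLE = {
    "203.0.113.10": "Example Country A",
    "198.51.100.7": "Example Country B",
}

# Ranges a geolocation service has no country for. Listed explicitly because
# Python's ipaddress.is_global also rejects the documentation ranges used above.
NON_ROUTABLE = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


def geolocate_ip(ip):
    """Return the country_name for an IP, or None when there is nothing usable.

    None covers a missing/malformed dest, a private/loopback/link-local address,
    and an address the constructed table does not know.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    if any(addr in net for net in NON_ROUTABLE):
        return None
    return CONSTRUCTED_GEO_TABLE.get(ip)


def build_summary_field_update(incident):
    """Summary-data path: incident.dest -> geolocate_ip_1.country_name,
    then one name/value pair for the set summary fields block."""
    country = geolocate_ip(incident.get("dest", ""))
    if country is None:
        return None  # no call; an existing dest_country_name is not blanked
    return {
        "incident_id": incident["mc_incident_id"],
        "fields": [{"name": "dest_country_name", "value": country}],
    }


def build_event_updates(incident):
    """Event path: event.dest -> geolocate_ip_2.country_name for every event,
    then one update event call per event, keyed by mc_event_id and mc_incident_id."""
    updates = []
    for event in incident.get("events", []):
        country = geolocate_ip(event.get("dest", ""))
        if country is None:
            continue  # skip events with no routable dest instead of writing ""
        updates.append({
            "event_id": event["mc_event_id"],
            "incident_id": incident["mc_incident_id"],
            "fields": [{"name": "dest_country_name", "value": country}],
        })
    return updates


# Constructed sample incident: one routable incident-level dest and three events,
# of which only the first can be geolocated.
SAMPLE_INCIDENT = {
    "mc_incident_id": "INC-CONSTRUCTED-001",
    "dest": "203.0.113.10",
    "events": [
        {"mc_event_id": "EV-CONSTRUCTED-1", "dest": "198.51.100.7"},
        {"mc_event_id": "EV-CONSTRUCTED-2", "dest": "10.0.0.5"},   # private, no geodata
        {"mc_event_id": "EV-CONSTRUCTED-3"},                        # dest missing
    ],
}

if __name__ == "__main__":
    print(build_summary_field_update(SAMPLE_INCIDENT))
    for update in build_event_updates(SAMPLE_INCIDENT):
        print(update)
```

Running the script shows one set summary fields call for the incident and a single update event call (for the first event); the private-address and missing-dest events produce no call at all, which is the behaviour you want from the playbook so that a failed lookup never clears a previously populated dest_country_name.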

Troubleshoot playbook errors by running playbooks through the debugger

If you're having problems with your playbook and need to test or troubleshoot issues, run your playbook through the debugger.

  1. From Splunk Mission Control, select the incident you want to run the automation against.
  2. From the Overview tab, select the ID to copy the incident ID.
  3. Navigate to the playbook you want to debug and open the Playbook Debugger.
  4. Paste the incident ID you copied in the Incident ID field.
  5. Select Test.

To learn more about debugging, including what conditions your playbook must meet to use the debugger, see Debug playbooks in Splunk SOAR (Cloud) in the Splunk SOAR (Cloud) Build Playbooks with the Playbook Editor manual.

Last modified on 07 February, 2024

This documentation applies to the following versions of Splunk® Mission Control: Current
