Splunk® Mission Control

Investigate and Respond to Threats in Splunk Mission Control

Scenario: Alex responds to a security incident in Splunk Mission Control

The following scenario features Buttercup Games, a fictitious game company.

Buttercup Games recently released the latest version of its sought-after artificial intelligence gaming software to complement one of its popular online games. Alex, a security operations center (SOC) analyst at Buttercup Games, uses Splunk Mission Control to triage, investigate, and respond to security incidents. In the first scenario, Scenario: Alex triages and investigates an improbable login in Splunk Mission Control, Alex triaged and investigated a security incident in which a user logged in from an IP address located in the United States and 10 minutes later the same user logged in from the United Kingdom. In this scenario, Alex responds to the security incident since it is highly improbable that the user traveled from the United States to the United Kingdom in 10 minutes.

Respond to a security incident

To respond to the security incident in Splunk Mission Control, Alex follows these steps:

  1. Alex selects the incident assigned to them and then selects Response to get started.
  2. To begin working on a response plan, Alex applies a response template to the incident. A response template is a set of operating procedures, or a guide with standardized tasks and phases. A response template, when applied to a specific incident, becomes a response plan. They select + Response and then choose a response template included with Splunk Mission Control.
  3. Alex starts a task in the response plan to validate that the same user logged in twice from two different locations. After selecting the active task, Alex expands the Respond section to browse the response options. They select the search icon ( Search icon ) to open SPL related artifact query, the search that Wei, a SOC administrator, embedded in the response template task. This image shows the Response tab of Alex's incident investigation. The Splunk Search option is highlighted in the Respond section of an open task.
  4. In the Search tab, Alex locates the two events in the 10-minute time window with the same IP address but different locations. They add the two events to the incident by selecting Event actions and then Add to Mission Control incident. Saving the raw events to the incident itself helps other users understand how Alex came to the conclusion that this incident is a threat.

    If Alex wants to add all of the events that the search produced to the incident, they can add the events to the incident in bulk by adding `add_events(incident_id)` to the end of the search.

    This image shows the Search tab of Alex's incident investigation. An event is highlighted, and the Event Actions drop-down list highlights the Add Event to Mission Control Incident option.
  5. After Alex adds the events to the incident, they return to the Response tab to end the task. They select End to complete the task.


In this scenario, Alex responded to a security incident using a response plan in Splunk Mission Control. They started a task, inspected a search added by a SOC administrator, and then added relevant events to the incident. Using a response plan allowed Alex to quickly respond to the incident in a way that is standardized by their management.

Learn more

To learn more about responding to incidents with Splunk Mission Control, see:

Next step

To learn how Alex automates a security workflow, see Scenario: Alex automates a security workflow in Splunk Mission Control.

Last modified on 02 June, 2023
Scenario: Alex triages and investigates an incident in Splunk Mission Control   Scenario: Alex automates a security workflow in Splunk Mission Control

This documentation applies to the following versions of Splunk® Mission Control: Current

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters