Splunk® Mission Control

Investigate and Respond to Threats in Splunk Mission Control


Get started with Splunk Mission Control

Use Splunk Mission Control to triage, investigate, and respond to security incidents from a cloud-based console integrated with Splunk Enterprise Security (Cloud). You can identify and remediate incidents while collaborating with others on your team.

Use Splunk Mission Control to complete the following tasks:

To get started, select the Incident review tab in Splunk Mission Control, and then select an incident to start investigating it. See Example incident response workflow in Splunk Mission Control. Additionally, see Splunk Mission Control scenario library to learn how to use Splunk Mission Control to remediate a common security incident.

Splunk Mission Control compatibility prerequisites

To access Splunk Mission Control, you must be licensed for both of the following Splunk products:

  • Splunk Enterprise Security (Cloud) versions 6.6 and higher
  • Splunk Enterprise versions 8.0 and higher

Splunk Mission Control is automatically preinstalled as an app for customers who have both compatible versions of Splunk Enterprise and Splunk Enterprise Security (Cloud) and who also reside within a supported region. To learn more about regional availability and how to access the app, see Splunk Mission Control regional availability in the Splunk Mission Control Service Description.

Splunk Mission Control components

The main components of Splunk Mission Control each play a role in delivering security triage, investigation, and response. Some of these components are present in other Splunk security software.

Action: A command that an analyst can run manually or from a playbook in Splunk Mission Control or Splunk SOAR (Cloud). For example, adding a file, comment, or attachment.
Artifact: Any item in Splunk SOAR (Cloud) or Splunk Mission Control that indicates risk, including risk objects, threat objects, observables, assets, identities, and indicators. Groups of similar artifacts are called entities.
Connector: An integration that lets Splunk SOAR (Cloud) or Splunk Mission Control connect to an external product or service, such as Okta or MaxMind. The connector determines which actions are available to a user or to a playbook for that specific product or service.
Event: A contributing event or the raw data associated with an incident. It can represent the incident itself or one of a series of activities that resulted in the creation of the incident.
Incident: An event generated by a correlation search as a security alert in Splunk Mission Control. Comparable to a notable event in Splunk Enterprise Security (Cloud), an incident is an item that you can investigate. For example, it might include an email from a phishing inbox.
Incident type: A category of incidents that share common characteristics, such as source or severity. After creating an incident type, you can associate it with a response template to automate and standardize your incident response workflow.
Indicator: A piece of data that provides additional context about unusual, suspicious, or malicious cyber activity, such as when it was observed and the level of risk it poses. Observables become indicators after Threat Intelligence Management enriches and scores them.
Intelligence workflows: No-code data pipelines in Threat Intelligence Management that automate the extraction, transformation, prioritization, and sharing of indicators for specific security use cases. You can configure multiple intelligence workflows to target responses, reduce data wrangling, accelerate intelligence automation, and reduce false positives.
Observable: A piece of data indicating an event that has occurred or been observed on a computer system, network, or other digital entity. Threat Intelligence Management records observables, which can be malicious or benign, as part of an incident.
Playbook: A saved sequence of actions, prompts, or manual tasks, performed by connectors or analysts, that automates a security workflow.
Response plan: A guide with predefined tasks and phases for responding to a particular incident. When you add a response template to an incident, it becomes a response plan. Changes you make to the response plan apply only to the investigation of that specific incident, not to the original response template.
Response template: A plan that provides standardized guidelines for the response tasks and phases that security analysts perform when investigating and responding to incidents.
Risk score: A single metric that shows the relative risk of an entity. The risk score of an asset or identity is the sum of the risk scores of all risk events in the risk index that apply to that asset or identity over a period of time. When the risk score surpasses a specified threshold within that period, analysts can focus on the potentially connected behaviors associated with the entity to identify security threats.
Threat object: An observable, such as a URL, file hash, or email address, that poses an increased security risk or is at risk of being the target of a threat.
Last modified on 20 September, 2023

This documentation applies to the following versions of Splunk® Mission Control: Current
