Splunk® Mission Control

Get Data into Splunk Mission Control


Customize getting data into Splunk Mission Control from Splunk Enterprise Security

When you enable the default searches in Splunk Connect for Mission Control, the alert action associated with those searches sends all notable events for the time range of the search, together with the artifacts returned by the asset and identity lookups for those notable events. If you want only a subset of notable events in Splunk Mission Control, or if you have another use case, you can customize the data that you send to Splunk Mission Control from Splunk Enterprise Security.

The following list shows some possible customizations:

  • Send historical notable events to Splunk Mission Control to backfill the analyst queue.
  • Send only some notable events to Splunk Mission Control.
  • Send all notable events to Splunk Mission Control with custom labels to use for role-based access control (RBAC).
  • Send notable events with custom values for severity, status, or similar fields to Splunk Mission Control.
  • Send notable events with custom artifact fields that are not part of a CIM data model to Splunk Mission Control.

Send historical notable events to Splunk Mission Control to backfill the analyst queue

When you first set up Splunk Mission Control, you might want to send notable events from the past that are still open, so that you can start triaging and investigating notable events in Splunk Mission Control right away, instead of waiting for new notable events to be detected and sent.

  1. Log in to Splunk Web on the search head that has Splunk Connect for Mission Control installed.
  2. Select Settings > Searches, reports, and alerts.
  3. Change the App: filter to Splunk Connect for Mission Control.
  4. Locate the Mission Control - Forward Notable Events - Ingestion saved search.
  5. Click Edit > Clone.
  6. Change the title to say Mission Control - Forward Notable Events Backfill - Ingestion.
  7. Update the description to say Send only open notable events from the past month to Splunk Mission Control.
  8. For the permissions of the alert, select Clone.
  9. Click Clone Alert.
  10. After the alert is created, click Edit alert.
  11. Modify the search to specify notable events with open statuses, such as New, Unassigned, In Progress, and Pending. Make changes only to the portion of the search before the join command. For example:

    `notable` | search status_label IN (New,"In Progress",Pending) | join...

  12. Modify the Cron Expression to something else, such as Saturday at 11:15 PM to correspond to a maintenance window: 15 23 * * 6
  13. Modify the Time Range to match the amount of data you want to backfill. For example, click the time range selector and select Presets and click Last 30 Days. Click Apply to save your time range.
  14. Click Save.
  15. Click Edit > Enable to enable the search.
  16. After the search runs, click Edit > Disable to prevent the search from running again.

Send only some notable events to Splunk Mission Control

If you want to limit the notable events that you send to Splunk Mission Control, you must modify the search syntax in the Mission Control - Forward Notable Events - Ingestion search. To make customizing and debugging easier, make any changes to a cloned version of the original search. For example, you might want to send only notable events with an aggregate risk score above a certain threshold to Splunk Mission Control.

Send only notable events where the risk score for an asset or identity is above a certain threshold

If you want to send only notable events to Splunk Mission Control where the aggregate risk score for the affected assets and identities is above a specific threshold, follow this example.

  1. Log in to Splunk Web on the search head that has Splunk Connect for Mission Control installed.
  2. Select Settings > Searches, reports, and alerts.
  3. Change the App: filter to Splunk Connect for Mission Control.
  4. Locate the Mission Control - Forward Notable Events - Ingestion saved search.
  5. Click Edit > Clone.
  6. Change the title to say Mission Control - Forward Notable Events Above Risk Threshold - Ingestion.
  7. Update the description to say Send only notable events above a risk threshold of 100 to Splunk Mission Control.
  8. For the permissions of the alert, select Clone.
  9. Click Clone Alert.
  10. After the alert is created, click Edit alert.
  11. Modify the search to specify the risk threshold. Make changes only to the portion of the search before the join command. For example:

    `notable` | search risk_score>100 | join...

  12. Click Save.
  13. Click Edit > Enable for the alert to start sending data.

Send notable events to Splunk Mission Control with custom labels

Splunk Mission Control uses labels for RBAC.

For example, you can choose to send all notable events to Splunk Mission Control, but with different labels for each security domain of the notable event.

Apply different labels to notable events with different security domains

There are four different security domains in Splunk Enterprise Security: Access, Endpoint, Network, and Identity.

Prerequisite

Create labels for each of the security domains. See Add labels in Splunk Mission Control to restrict access to notables.

Steps

  1. Log in to Splunk Web on the search head that has Splunk Connect for Mission Control installed.
  2. Select Settings > Searches, reports, and alerts.
  3. Change the App: filter to Splunk Connect for Mission Control.
  4. Locate the Mission Control - Forward Notable Events - Ingestion saved search.
  5. Click Edit > Clone.
  6. Change the title to say Mission Control - Forward Access Notable Events - Ingestion.
  7. Update the description to say Send notable events for the access security domain to Splunk Mission Control.
  8. For the permissions of the alert, select Clone.
  9. Click Clone Alert.
  10. After the alert is created, click Edit alert.
  11. Modify the search to specify the security domain. Make changes only to the portion of the search before the join command. For example:

    `notable` | search security_domain=access | join...

  12. Modify the alert settings under When triggered to match the label that you want to use in Splunk Mission Control. The label that you type must already exist in Splunk Mission Control. For example, access.
  13. Click Save.
  14. Repeat these steps for each security domain and label combination.
  15. After you create all four searches, enable them to start sending data.

Customize the search for sending notables in other ways

You can customize the search for sending notables in other ways that make sense for your environment. See Using notable events in search in the Splunk Developer Portal for other fields available for all notable events that you can use to inform your search modifications.

Prerequisite

Test your search modifications before cloning, modifying, and enabling the alert to make sure that your search is valid and works as expected.

Steps

  1. Log in to Splunk Web on the search head that has Splunk Connect for Mission Control installed.
  2. Select Settings > Searches, reports, and alerts.
  3. Change the App: filter to specify Splunk Connect for Mission Control.
  4. Locate the Mission Control - Forward Notable Events - Ingestion saved search.
  5. Click Edit > Clone.
  6. Change the title to something that describes your modifications.
  7. Update the description to something that describes your modifications.
  8. For the permissions of the alert, select Clone.
  9. Click Clone Alert.
  10. After the alert is created, click Edit alert.
  11. Modify the search in a way that makes sense for your modifications. Do not remove the `notable` macro or modify any of the search syntax after and including the join command in the search. If you modify these portions of the search, the search could fail to send artifacts when sending data, or cause other unwanted behavior.
  12. Click Save.
  13. Enable the alert.

You cannot specify labels in the search syntax. For example, you aren't able to conditionally apply labels to different sets of data depending on values returned by the search. The label defined in the alert action takes precedence over any label field defined in the search syntax.

Modify how often to send notable events to Splunk Mission Control

By default, the search that sends notable events to Splunk Mission Control runs every 2 minutes over the last 2 minutes of data. If you want the search to run more or less frequently, modify both the cron schedule and the time range. Always match the time range to the scheduling frequency so that you don't send duplicate data. Splunk Mission Control does deduplicate notable data, so you can choose to send data in overlapping time ranges.

  1. Log in to Splunk Web on the search head that has Splunk Connect for Mission Control installed.
  2. Select Settings > Searches, reports, and alerts.
  3. Change the App: filter to Splunk Connect for Mission Control.
  4. Locate the Mission Control - Forward Notable Events - Ingestion saved search.
  5. Click Edit > Edit Alert.
  6. Modify the Cron Expression to something else, such as every 15 minutes: */15 * * * *
  7. Modify the Time Range to match the cron expression. For example, click the time range selector and for Earliest, type 15 and select Minutes Ago. Click Apply to save your time range.
  8. Click Save.
  9. Click Edit > Enable to enable the search.
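The following Python check is an added example, not part of Splunk Connect for Mission Control. It compares the run interval implied by a simple cron expression (every N minutes, every N hours, one time per day, one time per week) with a Splunk relative earliest time such as -15m, and reports whether the window matches the schedule, leaves a gap (notables between runs are never forwarded), or overlaps (the same notable is forwarded more than once and relies on deduplication). The cron shapes handled and the `check_schedule` name are this example's own assumptions.

```python
"""Check that a saved search's time range matches its cron schedule.

Added example for the scheduling guidance above; not Splunk code. Only the
simple cron shapes used on this page are handled.
"""
import re

MINUTE, HOUR, DAY, WEEK = 1, 60, 1440, 10080


def cron_interval_minutes(cron):
    """Return the minutes between consecutive runs of a five-field cron
    expression, or raise ValueError for shapes this example does not handle."""
    fields = cron.split()
    if len(fields) != 5:
        raise ValueError("cron expression must have five fields: %r" % cron)
    minute, hour, dom, month, dow = fields
    if minute == "*" and hour == "*":
        return MINUTE                                   # every minute
    step = re.fullmatch(r"\*/(\d+)", minute)
    if step and hour == "*":
        return int(step.group(1)) * MINUTE              # e.g. */15 * * * *
    step = re.fullmatch(r"\*/(\d+)", hour)
    if minute.isdigit() and step:
        return int(step.group(1)) * HOUR                # e.g. 0 */6 * * *
    if minute.isdigit() and hour.isdigit() and dom == "*" and month == "*":
        if dow == "*":
            return DAY                                  # e.g. 15 23 * * *
        if dow.isdigit():
            return WEEK                                 # e.g. 15 23 * * 6
    raise ValueError("unsupported cron shape: %r" % cron)


def parse_earliest(earliest):
    """Convert a relative earliest time such as '-15m', '-6h' or '-30d' to minutes."""
    m = re.fullmatch(r"-(\d+)([mhd])", earliest)
    if not m:
        raise ValueError("unsupported earliest time: %r" % earliest)
    return int(m.group(1)) * {"m": MINUTE, "h": HOUR, "d": DAY}[m.group(2)]


def check_schedule(cron, earliest):
    """Return 'match', 'gap' (window shorter than the interval, so some
    notables are never sent) or 'overlap' (window longer than the interval,
    so notables are sent repeatedly and deduplicated on the receiving side)."""
    interval = cron_interval_minutes(cron)
    window = parse_earliest(earliest)
    if window == interval:
        return "match"
    return "gap" if window < interval else "overlap"


if __name__ == "__main__":
    # The page's default schedule and the two modifications it describes.
    for cron, earliest in [("*/2 * * * *", "-2m"), ("*/15 * * * *", "-15m"),
                           ("*/15 * * * *", "-10m"), ("15 23 * * 6", "-30d")]:
        print(cron, earliest, "->", check_schedule(cron, earliest))
```

A "gap" result is the one to fix before enabling the alert; an "overlap" result is acceptable for a one-off backfill such as the weekly search with a 30-day window described earlier on this page.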

Send notable events with custom values to Splunk Mission Control

If the notable event data that you plan to send to Splunk Mission Control contains custom status, severity, label, urgency, or sensitivity fields, you must make changes to Splunk Mission Control or to your data to retain those field values when you send them to Splunk Mission Control.

Notable event data that you send with unrecognized values for the label, status, urgency, sensitivity, or severity fields uses the default value in Splunk Mission Control.

  1. Review the expected values for the following fields: label, status, urgency, sensitivity, and severity.
    Label
      Description: Used for RBAC.
      Default value: Unknown
      Expected values: Event, Exchange, ES Notable, UBA Threat, Incident, Generator
    Status
      Description: Indicates the investigation status of a notable.
      Default value: Unknown
      Expected values: Unassigned, New, In Progress, Pending, Resolved
    Urgency
      Description: In Splunk Enterprise Security, indicates the urgency of a notable event.
      Default value: Unknown
      Expected values: Critical, High, Medium, Low, Informational
    Sensitivity
      Description: Indicates the sensitivity of the information in the notable according to the US-CERT traffic light protocol (TLP).
      Default value: White
      Expected values: White, Green, Amber, Red
    Severity
      Description: Indicates the severity of the notable.
      Default value: Unknown
      Expected values: Unknown, Critical, High, Medium, Low, Informational
  2. Compare the expected values with the values in Splunk Enterprise Security for the notable events that you plan to send to Splunk Mission Control.
  3. For custom values, take the appropriate action:
    1. If you have custom status or severity values, re-create the custom values in Splunk Mission Control. See Customize Splunk Mission Control notable settings.
    2. If you want to use custom labels for your data, create those labels in Splunk Mission Control. See Add labels in Splunk Mission Control to restrict access to notables.
    3. If you have custom urgency or sensitivity values, make changes in Splunk Enterprise Security.
      • You can remove the custom urgency values. See Modify notable event urgency in Use Splunk Enterprise Security.
      • You can make changes to the search syntax used to send notable events to Splunk Mission Control to modify the custom urgency and sensitivity values to match expected values. See the example following these steps.

For example, if you're using a custom urgency value that you want to align with an expected value when sending the notable events to Splunk Mission Control, you can modify the search syntax for the relevant searches.

  1. Log in to Splunk Web on the search head that has Splunk Connect for Mission Control installed.
  2. Select Settings > Searches, reports, and alerts.
  3. Change the App: filter to Splunk Connect for Mission Control.
  4. Locate the Mission Control - Forward Notable Events - Ingestion saved search.
  5. Click Edit > Clone.
  6. Change the title to say Mission Control - Forward Custom Urgency Notable Events.
  7. Update the description to say Update the custom urgency fields to use expected values.
  8. For the permissions of the alert, select Clone.
  9. Click Clone Alert.
  10. After the alert is created, click Edit alert.
  11. Modify the search to use a conditional statement to change the custom urgency value to an expected value. Only make changes to the portion of the search before the join command. For example, to change a custom urgency value "Warning" to the expected value "Medium":

    `notable` | eval urgency=if(urgency="Warning", "Medium", urgency) | join ...

  12. Click Save.
  13. Enable the alert.
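The following Python script is an added example, not part of Splunk Connect for Mission Control. It serves both the expected-values table above and the custom urgency procedure just described: it applies a local override map (the equivalent of the page's `eval urgency=if(urgency="Warning", "Medium", urgency)`) and then reports, for a batch of notable events, which field values would still fall back to a Mission Control default. The sample events, the "Warning" to "Medium" mapping and the exact string comparison are this example's assumptions; the expected values and defaults are copied from the table on this page.

```python
"""Pre-flight check of notable field values before forwarding to Mission Control.

Added example, not Splunk code. EXPECTED is copied from the table on this
page; SAMPLE_EVENTS and OVERRIDES are constructed for illustration.
"""

# field -> (expected values, default used for an unrecognized value)
EXPECTED = {
    "label":       (["Event", "Exchange", "ES Notable", "UBA Threat", "Incident", "Generator"], "Unknown"),
    "status":      (["Unassigned", "New", "In Progress", "Pending", "Resolved"], "Unknown"),
    "urgency":     (["Critical", "High", "Medium", "Low", "Informational"], "Unknown"),
    "sensitivity": (["White", "Green", "Amber", "Red"], "White"),
    "severity":    (["Unknown", "Critical", "High", "Medium", "Low", "Informational"], "Unknown"),
}

# Custom value -> expected value, per field. Constructed; mirrors the SPL
# `eval urgency=if(urgency="Warning", "Medium", urgency)` on this page.
OVERRIDES = {"urgency": {"Warning": "Medium"}}

# Constructed sample notables (field names follow ES notable conventions).
SAMPLE_EVENTS = [
    {"rule_name": "Brute Force Access Behavior", "urgency": "Warning", "status": "New", "severity": "Critical"},
    {"rule_name": "Malware Detected", "urgency": "High", "status": "Triaged", "sensitivity": "Amber"},
    {"rule_name": "Excessive Failed Logins", "urgency": "Critical", "status": "In Progress", "severity": "Medium"},
]


def normalize_event(event, overrides=OVERRIDES):
    """Return (normalized_event, fallbacks).

    normalized_event holds the values Mission Control would store after the
    overrides are applied; fallbacks lists (field, original_value) pairs that
    are not expected values and would be replaced by the field's default.
    Comparison is an exact string match (assumption of this example)."""
    out = dict(event)
    fallbacks = []
    for field, (allowed, default) in EXPECTED.items():
        if field not in out:
            continue  # absent fields are left to Mission Control's own defaulting
        value = overrides.get(field, {}).get(out[field], out[field])
        if value in allowed:
            out[field] = value
        else:
            fallbacks.append((field, out[field]))
            out[field] = default
    return out, fallbacks


def audit(events, overrides=OVERRIDES):
    """Count, per field, how many events would lose a custom value."""
    counts = {}
    for ev in events:
        _, fallbacks = normalize_event(ev, overrides)
        for field, _ in fallbacks:
            counts[field] = counts.get(field, 0) + 1
    return counts


if __name__ == "__main__":
    # Run the audit against the constructed sample; a non-empty result means
    # either the override map or the Mission Control settings need extending.
    print(audit(SAMPLE_EVENTS))
```

Run the audit over the output of the unmodified ingestion search before cloning it: each field it reports needs either an eval in the cloned search (for urgency and sensitivity) or a matching custom value or label created in Splunk Mission Control (for status, severity and label).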

Send notable events with custom artifact fields to Splunk Mission Control

If your notable events contain custom fields that are not a part of the Splunk CIM data models, and you want to be able to run actions on those custom fields in Splunk Mission Control, you must update a lookup file used by Splunk Connect for Mission Control.


  1. Confirm that your custom field does not exist in the list of artifact fields.
    1. In Splunk Web, review the existing list of fields to verify that your field is not listed.

      |inputlookup cim_artifact_fields.csv

    2. Confirm that this search returns no results:

      |inputlookup cim_artifact_fields.csv | search name=<yourcustomfield>

  2. Review this list of data types to determine which data type fits your custom field best. If no value fits your field, use null. You must provide a data type value for your field. This list is not exhaustive. The data type field is used to run actions on artifacts in Splunk Mission Control.
    Common data type values
    domain
    email
    file name
    file path
    file size
    hash
    host name
    ip
    mac address
    md5
    pid
    port
    process name
    url
    user name
  3. Update the custom artifact fields lookup file custom_artifact_fields.csv with the name and type field values that you want to add. You can modify the lookup file with a search that uses the outputlookup command, through the file system if you have access, or with an app like the Lookup File Editor in Splunk Web. Both the name and type columns must have values for the field to appear in Splunk Mission Control.

    Fields that you add to the custom artifact fields lookup file take precedence over those defined in the cim_artifact_fields.csv lookup file.

    1. To update the custom artifact fields lookup file using the outputlookup search command, first determine if there are existing custom artifact fields:

      |inputlookup custom_artifact_fields.csv

    2. If there are no custom fields, add one using the outputlookup and makeresults search commands. For example, add a field with the name "oats" and a type of "mac address":

      |makeresults | eval name="oats", type="mac address" | fields - _time | outputlookup custom_artifact_fields.csv append=t

    3. If there are existing custom fields, append the new row to them and write the whole file back. Build the new row in an append subsearch so that the eval command does not overwrite the name and type of the rows that are already in the lookup. For example, add a field with the name "barley" and a type of "ip":

      |inputlookup custom_artifact_fields.csv | append [| makeresults | eval name="barley", type="ip" | fields - _time] | outputlookup custom_artifact_fields.csv

    4. Confirm your changes by reviewing the lookup file again:

      |inputlookup custom_artifact_fields.csv

  4. Repeat these steps for additional fields.
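The following Python script is an added example, not part of Splunk Connect for Mission Control. It reproduces the checks in the procedure above for a lookup maintained outside Splunk Web: it refuses a row that is missing name or type, reports a name that already exists in cim_artifact_fields.csv or in the custom lookup, and otherwise appends the row without disturbing existing rows. The CSV contents, the `add_custom_field` and `incomplete_rows` names, and the fixed name,type column layout are this example's own assumptions; the real cim_artifact_fields.csv shipped with the app is much longer.

```python
"""Maintain custom_artifact_fields.csv without duplicates or incomplete rows.

Added example, not Splunk code. The two CSV strings are constructed
stand-ins for the app's lookup files.
"""
import csv
import io

# Constructed excerpt standing in for cim_artifact_fields.csv
CIM_ARTIFACT_FIELDS = """name,type
src,ip
dest,ip
user,user name
file_hash,hash
"""

# Constructed custom_artifact_fields.csv with one field already added
CUSTOM_ARTIFACT_FIELDS = """name,type
oats,mac address
"""


def read_lookup(text):
    """Parse lookup CSV text into a list of {'name': ..., 'type': ...} rows."""
    return list(csv.DictReader(io.StringIO(text)))


def write_lookup(rows):
    """Serialize rows back to CSV text with the name,type header."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["name", "type"], lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def incomplete_rows(text):
    """Rows missing name or type: Mission Control does not show such fields."""
    return [r for r in read_lookup(text)
            if not (r.get("name") or "").strip() or not (r.get("type") or "").strip()]


def add_custom_field(custom_csv, cim_csv, name, type_):
    """Add one (name, type) row to the custom lookup.

    Returns (csv_text, outcome) where outcome is:
      'added'      row appended, csv_text is the new file content
      'cim'        name already defined in cim_artifact_fields.csv, nothing written
      'duplicate'  name already in the custom lookup, nothing written
    Raises ValueError when name or type is empty, since both are required.
    """
    name, type_ = name.strip(), type_.strip()
    if not name or not type_:
        raise ValueError("both name and type are required")
    if any(r["name"] == name for r in read_lookup(cim_csv)):
        return custom_csv, "cim"
    rows = read_lookup(custom_csv)
    if any(r["name"] == name for r in rows):
        return custom_csv, "duplicate"
    rows.append({"name": name, "type": type_})
    return write_lookup(rows), "added"


if __name__ == "__main__":
    text, outcome = add_custom_field(CUSTOM_ARTIFACT_FIELDS, CIM_ARTIFACT_FIELDS, "barley", "ip")
    print(outcome)
    print(text, end="")
    print("incomplete rows:", incomplete_rows(text))
```

Because a custom row takes precedence over the CIM definition of the same name, the 'cim' outcome is deliberately a stop rather than a silent override: if you do intend to replace a CIM field's type, add the row knowingly rather than by accident.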
Last modified on 24 May, 2021

This documentation applies to the following versions of Splunk® Mission Control: Current