Splunk® Mission Control

Release Notes


What's new in Splunk Mission Control

Splunk Mission Control releases continuously. This list periodically updates with the latest functionality and changes to Splunk Mission Control.

February 7, 2024 (Version 3.1.0)

This release of Splunk Mission Control includes various bug fixes. See Fixed issues for Splunk Mission Control for more information.

October 18, 2023 (Version 3.0.0)

Enhancements

The following features are new in this release of Splunk Mission Control:

  • Group incidents by creating parent-child relationships: You can investigate related incidents, compare their data, and update some of their fields simultaneously by creating parent-child relationships. Grouping incidents can reduce the time you spend updating each incident investigation and help you resolve incidents faster. Parent-child relationships in Splunk Mission Control are currently released as a preview feature. See Group incidents by creating parent-child relationships in Splunk Mission Control.
  • Analyze risk events using the risk event timeline: With the risk event timeline visualization, you can analyze the risk events associated with an incident so that you can isolate the threat to your security environment. See Analyze risk events using the risk event timeline.
  • Evaluate the risk associated with an incident using MITRE ATT&CK: You can view the MITRE ATT&CK visualization while investigating an incident if the incident came from Splunk Enterprise Security as a notable event with MITRE technique annotations. The visualization highlights the MITRE techniques detected in the incident so that you can reduce mean time to detect (MTTD) and mean time to repair (MTTR). See Evaluate the risk associated with an incident using MITRE ATT&CK.
  • Create and edit summary fields for incidents: Use summary fields to document metadata that isn't automatically provided for an incident in Splunk Mission Control. Create and edit summary field values in the Overview tab of your incident investigation. See Create a summary field for an incident.
  • API updates: The get task file API was removed in this release. The notes field in responses from the get tasks endpoint is now empty, because from this release forward notes are no longer stored in the task. To view your notes, use the get task notes action. See Splunk Mission Control Automation API Reference.
  • Enhanced filtering performance on the incident review page: You can now filter incidents on the incident review page and get results faster, with filtering performance improvements on the following fields: owner, status, urgency, sensitivity, disposition, incident origin, incident ID, and incident type.

September 20, 2023 (Version 2.3.2)

Enhancements

The following features are new in this release of Splunk Mission Control:

  • Filter incidents by incident type and origin: You can now filter incidents based on incident type and incident origin.
  • Add general files and notes to an incident: You can access, sort, and search for notes and files across multiple response plans from the side panel of an incident investigation. Notes and files that are not associated with a particular response task are called general notes and files. You can add general notes and files to the incident in the side panel of your incident investigation while simultaneously viewing incident data. See Manage notes and files for an incident.
  • Select links to view Splunk Enterprise Security notable events and Splunk SOAR containers associated with an incident: Open Splunk Enterprise Security and Splunk SOAR from an incident investigation page to find data about the associated notable events and containers. See View incident information.
  • Create and activate intelligence workflows: You can now set up intelligence workflows in Splunk Mission Control. In the Intelligence section of the Content page, you can activate intelligence sources, create intelligence workflows, and then activate the intelligence workflow you want to use. See Set up intelligence workflows in Splunk Mission Control to automate indicator processing.
  • New APIs available for automation: The add incident file, get file, add incident note, delete incident note, get response templates, get phase id, and get task id APIs are available for automation using the Mission Control block in the Splunk SOAR (Cloud) visual playbook editor. For more information, see the Splunk Mission Control Automation API Reference.
  • Python 3 compatibility: Splunk Mission Control is now Python 3 compatible. You can ignore any Python 3 compatibility-related error messages you might see when the app is upgraded.

June 9, 2023 (Version 2.2.1)

Deprecated features

The following features are no longer supported as of this release.

  • Sequenced notable ingestion from Splunk Enterprise Security.
  • The Splunk Mission Control saved searches Mission Control - Ingest ES Notable Events and Mission Control - Ingest ES Sequenced Notable Events are disabled, because notable event ingestion from Splunk Enterprise Security now uses an adaptive response action. See Get data into Splunk Mission Control from Splunk Enterprise Security (Cloud) in the Investigate and Respond to Threats in Splunk Mission Control manual.

Enhancements

The following features are new in this release of Splunk Mission Control:

  • Enhancements to incident sorting in the incident review table: Sort incidents in a new logical ordering for fields that follow a discrete ordering, such as status and disposition. You can also add custom values for these fields and place them in the order of values. See Sort incidents in the incident review table in the Investigate and Respond to Threats in Splunk Mission Control manual.
  • Filter and sort observables with Threat Intelligence Management: Filter, sort, and search for observables in the Intelligence tab of your incident investigation to help assess threats. See Filter and sort observables in the Investigate and Respond to Threats in Splunk Mission Control manual.
  • Enhancements to the add_events macro: Add events to an incident using any event-generating command and the add_events macro in a Splunk search. You can also add events with missing indexer location values; Splunk Mission Control automatically adds these events to the mc_events index associated with the incident. See add_events(incident_id) in the Investigate and Respond to Threats in Splunk Mission Control manual.
  • Splunk Enterprise Security history: If an incident was ingested from Splunk Enterprise Security, you can select View all recent activity for this Notable Event in the Info side panel to open a search with recent history. See Triage incidents in the Investigate and Respond to Threats in Splunk Mission Control manual.
  • Search for multiple incidents with mc_incidents_by_id: Use the mc_incidents_by_id macro to search for multiple incidents at the same time. See mc_incidents_by_id(incident_id) in the Investigate and Respond to Threats in Splunk Mission Control manual.
  • Ingestion improvements: You can now configure the Mission Control Incidents adaptive response action in Splunk Enterprise Security (Cloud) when you are creating correlation searches that create notable events. See Get data in from Splunk Enterprise Security (Cloud) in the Investigate and Respond to Threats in Splunk Mission Control manual.
  • Subscribe to new intelligence sources with Threat Intelligence Management: Find the information required to subscribe to the newly available premium intelligence sources:
      • Cisco Secure Malware Analytics
      • Intel 471
      • Joe Sandbox Feeds
    See Available premium intelligence sources for Splunk Mission Control in the Investigate and Respond to Threats in Splunk Mission Control manual.
  • Add indexes to roles: If you want a particular role to have access to a particular index in Splunk Mission Control, add the index to the role so that the role can use the corresponding Splunk Mission Control functionality. See Manage indexes for roles in Splunk Mission Control.
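As an added example of the two search macros described in this release (not taken from the Splunk documentation or the app itself), the searches below first attach a bounded set of raw events to an incident with add_events, then pull several incidents at once with mc_incidents_by_id. The incident IDs, the source index and sourcetype, the Windows event code, the user name, and the output field names are assumed for illustration. The macro argument formats are also assumptions: an unquoted incident ID for add_events, and a comma-separated, quoted list for mc_incidents_by_id. Check both against the macro definitions in your deployment before relying on them.

```spl
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4625 user="jsmith" earliest=-24h
| head 50
| `add_events(MC-12345)`

| `mc_incidents_by_id("MC-12345,MC-12346,MC-12347")`
| table incident_id, status, urgency, owner
```

The head command caps how many events are copied into the mc_events index for the incident; add_events accepts the output of any event-generating search, so it is worth bounding the result set deliberately rather than attaching everything a broad search returns. Because the incident's events land in the mc_events index, the role that owns the investigation must have that index added to it, as described under Add indexes to roles.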

April 12, 2023 (Version 2.1.0)

The following features are new in this release of Splunk Mission Control:

  • Perform bulk actions on incidents: You can select multiple incidents in the incident review table to update in bulk or to run a playbook on at the same time. See Perform bulk actions on incidents in Investigate and Respond to Threats in Splunk Mission Control.
  • Search for an incident and copy its link using the incident ID: To find a particular incident to investigate, you can search for it on the incident review page using the incident ID with the MC-XXXXX syntax. You can also hover over the incident ID and select the link icon to copy the link to that incident's overview page. See Triage incidents using incident review in Splunk Mission Control in Investigate and Respond to Threats in Splunk Mission Control.
  • Subscribe to new intelligence sources with Threat Intelligence Management: Find the information required to subscribe to each available premium intelligence source. See Available premium intelligence sources for Splunk Mission Control in Investigate and Respond to Threats in Splunk Mission Control.

February 22, 2023 (Version 2.0.0)

Splunk Mission Control is an application where you can triage, investigate, and respond to security incidents from a modern cloud-based console integrated with Splunk Enterprise Security (Cloud). Get the information you need with fewer clicks, and identify and remediate incidents while collaborating with others on your team. This is the general availability release of Splunk Mission Control.

The following functionality is included in the general availability release of Splunk Mission Control:

  • Triage incidents: Review the list of incidents in the queue for potential security incidents that require further investigation, and triage them. See Triage incidents using incident review in Splunk Mission Control in Investigate and Respond to Threats in Splunk Mission Control.
  • Investigate incidents: Investigate incidents in Splunk Mission Control. See Investigate an incident in Splunk Mission Control in Investigate and Respond to Threats in Splunk Mission Control.
  • Respond to incidents using response templates: Use response templates to standardize the response tasks and phases that analysts perform when investigating and responding to incidents. See Create response templates to establish guidelines for incident response in Investigate and Respond to Threats in Splunk Mission Control.
  • Create incident types: Create incident types to categorize your incidents by use case or source and to associate incidents with other Splunk Mission Control features, such as a particular response template. See Create incident types in Investigate and Respond to Threats in Splunk Mission Control.
  • Add events to incidents: In Splunk Mission Control, an event can be raw data associated with an incident, or it can represent activity that contributed to the creation of the incident. Investigate an incident by adding events to it through search or automation and then tracking the related raw data. See Add events to an incident in Splunk Mission Control in Investigate and Respond to Threats in Splunk Mission Control.
  • Automate incident response with playbooks and actions: Use the security orchestration and automation functionality provided by Splunk SOAR (Cloud) to automate your security workflows in Splunk Mission Control. See Automate incident response with playbooks and actions in Splunk Mission Control in Investigate and Respond to Threats in Splunk Mission Control.
  • Use Splunk Mission Control data in Splunk SOAR (Cloud) playbooks: Use Splunk SOAR (Cloud) playbooks to automate against your Splunk Mission Control incidents. You can use the Mission Control block in the visual playbook editor in Splunk SOAR (Cloud) to write a playbook that uses data from Splunk Mission Control. See Use Splunk Mission Control data in Splunk SOAR (Cloud) playbooks in Investigate and Respond to Threats in Splunk Mission Control and the Splunk Mission Control Automation API Reference.
  • Detect and manage threats with Threat Intelligence Management: Use intelligence sources to update incidents and investigate the risk posed by observables based on their intelligence scores. To set up Threat Intelligence Management and access observables, you must activate your cloud tenant for Threat Intelligence Management, create an intelligence workflow, and then connect the workflow to Splunk Mission Control. See Assess threats with Threat Intelligence Management in Splunk Mission Control to learn more about what you can do with Threat Intelligence Management.
  • View risk-based alerting scores for artifacts: View the risk-based alerting (RBA) scores for certain artifacts in the Overview tab. This information can help you understand the likelihood of the artifact being a potential threat. See View risk-based alerting scores for artifacts in Investigate and Respond to Threats in Splunk Mission Control.
  • Search incident, event, action, and playbook data: Search incident, event, action, and playbook data, and use the search results to build dashboards that track the work on incidents. See Search in Splunk Mission Control and Monitor activities in Splunk Mission Control in Investigate and Respond to Threats in Splunk Mission Control.
  • Create custom fields: Customize your incident investigation by creating custom fields, assigning them to incident types, and then editing their values for an incident. See Create a custom field in Investigate and Respond to Threats in Splunk Mission Control.
  • Prioritize incident response with SLA conditions: A service-level agreement (SLA) in Splunk Mission Control represents a deadline for responding to or remediating an incident. Set a default SLA time, add SLA conditions, and sort incidents by SLA time to prioritize your incident response. See Customize SLA settings in Investigate and Respond to Threats in Splunk Mission Control.
  • Scenario documentation: Learn how SOC analysts and administrators can use Splunk Mission Control to triage, investigate, and respond to an improbable login attempt, and even automate the user response. See Splunk Mission Control scenario library in Investigate and Respond to Threats in Splunk Mission Control.
Last modified on 07 February, 2024
This documentation applies to the following versions of Splunk® Mission Control: Current
