Splunk® Mission Control

Splunk Mission Control Service Description


Splunk Mission Control Service Details

Splunk Mission Control is a cloud-based security operations platform that is delivered as a SaaS (software-as-a-service) solution hosted and managed by Splunk. Splunk Mission Control helps you investigate potential and confirmed security incidents.

Use Splunk Mission Control to connect to your private cloud and public cloud data sources and tooling to support your security operations center (SOC) processes. Splunk Mission Control tightly integrates with the Splunk platform and Splunk Enterprise Security (ES), supporting both on-premises deployments and Splunk Cloud Platform deployments. Splunk Mission Control complements these existing Splunk products and does not replace them. See How Splunk Mission Control works with other Splunk software in Set Up and Customize Splunk Mission Control.

You can add data from multiple data sources, such as Splunk Enterprise Security (ES) and others. Notable event and alarm data that you add to Splunk Mission Control appears in the product as notables. See Get data into Splunk Mission Control on this page.

Splunk Mission Control is currently available in the following regions:

AWS Data Center: US East

Access Splunk Mission Control

Splunk Mission Control is packaged at no additional cost when you purchase or have an entitlement for any of the following Splunk products deployed in the US East AWS Data Center:

  • Active Term Cloud Subscription for Splunk Enterprise Security
  • Active Subscription for Splunk Security Suites

Splunk Mission Control is not available as a standalone product at this time. Splunk Mission Control is not packaged with Splunk Enterprise or Splunk Cloud Platform, and is not packaged with Splunk Phantom.

If you gain access to Splunk Mission Control through an Active Term Cloud Subscription for Splunk Enterprise Security, you must use Splunk Cloud Platform version 8.2.2104 and higher.

Set up Splunk Mission Control

To start using Splunk Mission Control, you must have access to a Splunk Mission Control tenant. To gain access to a Splunk Mission Control tenant, you must be an administrator and follow the steps found in Set up Splunk Mission Control in the Set up and Customize Splunk Mission Control manual.

Get data into Splunk Mission Control

Splunk Mission Control provides an API and a Splunk app that enable you to get data in from Splunk Enterprise Security and other applications. Splunk Mission Control is designed to help you investigate possible security incidents. As a result, the manner and location of your enterprise data do not change when you use Splunk Mission Control. Instead, you can search your existing data in the Splunk platform from your Splunk Mission Control tenant without moving the data. This data flow is secured by TLS 1.2 and sent over port 443.

The data that you do send to Splunk Mission Control is the result of analysis that you perform on your own data to identify possible security incidents. For example, Splunk Enterprise Security runs correlation searches on data and creates notable events, which indicate possible security incidents. The Splunk Mission Control service includes an app, Splunk Connect for Mission Control, that you can use to send those notable events to Splunk Mission Control according to parameters that you control. The notable events that you send to Splunk Mission Control are then stored in Splunk Mission Control in a database and a searchable index. You can also send risk event data and content management data from Splunk ES to Splunk Mission Control. Splunk Connect for Mission Control secures all types of data sent to Splunk Mission Control from Splunk ES with certificates and sends the data over port 9997. You can use self-signed certificates or certificates from a certificate authority (CA). Only Splunk Connect for Mission Control versions 2.0.0 and above are supported.

You can only send up to 1000 notables per hour per tenant to Splunk Mission Control. See Cause: you are sending more than 1000 notables per hour total to Splunk Mission Control in Get Data into Splunk Mission Control for more details.

The following table describes the limits per tenant for an active Splunk Mission Control subscription.

Description | Limit
Ingestion capacity in bytes per second | 4 MB
Concurrent searches | 200 searches
Seats | 250 seats
Ingestion rate | 1000 notables per hour

For diagrams and details about the data flows between Splunk Mission Control and other systems, see Get data into Splunk Mission Control in Get Data into Splunk Mission Control.

For details about what parameters you can adjust when sending notable events from Splunk Enterprise Security to Splunk Mission Control using Splunk Connect for Mission Control, see Set up getting data into Splunk Mission Control from Splunk Enterprise Security and Customize getting data into Splunk Mission Control from Splunk Enterprise Security in Get Data into Splunk Mission Control.

SOC2 compliance

Splunk Mission Control is now SOC2 compliant, with SOC 2 Type II compliance:

  • SOC 2 Type II: The SOC 2 audit assesses an organization's security, availability, process integrity, and confidentiality processes to provide assurance about the systems that a company uses to protect customers' data. If you require the SOC 2 Type II attestation to review, contact your Splunk sales representative to request it.

Data storage and retention

Data sent to Splunk Mission Control as notable events or as risk events or content data from Splunk Enterprise Security is stored for active subscribers of Splunk Mission Control. To delete data, work with your Splunk account team. See Where data is stored in Splunk Mission Control in Get Data into Splunk Mission Control.

Last modified on 27 August, 2021
 

This documentation applies to the following versions of Splunk® Mission Control: Current

