Splunk® Mission Control

Investigate and Respond to Threats in Splunk Mission Control

Explore artifact data in Splunk Mission Control

Artifacts are pieces of machine data that indicate risk. They add context to Splunk Mission Control incidents to help you progress incident investigations and identify potential security threats. An artifact can be a risk object, threat object, observable, asset, identity, or indicator. If an incident has a respective notable event in Splunk Enterprise Security, meaning you didn't create the incident directly from Splunk Mission Control, then Splunk Mission Control automatically ingests the associated artifacts from Splunk Enterprise Security.

You can find artifacts in the Overview tab of your incident investigation along with other summary fields. Artifacts are the fields denoted by the down arrow icon ( artifact arrow icon ) in the Summary section. Only certain summary fields in Splunk Mission Control are considered artifacts.

Splunk Mission Control observes the following fields from Splunk Enterprise Security as artifacts:

  • orig_host
  • dvc
  • src
  • dest
  • src_user
  • user

To add or edit summary fields, including artifacts, see Edit field values for an incident.

If you edit the field or value for an artifact, it might not appear as an artifact in Splunk Mission Control anymore. Summary fields are only considered artifacts if the field and value meet the criteria set by Splunk Enterprise Security.

View risk-based alerting scores for artifacts

You can view the risk-based alerting (RBA) scores for certain artifacts in the Overview tab. This information can help you understand the likelihood that an artifact is a potential threat.

Splunk Mission Control ingests the RBA score and color from Splunk Enterprise Security. The RBA score determines the color of the badge next to the artifact. The following list explains the range of scores for each color:

  • Yellow: 0-25
  • Orange: 26-50
  • Light red: 51-75
  • Dark red: 76 and higher

See How risk scores work in Splunk Enterprise Security in the Use Splunk Enterprise Security Risk-based Alerting manual to learn more about risk-based alerting.

If you can't see RBA scores for any artifacts, you might need to add the mc_artifacts index to your role. See Manage indexes for roles in Splunk Mission Control.

Last modified on 18 October, 2023
Investigate an incident in Splunk Mission Control   Investigate risk events associated with an incident in Splunk Mission Control

This documentation applies to the following versions of Splunk® Mission Control: Current

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters