Splunk® Mission Control

Investigate and Respond to Threats in Splunk Mission Control

Scenario: Alex automates a security workflow in Splunk Mission Control

The following scenario features Buttercup Games, a fictitious game company.

Buttercup Games recently released the latest version of its sought-after artificial intelligence gaming software to complement one of its popular online games. Alex, a security operations center (SOC) analyst at Buttercup Games, uses Splunk Mission Control to automate their security workflow. In the first two scenarios, Alex found a suspicious IP address during their incident investigation and added relevant events to the incident during their response. See Scenario: Alex triages and investigates an incident in Splunk Mission Control and Scenario: Alex responds to a security incident in Splunk Mission Control. In this scenario, Alex decides that they want to update their manager, Wei, who is a SOC administrator, and automate the workflow to improve incident response time when other similar security incidents occur.

Automate a security workflow

To automate a security workflow using an action and playbook in Splunk Mission Control, Alex follows these steps:

  1. Alex uses the IP address from the Overview tab of the incident to run an action. In the Automation tab of the incident, Alex selects Run action. They select geolocate_ip for the action and Maxmind for the connector. Then, Alex configures the action and selects Run action. This image shows the Run action dialog box with geolocate_ip selected as the action and Maxmind selected as the connector.
  2. Alex runs a playbook to automatically file a ServiceNow (SNOW) ticket that contacts their manager. In the Automation tab of the incident, Alex selects Run playbook. They select Create Ticket SNOW, set the scope to All events, and then select Run playbook. This image shows the Run playbook dialog box with Create Ticket SNOW selected as the playbook and All events selected as the scope.
  3. Running the playbook assigns a prompt to Wei, a SOC administrator, asking Wei to escalate blocking the suspicious IP address. In the meantime, Alex returns to the Response tab to continue working through the response template tasks.

Summary

In this scenario, Alex automated their security workflow using an action and playbook in Splunk Mission Control. They ran an action using a connector and then ran a playbook that filed a ticket and sent a prompt. The automation that Alex set up allows them to spend less time responding to similar incidents in the future.

In the Splunk Mission Control scenario library, Alex uses Splunk Mission Control to investigate and respond to an improbable login. Alex triages and investigates the incident, applies a response plan to the incident, and uses an action and playbook to automate incident response for future similar security incidents.

Learn more

To learn more about automating your security workflows with Splunk Mission Control, see Automate incident response with playbooks and actions in Splunk Mission Control.

Last modified on 31 May, 2023

This documentation applies to the following versions of Splunk® Mission Control: Current
