Splunk admin onboarding checklist for Splunk Mission Control
Splunk Mission Control is an application that allows triage, investigation, and response to security incidents from a cloud-based console integrated with Splunk Enterprise Security (Cloud).
As a Splunk Cloud Platform admin, complete the following steps to get the most out of your Splunk Mission Control experience. See Manage roles and capabilities for users of Splunk Mission Control to compare the available roles.
Number | Task | Description | Documentation |
---|---|---|---|
1 | Activate Splunk Mission Control | To activate Splunk Mission Control, follow these steps: Splunk SOAR is available within two hours of activating Splunk Mission Control. | See description. |
2 | Assign a default SLA | A service-level agreement (SLA) in Splunk Mission Control represents a deadline for responding to or remediating an incident. You can use SLAs to prioritize your incident response. You can change the default SLA time for all incidents, and you can apply different SLA times to incidents that meet particular conditions. | See Customize SLA settings. |
3 | Create incident types | Create incident types to categorize incidents ingested into and created in Splunk Mission Control by use case or source. Incident types can also be used to associate incidents with other Splunk Mission Control features, such as a certain response template. | See Create incident types. |
4 | Assign and manage user roles | Assign analysts roles and capabilities in Splunk Mission Control. | See View and assign user roles. |
5 | Create or manage response templates | Standardize the response tasks and phases that analysts perform when investigating and responding to incidents by creating and modifying response templates. | See "Create response templates to establish guidelines for incident response in Splunk Mission Control" to learn how to create response templates, and "Included response templates in Splunk Mission Control" to learn which industry-standard response templates are included in Splunk Mission Control. |
6 | Activate data source integrations for Threat Intelligence Management | Set up the Threat Intelligence Management system and activate data source integrations to import threat intelligence data into Splunk Mission Control. Contact your account representative to verify whether or not your Splunk Mission Control configuration is eligible for Threat Intelligence Management. | See Activate intelligence source integrations from Splunk Mission Control to import threat intelligence data into Threat Intelligence Management. |
7 | Set up threat intelligence workflows | Set up intelligence workflows to gather intelligence from external data sources, pass that data through filters, and then transform the results into a destination data repository that stores the intelligence data. Contact your account representative to verify whether or not your Splunk Mission Control configuration is eligible for Threat Intelligence Management. | See Set up intelligence workflows in Splunk Mission Control to automate indicator processing. |
After you complete these steps, see Get started with Splunk Mission Control to learn how you can start triaging, investigating, and responding to security incidents.
This documentation applies to the following versions of Splunk® Mission Control: Current