Get started with Splunk Mission Control
Use Splunk Mission Control to triage, investigate, and respond to security incidents from a cloud-based console integrated with Splunk Enterprise Security (Cloud). You can identify and remediate incidents while collaborating with others on your team.
Use Splunk Mission Control to complete the following tasks:
- Triage incidents. See Triage incidents using incident review in Splunk Mission Control.
- Investigate incidents. See Investigate an incident in Splunk Mission Control.
- Respond to incidents using response templates. See Create response templates to establish guidelines for incident response in Splunk Mission Control.
- Automate incident response. See Automate incident response with playbooks and actions in Splunk Mission Control.
- Detect and manage threats with Threat Intelligence Management. See Get started with Threat Intelligence Management in Splunk Mission Control.
To get started, select the Incident review tab in Splunk Mission Control, and then select an incident to start investigating it. See Example incident response workflow in Splunk Mission Control. Additionally, see Splunk Mission Control scenario library to learn how to use Splunk Mission Control to remediate a common security incident.
Splunk Mission Control compatibility prerequisites
To access Splunk Mission Control, you must be a customer with both of the following Splunk products:
- Splunk Enterprise Security (Cloud) versions 6.6 and higher
- Splunk Enterprise versions 8.0 and higher
Splunk Mission Control is automatically preinstalled as an app for customers who have both compatible versions of Splunk Enterprise and Splunk Enterprise Security (Cloud) and who also reside within a supported region. To learn more about regional availability and how to access the app, see Splunk Mission Control regional availability in the Splunk Mission Control Service Description.
Splunk Mission Control components
The main components of Splunk Mission Control each play a role in delivering security triage, investigation, and response. Some of these components are present in other Splunk security software.
Component | Description |
---|---|
Action | A command that an analyst can run manually or in a playbook in Splunk Mission Control or Splunk SOAR (Cloud). For example, adding a file, comment, or attachment. |
Artifact | Any item in Splunk SOAR (Cloud) or Splunk Mission Control that indicates risk, including risk objects, threat objects, observables, assets, identities, and indicators. Groups of similar artifacts are called entities. |
Connector | A configured integration that connects Splunk SOAR (Cloud) or Splunk Mission Control to an external system or service, such as Okta or MaxMind. The connector determines which actions are available to a user or to a playbook for that specific system. |
Event | A contributing event or raw data associated with an incident. It can represent the incident itself or a series of activities that resulted in the creation of the incident. |
Incident | An event generated by a correlation search as a security alert in Splunk Mission Control. Comparable to a notable event in Splunk Enterprise Security (Cloud), an incident is an item that you can investigate. As an example, it might include an email from a phishing inbox. |
Incident type | A category of incidents that share common characteristics, such as source or severity. After creating an incident type, you can associate the incident type with a response template to automate and personalize your incident response workflow. |
Indicator | A piece of data that provides additional information about unusual, suspicious, or malicious cyber activity, such as when it was observed and the level of risk it poses. Observables become indicators after Threat Intelligence Management enriches and scores them for deeper context. |
Intelligence workflows | No-code data pipelines in Threat Intelligence Management that automate the extraction, transformation, prioritization, and sharing of indicators to meet specific security use case requirements. You can configure multiple intelligence workflows to pinpoint responses and reduce data wrangling, accelerate intelligence automation, and reduce false positives. |
Observable | A piece of data indicating an event that has occurred or been observed on a computer system, network, or other digital entity. Threat Intelligence Management records observables, which can be malicious or benign, as part of an incident. |
Playbook | A saved sequence of actions, prompts, or manual tasks that can be performed by connectors or analysts to automate security workflows. |
Response plan | A guide with predefined tasks and phases for a particular incident response. After you add a response template to an incident, it becomes a response plan. Any changes you make to the response plan do not apply to the original response template and instead only apply to the investigation of that specific incident. |
Response template | A plan that provides standardized guidelines for response tasks and phases that security analysts perform when investigating and responding to incidents. |
Risk score | A single metric that shows the relative risk of an entity. When a risk score surpasses a specified threshold over a period of time, analysts can focus their efforts on potentially connected behaviors associated with the entity to identify security threats. The risk score of an asset or identity is the sum of all the risk scores for risk events in the risk index that apply to the specific asset or identity over a period of time. |
Threat object | An observable, such as a URL, file hash, or email address, that poses an increased security risk or is at risk of being the target of a threat. |
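The Risk score row describes an aggregation rather than a single value: every risk event in the risk index that names an asset or identity is summed over a time window, and the entity is surfaced when the sum crosses a threshold. The following Python is an added example written for this page, not Splunk's own code or an SPL query; it mirrors what `stats sum(risk_score) by risk_object_type, risk_object` would do over the risk index in a given time range. The field names (`_time`, `risk_object`, `risk_object_type`, `risk_score`, `search_name`), the sample events and the threshold are constructed assumptions, not values from this page.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events shaped like risk index events. The field names are
# an assumption about the risk index schema, not something this page states.
RISK_EVENTS = [
    {"_time": "2024-05-01T08:05:00", "risk_object": "alice", "risk_object_type": "user",
     "risk_score": 20, "search_name": "Rare Process Execution"},
    {"_time": "2024-05-01T10:30:00", "risk_object": "alice", "risk_object_type": "user",
     "risk_score": 40, "search_name": "Excessive Failed Logins"},
    {"_time": "2024-05-01T14:15:00", "risk_object": "alice", "risk_object_type": "user",
     "risk_score": 50, "search_name": "Suspicious PowerShell"},
    # Older event for the same identity; it falls outside a 24-hour window ending
    # at 2024-05-01T18:00:00 and must not count toward that window's score.
    {"_time": "2024-04-28T09:00:00", "risk_object": "alice", "risk_object_type": "user",
     "risk_score": 80, "search_name": "Malware Detected"},
    # Two hits from the same correlation search on one host: both add to the
    # score, but they count as a single contributing source.
    {"_time": "2024-05-01T11:00:00", "risk_object": "host-42", "risk_object_type": "system",
     "risk_score": 30, "search_name": "New Service Installed"},
    {"_time": "2024-05-01T12:00:00", "risk_object": "host-42", "risk_object_type": "system",
     "risk_score": 30, "search_name": "New Service Installed"},
]


def aggregate_risk(events, now, window_hours=24):
    """Sum risk_score per (risk_object_type, risk_object) for events whose
    _time lies within the window [now - window_hours, now].

    Returns a dict keyed by (type, object) with the summed score, the set of
    correlation searches that contributed, and the number of events counted.
    `now` is an ISO-8601 timestamp string, e.g. "2024-05-01T18:00:00".
    """
    now_dt = datetime.fromisoformat(now)
    start = now_dt - timedelta(hours=window_hours)
    totals = defaultdict(lambda: {"risk_score": 0, "sources": set(), "event_count": 0})
    for ev in events:
        t = datetime.fromisoformat(ev["_time"])
        if t < start or t > now_dt:
            continue  # outside the scoring window
        key = (ev["risk_object_type"], ev["risk_object"])
        entry = totals[key]
        entry["risk_score"] += int(ev["risk_score"])
        entry["sources"].add(ev["search_name"])
        entry["event_count"] += 1
    return dict(totals)


def entities_over_threshold(events, now, window_hours=24, threshold=100):
    """Return the sorted list of (type, object) keys whose summed risk score
    over the window strictly exceeds `threshold`. These are the entities an
    analyst would pivot on first."""
    agg = aggregate_risk(events, now, window_hours)
    return sorted(key for key, entry in agg.items() if entry["risk_score"] > threshold)


if __name__ == "__main__":
    now = "2024-05-01T18:00:00"
    for key, entry in sorted(aggregate_risk(RISK_EVENTS, now).items()):
        print(key, entry["risk_score"], sorted(entry["sources"]))
    print("over threshold:", entities_over_threshold(RISK_EVENTS, now, threshold=100))
```

Two details matter in practice and are visible in the sample data: the window boundary decides whether older activity still counts, so the same identity scores differently with a 24-hour and a 96-hour window, and a single noisy correlation search can push an entity over the threshold on its own, which is why the number of distinct contributing searches is tracked alongside the sum.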
This documentation applies to the following versions of Splunk® Mission Control: Current