Migrating Splunk Mission Control incident data to Splunk Enterprise Security 8.0
After you upgrade to Splunk Enterprise Security 8.0, some incidents from Splunk Mission Control appear as investigations in Splunk Enterprise Security.
Splunk Enterprise Security automatically migrates incident data to a new investigation if the incident meets any of the following criteria:
- The incident has a response plan added to it
- The incident has any attachments, such as a note or file
- The incident is a parent incident and has associated child incidents; the child incidents appear as findings in Splunk Enterprise Security
- The incident was manually created in Splunk Mission Control and not ingested from Splunk Enterprise Security
If the incident meets any of these criteria, you can find it listed as an investigation in the analyst queue on the Mission Control page of Splunk Enterprise Security. Investigations migrated from Splunk Mission Control incidents include new fields such as the following:
- is_investigation
- risk_event_count
- count_findings
- risk_score
To view these fields, select the name of the investigation in the Splunk Enterprise Security analyst queue; this opens the side panel and the investigation overview page.
Incident data that has been modified for Splunk Enterprise Security 8.0 is backed up in the mc_incidents_backup index. Converted investigations are also added to the mc_investigations index.
Processing time to backfill Splunk Mission Control incidents in Splunk Enterprise Security 8.0
After you upgrade to Splunk Enterprise Security 8.0, it might take some time before you can see your incident data as investigations in Splunk Enterprise Security.
See the following table for a reference of the expected processing time, which grows roughly linearly with the number of incidents:
Number of incidents in Splunk Mission Control before upgrading | Expected processing time (minutes)
---|---
1,000 | 2
10,000 | 10
30,000 | 30
50,000 | 50
100,000 | 100
1,000,000 | 1,000
5,000,000 | 5,000
The modular input that migrates Splunk Mission Control incidents, convert_pre_es_convergence_incidents_mod_input, prioritizes the incidents most recently created or worked on, so the newest incidents appear as investigations first and the oldest last.
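The following script is an added example for checking the backfill, not part of the Splunk documentation or the Splunk product. It uses only identifiers from this page (the mc_incidents_backup and mc_investigations indexes and the four migrated fields) together with the documented Splunk REST export endpoint, and it assumes that each backed-up incident and each converted investigation is stored as one event in those indexes, that the migrated fields are searchable on the mc_investigations events, that the table above can be interpolated linearly (about one minute per 1,000 incidents, never less than two), and that a bearer token with search access is available. The sample rows in the `__main__` block are constructed.

```python
"""Check the progress of the Mission Control incident backfill after an
upgrade to Splunk Enterprise Security 8.0 (added example, not Splunk code)."""
import json
import math
import urllib.parse
import urllib.request

BACKUP_INDEX = "mc_incidents_backup"          # from the documentation
CONVERTED_INDEX = "mc_investigations"         # from the documentation
MIGRATED_FIELDS = ("is_investigation", "risk_event_count",
                   "count_findings", "risk_score")


def expected_backfill_minutes(incident_count):
    """Estimate from the documented table: about one minute per 1,000
    incidents, never less than two. Linear interpolation is an assumption."""
    return max(2, math.ceil(incident_count / 1000))


def backfill_status_search():
    """SPL that counts backed-up incidents next to converted investigations.
    Assumes one event per incident/investigation in each index."""
    return (
        f'| tstats count where index={BACKUP_INDEX} | eval stage="backed_up" '
        f'| append [| tstats count where index={CONVERTED_INDEX} | eval stage="converted"] '
        "| table stage count"
    )


def migrated_fields_search(limit=20):
    """SPL that lists recently converted investigations with the fields
    that only migrated investigations carry."""
    fields = ", ".join(MIGRATED_FIELDS)
    return (f"index={CONVERTED_INDEX} is_investigation=* "
            f"| head {limit} | table _time, {fields}")


def summarize(rows):
    """Turn rows from backfill_status_search() into a progress summary.
    A missing stage counts as zero; an empty index is not 'complete'."""
    counts = {row["stage"]: int(row["count"]) for row in rows}
    backed_up = counts.get("backed_up", 0)
    converted = counts.get("converted", 0)
    remaining = max(backed_up - converted, 0)
    return {
        "backed_up": backed_up,
        "converted": converted,
        "remaining": remaining,
        "complete": backed_up > 0 and remaining == 0,
        "eta_minutes": expected_backfill_minutes(remaining) if remaining else 0,
    }


def run_search(base_url, token, spl, earliest="0"):
    """Run SPL through /services/search/jobs/export and return result rows.
    earliest="0" searches all time, since backup events may be old."""
    body = urllib.parse.urlencode({
        "search": spl,
        "output_mode": "json",
        "earliest_time": earliest,
        "latest_time": "now",
    }).encode()
    req = urllib.request.Request(
        f"{base_url}/services/search/jobs/export",
        data=body,
        headers={"Authorization": f"Bearer {token}"},
    )
    rows = []
    with urllib.request.urlopen(req) as resp:
        for line in resp:                     # newline-delimited JSON
            line = line.strip()
            if line:
                record = json.loads(line)
                if "result" in record:
                    rows.append(record["result"])
    return rows


if __name__ == "__main__":
    # Constructed rows standing in for a live search response.
    sample_rows = [{"stage": "backed_up", "count": "30000"},
                   {"stage": "converted", "count": "21000"}]
    print(summarize(sample_rows))
    # Live use (hypothetical host and token):
    # rows = run_search("https://splunk.example:8089", "TOKEN", backfill_status_search())
    # print(summarize(rows))
```

Run the status search a few times during the backfill window; because the modular input works from the most recently created or updated incidents backwards, the converted count should climb steadily and the last investigations to appear are the oldest incidents.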
Role mapping from Splunk Mission Control to Splunk Enterprise Security
After you upgrade to Splunk Enterprise Security 8.0, begin assigning new roles that map to the roles you used in Splunk Mission Control.
The following table maps Splunk Mission Control roles to Splunk Enterprise Security 8.0 roles:
Splunk Mission Control role | Splunk Enterprise Security role
---|---
mc_admin | ess_admin
mc_analyst | ess_analyst
mc_observer | ess_user
Splunk Mission Control and Splunk SOAR capabilities included in Splunk Enterprise Security 8.0
Some capabilities from Splunk Mission Control and Splunk SOAR are included in Splunk Enterprise Security after you upgrade to version 8.0.
Do not remove these capabilities.
The following list includes all the capabilities from Splunk Mission Control and Splunk SOAR included in Splunk Enterprise Security 8.0:
- edit_intelligence_management
- mc_view_im_data
- mc_health_report
- mc_incident_settings_read
- mc_incident_settings_edit
- mc_response_template_view
- mc_response_template_edit
- mc_trigger_backfill
- mc_incident_sla_settings_read
- mc_incident_sla_settings_edit
- mc_edit_soar_system_settings
- soar_user
- es_soar_settings_admin
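The following script is an added example covering both the role mapping table and the capability list above; it is not Splunk's own tooling. It plans which users need an ESS role added, applies the change through the documented Splunk REST endpoint /services/authentication/users, and audits /services/authorization/roles to confirm that every migrated capability is still granted to at least one role. It assumes a bearer token with admin rights and keeps each user's existing Mission Control role while adding the mapped ESS role (the page says to assign the new roles; it does not say to remove the old ones, so removal is left to you). The user and role records in the `__main__` block are constructed.

```python
"""Map Mission Control roles to ES 8.0 roles and audit migrated capabilities
(added example, not Splunk code)."""
import json
import urllib.parse
import urllib.request

# Role mapping from the documentation.
ROLE_MAP = {
    "mc_admin": "ess_admin",
    "mc_analyst": "ess_analyst",
    "mc_observer": "ess_user",
}

# Capabilities carried over from Mission Control and SOAR; do not remove them.
MIGRATED_CAPABILITIES = {
    "edit_intelligence_management", "mc_view_im_data", "mc_health_report",
    "mc_incident_settings_read", "mc_incident_settings_edit",
    "mc_response_template_view", "mc_response_template_edit",
    "mc_trigger_backfill", "mc_incident_sla_settings_read",
    "mc_incident_sla_settings_edit", "mc_edit_soar_system_settings",
    "soar_user", "es_soar_settings_admin",
}


def map_roles(roles):
    """Return the role list with the ESS counterpart of every MC role added
    (existing roles are kept; that is this example's choice)."""
    mapped = set(roles)
    for role in roles:
        if role in ROLE_MAP:
            mapped.add(ROLE_MAP[role])
    return sorted(mapped)


def plan_role_updates(users):
    """users: [{"name": ..., "roles": [...]}]. Returns (name, new_roles) only
    for users whose role set actually changes, so re-running is idempotent."""
    plan = []
    for user in users:
        new_roles = map_roles(user["roles"])
        if new_roles != sorted(set(user["roles"])):
            plan.append((user["name"], new_roles))
    return plan


def missing_capabilities(roles):
    """roles: [{"name": ..., "capabilities": [...], "imported_capabilities": [...]}]
    as returned by /services/authorization/roles. Returns the migrated
    capabilities that no role grants, directly or by import."""
    granted = set()
    for role in roles:
        granted.update(role.get("capabilities", []))
        granted.update(role.get("imported_capabilities", []))
    return sorted(MIGRATED_CAPABILITIES - granted)


def _request(base_url, token, path, data=None):
    """GET (data is None) or POST a Splunk REST endpoint and decode JSON."""
    body = urllib.parse.urlencode(data, doseq=True).encode() if data else None
    req = urllib.request.Request(f"{base_url}{path}", data=body,
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def fetch_users(base_url, token):
    data = _request(base_url, token, "/services/authentication/users?output_mode=json&count=0")
    return [{"name": e["name"], "roles": e["content"].get("roles", [])} for e in data["entry"]]


def fetch_roles(base_url, token):
    data = _request(base_url, token, "/services/authorization/roles?output_mode=json&count=0")
    return [{"name": e["name"],
             "capabilities": e["content"].get("capabilities", []),
             "imported_capabilities": e["content"].get("imported_capabilities", [])}
            for e in data["entry"]]


def apply_roles(base_url, token, name, roles):
    """POST the full role list; Splunk replaces the user's roles with it."""
    path = f"/services/authentication/users/{urllib.parse.quote(name)}?output_mode=json"
    return _request(base_url, token, path, data={"roles": roles})


if __name__ == "__main__":
    # Constructed records standing in for fetch_users()/fetch_roles() output.
    users = [{"name": "alice", "roles": ["mc_analyst", "user"]},
             {"name": "bob", "roles": ["ess_admin", "mc_admin"]}]
    roles = [{"name": "ess_user", "capabilities": ["soar_user"],
              "imported_capabilities": ["mc_health_report"]}]
    print("role updates:", plan_role_updates(users))
    print("capabilities granted to no role:", missing_capabilities(roles))
    # Live use (hypothetical host and token):
    # for name, new_roles in plan_role_updates(fetch_users(URL, TOKEN)):
    #     apply_roles(URL, TOKEN, name, new_roles)
    # assert not missing_capabilities(fetch_roles(URL, TOKEN))
```

The capability audit is deliberately coarse: it only proves that each listed capability is still held by some role. Which role should hold which capability is not stated on this page, so check the ess_admin, ess_analyst and ess_user roles individually before relying on the result.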
See also
For more details on upgrading to Splunk Enterprise Security 8.0 and getting started, see the product documentation:
- Known issues for Splunk Mission Control
- Share Splunk Mission Control data usage in Splunk Enterprise Security
This documentation applies to the following versions of Splunk® Mission Control: Current