Splunk Mission Control brings order to the chaos of your security operations by enabling your SOC to detect, investigate and respond to threats from one modern and unified work surface. Here are some frequently asked questions to help you adopt the product.
Mission Control is a Splunk application that provides a unified, simplified and modern security operations experience for your SOC. With Mission Control, you can unify detection, investigation and response capabilities and data to take action based on prioritized insights, simplify operations by codifying your processes into response templates, and modernize your SOC with security automation (SOAR).
The Mission Control app is automatically installed for you if you are an eligible user. You simply need to log in to Enterprise Security Cloud, open the app selector, choose Mission Control, read through the info, and click "Enable".
Currently, Mission Control is available for customers who own Enterprise Security (ES) in the Cloud and is deployed in the following AWS regions. This link will stay updated as Mission Control is deployed in more regions.
You can use Splunk Mission Control to triage, investigate, and respond to security incidents from a unified console integrated with Splunk Enterprise Security (Cloud). You can identify and remediate incidents while collaborating with others on your team.
Perform an end-to-end Threat Detection, Investigation & Response (TDIR) Workflow. Please check the demo for more details: Watch the Demo
Yes. To view a list of incidents in Splunk Mission Control, select Incident review. You can view information about incidents using the default time range of the last 24 hours or another time range that you select. Incidents appear in the order they were created or ingested with the most recent incidents listed first.
Yes, you can, as long as you are an eligible Mission Control user.
Mission Control supports incident creation from two sources: 1) incidents can come from ES notables, or 2) incidents can be created ad hoc in the Mission Control UI. Incidents are stored in the Key Value (KV) store because much of the incident data is updated frequently (e.g. status, owner, notes, task status). Mission Control incidents also contain data that is not present in an ES notable (e.g. response template data). Finally, data in a Mission Control incident can be updated, much like SOAR artifact data can be modified by a playbook.
You will be linked into the integrated SOAR UI in order to build playbooks and configure connectors. Most existing SOAR playbooks will work when run via Mission Control. SOAR playbooks will need to use the new Mission Control block in the Visual Playbook Editor to interact with new Mission Control capabilities.
Where can I get resources and help if I have questions about Mission Control?