Splunk Mission Control

Mission Control FAQs

loriexi
Splunk Employee

Splunk Mission Control brings order to the chaos of your security operations by enabling your SOC to detect, investigate and respond to threats from one modern and unified work surface. Here are some frequently asked questions to help you better adopt the product.

  • What is Mission Control?

Mission Control is a Splunk application that provides a unified, simplified and modern security operations experience for your SOC. With Mission Control, you can unify detection, investigation and response capabilities and data to take action based on prioritized insights, simplify operations by codifying your processes into response templates, and modernize your SOC with security automation (SOAR).

  • How can I access Mission Control?

The Mission Control app is automatically installed for you if you are an eligible user. Log in to Enterprise Security Cloud, open the app selector, choose Mission Control, read through the info, and click “Enable”.

  • Am I eligible to use Splunk Mission Control?

Currently, Mission Control is available for customers who own Enterprise Security (ES) in the Cloud and is deployed in the following AWS regions. This link will stay updated as MC is deployed in more regions. 

  • What are the key functionalities Mission Control provides?

You can use Splunk Mission Control to triage, investigate, and respond to security incidents from a unified console integrated with Splunk Enterprise Security (Cloud). You can identify and remediate incidents while collaborating with others on your team.

  • What is the most common use case of Mission Control?

Perform an end-to-end Threat Detection, Investigation & Response (TDIR) Workflow. Please check the demo for more details: Watch the Demo

  • What are the initial steps required to set up Mission Control?

  1. Enable Splunk Mission Control
  2. Assign a default SLA
  3. Create incident types
  4. Assign and manage user roles
  5. Create or manage response templates

  • Are all the incidents automatically ingested in Mission Control from Enterprise Security?

Yes. To view a list of incidents in Splunk Mission Control, select Incident review. You can view information about incidents using the default time range of the last 24 hours or another time range that you select. Incidents appear in the order they were created or ingested with the most recent incidents listed first.


  • If I don’t have SOAR, can I still use Mission Control?

Yes, you can, as long as you are an eligible Mission Control user. 

  • What is the difference between ES notables and Mission Control (MC) incidents? 

MC supports Incident creation from two sources: 1) Incidents can come from ES notables, or 2) Incidents can be created ad-hoc in the MC UI. Incidents are stored in the Key Value (KV) store because much of the Incident data is updated frequently (e.g. status, owner, notes, task status). MC Incidents also contain data that is not present in an ES Notable (e.g. response template data). Finally, data in an MC Incident can be updated, much like SOAR artifact data can be modified by a playbook. 

  • How do I build playbooks in Mission Control? 

You will be linked into the integrated SOAR UI in order to build playbooks and configure connectors. Most existing SOAR playbooks will work when run via Mission Control. SOAR Playbooks will need to use the new Mission Control block in the Virtual Playbook Editor to interact with new MC capabilities. 

  • Where can I get resources and help if I have questions about Mission Control?

    • Check out the Mission Control Product Web Page
    • Learn more about Mission Control on our docs site
    • Watch the webinar titled “Unify Your Security Operations with Splunk Mission Control”. In this webinar, Splunk experts share how Splunk Mission Control strengthens your digital resilience by bringing order to your security operations.
    • If your organization has access to OnDemand Services (ODS) credits (What is ODS?), you can take advantage of several security-specific tasks and connect with an ODS Consultant who can help with your Mission Control journey (ODS Catalog - find your product area).
    • If you need expert advice or guidance with your Splunk environment, find out how our team can help at Customer Success