Splunk Mission Control brings order to the chaos of your security operations by enabling your SOC to detect, investigate and respond to threats from one modern and unified work surface. Here are some frequently asked questions to help you adopt the product.
What is Mission Control?
Mission Control is a Splunk application that provides a unified, simplified and modern security operations experience for your SOC. With Mission Control, you can unify detection, investigation and response capabilities and data to take action based on prioritized insights, simplify operations by codifying your processes into response templates, and modernize your SOC with security automation (SOAR).
How can I access Mission Control?
The Mission Control app is automatically installed for you if you are an eligible user. You simply need to log in to Enterprise Security Cloud, open the app selector, choose Mission Control, read through the info and click “Enable”.
Am I eligible to use Splunk Mission Control?
Currently, Mission Control is available to customers who own Enterprise Security (ES) in the Cloud, and it is deployed in the following AWS regions. This link will stay updated as MC is deployed in more regions.
What are the key functionalities Mission Control provides?
You can use Splunk Mission Control to triage, investigate, and respond to security incidents from a unified console integrated with Splunk Enterprise Security (Cloud). You can identify and remediate incidents while collaborating with others on your team.
What is the most common use case of Mission Control?
Performing an end-to-end Threat Detection, Investigation & Response (TDIR) workflow. Please check the demo for more details: Watch the Demo
What are the initial steps required to set up Mission Control?
Enable Splunk Mission Control
Assign a default SLA
Create incident types
Assign and manage user roles
Create or manage response templates
Are all the incidents automatically ingested in Mission Control from Enterprise Security?
Yes. To view a list of incidents in Splunk Mission Control, select Incident review. You can view information about incidents using the default time range of the last 24 hours or another time range that you select. Incidents appear in the order they were created or ingested with the most recent incidents listed first.
If I don’t have SOAR, can I still use Mission Control?
Yes, you can, as long as you are an eligible Mission Control user.
What is the difference between ES notables and Mission Control (MC) incidents?
MC supports incident creation from two sources: 1) incidents can come from ES notables, or 2) incidents can be created ad hoc in the MC UI. Incidents are stored in the Key Value (KV) store because much of the incident data is updated frequently (e.g. status, owner, notes, task status). MC incidents also contain data that is not present in an ES notable (e.g. response template data). Finally, data in an MC incident can be updated, much like SOAR artifact data can be modified by a playbook.
How do I build playbooks in Mission Control?
You will be linked into the integrated SOAR UI in order to build playbooks and configure connectors. Most existing SOAR playbooks will work when run via Mission Control. SOAR playbooks will need to use the new Mission Control block in the Visual Playbook Editor to interact with new MC capabilities.
Where can I get resources and help if I have questions about Mission Control?
If your organization has access to OnDemand Services (ODS) credits (What is ODS?), you can take advantage of several security-specific tasks and connect with an ODS Consultant who can help with your Mission Control journey (ODS Catalog - find your product area).
If you need expert advice or guidance with your Splunk environment, find out how our team can help at Customer Success.