Migrating to Mission Control

Preparation

1. Identify impacted playbooks. Before initiating the migration process, it's crucial to identify which playbooks are impacted. Assess your current playbooks to determine their reliance on container artifacts and enrichment results.
2. Update playbooks. After you identify the playbooks, update them to pull from Splunk Mission Control incidents instead of container artifacts. Additionally, modify the playbooks to display enrichment results within Splunk Mission Control events rather than artifacts. This ensures seamless integration and optimal performance within the Splunk Mission Control environment.

Splunk Mission Control to Splunk SOAR integration

For users leveraging both Splunk Cloud Platform and Splunk SOAR cloud environments, integrating Splunk Mission Control with Splunk SOAR is a valuable step. Enable this integration by submitting a support ticket to Splunk. After activation, it's essential to disable the Splunk App for SOAR Export from sending Splunk Enterprise Security notables to Splunk SOAR.

A phased approach to migration

1. Configure correlation searches. By default, all enabled correlation searches create a Splunk Mission Control incident. Identify correlation searches that generate incidents that aren't needed, and disable the corresponding adaptive response actions.
2. Streamline incidents. Focus on having the "Mission Control Incidents" adaptive response added only to correlation searches that can generate incidents. Simultaneously disable the modular input “Mission Control - Add incident creation to ES” until you are ready for all notables to flow into Splunk Mission Control.

Common use cases in Splunk Mission Control

• Polled containers and incidents. One common use case involves adding polled containers to Splunk Mission Control as incidents. This process involves ingesting containers via the on-poll method from a Splunk SOAR app and adding them to Splunk Mission Control as incidents. Relevant playbooks include "[MC] Create Incident From Container".
• Migrating Splunk SOAR workbooks. Another crucial use case is migrating existing Splunk SOAR workbooks to Splunk Mission Control response plans. This is achieved by replicating the workbooks in Splunk Mission Control using REST endpoints. The playbook "[MC] Create MC Response Plan" facilitates this migration.
• Displaying Splunk SOAR containers in Splunk Mission Control. Efficiently pivot between Splunk SOAR and Splunk Mission Control by displaying the Splunk SOAR container ID in the Splunk Mission Control description field. The playbook "[MC] Save Container ID to Incident" enables this seamless transition.
• Enhancing Splunk SOAR with Splunk Mission Control fields. Run Splunk Mission Control incidents on existing playbooks designed for container artifacts. The playbook "[MC] Save MC Summary Fields to Container" allows you to retrieve Splunk Mission Control incident fields and save them as artifacts in the Splunk SOAR container.
• Updating RBA from Splunk SOAR. Leverage Splunk SOAR enrichment results to adjust the Risk-Based Analytics (RBA) score in both Splunk Enterprise Security and Splunk Mission Control. The playbook "[Utility] Update Risk Score" facilitates this process by mapping enrichment results to RBA scores.

Interactions between the Splunk platform and Splunk SOAR

You can make Splunk SOAR rest calls by using the | restsoar command to access Splunk SOAR metadata not available in the phantom_* indexes. This capability enhances the integration between the Splunk platform and Splunk SOAR.

Next steps

These resources might help you understand and implement this guidance:

• Splunk Docs: Mission Control
• .Conf Talk: SEC1226B - Mastering security automation: Accelerating incident response with Splunk SOAR and Splunk Mission Control (Slides)
• Github: Splunk SOAR playbooks