Splunk

Where is it used?
  • Splunk can start a Cyber Triage endpoint investigation when an alert is generated.
  • Cyber Triage results can be imported into Splunk so that the data is available for future alert triage.
Why is it useful?
  • Allows users to start the investigation more quickly and makes the best use of responders' time.
  • Users will have more context when they investigate similar alerts in the future. They will know how common a process is or where else it was seen, for example.