
Splunk
Where is it used?
- Splunk can start a Cyber Triage endpoint investigation when an alert is generated.
- Cyber Triage results can be imported into Splunk so that the data is available for future alert triage.
Why is it useful?
- Allows users to start the investigation more quickly and makes the best use of responders' time.
- Users will have more context when they investigate similar alerts in the future. They will know how common a process is or where else it was seen, for example.