This section describes useful Splunk SIEM queries for triaging alerts.

What to read next

Useful Splunk SIEM Queries for Alert Triage - CB Analytics Alerts
Every CB Analytics (NGAV) alert is tied to one or more Enriched Events. It is very helpful to pivot to these events (also known as "Alerted Events") and identify the behavior that led to the alert. Doing so can show which processes, command lines, and users were involved, whether any network connections occurred, and which files or registry keys were modified.

Useful Splunk SIEM Queries for Alert Triage - Watchlist Alerts
Carbon Black Cloud records dozens of metadata fields for every process that executes on an endpoint. Not all of this metadata is included in a Watchlist Alert, but the Process GUID Details Alert action can automatically query Carbon Black Cloud for the full process details after a Watchlist Alert fires.

Useful Splunk SIEM Queries for Alert Triage - Handy URLs
When investigating an alert, it can be helpful to pivot back to the Carbon Black Cloud console to view purpose-built NGAV and EDR content, such as the process tree. There are a variety of pages to visit, and which ones matter varies from team to team. These URLs can be built from the content of an alert.

Useful Splunk SIEM Queries for Alert Triage - Enriched Events
Enriched Event descriptions are preformatted for a user interface and contain some HTML markup. This markup can be stripped away effectively, although you might lose some context.

Useful Splunk SIEM Queries for Alert Triage - Alert Trends
Aggregate data can help identify improvements in your SOC workflows. Are there known-good processes driving false positive alert volume? Can existing Watchlist Reports be tuned for greater efficacy? What type of alerts should new SOAR playbooks focus on?

Parent topic: Useful Queries for Splunk SIEM
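The Enriched Events topic above notes that stripping the markup from an event description can lose context. The following SPL is an added example, not a query from the Carbon Black Cloud documentation or the Splunk app, showing one way to keep that context: capture what the markup carries before removing it. It assumes the alerts are indexed under index=cbc with sourcetype=vmware:cbc:alerts, that the description is in a field named event_description, and that file paths are wrapped in <share><link hash="..."> ... </link></share> tags. All three are assumptions to be checked against your own data before use.

```spl
index=cbc sourcetype=vmware:cbc:alerts type=CB_ANALYTICS
| rex field=event_description max_match=0 "<link hash=\"(?<linked_hash>[0-9a-fA-F]{64})\">(?<linked_path>[^<]+)</link>"
| rex field=event_description mode=sed "s/<[^>]+>//g"
| eval event_description=replace(event_description, "\s+", " ")
| table _time device_name event_description linked_path linked_hash
```

The first rex runs before the sed strip and, with max_match=0, collects every linked path and its SHA-256 into multivalue fields, so the hashes that the <link> attributes carried survive as pivot points for reputation lookups or Watchlist searches. The second rex is the plain tag strip the topic describes; the eval only collapses the whitespace the removed tags leave behind. Check the raw event_description on a few alerts first: if your markup uses a different tag or attribute name, the first rex will simply match nothing and the hashes will be lost as before.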
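For the Alert Trends topic, the query below is an added example (not from the Carbon Black Cloud documentation or the Splunk app) of an aggregation that surfaces known-good processes driving false positive volume. It assumes the same index=cbc and sourcetype=vmware:cbc:alerts as above and that CB Analytics alerts expose process_name, device_name and reason fields; those names are assumptions to verify against your events.

```spl
index=cbc sourcetype=vmware:cbc:alerts type=CB_ANALYTICS earliest=-30d@d
| stats count AS alerts, dc(device_name) AS devices, values(reason) AS reasons, min(_time) AS first_seen, max(_time) AS last_seen BY process_name
| eval alerts_per_device=round(alerts/devices, 1)
| convert ctime(first_seen) ctime(last_seen)
| sort - alerts
| head 20
```

Read the two ratios together rather than the raw count alone. A process with a high alert count spread over many devices and a low alerts_per_device is the usual signature of a known-good application tripping a behavioral rule fleet-wide, and is a tuning or allowlist candidate. A process with a similar count concentrated on one or two devices (high alerts_per_device) deserves an investigation pivot instead. The values(reason) column shows which CB Analytics reasons each process is triggering, which tells you which rule or Watchlist Report to tune and which alert types a SOAR playbook would most reduce.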