Hi all,
Can anyone recommend a way of allowing 'investigative' information to be added to an alert, such that it's stored in our Splunk Cloud instance?
We use a third-party supplier who carries out triage on our Splunk alerts, and they have their own ticketing system as part of their SOAR infrastructure. That works well, but it's not our system, and if we decide to stop using that supplier we potentially lose all the information and comments added to alert tickets.
We would therefore like to add our own comments within Splunk when an alert is triggered, so that the information is stored for future reference, e.g. to help an analyst investigating an alert if it triggers again in future, or if someone else in the organisation wants to modify that alert.
I'm aware an alert is simply an action that takes place if the output of a query meets a certain condition, so I'm not necessarily asking how to add information to the alert object itself. I'm open to any suggestions, e.g. simple add-ons or Apps that act like a basic SOAR/incident management system.
Thanks.