I am currently configuring Splunk Enterprise Security for Alerts. I have a doubt in the implementation of this solution.
I created a alert for Failed logins from Windows devices. If this alert is triggered, team is running some queries manually to collect more details such as the pattern of that user account in the past 30 days, or the servers to which the user account has logged in the past 30 days to identify a baseline or to investigate whether there are any anomaly in the usage of that account. My doubt is whether there are any way to automate this process. Like if the above alert triggers, then the subsequent queries which the team is currently running manually can be automated and show the results some where in the alert itself where the team can go and see either in tabular or graphical format. Could you please suggest a solution for this.
Any input on how to set up Enterprise security as a SOC detection and workflow is much appreciated.
Yes, you can customize the investigation Dashboard adding a new and/or customizing an existing Workbanches
You can find tis feature at [Configure -- Content -- Content Management] menu item and choosing the Workbech Types.
It isn't so easy, I learned to do this in the Splunk Enterprise Security Admin course.