
SecOps Pilot: Customer Intake Form

🚨Priority Alerts for Pilot (Select 3-5)

Instructions: Choose alerts that are high-volume, high-impact, or have a high false-positive rate. For each one, describe the current manual process and what you want automated.

💡 Examples - "Desired Automation"

Auto-enrich:
"Pull asset tier from CMDB, add user department from Active Directory"
"Check hash reputation in VirusTotal, add IP geolocation"
Auto-suppress:
"Close if hostname matches test-* or dev-* pattern"
"Suppress if IP is in approved scanning tool whitelist"
"Ignore if it fires during a scheduled maintenance window"
Auto-escalate:
"Page security manager if asset tier = Critical"
"Immediately notify SWIFT team if it's a SWIFT workstation"
"Create P0 ticket if ransomware indicators detected"
Auto-contain:
"Isolate endpoint via CrowdStrike if hash reputation = malicious"
"Block IP at firewall if matches threat intel feed"
"Disable user account if multiple failed logins from foreign country"
Auto-investigate:
"Query firewall logs to check if domain was blocked"
"Count how many other hosts contacted the same malicious IP"
"Pull user's login history for last 7 days"

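As an added example (not part of the intake form or any vendor's code), the five automation categories above as one triage pass: enrich from a CMDB and Active Directory, then escalate, then suppress, else leave the alert for an analyst. The CMDB, AD and approved-scanner lookups, the hosts, users, IP ranges, the maintenance window and the sample alerts are all constructed stand-ins. Containment actions (isolate, block, disable) are left out on purpose; they are destructive and belong behind a separate approval gate.

```python
"""Added example: one triage pass over an alert, in the order the intake form's
categories suggest: enrich, then escalate, then suppress, else hand to an analyst.
The CMDB, Active Directory and scanner allowlist below are constructed stand-ins,
not real integrations; automated containment is deliberately left out."""
from dataclasses import dataclass, field
from datetime import datetime, time
from fnmatch import fnmatch
import ipaddress

# Constructed lookups (hypothetical hosts, users and ranges)
CMDB = {
    "fin-swift-01": {"tier": "Critical", "swift": True},
    "hr-ws-117": {"tier": "Standard", "swift": False},
    "test-build-03": {"tier": "Low", "swift": False},
}
AD_DEPARTMENT = {"jdoe": "Treasury", "asmith": "HR", "svc-build": "IT"}
SCANNER_ALLOWLIST = [ipaddress.ip_network("10.50.0.0/24")]
MAINTENANCE_WINDOW = (time(2, 0), time(4, 0))  # assumed nightly window, local time


@dataclass
class Alert:
    name: str
    host: str
    user: str
    src_ip: str
    fired_at: datetime
    indicators: set = field(default_factory=set)
    enrichment: dict = field(default_factory=dict)


def enrich(alert):
    """Auto-enrich: asset tier and SWIFT flag from the CMDB, department from AD."""
    asset = CMDB.get(alert.host.lower(), {})
    alert.enrichment["asset_tier"] = asset.get("tier", "Unknown")
    alert.enrichment["swift_workstation"] = asset.get("swift", False)
    alert.enrichment["department"] = AD_DEPARTMENT.get(alert.user.lower(), "Unknown")
    return alert


def suppression_reason(alert):
    """Auto-suppress rules from the form; returns the matching reason or None."""
    if any(fnmatch(alert.host.lower(), p) for p in ("test-*", "dev-*")):
        return "non-production host"
    if any(ipaddress.ip_address(alert.src_ip) in net for net in SCANNER_ALLOWLIST):
        return "approved scanning tool"
    if MAINTENANCE_WINDOW[0] <= alert.fired_at.time() < MAINTENANCE_WINDOW[1]:
        return "maintenance window"
    return None


def triage(alert):
    """Return the action string for one alert. Escalation is evaluated before
    suppression so a Critical or SWIFT asset, or a ransomware indicator, can never
    be auto-closed by a hostname pattern or a maintenance window."""
    enrich(alert)
    if "ransomware" in alert.indicators:
        return "create_p0_ticket"
    if alert.enrichment["swift_workstation"]:
        return "notify_swift_team"
    if alert.enrichment["asset_tier"] == "Critical":
        return "page_security_manager"
    reason = suppression_reason(alert)
    if reason:
        return "auto_close:" + reason
    return "analyst_queue"


# Constructed sample alerts (not real telemetry)
SAMPLE_ALERTS = [
    Alert("Malware detected", "FIN-SWIFT-01", "jdoe", "10.1.1.5", datetime(2025, 10, 15, 3, 0)),
    Alert("Port scan", "hr-ws-117", "asmith", "10.50.0.7", datetime(2025, 10, 15, 10, 0)),
    Alert("Malware detected", "test-build-03", "svc-build", "10.1.1.9", datetime(2025, 10, 15, 10, 0)),
    Alert("Malware detected", "hr-ws-117", "asmith", "10.1.1.5", datetime(2025, 10, 15, 10, 0)),
    Alert("File encryption burst", "hr-ws-117", "asmith", "10.1.1.5", datetime(2025, 10, 15, 3, 0), {"ransomware"}),
]


def triage_samples():
    """Triage every sample alert; returns (host, action) pairs in input order."""
    return [(a.host, triage(a)) for a in SAMPLE_ALERTS]


if __name__ == "__main__":
    for host, action in triage_samples():
        print(host, "->", action)
```

The ordering is the point: the first sample fires inside the maintenance window on a SWIFT workstation and still goes to the SWIFT team, because escalation is decided before any suppression rule runs. Put the suppression checks first and the same alert would be auto-closed.
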
Alert #1

Field: Response
Playbook #:
Alert Name* (as shown in Splunk):
Alert Source* (tool generating the alert, e.g. CrowdStrike, Symantec, FireEye):
Severity*: Critical / High / Medium / Low
Handling*: Real time / Batch / On-demand
Daily Volume (approximate alerts per day):
False Positive Rate (% or High/Medium/Low):
Current Manual Process (what the analyst does today: check EDR, validate hash, check criticality, email team, etc.):
Playbook Steps:
Detection Rule / Logic:
Desired Automation (what we want to automate: auto-enrich with asset tier, suppress known FPs, auto-isolate if malicious, etc.):

Alert #2

Same fields as Alert #1.

Alert #3

Same fields as Alert #1.

Alert #4 (Optional)

Same fields as Alert #1.

Alert #5 (Optional)

Same fields as Alert #1.

Copy of Splunk Alert Samples

Columns: Playbook # | Alert Name | Alert Source | Alert Description | Alert Severity | Alert Handling | Playbook Steps | Org's Detection Rule or Logic | Alert Escalation Recipient | Author | Date Signed-off

Each playbook is listed below as one record.
Playbook #: 1
Alert Name: SWIFT Workstation Malware
Alert Source: CrowdStrike, Symantec Endpoint Protection
Alert Description: Detects possible malware events/activity on a SWIFT endpoint
Alert Severity: Critical
Alert Handling: Immediate
Playbook Steps:
1. Correlate logs for any malicious activities or patterns based on the received alert to determine the source of the EDR alert (e.g. browsing, Internet, email, USB, etc.). Consider checking the following:
   - Source IP
   - File path
   - File name
   - Hash
   - User (detected and/or workstation user)
2. Escalate to Org’s SOC: provide the detection details via email and initiate a warm transfer/call to Org’s SOC personnel for further investigation or recommended action. Send all available details when escalating:
   - Date/time
   - Source IP
   - File path
   - File name
   - Hash
   - Associated file and hash
   - User (detected and/or workstation user)
   - Command line
   - Tactic and technique
Org's Detection Rule or Logic:
  title: SWIFT Workstation Malware
  id: 3b9f6b6c-1d1b-4f6a-98c3-7a9c2b3b2f21
  status: experimental
  description: >
    Detects malware alerts on SWIFT workstations/endpoints. Mirrors SPL logic:
    filter on dest_category containing "SWIFT Endpoint", extract file_path from
    _raw after "Occurrences:", and surface orig_time, dest, file_path, user, signature.
  author: User / Org
  date: 2025/10/15
  level: critical
  tags:
    - attack.initial_access
    - hm.swift
    - hm.malware
  references: []
  logsource:
    category: endpoint
    product: windows
  detection:
    selection_dest_category:
      dest_category|contains: 'SWIFT Endpoint'
    selection_malware_text:
      _raw|contains:          # a value list is OR-ed: either string matches
        - 'Occurrences:'
        - 'Alert:SES Alert- Intrusion Activity'
    # extract_file_path is the SPL rex extraction the rule mirrors, not a Sigma selection:
    #   Occurrences\:[^,]+,(?<file_path>[^,]+)
    condition: selection_dest_category and selection_malware_text
  fields:
    - _time
    - dest
    - user
    - signature
    - file_path
    - dest_category
    - _raw
  falsepositives:
    - Benign SES alerts or test signatures on SWIFT endpoints
    - Repeated detections from known good processes without malicious behavior
Author: Jane Doe
Date Signed-off: 10/15/2025
Playbook #: 2
Alert Name: Ransomware Detection
Alert Source: FireEye, Symantec Endpoint Protection
Alert Description: Detects FireEye and SEP alerts involving ransomware signatures
Alert Severity: Critical
Alert Handling: Immediate
Playbook Steps:
1. Correlate logs for any malicious activities or patterns based on the received alert to determine the source of the alert (e.g. browsing, Internet, email, USB, etc.).
2. Identify and take note of the destination and source, workstation or server. Correlate logs for any malicious activities or patterns based on the received alert to determine further indicators of compromise.
3. Escalate to Org’s SOC: provide the detection details via email and initiate a warm transfer/call to Org’s SOC on-call personnel for further investigation.
Org's Detection Rule or Logic:
  title: Ransomware Detection via Known Signatures (FireEye or SEP Risk)
  id: 7d7d8f2c-2b2d-44ce-9d2a-0a7d6db94f0d
  status: experimental
  description: >
    Detect events whose signature matches a curated ransomware signature list.
    Sources: FireEye or Symantec Endpoint Protection (SEP risk).
  author: User / Org
  date: 2025/10/15
  level: critical
  tags:
    - hm.ransomware
    - detection.signature
    - product.fireeye
    - product.sep
  logsource:
    category: endpoint
    product: windows
  detection:
    selection_sep:
      sourcetype: 'sep:risk'
    selection_fireeye:
      vendor|contains: 'FireEye'   # adjust to your actual field, e.g. source, product, host_product, event_source
    selection_sig_match:
      signature|contains:          # a value list is OR-ed; 'contains_any' is not a Sigma modifier
        - 'REPLACE_WITH_SIG_1'
        - 'REPLACE_WITH_SIG_2'
        - 'REPLACE_WITH_SIG_3'
    condition: (selection_sep or selection_fireeye) and selection_sig_match
  fields:
    - _time
    - action
    - src
    - dest
    - signature
    - sourcetype
    - message
  falsepositives:
    - Test signatures / PoC exercises
    - Legitimate tools sharing names with signatures
Author: Jane Doe
Date Signed-off: 10/15/2025
Playbook #: 3
Alert Name: Suspicious Domain Queried
Alert Source: Local OS Logs, Firewall Logs
Alert Description: Detects a query to a monitored suspicious FQDN
Alert Severity: Critical
Alert Handling: Immediate
Playbook Steps:
1. Check the alert, taking note of all available information on the monitored detection. Correlate logs to get further information. Verify the source and the domain being queried.
2. Correlate logs with other sources such as CrowdStrike, Wazuh, proxy, web logs, etc. for any malicious activities or patterns based on the received alert.
3. Escalate to BDO – IT Sec-SO-Threat Analytics and provide the detection details via email for further investigation or recommended action. Provide the following details:
   - User detected
   - Source
   - Destination
   - Time
4. Initiate a warm transfer/call to BDO – IT Sec-SO-Threat Analytics personnel for further investigation or recommended action.
Org's Detection Rule or Logic:
  title: Suspicious Domain Queried
  id: a1b2c3d4-5678-90ab-cdef-1234567890ab
  description: Detects DNS queries to suspicious dynamic DNS domains, excluding known internal sources and specific exceptions.
  status: experimental
  logsource:
    product: network
    service: dns
  detection:
    selection:
      query|contains: '.ddns.net'
    filter1:
      src_ip: '172.18.6.193'
    filter2:
      src_ip: '172.18.6.252'
    filter3:
      query|contains: 'swu-mham.ddns.net'
    condition: selection and not filter1 and not filter2 and not filter3
  fields:
    - src_ip
    - query
  level: critical
  tags:
    - attack.command_and_control   # T1071.004 (DNS) belongs to the Command and Control tactic
    - attack.t1071.004
    - detection.domain.ddns
Author: Jane Doe
Date Signed-off: 10/15/2025
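As an added example (not the org's SPL or Sigma, and not the form's own content), the detection logic of playbook 1 (SWIFT Workstation Malware) and playbook 3 (Suspicious Domain Queried) re-implemented in Python and run over constructed Splunk-style events, including the file_path extraction from _raw that the SWIFT rule mirrors from SPL. Field names follow the rules; the hosts, users, IPs, domains and raw strings are made up.

```python
"""Added example: the SWIFT Workstation Malware (playbook 1) and Suspicious Domain
Queried (playbook 3) logic re-implemented in Python and run over constructed events.
Event dicts use the Splunk field names from the rules; the sample values are made up."""
import re

# Python spelling of the rule's SPL extraction  Occurrences\:[^,]+,(?<file_path>[^,]+)
FILE_PATH_RE = re.compile(r"Occurrences:[^,]+,(?P<file_path>[^,]+)")
MALWARE_TEXT = ("Occurrences:", "Alert:SES Alert- Intrusion Activity")


def swift_workstation_malware(event):
    """Playbook 1: dest_category contains 'SWIFT Endpoint' AND _raw contains any of
    MALWARE_TEXT (a Sigma value list is OR-ed). Returns the surfaced fields or None."""
    raw = event.get("_raw", "")
    if "SWIFT Endpoint" not in event.get("dest_category", ""):
        return None
    if not any(text in raw for text in MALWARE_TEXT):
        return None
    m = FILE_PATH_RE.search(raw)  # file_path is absent when only the alert text matched
    return {
        "dest": event.get("dest"),
        "user": event.get("user"),
        "signature": event.get("signature"),
        "file_path": m.group("file_path") if m else None,
    }


# Playbook 3 exclusions, copied from the rule
DDNS_EXCLUDED_SRC = {"172.18.6.193", "172.18.6.252"}
DDNS_EXCLUDED_QUERIES = ("swu-mham.ddns.net",)


def suspicious_domain_queried(event):
    """Playbook 3: query contains '.ddns.net', minus two internal sources and one
    exception domain. Returns the surfaced fields or None."""
    query = event.get("query", "")
    if ".ddns.net" not in query:
        return None
    if event.get("src_ip") in DDNS_EXCLUDED_SRC:
        return None
    if any(exc in query for exc in DDNS_EXCLUDED_QUERIES):
        return None
    return {"src_ip": event.get("src_ip"), "query": query}


RULES = {
    "SWIFT Workstation Malware": swift_workstation_malware,
    "Suspicious Domain Queried": suspicious_domain_queried,
}


def run_rules(events):
    """Apply every rule to every event; return (rule name, match) pairs in event order."""
    hits = []
    for event in events:
        for name, rule in RULES.items():
            match = rule(event)
            if match is not None:
                hits.append((name, match))
    return hits


# Constructed sample events (not real telemetry)
SAMPLE_EVENTS = [
    {"dest_category": "SWIFT Endpoint", "dest": "fin-swift-01", "user": "jdoe",
     "signature": "Trojan.Gen.2",
     "_raw": "Alert:SES Alert- Intrusion Activity,Occurrences: 1,C:\\Users\\jdoe\\Downloads\\invoice.exe,Quarantined"},
    {"dest_category": "Standard Workstation", "dest": "hr-ws-117", "user": "asmith",
     "signature": "Trojan.Gen.2",
     "_raw": "Occurrences: 1,C:\\Temp\\x.exe,Quarantined"},            # not a SWIFT host
    {"dest_category": "SWIFT Endpoint", "dest": "fin-swift-02", "user": "svc-swift",
     "signature": "Scan complete", "_raw": "Scheduled scan finished"},  # no malware text
    {"src_ip": "10.2.3.4", "query": "evil-c2.ddns.net"},
    {"src_ip": "172.18.6.193", "query": "anything.ddns.net"},  # excluded internal source
    {"src_ip": "10.2.3.4", "query": "swu-mham.ddns.net"},      # explicit exception
    {"src_ip": "10.2.3.4", "query": "www.example.com"},
]

if __name__ == "__main__":
    for name, match in run_rules(SAMPLE_EVENTS):
        print(name, match)
```

Two things worth checking against the real SPL before relying on this: whether the two _raw strings are meant to be OR-ed (Sigma list semantics, used here) or AND-ed, and whether the comma-delimited layout the regex assumes is how the SES alert text actually arrives in Splunk, since a path containing a comma would truncate file_path.
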
Playbook #: 4
Alert Name: Web Access from Threatlisted IP
Alert Source: Cisco IPS, Web logs
Alert Description: Detects connection attempts from known malicious IPs, and unblocked IPS events from threatlisted IPs
Alert Severity: Medium
Alert Handling: Batch - Daily
Playbook Steps:
1. Verify whether the detected IP address is still within the escalated 14-day quarantine period by checking the following:
   - IP address
   - IP title/description
   - ISP
2. If the detected IP has passed the 14-day quarantine period, check the IP's reputation for malicious activity on AbuseIPDB (www.abuseipdb.com) or a similar IP abuse-report site. Also correlate the detected IP in the Akamai platform (if onboarded) for any connection attempts.
3. Escalate to Org’s SOC: provide the assessment and recommendation via email, stating whether the reported IPs should be quarantined and/or also blocked on the Akamai platform.
Org's Detection Rule or Logic:
  title: Web Access from Threatlisted IP
  id: 9f8e7d6c-1234-4abc-9def-567890abcdef
  description: Detects web access events from IPs listed in threat intelligence collections, excluding proxy sources and non-OK statuses.
  status: experimental
  logsource:
    product: web
    service: proxy
  detection:
    selection:
      status: 'OK'
    threat_match:
      threat_collection|exists: true   # event carries a threat-intel collection match
    filter_root_url:
      url: '/'
    filter_swg:
      sourcetype: 'swg'
    filter_forwardproxy:
      source|contains: 'forwardproxy'
    condition: selection and threat_match and not 1 of filter_*
  fields:
    - src_ip
    - dest_ip
    - url
    - threat_match_value
  level: medium
  tags:
    - attack.command_and_control
    - attack.t1071.001
    - detection.web.threatintel
Author: Jane Doe
Date Signed-off: 10/15/2025
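As an added example (not the org's playbook tooling), steps 1 to 3 of the Web Access from Threatlisted IP playbook as code: a daily batch deduplicates the detected IPs, separates those still inside the 14-day quarantine from those that have aged out or were never quarantined, and turns a reputation result into the step-3 recommendation. The quarantine register, the reputation inputs, the abuse-confidence and report-count thresholds, and the Akamai attempt count are constructed assumptions, not org policy and not an AbuseIPDB or Akamai API call.

```python
"""Added example: steps 1-3 of the Web Access from Threatlisted IP playbook as code.
Decides, for each IP detected in the daily batch, whether it is still inside the
14-day quarantine or has aged out and needs a fresh reputation check, then turns a
reputation result into the step-3 recommendation. The quarantine register, the
reputation inputs and the thresholds are constructed assumptions, not org policy."""
from datetime import date, timedelta

QUARANTINE_DAYS = 14

# Constructed quarantine register: IP -> title/description, ISP, quarantine start date
QUARANTINE = {
    "203.0.113.10": {"title": "Mass scanner", "isp": "ExampleNet", "since": date(2025, 10, 5)},
    "198.51.100.7": {"title": "Tor exit node", "isp": "ExampleHost", "since": date(2025, 9, 1)},
}


def quarantine_status(ip, today, register=QUARANTINE):
    """Step 1: is the IP within the escalated 14-day quarantine period?"""
    entry = register.get(ip)
    if entry is None:
        return {"ip": ip, "state": "unknown", "action": "investigate"}
    expires = entry["since"] + timedelta(days=QUARANTINE_DAYS)
    if today <= expires:
        return {"ip": ip, "state": "quarantined", "action": "none",
                "title": entry["title"], "isp": entry["isp"],
                "days_remaining": (expires - today).days}
    return {"ip": ip, "state": "expired", "action": "investigate",
            "title": entry["title"], "isp": entry["isp"],
            "days_since_expiry": (today - expires).days}


def batch_review(detected_ips, today, register=QUARANTINE):
    """Daily batch: dedupe the detected IPs and split them into those still
    quarantined (no work) and those that need a reputation check."""
    still_quarantined, to_investigate = [], []
    for ip in sorted(set(detected_ips)):
        status = quarantine_status(ip, today, register)
        (still_quarantined if status["action"] == "none" else to_investigate).append(status)
    return {"quarantined": still_quarantined, "investigate": to_investigate}


# Assumed thresholds for steps 2-3; tune to the org's risk appetite
ABUSE_CONFIDENCE_THRESHOLD = 75   # e.g. an abuse confidence score on a 0-100 scale
MIN_REPORTS = 5


def recommendation(abuse_confidence, report_count, akamai_attempts):
    """Steps 2-3: turn the reputation check into the email recommendation.
    akamai_attempts is the number of connection attempts seen on the Akamai platform
    (0 when not onboarded or nothing seen)."""
    malicious = abuse_confidence >= ABUSE_CONFIDENCE_THRESHOLD and report_count >= MIN_REPORTS
    if not malicious:
        return "no action; re-review at next detection"
    if akamai_attempts > 0:
        return "quarantine 14 days and block on Akamai"
    return "quarantine 14 days"


def sample_review():
    """Constructed daily batch: one duplicate, one still quarantined, one expired, one unknown."""
    today = date(2025, 10, 15)
    return batch_review(["203.0.113.10", "198.51.100.7", "192.0.2.55", "203.0.113.10"], today)


if __name__ == "__main__":
    review = sample_review()
    for status in review["investigate"]:
        print(status["ip"], status["state"])
    print(recommendation(92, 40, 3))
```

Keying the register on the IP alone is the simplification to watch: the playbook asks the analyst to compare title/description and ISP as well, because a re-listed IP under a new description may deserve a fresh assessment even inside the 14 days.
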
