
Alert Triage Automation

arxsec-site / library/workflows/alert-triage/README.md

Automates the SOC alert triage pipeline: pulls Splunk alerts, enriches them with CrowdStrike detection data, and creates ServiceNow incidents for high-severity findings.

Maturity: L4+ (Governed and up)  ·  See the 5-level maturity model for where this workflow fits in your program.

What It Does

  1. Queries Splunk for new notable events and correlation alerts
  2. Enriches each alert with CrowdStrike detection data (host context, process tree, threat score)
  3. Calculates a composite severity score using alert + detection signals
  4. For high-severity alerts: creates ServiceNow incidents with full enrichment context
  5. For high-severity alerts: updates CrowdStrike detection status to "in_progress"
  6. All CrowdStrike write operations require human-in-the-loop approval

Time Saved

Before: 3 hours per analyst per day — manually correlating Splunk alerts with CrowdStrike, copying context into ServiceNow.

After: Automated enrichment and triage. Analysts review pre-enriched incidents and approve detection status updates.

Connectors

| Connector | Operations | Risk |
|-----------|-----------|------|
| Splunk | search:execute, alerts:read | LOW |
| CrowdStrike | detections:read, detections:write | HIGH |
| ServiceNow | incidents:create | MEDIUM |

Overall Risk: HIGH — CrowdStrike detections:write modifies detection status. Requires HITL approval.

ARX Governance

  • HITL Gate: Enabled — all CrowdStrike write operations require analyst approval
  • Risk Threshold: 85 — operations above this score trigger HITL review
  • Approval Channel: #soc-approvals
  • Audit Trail: Every alert processed, enrichment performed, and incident created is logged
  • Schedule: Every 5 minutes (*/5 * * * *)
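The triage steps above (composite severity from alert plus detection signals, incident creation only for high-severity alerts, and a human-in-the-loop gate in front of CrowdStrike writes) and the risk-threshold setting in the governance list can be shown as one decision routine. The following is an added example written for this page, not the project's workflow.py and not the arx SDK: the scoring weights, the numeric thresholds inside SEVERITY_THRESHOLDS, the per-operation risk scores, and the sample alert and detection records are all constructed assumptions, and no connector is actually called. Only the HITL risk threshold of 85 and the "always gate CrowdStrike writes" rule come from the README.

```python
"""Composite severity scoring and HITL gating for alert triage (added example).

Illustrative only: not the project's workflow.py and not the arx SDK. Weights,
threshold values, operation risk scores and sample records are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed values; the README names SEVERITY_THRESHOLDS but does not give numbers.
SEVERITY_THRESHOLDS = {"high": 70, "medium": 40}

# From the README: operations scoring above 85 go to HITL review.
HITL_RISK_THRESHOLD = 85

# From the README: every CrowdStrike write is gated regardless of score.
ALWAYS_GATED = {"crowdstrike.detections:write"}

# Assumed per-operation risk scores; the README only labels connectors LOW/MEDIUM/HIGH.
OPERATION_RISK = {
    "servicenow.incidents:create": 50,
    "crowdstrike.detections:write": 90,
}

# Assumed mapping of Splunk notable-event urgency to a 0-100 signal.
URGENCY_SCORE = {"low": 20, "medium": 45, "high": 70, "critical": 90}


@dataclass
class Alert:
    alert_id: str
    host: str
    splunk_urgency: str  # "low" | "medium" | "high" | "critical"


@dataclass
class Detection:
    detection_id: str
    threat_score: int        # assumed 0-100 scale
    process_tree_depth: int  # number of ancestor processes in the tree
    status: str              # e.g. "new", "in_progress"


@dataclass
class PlannedAction:
    operation: str
    target: str
    risk: int
    needs_approval: bool


def composite_severity(alert: Alert, detection: Optional[Detection]) -> int:
    """Blend 40% alert urgency with 60% detection threat score (integer math).
    A host with no CrowdStrike detection falls back to the alert signal alone;
    a deeper process tree nudges the score up by at most 5 points."""
    alert_part = URGENCY_SCORE.get(alert.splunk_urgency, 0)
    if detection is None:
        return alert_part
    score = (4 * alert_part + 6 * detection.threat_score) // 10
    score += min(detection.process_tree_depth, 5)
    return min(score, 100)


def severity_label(score: int) -> str:
    if score >= SEVERITY_THRESHOLDS["high"]:
        return "high"
    if score >= SEVERITY_THRESHOLDS["medium"]:
        return "medium"
    return "low"


def make_action(operation: str, target: str) -> PlannedAction:
    """An action is held for analyst approval if its risk exceeds the HITL
    threshold or the operation is on the always-gated list."""
    risk = OPERATION_RISK[operation]
    gated = risk > HITL_RISK_THRESHOLD or operation in ALWAYS_GATED
    return PlannedAction(operation, target, risk, gated)


def plan_actions(alert: Alert, detection: Optional[Detection]) -> Tuple[int, List[PlannedAction]]:
    """Return (composite score, actions) for one alert. Only high-severity
    alerts produce an incident and a detection status update."""
    score = composite_severity(alert, detection)
    actions: List[PlannedAction] = []
    if severity_label(score) == "high":
        actions.append(make_action("servicenow.incidents:create", alert.alert_id))
        if detection is not None and detection.status != "in_progress":
            actions.append(make_action("crowdstrike.detections:write", detection.detection_id))
    return score, actions


def triage(alerts: List[Alert], detections_by_host: Dict[str, Detection]):
    """Join alerts to detections by host and plan actions for each alert."""
    return {a.alert_id: plan_actions(a, detections_by_host.get(a.host)) for a in alerts}


# Constructed sample input (not real alert or detection data).
SAMPLE_ALERTS = [
    Alert("splk-1001", "ws-042", "high"),
    Alert("splk-1002", "ws-099", "medium"),
    Alert("splk-1003", "srv-07", "low"),
]
SAMPLE_DETECTIONS = {
    "ws-042": Detection("cs-77", 85, 4, "new"),
    "srv-07": Detection("cs-78", 95, 2, "new"),
}

if __name__ == "__main__":
    for alert_id, (score, actions) in triage(SAMPLE_ALERTS, SAMPLE_DETECTIONS).items():
        print(alert_id, score, severity_label(score))
        for act in actions:
            print("   ", act.operation, "->", act.target, "HITL" if act.needs_approval else "auto")
```

Running the sample shows the two halves of the gate: the ServiceNow incident for splk-1001 is created without review (risk 50), while the CrowdStrike status update on the same alert is held for approval (risk 90, and CrowdStrike writes are always gated). The low-urgency alert on srv-07 ends up medium despite a high threat score, which is the kind of outcome worth checking when tuning SEVERITY_THRESHOLDS.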

Setup

Prerequisites

```bash
pip install arx
```

Environment Variables

```bash
export SPLUNK_HOST="https://splunk.your-org.com:8089"
export SPLUNK_TOKEN="your-splunk-bearer-token"
export CROWDSTRIKE_CLIENT_ID="your-cs-client-id"
export CROWDSTRIKE_CLIENT_SECRET="your-cs-client-secret"
export SERVICENOW_INSTANCE="your-org.service-now.com"
export SERVICENOW_USERNAME="svc-arx"
export SERVICENOW_PASSWORD="your-servicenow-password"
```

Run

```bash
# One-time execution
arx run workflow.py

# Register on schedule
arx register --config arx.yaml
```

Customization

  • Adjust the Splunk search query for your correlation rules
  • Configure severity thresholds in SEVERITY_THRESHOLDS
  • Modify ServiceNow assignment group and category
  • Change the HITL approval channel in arx.yaml