Alert Triage: Real Threats vs False Positives
Alert triage is the core SOC skill — learn the framework analysts use to assess severity, confirm IOCs, and separate real threats from false positives.

Picture your first week in a real SOC. The queue shows 847 open alerts. Your lead drops a single sentence before walking away: "Clear what you can, escalate what you can't." No further instructions. The clock is running.
That scenario is not an edge case. It is Tuesday morning in most tier-1 SOCs around the world. The skill that separates analysts who thrive from those who burn out in six months is not knowing every MITRE technique by heart. It is the ability to triage: to look at an alert, gather the right evidence in the right order, and reach a defensible verdict before the next alert lands.
What Alert Triage Actually Is
Triage comes from the French verb trier, to sort. In medicine it means assigning priority to patients before any treatment begins. In a SOC it means the same thing: sorting the signal from the noise before you act.
The process has four stages, and they are sequential for a reason.
Stage one: queue intake. Before you open any individual alert, you scan the queue for patterns. Are there clusters of the same rule firing across multiple hosts? Is one source IP appearing in a dozen separate alerts? Pattern recognition at the queue level is faster than investigating each alert in isolation and often reveals whether you are looking at coordinated activity or a single misconfigured scanner.
Stage two: evidence assessment. Once you pick an alert to investigate, you pull all available context: the asset and its owner, the user account involved, the raw log payload, and historical baseline for that entity. You are building a picture, not confirming a hypothesis. The goal at this stage is to gather before you judge.
Stage three: verdict. Based on the evidence, you assign one of three labels. True positive (TP): the activity is malicious or clearly policy-violating. False positive (FP): the rule fired correctly but the activity is not malicious. Benign true positive (BTP): the activity is exactly what the rule describes, it is real, and it is not an attack. We will spend more time on that distinction below because it matters enormously.
Stage four: disposition. Your verdict determines the action. True positives escalate to tier 2 or trigger an incident. False positives get closed with a note that feeds back into rule tuning. Benign true positives get closed with documentation of why the activity is expected and authorized.
Missing any stage collapses the whole structure. Analysts who skip queue intake waste time investigating individual alerts that would have been obviously linked at the queue level. Analysts who skip evidence assessment jump straight to verdict and miss context that would have changed it. Analysts who conflate verdict categories create noise downstream and undermine escalation credibility.
A Practical Triage Framework
Good triage is not intuition. At tier 1, it is a structured checklist you run every time, and the checklist has four axes.
Severity. What is the detection rule's confidence and impact rating? A
SIGMA rule tagged critical on a domain controller is not
the same as a low rule on a developer workstation. Severity from the rule is a
starting weight, not a final verdict, but it calibrates where you spend the most
scrutiny.
Asset criticality. Who or what generated the event? A failed login on a shared printer differs from the same failed login on a database server that stores payment records. Your organization's CMDB or asset inventory maps hostnames and service accounts to their business function. If you do not have that mapping, your first week's side project should be building a cheat-sheet version of it.
IOC corroboration. Does the indicator of compromise appear in more than one data source? A suspicious domain that appears only in a DNS log is interesting. The same domain appearing in DNS, proxy, and firewall logs simultaneously is significant. CISA advisories and threat intel feeds like the MITRE ATT&CK framework give you a fast sanity-check on whether an IP address, hash, or domain has documented malicious history.
Baseline deviation. Is this activity normal for this user or host? A login at 3 AM from a European IP for an account that has only ever authenticated from Chicago during business hours is anomalous. A login at 3 AM from a developer who routinely works overnight is not. Baseline requires data: thirty days of history for the entity involved. Most SIEMs make this trivial to query. Analysts who skip the baseline check generate the most false escalations.
Run all four axes on every alert. Not in four hours per alert. In three to five minutes. The goal is not exhaustive investigation — that is what tier 2 is for. The goal is a calibrated preliminary verdict backed by evidence you can articulate.
True Positive vs. False Positive vs. Benign True Positive
These three labels are the vocabulary of triage, and confusing them is the most consequential mistake a new analyst makes.
A true positive is an alert that fired because something genuinely malicious or policy-violating happened. An attacker ran Mimikatz. A user exfiltrated files to a personal cloud drive in violation of policy. The detection worked correctly and the activity is a real problem.
A false positive is an alert that fired but the underlying activity is not what the rule was designed to catch. A vulnerability scanner doing authorized work trips a port-scan detection. A backup job generates "brute force" level authentication noise. The rule's logic is correct, but the specific instance is not an actual threat. False positives are where most of your queue lives, and learning to recognize them quickly without rubber-stamping them carelessly is the central tier-1 skill.
A benign true positive is the subtle one. The rule fired correctly. The activity is exactly what the rule describes. And it is not an attack. An employee using an approved remote access tool generates a legitimate-looking lateral movement alert. A sysadmin running an authorized credential audit trips a credential-dumping detection. The detection is technically correct. The activity is real. It just has a valid business explanation.
Warning
Never auto-close benign true positives as if they were false positives. A BTP closed without documentation creates a blind spot: the next time the same activity appears, you have no record of why it was previously approved. If a real attacker later mimics that pattern, your institution has no documented baseline to differentiate it. Always note who authorized the activity, what ticket or change window it falls under, and when it is expected to recur.
Getting these three categories right matters beyond the individual alert. Your escalation credibility with tier 2 depends on the precision of your TP calls. If you escalate ten alerts per shift and eight turn out to be BTPs, the tier-2 team will start ignoring your escalations. If you close everything that looks like a BTP and miss a real TP using the same pattern, the consequences are obvious.
Alert Fatigue: Why It Happens and How Pros Survive It
The SANS SOC Survey found that analyst burnout and alert volume are consistently ranked among the top operational challenges in security operations. This is not a coincidence, and it is not a failure of individual analysts.
Alert fatigue has a structural cause: base rates. In most enterprise environments, the vast majority of alerts generated by detection rules are not true positives. This is true even in well-tuned SOCs with mature detection engineering. The Ponemon Institute's research on SOC effectiveness has documented that analysts in high-volume SOCs close a significant portion of their daily queue without meaningful investigation, not because they are lazy but because the cognitive load of genuine investigation is unsustainable at scale.
Understanding base rates means internalizing this: if your environment generates 200 alerts per shift and historically 3% are true positives, you should expect six real threats today. That expectation shapes how you allocate attention. It does not mean you close everything carelessly. It means you develop rapid, systematic filters that let you spend deep investigation time on the 6 that matter rather than equal time on all 200.
Experienced analysts survive alert fatigue through a combination of deliberate triage structure, aggressive feedback loops on false positives (every FP you close should feed a tuning ticket), and a strategy borrowed from signal detection theory called criterion shifting: when the queue is overwhelming, you raise the threshold of evidence required before escalation rather than escalating everything or closing everything. That is a conscious adaptation, not capitulation.
A Worked Example: Suspicious Login Alert from Queue to Verdict
The best way to understand triage in practice is to walk one alert through the full process. Here is a realistic alert payload as it might appear in a Splunk SIEM:
Alert: Suspicious Authentication Event
Severity: Medium
Rule: Multiple Failed Logins Followed by Success ([T1110.001](https://attack.mitre.org/techniques/T1110/001/))
Time: 2026-04-21 02:47:33 UTC
User: j.hartley@corp.internal
Source IP: 185.220.101.47
Destination: CORPDC01.corp.internal (Domain Controller)
Failed attempts: 14
Outcome: Authentication Succeeded on attempt 15Stage one: queue intake. You scan around it. Three other alerts in the same
window also show 185.220.101.47 as a source. One is a proxy alert for an access
to an external file-sharing site. Two more are authentication failures against
different accounts. That IP appearing across four separate detections in a twelve-
minute window is a pattern. You flag this cluster for investigation.
Stage two: evidence assessment. You pull context on the user j.hartley:
User profile: Jessica Hartley, Accounts Payable
Manager: M.Torres
Normal auth pattern: Mon-Fri 08:00-18:00, source IPs in 10.44.0.0/16 (Chicago VPN)
Last login before this event: 2026-04-20 17:22 UTC (Chicago VPN, 10.44.18.22)
Current event: 02:47 UTC, IP 185.220.101.47
IP 185.220.101.47:
ASN: Tor exit node operator (AS201814)
Threat intel: Listed in AbuseIPDB with 847 recent reports
CISA KEV match: None
Geolocation: NetherlandsThe source IP resolves to a Tor exit node with documented abuse history. The authentication time is outside every historical pattern for this user. The target is a domain controller, not a workstation. Fourteen failed attempts followed by success is consistent with a low-rate password spray that eventually matched.
Stage three: verdict. This is a true positive. Four corroborating signals: Tor exit node source, time anomaly, historical pattern break, and domain controller target. Any one of these in isolation might be an FP. All four together produce a confident TP.
Stage four: disposition. Escalate immediately. Your escalation note documents the cluster pattern, the Tor exit node context, the geolocation deviation, and the exact query you used to surface the corroborating alerts. Tier 2 can act immediately without re-investigating ground you already covered.
This entire process, from opening the alert to submitting the escalation, should take roughly ten minutes for a clear TP with good context. If you are spending forty minutes on a single alert at tier 1, you are investigating, not triaging.
Common Rookie Triage Mistakes
Every analyst makes these. Knowing them in advance shortens the learning curve.
Investigating in isolation. Opening one alert and treating it as independent without first checking the queue for related activity. Correlation at the queue level is faster and surfaces incident-level patterns that individual alert investigation misses.
Trusting severity labels without context. A critical alert on a decommissioned
server that still sends logs is not more urgent than a medium alert on a
production database. Rule severity is calibrated to general environments, not your
specific asset landscape.
Closing without documenting. Closing a false positive with no notes means the next analyst — or future you — has no record of why that activity was benign. Good triage notes are an institutional memory asset. NIST SP 800-61 explicitly recommends documentation of every disposition decision for exactly this reason.
Escalation to avoid the decision. Escalating alerts you have not triaged because you are uncertain feels conservative but is actually a failure mode. Tier-2 analysts have a higher skill ceiling, not a different job function. Your role is to filter noise with the tools and data available to you. An unexplained escalation consumes tier-2 capacity without adding value.
Confusing speed with sloppiness. Fast triage is good. Fast triage that skips the baseline check is not fast — it creates rework downstream when the verdict is wrong. A three-minute triage with all four checklist axes covered beats a thirty-second gut-feel close every time.
Where the Framework Becomes Judgment
A framework tells you which axes to check. Judgment tells you how much weight to put on each one when they disagree — and that calibration only develops by seeing the same patterns resolve, correctly and incorrectly, across hundreds of alerts.
One BTP that reliably catches new analysts off-guard is a sysadmin running PingCastle against their own Active Directory. The tool issues LDAP queries at volume, touches high-value group memberships, and generates a stream of events that maps almost perfectly onto a T1069.002 domain-enumeration pattern. Teams that have not documented the quarterly audit cycle will escalate it. Teams that have escalated it twice, and twice received "authorized scan" back from tier 2, eventually write the BTP entry. After that, the third occurrence is a five-second recognition rather than a forty-minute investigation. That is the whole mechanism: document the first occurrence properly — ideally as a reusable playbook — and every recurrence becomes faster. The habit only forms through reps on realistic material.
A live production SOC is a poor place to acquire those reps — the alerts are real, a missed true positive has consequences, and the clock does not pause for you to think. SOCSimulator's shift mode closes that gap: realistic SIEM, XDR, and firewall alerts at realistic volume and sequence, scored against the same verdict framework above, so you meet the base rate and build the baseline-check reflex before it can cost you anything.
The detections feeding that queue are themselves worth understanding from the other side — our breakdown of 10 SIEM use cases every SOC runs shows the logic behind the rules you will be triaging. Phishing reports are one of the most common alert types you will triage, and learning to read the lures pays off fast: 15 phishing email examples breaks down the recurring tells side by side. From there, the same triage confidence carries into a tier-1 SOC role, a SOC analyst interview, and a phishing email analysis investigation alike.
The framework is here. The queue is waiting.
Free forever · No credit card
Train on real alerts, with zero consequences
Practice triage on realistic alert volume in a live SOC console. Free forever — no credit card.
Frequently Asked Questions
- What is alert triage in cybersecurity?
- Alert triage is the process a SOC analyst follows to evaluate each incoming security alert, determine whether it represents a real threat, and decide what action to take. It involves assessing severity, checking asset context, corroborating indicators of compromise, and delivering a verdict — true positive, false positive, or benign true positive — before escalating or closing the ticket.
- What percentage of security alerts are false positives?
- Industry surveys consistently put the false-positive rate in most enterprise SOCs between 40 and 70 percent. Some organizations report rates above 80 percent during periods of poor rule hygiene. This is not a flaw in your tooling alone; it is a structural consequence of applying broad detection logic to diverse environments, and understanding base rates is the first step to surviving it.
- What is alert fatigue in cybersecurity?
- Alert fatigue is the cognitive and behavioral degradation that occurs when analysts face more alerts than they can meaningfully investigate. It typically manifests as faster, less rigorous verdicts, higher rates of closed-without-investigation tickets, and eventually attrition. The root cause is almost always a high false-positive rate compounded by insufficient staffing and poor rule tuning.
- How do I get better at alert triage?
- Triage skill improves through deliberate reps on realistic, high-volume alert queues where you receive feedback on your verdicts. Reading documentation helps, but judgment under uncertainty is a practitioner skill built through repetition. Platforms like SOCSimulator let you run simulated shifts on authentic-looking SIEM, XDR, and firewall alerts so you can build that muscle without the consequences of a live environment.
- How do you triage a security alert step by step?
- Run the same four stages every time. First, queue intake: scan the whole queue for clusters before opening anything, so linked alerts are obvious. Second, evidence assessment: pull the asset, the user, the raw log, and thirty days of baseline for the entity involved. Third, verdict: assign true positive, false positive, or benign true positive based on severity, asset criticality, IOC corroboration, and baseline deviation. Fourth, disposition: escalate true positives with a documented note, and close false and benign true positives with a reason that feeds rule tuning. For a clear case with good context, the whole sequence takes three to ten minutes, not hours.
- What activities are performed during alert triage?
- Triage is a decision-and-routing function, not full remediation. The core activities are: centralizing alerts from SIEM, EDR, and firewall sources; validating that the rule actually fired on real conditions; enriching with context such as asset criticality, user history, and threat intelligence; prioritizing by severity and impact; rendering a verdict; and routing, meaning escalate to tier 2 or close with documentation. Deep forensic investigation belongs to tier 2 and incident response, not to the triage step.
- What are the four types of security alert verdicts?
- Most SOC triage resolves an alert into one of four dispositions. True positive: the rule fired and the activity is genuinely malicious or policy-violating. False positive: the rule fired but the activity is benign and not what the rule was meant to catch. Benign true positive: the activity is exactly what the rule describes, it is real, but it has a legitimate authorized explanation. Inconclusive: there is not yet enough evidence to decide, so the alert is escalated or held for more data. Confusing a benign true positive with a false positive is the most common rookie error.
Field notes
New walkthroughs and detections, in your inbox
A short email when we publish something worth your time. No spam, unsubscribe in one click.
Community
Continue the conversation
Discuss this with analysts who are actively training and working in the field.
Related Articles

Common Ports Cheat Sheet: 42 Ports SOC Analysts Memorize
Common ports cheat sheet for SOC analysts — master the 42 TCP/UDP ports that appear in firewall logs, SIEM alerts, and security interviews every single day.

SIEM Use Cases: 10 Every SOC Runs (With Detection Logic)
SIEM use cases explained with detection logic sketches, data sources, and tuning notes for the 10 detections every SOC team operates.

Windows Event IDs Cheat Sheet: The 31 That Matter
Windows event IDs cheat sheet for SOC analysts: 31 essential security event IDs covering auth, process execution, log tampering, and lateral movement.