Understanding Alerts
Learn about alert types, severities, and how to interpret them.
Alerts are the primary input for SOC analysts. Understanding how to read and prioritize them is essential.
Alert Anatomy
Every alert contains:
| Field | Description |
|---|---|
| Title | Brief description of what was detected (usually the name of the rule that fired) |
| Severity | Urgency level (Critical → Info), as assigned by the source tool; re-assess it during triage |
| Source Tool | Which tool raised the alert: SIEM, XDR, or Firewall |
| Timestamp | When the event occurred (event time); detection and ingest can lag it, so check which one is shown |
| Status | Current handling state |
| Details | Technical information and context: hosts, users, processes, indicators |
Severity Levels
Critical - Active attack in progress, immediate response required
High - Likely malicious activity, investigate urgently
Medium - Suspicious activity, needs investigation
Low - Minor anomaly, investigate when time permits
Info - Informational only, no action typically required
Alert Sources
SIEM Alerts
Generated from log correlation:
- Multiple failed logins
- Unusual access patterns
- Policy violations
- Data exfiltration indicators
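As an added illustration of how a SIEM turns raw logs into an alert carrying the fields listed under Alert Anatomy, the following is example code written for this page, not the platform's own detection logic. It works over constructed sshd-style authentication lines (not real logs) and applies an assumed correlation rule: five failed logins from one source IP within five minutes raise a Medium alert, upgraded to High if the same IP then logs in successfully within the window. The threshold, window, and severity mapping are assumptions chosen for the example.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines for this example (not from any real system).
SAMPLE_LOGS = """\
2024-03-01T09:00:01Z sshd[101]: Failed password for alice from 203.0.113.7 port 5011
2024-03-01T09:00:04Z sshd[101]: Failed password for alice from 203.0.113.7 port 5012
2024-03-01T09:00:09Z sshd[101]: Failed password for admin from 203.0.113.7 port 5013
2024-03-01T09:00:15Z sshd[101]: Failed password for root from 203.0.113.7 port 5014
2024-03-01T09:00:22Z sshd[101]: Failed password for alice from 203.0.113.7 port 5015
2024-03-01T09:00:31Z sshd[101]: Accepted password for alice from 203.0.113.7 port 5016
2024-03-01T09:10:00Z sshd[101]: Failed password for bob from 198.51.100.9 port 6001
2024-03-01T09:40:00Z sshd[101]: Failed password for bob from 198.51.100.9 port 6002
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+$"
)


@dataclass
class AuthEvent:
    ts: datetime
    outcome: str  # "Failed" or "Accepted"
    user: str
    ip: str


def parse_logs(text: str) -> list[AuthEvent]:
    """Parse the syslog-style lines above into events; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a production parser would count and surface these
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(AuthEvent(ts, m["outcome"], m["user"], m["ip"]))
    return events


def correlate_failed_logins(events, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window correlation rule (assumed thresholds): `threshold` failures from one
    source IP inside `window` raise a Medium alert; an Accepted login from the same IP
    before the window closes raises it to High (possible successful brute force)."""
    alerts = []
    by_ip: dict[str, list[AuthEvent]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_ip[e.ip].append(e)

    for ip, evs in by_ip.items():
        failures = [e for e in evs if e.outcome == "Failed"]
        for i in range(len(failures)):
            # Grow the window forward from failures[i] while it still fits.
            j = i
            while j < len(failures) and failures[j].ts - failures[i].ts <= window:
                j += 1
            burst = failures[i:j]
            if len(burst) < threshold:
                continue
            start, end = burst[0].ts, burst[-1].ts
            success = next(
                (e for e in evs if e.outcome == "Accepted" and end <= e.ts <= start + window),
                None,
            )
            alerts.append({
                "Title": f"Multiple failed logins from {ip}",
                "Severity": "High" if success else "Medium",
                "Source Tool": "SIEM",
                # Event time of the first failure, not the time the rule fired.
                "Timestamp": start.isoformat() + "Z",
                "Status": "New",
                "Details": {
                    "source_ip": ip,
                    "failed_count": len(burst),
                    "targeted_accounts": sorted({e.user for e in burst}),
                    "followed_by_success": success.user if success else None,
                },
            })
            break  # one alert per IP; further bursts would be deduplicated in a real SIEM
    return alerts


if __name__ == "__main__":
    for alert in correlate_failed_logins(parse_logs(SAMPLE_LOGS)):
        print(alert["Severity"], alert["Title"], alert["Details"])
```

Running it yields one alert: 203.0.113.7 tried three accounts five times in 21 seconds and then got in as alice, so the rule emits High rather than Medium; 198.51.100.9 has only two failures half an hour apart and stays below the threshold. The interesting analyst detail is in Details, not the title: the list of targeted accounts and the account that finally succeeded are what decide whether this is a password spray, a locked-out user, or a compromised credential.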
XDR Alerts
Generated from endpoint behavior:
- Malicious process execution
- File system changes
- Registry modifications
- Suspicious network connections
Firewall Alerts
Generated from network traffic:
- Blocked connections
- Known bad IPs
- Port scanning
- Protocol anomalies
Alert Status
| Status | Meaning |
|---|---|
| New | Just arrived, not yet reviewed |
| Investigating | Currently being analyzed |
| Escalated | Requires senior analyst or IR team |
| Resolved | Investigation complete and any remediation done; the incident is closed |
| False Positive | Investigated and confirmed benign; record why, so the detection rule can be tuned |
Reading Alert Details
When you click on an alert, look for:
- Source/Destination - Who/what is involved?
- User Account - Is this expected behavior for this user?
- Process/File - What executable or file triggered this?
- Network - Any external connections?
- Timeline - When did this start? Still ongoing?
Tips
Context is everything. An alert that looks benign for a developer might be critical for an HR system.
- Check the user's normal behavior pattern
- Look for related alerts in the same timeframe
- Consider the asset's criticality
- Trust but verify - don't dismiss without checking
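The four tips above amount to a scoring problem: severity alone does not order the queue, because asset criticality, related alerts in the same window, and deviation from the user's normal pattern all move an alert up or down. The following is an added example written for this page (not the platform's own triage logic) that turns them into a priority score. Everything in it is constructed: the alerts, the asset inventory, the per-user baseline, and the weights (severity points, criticality multipliers, +20 per related alert, +25 per baseline deviation, 15-minute correlation window) are assumptions chosen to make the behaviour visible.

```python
from __future__ import annotations

from datetime import datetime, timedelta

# Assumed severity weights for the five levels above.
SEVERITY_WEIGHT = {"Critical": 100, "High": 70, "Medium": 40, "Low": 15, "Info": 0}

# Constructed asset inventory: criticality multiplier per host (assumption, not from the page).
ASSET_CRITICALITY = {"hr-db-01": 2.0, "dev-laptop-17": 0.8, "web-proxy-02": 1.2}

# Constructed per-user baseline: hosts the user normally logs into and usual working hours.
USER_BASELINE = {
    "alice": {"hosts": {"dev-laptop-17"}, "hours": range(8, 19)},
    "hr-svc": {"hosts": {"hr-db-01"}, "hours": range(0, 24)},
}

CLOSED_STATUSES = {"Resolved", "False Positive"}
RELATED_WINDOW = timedelta(minutes=15)

# Constructed alerts using the Alert Anatomy fields plus host/user pulled from Details.
ALERTS = [
    {"id": 1, "Title": "Multiple failed logins", "Severity": "Medium", "Source Tool": "SIEM",
     "Timestamp": "2024-03-01T09:00:01Z", "Status": "New", "host": "dev-laptop-17", "user": "alice"},
    {"id": 2, "Title": "Suspicious process: powershell -enc", "Severity": "High", "Source Tool": "XDR",
     "Timestamp": "2024-03-01T09:04:10Z", "Status": "New", "host": "dev-laptop-17", "user": "alice"},
    {"id": 3, "Title": "Blocked outbound connection to known bad IP", "Severity": "High",
     "Source Tool": "Firewall", "Timestamp": "2024-03-01T09:05:30Z", "Status": "New",
     "host": "dev-laptop-17", "user": "alice"},
    {"id": 4, "Title": "Interactive login outside business hours", "Severity": "Low", "Source Tool": "SIEM",
     "Timestamp": "2024-03-01T02:15:00Z", "Status": "New", "host": "hr-db-01", "user": "alice"},
    {"id": 5, "Title": "Port scan detected", "Severity": "Medium", "Source Tool": "Firewall",
     "Timestamp": "2024-03-01T13:00:00Z", "Status": "Resolved", "host": "web-proxy-02", "user": None},
]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def related_ids(alert: dict, alerts: list[dict], window: timedelta = RELATED_WINDOW) -> list[int]:
    """Open alerts on the same host or user whose event time is within `window` of this one."""
    t = parse_ts(alert["Timestamp"])
    out = []
    for other in alerts:
        if other["id"] == alert["id"] or other["Status"] in CLOSED_STATUSES:
            continue
        same_entity = other["host"] == alert["host"] or (
            alert["user"] is not None and other["user"] == alert["user"])
        if same_entity and abs(parse_ts(other["Timestamp"]) - t) <= window:
            out.append(other["id"])
    return sorted(out)


def baseline_deviation(alert: dict) -> list[str]:
    """Reasons this alert departs from the user's normal pattern (empty if none or no baseline)."""
    user = alert["user"]
    base = USER_BASELINE.get(user)
    if base is None:
        return []
    reasons = []
    if alert["host"] not in base["hosts"]:
        reasons.append(f"host {alert['host']} not in {user}'s usual hosts")
    hour = parse_ts(alert["Timestamp"]).hour
    if hour not in base["hours"]:
        reasons.append(f"hour {hour} outside {user}'s usual hours")
    return reasons


def triage_score(alert: dict, alerts: list[dict]) -> int:
    """Severity x asset criticality, plus a bonus for each related alert and each baseline deviation."""
    base = SEVERITY_WEIGHT[alert["Severity"]] * ASSET_CRITICALITY.get(alert["host"], 1.0)
    score = base + 20 * len(related_ids(alert, alerts)) + 25 * len(baseline_deviation(alert))
    return round(score)


def build_queue(alerts: list[dict]) -> list[dict]:
    """Open alerts ordered for triage: highest score first, then severity, then id."""
    scored = []
    for a in alerts:
        if a["Status"] in CLOSED_STATUSES:
            continue
        scored.append({**a, "score": triage_score(a, alerts),
                       "related": related_ids(a, alerts), "deviations": baseline_deviation(a)})
    return sorted(scored, key=lambda a: (-a["score"], -SEVERITY_WEIGHT[a["Severity"]], a["id"]))


if __name__ == "__main__":
    for a in build_queue(ALERTS):
        print(f'{a["score"]:>4}  {a["Severity"]:<8} #{a["id"]} {a["Title"]} '
              f'related={a["related"]} deviations={a["deviations"]}')
```

The queue comes out as alerts 2, 3, 4, 1. The point worth noticing is alert 4: a Low-severity "login outside business hours" ends up above a Medium-severity failed-login alert because it is on a critical HR host, from a user who never touches that host, at 02:15. Conversely the three dev-laptop alerts reinforce each other: each one's score carries the other two as related alerts, which is the "look for related alerts in the same timeframe" tip expressed as arithmetic. The Resolved port scan is excluded from both the queue and the correlation, so closed alerts cannot inflate open ones.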