Alert Triage

Learn how to make quick, accurate triage decisions.
Triage is the process of quickly assessing and prioritizing alerts. In a busy SOC, you can't investigate everything deeply - you need to make fast, accurate decisions.

Triage Actions

Escalate

When to use: Real threat requiring immediate response

  • Active attack in progress
  • Data breach indicators
  • Ransomware execution
  • Compromised credentials being used

Escalation triggers incident response. Use when you're confident there's a real threat.

Investigate

When to use: Suspicious but needs more analysis

  • Unusual but not clearly malicious
  • Missing context
  • Potential false positive but worth checking
  • Related to other suspicious activity

Resolve

When to use: Handled, no further action needed

  • True positive that was contained
  • Investigation complete, no threat found
  • Issue remediated
  • Duplicate of existing incident

False Positive

When to use: Not a real threat

  • Legitimate business activity
  • Known good behavior misidentified
  • Testing or maintenance activity
  • Configuration issue, not security

Triage Workflow

1. Read alert title and severity
2. Check source (SIEM/XDR/Firewall)
3. Look at key indicators:
   - IP addresses
   - User accounts
   - Process names
   - File hashes
4. Check for correlation
5. Make decision
6. Move to next alert
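The six steps above as a small decision function. This is an added example, not SOC Simulator's own code: the Alert schema, the Context reference lists (threat-intel IPs and hashes, an authorised scanner, a maintenance account) and the sample queue are all constructed for illustration. The decision order encodes two points from this page: an indicator on a threat-intel list escalates regardless of severity, and the known-false-positive check runs before severity is considered, so a high-severity alert is not escalated on severity alone.

```python
from dataclasses import dataclass, field

# Triage outcomes, matching the four actions on this page
ESCALATE = "Escalate"
INVESTIGATE = "Investigate"
RESOLVE = "Resolve"
FALSE_POSITIVE = "False Positive"

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass
class Alert:
    """One queued alert with the key indicators an analyst checks (hypothetical schema)."""
    title: str
    severity: str                 # low | medium | high | critical
    source: str                   # SIEM | XDR | Firewall
    ips: list = field(default_factory=list)
    users: list = field(default_factory=list)
    processes: list = field(default_factory=list)
    hashes: list = field(default_factory=list)
    related_alerts: int = 0       # other recent alerts sharing an indicator (correlation)
    contained: bool = False       # already covered by an existing incident


@dataclass(frozen=True)
class Context:
    """Reference data consulted during triage. All values are constructed placeholders."""
    bad_ips: frozenset = frozenset({"203.0.113.7"})               # TEST-NET-3 documentation range
    bad_hashes: frozenset = frozenset({"PLACEHOLDER_BAD_HASH"})
    known_fp_processes: frozenset = frozenset({"vulnscan.exe"})   # authorised vulnerability scanner
    maintenance_users: frozenset = frozenset({"svc_backup"})      # scheduled-job account


def triage(alert: Alert, ctx: Context = Context()) -> tuple:
    """Apply the six-step workflow to one alert and return (decision, reason)."""
    # Step 1: title and severity
    rank = SEVERITY_RANK[alert.severity.lower()]
    # Step 2: source (kept for the reason string; it does not decide on its own)
    where = f"{alert.source}: {alert.title}"
    # Step 3: key indicators against threat intel and known-good lists
    intel_hits = (set(alert.ips) & ctx.bad_ips) | (set(alert.hashes) & ctx.bad_hashes)
    known_good = bool(
        (alert.processes and set(alert.processes) <= ctx.known_fp_processes)
        or (alert.users and set(alert.users) <= ctx.maintenance_users)
    )
    # Step 4: correlation with other recent alerts
    correlated = alert.related_alerts >= 2
    # Step 5: decision. Order matters: a confirmed indicator beats severity,
    # and the known-false-positive check runs before severity is considered.
    if alert.contained:
        return RESOLVE, f"{where}: already handled by an existing incident"
    if intel_hits:
        return ESCALATE, f"{where}: indicator on intel list {sorted(intel_hits)}"
    if known_good and not correlated:
        return FALSE_POSITIVE, f"{where}: known-good activity, no corroborating alerts"
    if rank >= SEVERITY_RANK["high"] and correlated:
        return ESCALATE, f"{where}: {alert.severity} severity with {alert.related_alerts} related alerts"
    if rank >= SEVERITY_RANK["medium"] or correlated:
        return INVESTIGATE, f"{where}: needs more context before a decision"
    return RESOLVE, f"{where}: low severity, no indicators, no correlation"


def prioritise(alerts: list) -> list:
    """Step 6: order the queue so the next alert picked up is the most urgent."""
    return sorted(alerts, key=lambda a: (-SEVERITY_RANK[a.severity.lower()], -a.related_alerts))


def triage_queue(alerts: list, ctx: Context = Context()) -> list:
    """Triage a whole queue in priority order; returns [(title, decision), ...]."""
    return [(a.title, triage(a, ctx)[0]) for a in prioritise(alerts)]


# Constructed sample queue (not real alerts; addresses are documentation ranges)
SAMPLE_ALERTS = [
    Alert("Ransomware note dropped", "critical", "XDR", users=["jdoe"],
          processes=["crypt.exe"], hashes=["PLACEHOLDER_BAD_HASH"], related_alerts=3),
    Alert("Outbound connection to unknown IP", "high", "Firewall", ips=["198.51.100.23"]),
    Alert("Port scan from internal host", "high", "SIEM", ips=["192.0.2.10"],
          processes=["vulnscan.exe"]),
    Alert("Service account login from external IP", "medium", "SIEM",
          users=["svc_backup"], ips=["203.0.113.7"]),
    Alert("Ransomware note dropped (duplicate)", "critical", "XDR", users=["jdoe"], contained=True),
    Alert("Multiple failed logins", "medium", "SIEM", users=["asmith"], related_alerts=4),
    Alert("Single failed login", "low", "SIEM", users=["asmith"]),
]

if __name__ == "__main__":
    for a in prioritise(SAMPLE_ALERTS):
        decision, reason = triage(a)
        print(f"{decision:<15} {reason}")
```

Running it shows the two cases worth noticing: the high-severity port scan from the authorised scanner comes back as a false positive, while the medium-severity login by the maintenance account still escalates because the source IP is on the intel list. Every reason string names the evidence used, which is what a reviewer of your shift will want to see.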

Speed vs Accuracy

In Shift Mode, you're balancing:

Factor      Impact
Speed       More alerts triaged, less backlog
Accuracy    Fewer missed threats, fewer false escalations

Aim for "good enough" triage. You can always investigate more later - but you can't un-miss an attack.

Common Mistakes

Over-escalating

  • Escalating every high-severity alert
  • Not checking for known false positives
  • Reacting to severity alone without context

Under-escalating

  • Dismissing without investigation
  • Assuming alerts are false positives
  • Ignoring correlation signals

Taking Too Long

  • Investigating deeply on every alert
  • Perfectionism in triage
  • Not using keyboard shortcuts

Keyboard Shortcuts

Master these for faster triage:

Key      Action
E        Escalate
I        Investigate
R        Resolve
F        False Positive
Space    Open details
/        Next / Previous alert

Building Intuition

Triage skill comes from:

  1. Pattern recognition - Seeing common attack signatures
  2. Context awareness - Understanding what's normal
  3. Tool familiarity - Knowing where to look quickly
  4. Experience - Making decisions and learning from outcomes

SOC Simulator helps build all of these through realistic practice.
