Alert triage is the most time-critical skill in a SOC analyst's toolkit. Done well, it separates a false positive from a contained incident in under 10 minutes. Done poorly, it means closing a P1 as noise while an attacker moves through your environment.
This 5-phase process was built from 10 years of daily alert work across CrowdStrike Falcon, Splunk, and Microsoft Sentinel at major Canadian financial institutions. It is designed to be followed under pressure, at 2AM, by an analyst who is tired and staring at an unfamiliar alert.
Do not start investigating before you have identified your anchors. An anchor is a concrete entity you can pivot from: a hostname, a username, a source IP, a process name. Write them down before you touch anything else.
The Severity Matrix
Before starting the 5 phases, you need a clear severity framework. Gut feel is not a process. Every analyst on your team should apply the same severity to the same alert.
| Severity | Definition | Response Time | Action |
|---|---|---|---|
| P1 | Active breach, live execution, confirmed data exfiltration, or ransomware | Immediate | Page IR lead now, isolate affected systems |
| P2 | Confirmed malicious activity, contained or potentially active, no confirmed data loss | Within 15 minutes | Escalate to senior analyst, begin containment |
| P3 | Suspicious activity requiring investigation, no confirmed malicious action | Within 1 hour | Investigate and document findings |
| P4 | Low-risk anomaly or policy violation, no threat indicators | Same shift | Log, monitor, and close with documentation |
Phase 1: Read Before You Act
- 1. Read the full alert title, description, and all fields before clicking anything
- 2. Identify every entity: hostname, username, source IP, destination IP, process name, parent process
- 3. Write these down in your ticket as anchors — you will pivot from each one
- 4. Note the timestamp and time zone — alert times and log times sometimes differ
- 5. Assign an initial severity based on the matrix above before any investigation
The most common triage mistake is jumping straight to investigation without reading the full alert. Analysts miss secondary indicators that were right there in the alert fields because they started pivoting on the first thing they saw.
Phase 2: Build Context
- 1. Is the affected user active, on leave, or recently terminated?
- 2. Is the affected host a workstation, server, or critical system?
- 3. Has this source IP, domain, or file hash been seen before in your environment?
- 4. Pull 30 days of history for both the host and the user — is this behavior new or recurring?
- 5. Check threat intel feeds and VirusTotal for any external indicators
Context is what separates a 45-minute investigation from a 3-minute false positive close. A certutil.exe execution looks alarming in isolation. In context, if that host has run the same certutil command via the same service account at 3AM every Sunday for six months, it is probably a legitimate certificate renewal. The process is the same. The context is everything.
Phase 3: Score Your Severity
- 1. Revisit your initial severity based on the context you have now built
- 2. Apply the severity matrix — what does the evidence actually support?
- 3. If severity has increased: escalate now before continuing investigation
- 4. If severity is confirmed P3 or P4: document your reasoning explicitly
- 5. If you are uncertain between two severity levels: always assign the higher one
When evidence supports either P2 or P3, always go P2. The cost of over-escalating a false positive is a few minutes of a senior analyst's time. The cost of under-escalating a real incident is everything.
Frameworks like this 5-phase process get a new companion hunt hypothesis every Tuesday in the Intelligence Pack.
Join — $14.99/moPhase 4: Investigate and Contain
- 1. Pivot from each anchor: what else did this user do? What else happened on this host?
- 2. Pull the process tree for any endpoint involved — parent and child processes tell the story
- 3. Check network connections: what did this process or user connect to?
- 4. If confirmed malicious: initiate containment before continuing investigation
- 5. Look for persistence: scheduled tasks, registry run keys, new services, new accounts
The investigation and containment phases run in parallel for active threats. You do not finish investigating before containing. As soon as you confirm malicious activity, you isolate the endpoint or revoke the credentials and continue building the picture from there. Waiting costs you lateral movement time.
What to look for in the process tree
- Office applications or browsers spawning scripting engines (PowerShell, cmd, wscript)
- Scripting engines making outbound network connections
- Unusual parent-child relationships — services that never spawn children suddenly spawning children
- Processes running from unusual locations (Downloads, Temp, AppData)
Phase 5: Document and Close
- 1. Document your finding: confirmed malicious, false positive, or inconclusive with reason
- 2. List every pivot you performed and what you found at each one
- 3. Record any IOCs identified: IPs, domains, file hashes, user accounts
- 4. Note any tuning recommendations — if this fires as a false positive repeatedly, why?
- 5. Close with a clear disposition: True Positive, False Positive, or Benign True Positive
Documentation is not administrative overhead. It is what allows a different analyst to pick up this ticket six months later and understand what happened in three minutes instead of thirty. It is also what protects you if a closed alert turns out to be the early indicator of a breach that was not caught until later.
The 10 Most Common Triage Mistakes
- Starting the investigation before identifying all anchors
- Closing an alert as a false positive because it looks similar to previous false positives
- Skipping context-building and going straight to the process tree
- Assigning P3 when evidence actually supports P2 because escalating feels disruptive
- Not checking the time — alerts that look routine at 2PM look different at 2AM on a Saturday
- Investigating only the host or only the user, not both
- Closing without documenting the reason for the disposition
- Not checking for lateral movement after confirming an initial access indicator
- Dismissing an alert because the source IP passes reputation checks — credential attacks come from legitimate IPs
- Treating volume anomalies as less serious than signature-based detections
Production detection rule, real incident case study, hunt hypothesis with query, and a career tip, every Tuesday. Plus monthly Office Hours, private Discord, and a growing detection archive. First 25 subscribers lock in $14.99/month for life.
Join Intelligence Pack — $14.99/month Free Triage ChecklistCancel anytime. 30-day money back guarantee. Or grab the SOC Starter Kit — $39 for the full one-time toolkit.