Alert triage is the most time-critical skill in a SOC analyst's toolkit. Done well, it separates a false positive from a contained incident in under 10 minutes. Done poorly, it means closing a P1 as noise while an attacker moves through your environment.

This 5-phase process was built from 10 years of daily alert work across CrowdStrike Falcon, Splunk, and Microsoft Sentinel at major Canadian financial institutions. It is designed to be followed under pressure, at 2AM, by an analyst who is tired and staring at an unfamiliar alert.

The core principle

Do not start investigating before you have identified your anchors. An anchor is a concrete entity you can pivot from: a hostname, a username, a source IP, a process name. Write them down before you touch anything else.

The Severity Matrix

Before starting the 5 phases, you need a clear severity framework. Gut feel is not a process. Every analyst on your team should apply the same severity to the same alert.

Severity Definition Response Time Action
P1 Active breach, live execution, confirmed data exfiltration, or ransomware Immediate Page IR lead now, isolate affected systems
P2 Confirmed malicious activity, contained or potentially active, no confirmed data loss Within 15 minutes Escalate to senior analyst, begin containment
P3 Suspicious activity requiring investigation, no confirmed malicious action Within 1 hour Investigate and document findings
P4 Low-risk anomaly or policy violation, no threat indicators Same shift Log, monitor, and close with documentation

Phase 1: Read Before You Act

Phase 01
Read Before You Act
Minutes 0 to 3 — Identify your anchors before touching anything

The most common triage mistake is jumping straight to investigation without reading the full alert. Analysts miss secondary indicators that were right there in the alert fields because they started pivoting on the first thing they saw.

Phase 2: Build Context

Phase 02
Build Context
Minutes 3 to 8 — Context turns noise into signal

Context is what separates a 45-minute investigation from a 3-minute false positive close. A certutil.exe execution looks alarming in isolation. In context, if that host has run the same certutil command via the same service account at 3AM every Sunday for six months, it is probably a legitimate certificate renewal. The process is the same. The context is everything.

Phase 3: Score Your Severity

Phase 03
Score Your Severity
Minutes 8 to 10 — Assign severity with evidence, not intuition
The uncertainty rule

When evidence supports either P2 or P3, always go P2. The cost of over-escalating a false positive is a few minutes of a senior analyst's time. The cost of under-escalating a real incident is everything.

Frameworks like this 5-phase process get a new companion hunt hypothesis every Tuesday in the Intelligence Pack.

Join — $14.99/mo

Phase 4: Investigate and Contain

Phase 04
Investigate and Contain
Minutes 10 to 30 — Build the full picture, take containment action

The investigation and containment phases run in parallel for active threats. You do not finish investigating before containing. As soon as you confirm malicious activity, you isolate the endpoint or revoke the credentials and continue building the picture from there. Waiting costs you lateral movement time.

What to look for in the process tree

Phase 5: Document and Close

Phase 05
Document and Close
Final phase — Leave a record that the next analyst can follow

Documentation is not administrative overhead. It is what allows a different analyst to pick up this ticket six months later and understand what happened in three minutes instead of thirty. It is also what protects you if a closed alert turns out to be the early indicator of a breach that was not caught until later.

The 10 Most Common Triage Mistakes

Intelligence Pack
A new triage framework refinement every Tuesday

Production detection rule, real incident case study, hunt hypothesis with query, and a career tip, every Tuesday. Plus monthly Office Hours, private Discord, and a growing detection archive. First 25 subscribers lock in $14.99/month for life.

Join Intelligence Pack — $14.99/month Free Triage Checklist

Cancel anytime. 30-day money back guarantee. Or grab the SOC Starter Kit — $39 for the full one-time toolkit.