Preface
Every organization relies on security analysts to react to cyber alerts. The cyber alert triage function is the only process that has proven effective in reliably separating noise from real threats.
Most organization see 1000's of cyber alerts but find only 1 or 2 are actionable.
We trained Salem, the AI cyber analyst on the below cyber triage process to enable it to work to find the few alerts that matter, resulting in more free time for your people to do more impactful work such as: intelligence gathering, incident response and attack surface reduction.
Most organization see 1000's of cyber alerts but find only 1 or 2 are actionable.
We trained Salem, the AI cyber analyst on the below cyber triage process to enable it to work to find the few alerts that matter, resulting in more free time for your people to do more impactful work such as: intelligence gathering, incident response and attack surface reduction.
Alert Triage Playbook
What threat behavior is this cyber alert trying to tell me about?
Cyber alerts identify suspicious activities that could represent a specific threat behavior. Your first job is to identify what threat behavior the alert could map to. This understanding is essential to determine if this suspicious action is a threat.
How to classify threat behavior
What systems, accounts, programs, or data objects are involved?
Every alert will have unique details that include atomic systems, accounts, programs, and/or data objects. Identifying as many of these entities that relate to an alert up front will help guide your investigation.
How to find associated entities
What do I know about each of these entities?
Once you know what entities are involved, you need to understand what these entities are, what they do, what special attributes are associated with them, where they are, and who owns them.
How to classify entities
What else has been going on that could be related?
Often an attacker will need to perform multiple actions to achieve their objectives. Search the entities involved in your alert in log data, change management systems, and other recent security alerts and highlight additional behavior that should be considered along with the activity reported in the alert you are investigating.
How to find related activity
What are the last 3 to 5 important questions to answer?
This is where experience kicks in. Once you have all the information you can gather from steps 1 – 4, you might find 3 to 5 additional questions you’ll need to ask to figure out if this alert is a business activity (most likely outcome) or a real threat.
Playbooks specific to a threat family can be a great resource to help guide you through this final stage of analysis. Below, you’ll find runbooks we’ve built that we hope can help those unfamiliar with investigation-specific types of threats.
Playbooks specific to a threat family can be a great resource to help guide you through this final stage of analysis. Below, you’ll find runbooks we’ve built that we hope can help those unfamiliar with investigation-specific types of threats.
