Cyber Alert Triage Playbook

The process by which cybersecurity analysts identify threats among a sea of noisy cyber alerts


Every organization relies on security analysts to react to cyber alerts. The cyber alert triage function is the only process that has proven effective in reliably separating noise from real threats.  

Most organization see 1000's of cyber alerts but find only 1 or 2 are actionable.

We trained Salem, the AI cyber analyst on the below cyber triage process to enable it to work to find the few alerts that matter, resulting in more free time for your people to do more impactful work such as: intelligence gathering, incident response and attack surface reduction.  

Alert Triage Playbook

What threat behavior is this cyber alert trying to tell me about?

Cyber alerts identify suspicious activities that could represent a specific threat behavior. Your first job is to identify what threat behavior the alert could map to.  This understanding is essential to determine if this suspicious action is a threat.

What systems, accounts, programs, or data objects are involved?

Every alert will have unique details that include atomic systems, accounts, programs, and/or data objects. Identifying as many of these entities that relate to an alert up front will help guide your investigation.

What do I know about each of these entities?

Once you know what entities are involved, you need to understand what these entities are, what they do, what special attributes are associated with them, where they are, and who owns them.

What else has been going on that could be related?

Often an attacker will need to perform multiple actions to achieve their objectives.  Search the entities involved in your alert in log data, change management systems, and other recent security alerts and highlight additional behavior that should be considered along with the activity reported in the alert you are investigating.

What are the last 3 to 5 important questions to answer?

This is where experience kicks in.  Once you have all the information you can gather from steps 1 – 4, you might find 3 to 5 additional questions you’ll need to ask to figure out if this alert is a business activity (most likely outcome) or a real threat.

Playbooks specific to a threat family can be a great resource to help guide you through this final stage of analysis. Below, you’ll find runbooks we’ve built that we hope can help those unfamiliar with investigation-specific types of threats.

Threat Family Specific Playbooks

Playbooks written with the experience of worn-out cyber analysts who have been there.

See Salem in action

Schedule a demo
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

By using this website, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts.  View our Privacy Policy for more information.

DenyAccept All