Alert Triage: Thoughts and Lessons

Earlier today, I tried out TryHackMe’s ‘SOC L1: Alert Triage’ room. Here are four things that stuck out for me about the triage process:

  1. Prioritise Alerts

Alerts should be prioritised by severity first and then by age (oldest first). Address critical and older alerts before low-severity or more recent ones. For instance, a critical-severity ransomware alert from last night is more important than a medium-severity brute-force alert from this morning, and an older critical alert should be picked up before a newer one of the same severity.
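As an added illustration of that ordering rule (example code written for this post, not material from the TryHackMe room), the function below sorts a constructed alert queue by severity rank and then by creation time. The severity scale, alert IDs, titles and timestamps are all assumed for the example; real SIEM severities differ, and the point is that anything with an unrecognised severity sorts last rather than silently jumping the queue.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed severity scale for this example: higher rank is handled first.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "informational": 0}


@dataclass(frozen=True)
class Alert:
    alert_id: str
    severity: str
    created_at: datetime  # timezone-aware UTC, see parse_ts()
    title: str


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp and normalise it to UTC.

    Naive and aware datetimes cannot be compared in Python, so normalising here
    avoids a TypeError when alerts arrive from sources with different offsets.
    """
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def triage_order(alerts):
    """Return alerts sorted by severity (critical first), then by age (oldest first).

    Unknown severities get rank -1, so they sort after every known level.
    """
    return sorted(
        alerts,
        key=lambda a: (-SEVERITY_RANK.get(a.severity.lower(), -1), a.created_at),
    )


# Constructed sample queue (not real alerts).
SAMPLE_QUEUE = [
    Alert("A-104", "medium", parse_ts("2024-05-14T08:12:00+00:00"), "SSH brute force against bastion"),
    Alert("A-101", "critical", parse_ts("2024-05-13T23:41:00+00:00"), "Ransomware note dropped on FS01"),
    Alert("A-106", "unknown", parse_ts("2024-05-13T20:00:00+00:00"), "Vendor rule with no severity mapped"),
    Alert("A-102", "low", parse_ts("2024-05-13T23:50:00+00:00"), "Port scan from internal host"),
    Alert("A-103", "critical", parse_ts("2024-05-14T07:05:00+00:00"), "Credential dumping (LSASS access)"),
    Alert("A-105", "medium", parse_ts("2024-05-13T22:00:00+00:00"), "Multiple failed VPN logins"),
]


if __name__ == "__main__":
    for a in triage_order(SAMPLE_QUEUE):
        print(f"{a.alert_id}  {a.severity:<8} {a.created_at.isoformat()}  {a.title}")
```

Run as-is, it prints the queue in the order you would work it: the two critical alerts oldest-first, then the mediums oldest-first, then the low one, with the alert that has no mapped severity at the bottom so it gets noticed and fixed rather than ignored.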

  2. Playbooks are an Option

I used to think SOC analysts always carried out investigations entirely on their own 😂. While that may be true in some environments, more well-established teams often use playbooks (also known as workbooks). These are basically step-by-step manuals for handling specific alerts.

  3. Playbooks may not be an Option

Sometimes, there’s no playbook, or the alert you're handling isn’t documented. In such cases, you'll need to rely on your knowledge, experience, and research skills to determine the best course of action. Escalate if necessary and always leave thorough notes or comments, whether you reach a definitive conclusion or not.

  4. Context is Crucial

Always assess the full context when triaging. Factors such as the employee’s role, access time, IP address, file type, and process details can help distinguish a true positive from a false one.

For example, it may be a false positive if Jen from Finance accesses financial files via VPN from Italy. But it might lean towards a true positive if Mike from R&D does the same, especially if you saw him in the office this morning.
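To make that kind of reasoning explicit, here is an added example (written for this post, not code from the TryHackMe room) that scores an access event against the context signals mentioned above and returns a disposition together with the reasons, which is exactly what you want to paste into your triage notes. The user records, the "usual countries" for each user, the badge-in flag and the score thresholds are all assumptions for the sake of the example; a real check would pull them from HR, VPN and physical-access systems.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessEvent:
    user: str
    department: str            # from the HR/identity directory (assumed available)
    resource_owner_dept: str   # department that owns the files that were accessed
    source_country: str        # geolocated from the VPN/source IP
    via_vpn: bool
    badged_in_office: bool     # physical access log shows the user on site today (assumed)
    usual_countries: tuple     # countries this user normally connects from (assumed baseline)


def assess_context(ev: AccessEvent):
    """Return (disposition, reasons) for an access alert.

    disposition is one of 'likely_false_positive', 'needs_review',
    'likely_true_positive'. The weights and thresholds are illustrative.
    """
    score = 0
    reasons = []

    # Role vs. data: a user touching another department's files is the strongest signal here.
    if ev.department != ev.resource_owner_dept:
        score += 2
        reasons.append(f"{ev.department} user accessed {ev.resource_owner_dept} files")

    # Location: unusual country for this user, not unusual in the abstract.
    if ev.source_country not in ev.usual_countries:
        score += 1
        reasons.append(f"source country {ev.source_country} not in user's usual set")

    # Impossible situation: remote VPN session while the user is physically in the office.
    if ev.via_vpn and ev.badged_in_office:
        score += 2
        reasons.append("VPN session active while user is badged into the office")

    if score >= 3:
        return "likely_true_positive", reasons
    if score >= 1:
        return "needs_review", reasons
    return "likely_false_positive", reasons


# Constructed events mirroring the Jen/Mike scenario (not real people or data).
JEN = AccessEvent("jen", "Finance", "Finance", "IT", via_vpn=True,
                  badged_in_office=False, usual_countries=("GB", "IT"))
MIKE = AccessEvent("mike", "R&D", "Finance", "IT", via_vpn=True,
                   badged_in_office=True, usual_countries=("GB",))
MIKE_REMOTE = AccessEvent("mike", "R&D", "Finance", "GB", via_vpn=True,
                          badged_in_office=False, usual_countries=("GB",))


if __name__ == "__main__":
    for ev in (JEN, MIKE, MIKE_REMOTE):
        disposition, reasons = assess_context(ev)
        print(f"{ev.user}: {disposition}")
        for r in reasons:
            print(f"  - {r}")
```

Jen scores zero because everything about her access matches her role and her normal locations. Mike scores on all three signals, and the third case shows that even without the badge-in contradiction, an R&D user in Finance data is already worth a proper look rather than a close-as-benign.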

That’s all for now folks. See you in the next one! 👋


Cover Image by Tirachard Kumtanom.