Alert Triage
The process of evaluating, prioritizing, and routing security alerts to determine which require investigation and which are false positives.
Definition
Alert triage is the first-response stage of the SOC workflow. When a SIEM or detection tool fires an alert, a Tier 1 analyst must assess its severity, determine whether it represents a genuine threat or a false positive, gather initial context, and decide whether to escalate, close, or route the case. In high-volume environments, analysts may process hundreds of alerts per shift.
Why It Matters
Alert fatigue is one of the most significant operational problems in security operations. When analysts are overwhelmed by volume, genuine threats are missed. Effective triage directly determines how quickly an organization can contain real incidents, and poor triage is a primary reason that breaches go undetected for days or weeks.
How It Works
An analyst receives an alert with metadata — source IP, destination, rule name, raw log data. They enrich the alert by querying threat intelligence sources, reviewing asset context, and correlating with other recent alerts. Based on this context, they assign a severity and recommended action: close as benign, monitor, or escalate to Tier 2 for full investigation. MITRE ATT&CK technique mapping helps identify the potential impact and likely next attacker steps.
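The enrich-correlate-score-route loop described above, as an added example that is not part of the original page and is not the DFIR Lab product's own logic. Everything in it is constructed: the threat-intelligence feed, the asset inventory, the allowlist of noisy sources, the five sample alerts (tagged with the ATT&CK technique IDs their rules carry) and the scoring weights, which stand in for whatever severity policy a real SOC would define.

```python
"""Rule-based alert triage: enrich, correlate, score and route.

All data below is constructed sample data; the weights are a hypothetical
policy, not a standard. Nothing here touches a real SIEM or intel source.
"""
from datetime import datetime, timedelta

# Constructed threat-intelligence feed: indicator -> description.
THREAT_INTEL = {"203.0.113.45": "known C2 infrastructure (constructed)"}

# Constructed asset inventory: host IP -> business context.
ASSETS = {
    "10.0.0.5":   {"role": "domain controller",      "criticality": "high"},
    "10.0.0.77":  {"role": "developer workstation",  "criticality": "medium"},
    "10.0.0.200": {"role": "guest wifi client",      "criticality": "low"},
}

# Constructed allowlist of sources that routinely trip noisy rules.
KNOWN_BENIGN_SOURCES = {"10.0.0.9": "internal vulnerability scanner"}

# Constructed alerts as a SIEM might emit them. 'technique' is the
# MITRE ATT&CK ID the detection rule is tagged with.
ALERTS = [
    {"id": "A1", "ts": "2024-05-01T10:00:00", "rule": "Outbound beacon pattern",
     "technique": "T1071", "src": "10.0.0.77", "dst": "203.0.113.45", "rule_severity": 2},
    {"id": "A2", "ts": "2024-05-01T10:03:00", "rule": "Suspicious PowerShell",
     "technique": "T1059.001", "src": "10.0.0.77", "dst": "10.0.0.77", "rule_severity": 2},
    {"id": "A3", "ts": "2024-05-01T10:04:00", "rule": "Kerberos ticket anomaly",
     "technique": "T1558", "src": "10.0.0.77", "dst": "10.0.0.5", "rule_severity": 3},
    {"id": "A4", "ts": "2024-05-01T11:30:00", "rule": "Port scan",
     "technique": "T1046", "src": "10.0.0.9", "dst": "10.0.0.200", "rule_severity": 1},
    {"id": "A5", "ts": "2024-05-01T12:00:00", "rule": "Failed logins burst",
     "technique": "T1110", "src": "198.51.100.8", "dst": "10.0.0.200", "rule_severity": 2},
]

UNKNOWN_ASSET = {"role": "unknown", "criticality": "unknown"}


def enrich(alert):
    """Attach intel hits, asset context and allowlist status to a raw alert."""
    return {
        **alert,
        "intel_hit": THREAT_INTEL.get(alert["dst"]) or THREAT_INTEL.get(alert["src"]),
        "asset": ASSETS.get(alert["dst"], UNKNOWN_ASSET),
        "known_benign_source": KNOWN_BENIGN_SOURCES.get(alert["src"]),
    }


def related_alerts(alert, all_alerts, window=timedelta(minutes=30)):
    """Other alerts from the same source host inside the time window."""
    t = datetime.fromisoformat(alert["ts"])
    return [a for a in all_alerts
            if a["id"] != alert["id"] and a["src"] == alert["src"]
            and abs(datetime.fromisoformat(a["ts"]) - t) <= window]


def score(enriched, related):
    """Additive severity score (constructed weights)."""
    s = enriched["rule_severity"]
    if enriched["intel_hit"]:
        s += 3                                   # indicator match is the strongest signal
    s += {"high": 2, "medium": 1}.get(enriched["asset"]["criticality"], 0)
    s += min(len(related), 2)                    # correlation bonus, capped so it cannot dominate
    return s


def decide(enriched, related):
    """Map context to (severity, action, reason): close, monitor or escalate."""
    if enriched["known_benign_source"]:
        return "low", "close", f"source is {enriched['known_benign_source']}", 0
    s = score(enriched, related)
    if s >= 6:
        return "critical", "escalate", f"score {s}: escalate to Tier 2", s
    if s >= 4:
        return "high", "escalate", f"score {s}: escalate to Tier 2", s
    if s >= 2:
        return "medium", "monitor", f"score {s}: watch for follow-on activity", s
    return "low", "close", f"score {s}: close as benign", s


def triage(alerts):
    """Run the full loop over a batch of alerts and return one verdict each."""
    out = []
    for a in alerts:
        e = enrich(a)
        rel = related_alerts(a, alerts)
        severity, action, reason, s = decide(e, rel)
        out.append({"id": a["id"], "technique": a["technique"], "severity": severity,
                    "action": action, "score": s, "reason": reason,
                    "related": sorted(r["id"] for r in rel)})
    return out


def prioritize(verdicts):
    """Order the work queue: highest score first, stable by alert id."""
    return sorted(verdicts, key=lambda v: (-v["score"], v["id"]))


if __name__ == "__main__":
    for v in prioritize(triage(ALERTS)):
        print(f"{v['id']} {v['severity']:8} {v['action']:8} {v['technique']:10} "
              f"related={v['related']} ({v['reason']})")
```

The correlation step is what turns three individually modest alerts (A1, A2, A3) into a critical chain: the same workstation beacons to a listed indicator, runs suspicious PowerShell and then produces a Kerberos anomaly against the domain controller within four minutes. The scanner alert (A4) is closed on the allowlist before scoring, which is how a triage rule encodes a known false positive; the brute-force burst against a low-value guest client (A5) lands in "monitor" rather than being escalated or silently closed.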
DFIR Platform
AI Triage
The DFIR Lab AI Triage feature accepts raw alert data and returns severity assessments, recommended next steps, MITRE ATT&CK technique mapping, and investigation guidance — purpose-built to accelerate Tier 1 SOC analyst workflows and reduce mean time to triage.