
GLOSSARY

Alert Triage

Alert triage is the process of going through cybersecurity alerts and investigating them to determine the potential threat severity. An alert triage is also known as a cybersecurity alert triage or simply triage. The alert triage process must ultimately determine whether or not the alert should be escalated to the next tier of incident response.

A security alert is an advisory, bulletin, or vulnerability note generated, usually by software and embedded processes, through automation and security controls within the security operations center. Alerts are triaged by security operations (SecOps) analysts. Data volumes are generally such that analysts can only process a small fraction of the alerts received. If internal processes dictate, the analyst will flag the alert for escalation and additional investigation and triage. At the next tier, a more focused security investigation will review the alert, related data, related threat intelligence data, and more to determine relative risk and the appropriate response. All of this alert triage demands speed. This remediation process should ideally be done in minutes, not hours, to best minimize risk.

Because of high alert volumes, effective alert triage is more crucial than ever before. SecOps teams are overrun with mountains of alerts to triage each year. Combined with an average of more than 35 security controls, the incident response and investigation effort has grown each year. Consider that a response to a single alert might require coordination across a multitude of security controls. In addition, SIEM rules for alert classification and escalation are generally noisy: the more alerts in the system, the more likely they will be false. The lack of decision support automation also forces the alert triage process to deal with very high noise levels. All of this makes rapid and effective triage more difficult. Optimizing prioritization is essential to determine the appropriate subsequent actions to take during the alert triage process.

Your alert triage process also benefits from determining the best triage strategy. Different organizations necessarily use different prioritization strategies. For example, your triage process may be data-driven, centered on data repositories protected by security controls such as data loss prevention; alerts tied to those repositories may receive different priorities in the triage process. Similarly, most organizations use a threat-driven approach to alert prioritization and triage. Threat intelligence provides the spectrum of tactics, techniques, and procedures that cyber attackers might use, and these can be mapped to alerts to greatly assist with the triage and escalation process. Finally, organizations can also use an asset-based approach to prioritization of alerts and subsequent triage. Certain assets may require more protection than others. For example, a robotic surgery platform used in actual patient surgery might require the highest levels of security and oversight. Therefore, alerts for such assets might escalate faster, at higher priority levels, as part of the alert triage process.
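The following added example (not from the original page) combines the asset-based, threat-driven and data-driven strategies described above into one priority score, and discounts alerts from noisy SIEM rules. The asset names, weights, threshold and false-positive rates are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed lookup tables: every value below is an assumption for illustration.
ASSET_CRITICALITY = {"surgical-robot-01": 1.0, "hr-fileserver": 0.6, "guest-wifi-ap": 0.2}
TTP_SEVERITY = {"T1486": 1.0, "T1078": 0.7, "T1046": 0.3}  # MITRE ATT&CK technique IDs
WEIGHTS = {"asset": 0.4, "threat": 0.4, "data": 0.2}
ESCALATE_AT = 0.5  # score at or above this goes to the next tier
UNKNOWN = 0.5      # unlisted asset or technique: neither ignored nor treated as maximal


@dataclass
class Alert:
    alert_id: str
    asset: str
    technique: str
    dlp_protected: bool   # data-driven signal: source is a DLP-protected repository
    rule_fp_rate: float   # historical false-positive rate of the SIEM rule, 0..1


def score(alert: Alert) -> float:
    """Weighted sum of the three strategies, discounted for rule noise."""
    raw = (WEIGHTS["asset"] * ASSET_CRITICALITY.get(alert.asset, UNKNOWN)
           + WEIGHTS["threat"] * TTP_SEVERITY.get(alert.technique, UNKNOWN)
           + WEIGHTS["data"] * (1.0 if alert.dlp_protected else 0.0))
    # A noisy rule halves the score at most, so it can never hide an alert entirely.
    fp = min(max(alert.rule_fp_rate, 0.0), 1.0)
    return round(raw * (1.0 - 0.5 * fp), 3)


def triage(alerts):
    """Return (alert_id, score, escalate) tuples, highest priority first."""
    ranked = sorted(alerts, key=score, reverse=True)
    return [(a.alert_id, score(a), score(a) >= ESCALATE_AT) for a in ranked]


# Constructed sample alerts; "T9999" is a made-up ID standing in for an unmapped technique.
SAMPLE_ALERTS = [
    Alert("A-1", "guest-wifi-ap", "T1046", False, 0.9),
    Alert("A-2", "surgical-robot-01", "T1078", False, 0.2),
    Alert("A-3", "hr-fileserver", "T1486", True, 0.1),
    Alert("A-4", "unlisted-host", "T9999", False, 0.0),
]

if __name__ == "__main__":
    for alert_id, s, escalate in triage(SAMPLE_ALERTS):
        print(alert_id, s, "ESCALATE" if escalate else "queue")
```

The unlisted host lands below the escalation threshold but well above the noisy low-value alert, so gaps in the asset inventory surface in the queue instead of being silently dropped.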

Incident response to alerts 

Most organizations have a well-organized playbook that outlines incident response after detection, triage, and escalation of alerts. After escalation, the next steps include containment, remediation, recovery, and then future assessment:

  • Detection. Anomalous or malicious behavior must be identified and flagged immediately. Once detected, it is vital to know the type of alert, its potential severity, and other potential impacts (compliance).
  • Containment. Containment aims to stop the breach, spread of malware, and malicious command and control software as quickly as possible by shutting down applications and systems and disconnecting the impacted areas from networks.
  • Remediation. Now that systems are isolated, you can identify and remove malicious code and artifacts from your systems. You will need to repair and, in some cases, completely rebuild system servers and endpoints. Backup systems will be used and need to be rechecked before resuming normal operations.
  • Recovery. Once the threat has been eliminated, the goal is to resume normal organizational operations as soon as possible.
  • Assessment. Your team will want to document everything carefully. You will need to understand how to prevent this sort of attack in the future and determine the changes to your cybersecurity strategy, security controls, and processes necessary to address these risks.
