triaging-security-incident

# Triaging Security Incidents ## When to Use - A SIEM or EDR alert fires and requires human classification before escalation - Multiple concurrent alerts arrive and the SOC must prioritize response order - An end user reports suspicious activity and the incident needs initial categorization - A threat intelligence feed matches an IOC observed in the environment **Do not use** for routine vulnerability scanning results or compliance audit findings that do not represent active security incidents. ## Prerequisites - Access to SIEM platform (Splunk, Elastic, Microsoft Sentinel) with current alert data - Incident classification taxonomy aligned to NIST SP 800-61r3 categories - Predefined severity matrix mapping asset criticality to threat type - Contact roster for escalation paths (Tier 1 through Tier 3 and CIRT) - Asset inventory with business criticality ratings ## Workflow ### Step 1: Collect Initial Alert Data Gather all available context from the triggering alert before making classification decisions: - **Alert source**: Which detection system generated the alert (EDR, SIEM, IDS/IPS, firewall, user report) - **Timestamp**: When the event occurred and when it was detected (dwell time gap) - **Affected assets**: Hostnames, IP addresses, user accounts involved - **Alert fidelity**: Historical true-positive rate for this detection rule - **Raw evidence**: Log entries, packet captures, process execution chains ``` Example SIEM alert context: Source: CrowdStrike Fa...