SOC Alert Triage
Alert triage is the foundation of SOC work. The first response to any alert is to triage it: analyze that specific alert to determine its severity, which in turn helps us prioritize it. Alert triage is all about answering the 5 Ws. What are these 5 Ws?
Scenario: Alert - Malware detected on Host: Kudzanai's PC
- What? : A malicious file was detected on one of the hosts inside the organization’s network.
- When? : The file was detected at 13:24 on October 31, 2024.
- Where?: The file was detected in a directory on the host "Kudzanai's PC".
- Who? : The file was detected for the user Kudzanai.
- Why? : The investigation found that the file had been downloaded from a website selling pirated software. Speaking with the user revealed that they downloaded the file because they wanted to use a piece of software for free.
Alert Investigation
When monitoring a SIEM, analysts spend most of their time on dashboards, as these display the key details about the network in a highly summarized form. Once an alert is triggered, the events/flows associated with the alert are examined, and the rule is checked to see which of its conditions were met. Based on this investigation, the analyst determines whether the alert is a true or false positive. Some of the actions performed after the analysis are:
- The alert is a false alarm. It may require tuning the rule to prevent similar false positives from occurring again.
- The alert is a true positive. Perform further investigation.
- Contact the asset owner to inquire about the activity.
- Suspicious activity is confirmed. Isolate the infected host.
- Block the suspicious IP.
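The following is an added example (not part of the original page) that ties the 5 Ws triage to the investigation flow above: it evaluates a hypothetical correlation rule against constructed sample events for the scenario, answers the 5 Ws from the matching event, and returns the follow-up actions (tune rule, contact owner, isolate host, block the source IP). The event fields, the rule format, the allowlist and the IP/URL values are all assumptions for illustration.

```python
# Constructed sample events matching the page's scenario (not real telemetry).
EVENTS = [
    {"ts": "2024-10-31T13:21:10", "host": "Kudzanai's PC", "user": "Kudzanai",
     "type": "web_download", "url": "http://pirated-software.example/setup.exe",
     "dst_ip": "203.0.113.45", "path": "C:\\Users\\Kudzanai\\Downloads\\setup.exe"},
    {"ts": "2024-10-31T13:24:00", "host": "Kudzanai's PC", "user": "Kudzanai",
     "type": "av_detection", "verdict": "malicious",
     "path": "C:\\Users\\Kudzanai\\Downloads\\setup.exe"},
]

# Hypothetical correlation rule: every key/value pair must appear in one event.
RULE = {"name": "Malware detected on host",
        "conditions": {"type": "av_detection", "verdict": "malicious"}}

# Paths tuned out after earlier false alarms (hypothetical allowlist).
KNOWN_BENIGN_PATHS = {"C:\\Program Files\\VendorTool\\updater.exe"}


def matched_conditions(rule, event):
    """Return the subset of the rule's conditions that this event satisfies."""
    return {k for k, v in rule["conditions"].items() if event.get(k) == v}


def triage(rule, events):
    """Evaluate the rule, answer the 5 Ws and decide the follow-up actions."""
    hits = [e for e in events if matched_conditions(rule, e) == set(rule["conditions"])]
    if not hits:
        return {"disposition": "no_match", "actions": ["tune rule"]}
    hit = hits[0]
    # False alarm: the flagged path was already tuned out as known-benign.
    if hit.get("path") in KNOWN_BENIGN_PATHS:
        return {"disposition": "false_positive", "actions": ["tune rule"]}
    # Correlate the download of the same file on the same host before the detection.
    downloads = [e for e in events if e["type"] == "web_download"
                 and e["host"] == hit["host"] and e.get("path") == hit.get("path")
                 and e["ts"] <= hit["ts"]]
    five_ws = {
        "what": f"{hit['verdict']} file {hit['path']}",
        "when": hit["ts"],
        "where": hit["host"],
        "who": hit["user"],
        "why": (f"downloaded from {downloads[0]['url']}" if downloads
                else "origin unknown"),
    }
    actions = ["contact asset owner", "isolate host"]
    # Block the download source only when the events actually identify it.
    if downloads:
        actions.append(f"block {downloads[0]['dst_ip']}")
    else:
        actions.append("further investigation: locate file origin")
    return {"disposition": "true_positive", "five_ws": five_ws, "actions": actions}
```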