# Triaging Alerts

#### **SOC Analyst Guide: Mastering Alert Triage**

This guide provides a step-by-step process for effectively triaging and investigating security alerts.

***

**1. First Steps: Accessing & Filtering the Dashboard**

Your primary view is the **Security Detections** dashboard. Before you start, ensure you are looking at the correct data.

* **Set Your Scope:** Use the **Header Controls** at the very top to filter the view.

  * **MSP/Tenant Filter:** If searching for a single tenant or an MSP, ensure the filter is set (e.g., `tenant: chsoc`). This prevents you from seeing irrelevant alerts.

  * **Time Filter:** Set an appropriate time frame (e.g., Last 24 hours, Last 7 days), or an absolute time to focus on the desired activity.
* **Search for Specific Alerts:** Need to find an alert containing a specific message?

  * Use the **Search Bar** with Lucene syntax.
  * **Example:** To find alerts whose message mentions "365":

    * `td.alert.message:*365*`
  * **More complex example:** To find connections from John (by user name and source IP) to a certain service:

    * `user.name:john AND source.ip:2.2.2.2 AND destination.port:(445 OR 446)`
* *Tip: Use asterisks (`*`) as wildcards and `AND` to connect keywords.*
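As an added illustration (not code from this guide or the CybrHawk platform), the following Python evaluator shows how the dashboard's Lucene-style query syntax is read: `field:value` terms, `*` wildcards, `AND` binding tighter than `OR`, and the `field:(a OR b)` group from the example above, run against a few constructed alert records. It implements only this small subset of Lucene, not the dashboard's real search engine.

```python
import fnmatch
import re

# Constructed sample alerts for this demo, not records from the real dashboard.
ALERTS = [
    {"td.alert.message": "Suspicious Office 365 sign-in", "user.name": "john", "source.ip": "2.2.2.2", "destination.port": 445},
    {"td.alert.message": "SMB share enumeration", "user.name": "john", "source.ip": "2.2.2.2", "destination.port": 446},
    {"td.alert.message": "Password spray on 365 tenant", "user.name": "john", "source.ip": "9.9.9.9", "destination.port": 443},
]
_TOKEN = re.compile(r"\(|\)|[^\s()]+")  # parentheses, AND/OR, and field:value terms

def _term_matches(alert, field, pattern):
    """One field:value term; '*' and '?' are Lucene wildcards, compared case-insensitively."""
    return fnmatch.fnmatchcase(str(alert.get(field, "")).lower(), pattern.lower())

class _Query:
    """Evaluator for the query subset used in this guide (AND binds tighter than OR, as in Lucene):
    or_expr := and_expr ('OR' and_expr)*   and_expr := atom ('AND' atom)*
    atom := field:value | field:(value OR value ...)"""
    def __init__(self, query, alert):
        self.toks, self.pos, self.alert = _TOKEN.findall(query), 0, alert
    def _next(self, consume=True):
        tok = self.toks[self.pos] if self.pos < len(self.toks) else None
        self.pos += consume
        return tok
    def or_expr(self):
        result = self.and_expr()
        while self._next(False) == "OR":
            self._next()
            result = self.and_expr() or result  # right side is always evaluated so parsing advances
        return result
    def and_expr(self):
        result = self.atom()
        while self._next(False) == "AND":
            self._next()
            result = self.atom() and result
        return result
    def atom(self):
        field, _, value = self._next().partition(":")
        if value:  # plain field:value term
            return _term_matches(self.alert, field, value)
        matched, _ = False, self._next()  # 'field:' followed by a '(' group of alternatives
        while (tok := self._next()) not in (")", None):
            if tok not in ("OR", "AND"):
                matched = matched or _term_matches(self.alert, field, tok)
        return matched

def search(query, alerts=ALERTS):
    """Return the alerts that satisfy a Lucene-style query string."""
    return [a for a in alerts if _Query(query, a).or_expr()]
```

Note that operators must be written explicitly (`AND`/`OR`) for this evaluator; real Lucene also accepts bare terms with a default operator.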

***

**2. Prioritize: The "Security Detections by Severity" Table**

Don't get overwhelmed. Always start here to focus on the most critical threats.

* **Location:** The main table on the dashboard's top-left.
* **Action:** Review the list of alerts sorted by **Severity** (highest to lowest). Alerts with a severity of **15 are critical**.
* **Click on the Alert Name** (e.g., "Dark Web Leaks with Plain Text Password") to select it for investigation.

***

**3. Triage & Initial Investigation**

Once you've selected an alert, it's time to take ownership and gather context.

**A. Take Ownership:**

* Click **Start Triage**. This changes the alert's status to "Triaged," officially assigning it to you and telling the team you're handling it.

**B. Gather Context - Get the "Full Picture":**

1. **Check the Alert Feed:** The expanded view shows key details: time, source, target, and the **MITRE ATT&CK technique** mapped to the activity.
2. **Review Top Indicators:** Look at the "Top Indicators" widget for related IOCs (IPs, hashes, domains).
3. **Consult the AI Assistant (Avesa):**
   * Click **AI Assistant**. Avesa analyzes historical data to provide insights, potential causes, and recommended next steps. Use it to guide your initial approach.

**C. Quick Actions (Interaction Menu):** Based on your initial assessment, you can:

* **Whitelist:** If it's a confirmed false positive. *Requires knowledge of **Lucene syntax**.*
* **Escalate:** If it's a severe, true positive. *You must provide a recipient email and a clear reason.*
* **Notify:** Send details to relevant stakeholders.

***

**4. Deep Dive Investigation**

If the alert is complex and requires more info, use these powerful tools:

* **For ANY Alert: Use `Hunt`**
  * This is your most important tool. Clicking **Hunt** opens a new dashboard pre-filtered for your specific alert, allowing you to search for related events and "follow the breadcrumbs" to see the full scope of the activity.
* **For Process-Related Alerts: Use `Process Tree`**
  * If the alert involves a Windows or Linux process, use this to visualize the entire execution chain (parent and child processes) to find the root cause.
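Added example (not the platform's own code) of what the Process Tree view does behind the scenes: from constructed process events with `pid`/`ppid` fields (assumed names), it reconstructs the execution chain leading to the alerted process and renders the whole tree, so the outermost ancestor, the likely root cause, is visible at a glance.

```python
from collections import defaultdict

# Constructed sample process events, not data from the real Process Tree view.
EVENTS = [
    {"pid": 100, "ppid": 1,   "name": "explorer.exe"},
    {"pid": 200, "ppid": 100, "name": "outlook.exe"},
    {"pid": 300, "ppid": 200, "name": "winword.exe"},
    {"pid": 400, "ppid": 300, "name": "powershell.exe"},
    {"pid": 500, "ppid": 400, "name": "whoami.exe"},   # the process the alert fired on
    {"pid": 600, "ppid": 100, "name": "chrome.exe"},
]

def build_tree(events):
    """Index events by pid and map each parent pid to its child pids."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])
    return by_pid, children

def ancestry(events, pid):
    """Execution chain from the outermost known ancestor down to pid (parent -> child order)."""
    by_pid, _ = build_tree(events)
    chain = []
    while pid in by_pid:                 # stops at a ppid with no recorded event
        chain.append(by_pid[pid]["name"])
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))

def render(events, root_pid, depth=0):
    """Indented text lines for the subtree rooted at root_pid, children under their parent."""
    by_pid, children = build_tree(events)
    lines = ["  " * depth + f"{by_pid[root_pid]['name']} (pid {root_pid})"]
    for child in children[root_pid]:
        lines.extend(render(events, child, depth + 1))
    return lines

if __name__ == "__main__":
    print(" -> ".join(ancestry(EVENTS, 500)))
    print("\n".join(render(EVENTS, 100)))
```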

***

**5. Finalize: Document & Collaborate**

**Documentation is not optional; it's critical for the team.**

* **Update the Alert:** Always click **Update** after your investigation.
  * **Add Notes:** Record what you found and what you did (e.g., "False positive: approved software update").
  * **Set the Status:** Accurately reflect the outcome (`Resolved`, `Escalated`, `Pending`).
* **Collaborate with Your Team:**
  * Use **SecOps Chat** to discuss complex alerts with colleagues and strategize your response.

***
