Knowledge Base

Security Alert Intake and Initial Triage

Turn an alert into a reliable evidence question before calling it an incident.

Why intake matters

Detection rules, EDR, SIEM correlation, cloud and identity alerts, user reports, vendor notices, and threat-intelligence notifications are inputs to investigation. An alert describes observed or inferred activity; it is not automatically a finding, confirmed compromise, or incident. Intake preserves the original signal and records what must be checked next.

Minimum alert record

  • Source, rule or notification name, time observed, and time received.
  • Asset, identity, application, network location, service owner, and business context.
  • Relevant event identifiers, source links, confidence, and evidence location.
  • Known activity status, initial hypothesis, assigned analyst, and review time.

Initial triage workflow

  1. Describe what happened without interpreting it too early. Capture the alert, timestamps, entity, and source reliability.
  2. Check whether the behavior is expected: approved change, scheduled task, known administrator activity, test environment, or prior case.
  3. Preserve volatile evidence that could roll over, including relevant logs, EDR context, identity events, and cloud audit records where available.
  4. Assess whether activity is ongoing, which owner must respond, and whether immediate harm or a critical service is involved.
  5. Escalate with known facts, assumptions, evidence gaps, and the next action. Severity describes potential impact; priority also includes evidence strength, ongoing activity, and business context.

False positives and escalation

A false-positive hypothesis should be tested and documented, not assumed because an alert is inconvenient. Escalate when evidence suggests active harm, a sensitive asset or identity is involved, scope may expand quickly, required evidence is volatile, or ownership and containment decisions cannot wait. Do not claim compromise without supporting local evidence.

Fictional example

An identity alert shows a new session from an unusual location. Triage records the account, sign-in time, device, conditional-access result, and recent credential changes. The analyst asks the owner about travel and preserves sign-in events before deciding whether the activity is expected, suspicious, or requires containment.