Explain Alert

Break down security alerts step-by-step to understand what triggered them, assess their threat level, and determine the right investigation path. Perfect for junior analysts or when dealing with unfamiliar alert types.

⚡ Takes ~2–3 minutes 📊 Output: Summary + IOCs 🔒 No login required

No setup needed — just paste and run

  • Unfamiliar alert type received
  • Junior analyst needs alert context
  • Quick alert explanation needed
1. Alert Deconstruction

You are a senior SOC analyst explaining a security alert to a junior analyst. Assume an enterprise environment unless I specify otherwise. Paste up to 50 log lines or one complete alert. If more data exists, focus on the first alert only.

Break it down as follows:
1. What system or tool generated this alert?
2. What specific behavior triggered it?
3. List the most important fields and explain each in plain language.
4. What was the affected system doing at the time?
5. Is this alert type commonly a false positive, or is it high-signal and rare?

Output format:

ALERT OVERVIEW
- Source Tool:
- Alert Name / Event Type:
- Key Trigger Behavior:

KEY FIELDS EXPLAINED
| Field | Value | What It Means | Why It Matters |

Do not guess values. Only use what is present in the alert provided. If a field is missing, note it as "Not provided."

[PASTE YOUR ALERT OR LOG ENTRY HERE]
2. Threat Context

Based on the alert from Step 1, determine the potential attacker objective. First, analyze the behavior pattern in the alert before producing findings. Then identify whether this behavior could relate to:
- Initial Access
- Credential Access
- Privilege Escalation
- Lateral Movement
- Persistence
- Command and Control
- Exfiltration

For each relevant tactic:
- Explain which specific field or behavior supports this possibility
- Rate likelihood: High / Medium / Low

Then list the top 3 legitimate false positive scenarios that could produce the exact same alert.

If no clear threat context exists, state: "Insufficient data to determine threat context."
If no MITRE mapping is confident, state: "No confident MITRE mapping for this alert."
3. Investigation Checklist

Generate a targeted investigation checklist for this specific alert. For each item provide:
- Exact log source to check (e.g. Windows Security Event Log)
- Specific event IDs or field values to look for (e.g. Event ID 4625 — failed logon)
- What a malicious result looks like vs a benign result

Also provide:
- 2-3 SIEM queries for the tool that generated this alert (use realistic field names; mark uncertain fields as [field_name]; if unsure, provide pseudocode)
- Other systems or users that may be affected
- IOCs to hunt across the environment

⚠️ Mark the top 2 investigation steps as HIGH PRIORITY.

Base everything on the actual alert data. Do not give generic SOC advice.
4. SOC Ticket Summary

Write a professional SOC ticket summary based on all previous analysis. Include:
- What the alert detected (one sentence)
- Whether it appears malicious, suspicious, or benign, and why
- The key evidence supporting that conclusion
- Recommended next action and who owns it

Length: 3-4 sentences maximum.
Format: suitable for pasting directly into a SIEM ticket or case management system.

Severity: Critical / High / Medium / Low / Informational
Disposition: True Positive / False Positive / Needs Investigation

IOCS
| IOC Type | Value | Context |

If no IOCs are identified, state: "No IOCs identified."
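The four prompts above describe work a script can do deterministically for the parts that need no judgement: building the Step 1 key-field table without guessing (missing fields become "Not provided."), producing the Step 4 IOC table only from fields that exist, and doing the Step 3 hunt for other hosts and users touched by those IOCs. The following Python is an added example written for this page; it is not code from the page's own tool. The alert record, the log-line layout (`host=`, `user=`, `event=`, `image=`), the field notes and every log line are constructed assumptions, not any vendor's schema.

```python
"""Added example: deterministic helpers mirroring Steps 1, 3 and 4 of the workflow.

The alert dict, the key=value log layout and all log lines below are constructed
for illustration; they are not the schema of any real SIEM or EDR product.
"""
import re

NOT_PROVIDED = "Not provided."  # wording the Step 1 prompt requires for absent fields
KEY_FIELDS = ["Host", "User", "Process", "Target", "Time"]

# Plain-language "What It Means" / "Why It Matters" text for each key field (assumed).
FIELD_NOTES = {
    "Host":    ("Affected hostname",             "Endpoint to isolate and examine"),
    "User":    ("Account logged in at the time", "Whose credentials may be exposed"),
    "Process": ("Executable that acted",         "Identifies the tool behind the behavior"),
    "Target":  ("Process or object acted upon",  "Shows what the tool was after"),
    "Time":    ("When the activity occurred",    "Anchor for timeline correlation"),
}

# Constructed alert modelled on the page's Defender-style example output.
# "Time" is deliberately absent to exercise the "Not provided." rule.
SAMPLE_ALERT = {
    "Source Tool": "Microsoft Defender for Endpoint",
    "Alert Name": "Possible credential dumping detected (LSASS memory access)",
    "Host": "DESKTOP-7F3K2",
    "User": "john.smith",
    "Process": "mimikatz.exe",
    "Target": "lsass.exe",
}

# Constructed log lines in an assumed key=value layout; not real telemetry.
SAMPLE_LOGS = """\
2024-01-15T13:05:44Z host=DESKTOP-7F3K2 user=svc_backup event=Logon image=-
2024-01-15T14:20:01Z host=DESKTOP-7F3K2 user=john.smith event=ProcessCreate image=outlook.exe
2024-01-15T14:32:07Z host=DESKTOP-7F3K2 user=john.smith event=ProcessAccess image=mimikatz.exe
2024-01-15T14:40:12Z host=FILESRV-01 user=john.smith event=Logon image=-
2024-01-15T14:41:30Z host=FILESRV-01 user=john.smith event=ProcessCreate image=mimikatz.exe
2024-01-15T15:02:09Z host=LAPTOP-9Q1 user=amy.chen event=ProcessCreate image=chrome.exe
""".splitlines()

LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
                    r"event=(?P<event>\S+) image=(?P<image>\S+)$")


def key_field_rows(alert):
    """Step 1: one row per key field, using only values present in the alert."""
    rows = []
    for name in KEY_FIELDS:
        value = alert.get(name) or NOT_PROVIDED
        meaning, why = FIELD_NOTES[name]
        rows.append((name, value, meaning, why))
    return rows


def render_table(headers, rows):
    """Render rows in the pipe-delimited table layout the prompts ask for."""
    lines = ["| " + " | ".join(headers) + " |",
             "|" + "|".join("-" * (len(h) + 2) for h in headers) + "|"]
    lines += ["| " + " | ".join(str(c) for c in row) + " |" for row in rows]
    return "\n".join(lines)


def extract_iocs(alert):
    """Step 4: (type, value, context) rows built only from fields that exist."""
    host = alert.get("Host")
    iocs = []
    if alert.get("Process"):
        iocs.append(("Filename", alert["Process"],
                     f"Executable that triggered the alert on {host or 'unknown host'}"))
    if host:
        iocs.append(("Compromised Host", host, "Endpoint requiring forensic analysis"))
    if alert.get("User"):
        iocs.append(("Compromised Account", alert["User"], "Credentials possibly exposed"))
    if alert.get("Target"):
        iocs.append(("Target Process", alert["Target"], "Object the suspicious process accessed"))
    return iocs


def hunt_blast_radius(alert, log_lines):
    """Step 3: other hosts and users that may be affected, judged from the IOCs.

    tool_on_other_hosts: hosts other than the alert host where the same executable ran
    user_on_other_hosts: hosts other than the alert host where the alert user logged on
    other_users_on_host: accounts seen on the alert host (their secrets may be in LSASS too)
    Lines that do not match the expected layout are skipped, never guessed at.
    """
    host, user, proc = alert.get("Host"), alert.get("User"), alert.get("Process")
    out = {"tool_on_other_hosts": set(), "user_on_other_hosts": set(), "other_users_on_host": set()}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        if proc and e["image"].lower() == proc.lower() and e["host"] != host:
            out["tool_on_other_hosts"].add(e["host"])
        if user and e["user"] == user and e["event"] == "Logon" and e["host"] != host:
            out["user_on_other_hosts"].add(e["host"])
        if host and e["host"] == host and e["user"] != user:
            out["other_users_on_host"].add(e["user"])
    return out


if __name__ == "__main__":
    print("KEY FIELDS EXPLAINED")
    print(render_table(["Field", "Value", "What It Means", "Why It Matters"],
                       key_field_rows(SAMPLE_ALERT)))
    print("\nIOCS")
    print(render_table(["IOC Type", "Value", "Context"], extract_iocs(SAMPLE_ALERT)))
    print("\nBLAST RADIUS:", hunt_blast_radius(SAMPLE_ALERT, SAMPLE_LOGS))
```

On the constructed logs, the hunt reports FILESRV-01 both as a host where the same executable later ran and as a host the alert user logged on to after the event, and svc_backup as another account whose secrets were on the alert host, which is exactly the "other systems or users" list the Step 3 prompt asks for. Only the `hunt_blast_radius` output depends on the assumed log layout; the two tables depend solely on what the alert contains.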

Example Output

Here's what you can expect after completing this workflow:

ALERT OVERVIEW
===============
Source Tool: Microsoft Defender for Endpoint
Alert Name: Possible credential dumping detected (LSASS memory access)
Key Trigger Behavior: Mimikatz.exe accessed the memory space of lsass.exe (Local Security Authority Subsystem Service)

KEY FIELDS EXPLAINED
=====================
| Field | Value | What It Means | Why It Matters |
|-------|-------|---------------|----------------|
| Host | DESKTOP-7F3K2 | Affected workstation hostname | Identifies the compromised endpoint for isolation and forensics |
| User | john.smith | Account logged in at time of event | Indicates whose credentials may be compromised |
| Process | mimikatz.exe | Executable that performed the action | Well-known credential theft tool, strong indicator of malicious intent |
| Target | lsass.exe | System process that was accessed | LSASS stores credentials in memory; accessing it is a hallmark of credential dumping |
| Time | 2024-01-15 14:32:07 UTC | When the activity occurred | Timeline for correlation with other events |

THREAT CONTEXT
===============
Primary Tactic: Credential Access (High Likelihood)
- Mimikatz is explicitly designed to dump credentials from LSASS memory
- This is textbook T1003.001 - OS Credential Dumping: LSASS Memory
- No legitimate business software should access LSASS in this manner

SOC TICKET SUMMARY
===================
Severity: CRITICAL
Disposition: True Positive - Malicious Activity Confirmed
Alert: Microsoft Defender detected mimikatz.exe accessing LSASS memory on DESKTOP-7F3K2 under user account john.smith at 14:32:07 UTC on 2024-01-15. This is a known credential dumping attack with extremely high confidence. DESKTOP-7F3K2 has been isolated from the network. Immediate actions: reset password for john.smith and all users who logged into this workstation in the past 7 days, hunt for lateral movement using dumped credentials, and perform full forensic analysis of DESKTOP-7F3K2.

IOCS IDENTIFIED
================
| IOC Type | Value | Context |
|----------|-------|---------|
| Filename | mimikatz.exe | Credential theft tool executed on DESKTOP-7F3K2 |
| Compromised Host | DESKTOP-7F3K2 | Endpoint requiring forensic analysis and reimaging |
| Compromised Account | john.smith | Account credentials potentially stolen, requires password reset |
| Target Process | lsass.exe | Memory dumping target |

Generate SOC Investigation Summary

Populate a ready-to-paste investigation report for your ticket or incident log.
