Security Event Triage

  1. The Triage Workflow
    1. Stage 1: Alert Ingestion and Aggregation
      1. Centralized Logging
        1. Log Collection Methods
        2. Log Normalization
      2. Alert Queues
        1. Queue Management
        2. Prioritization in Queues
      3. Automated Data Collection
        1. Integration with Security Tools
        2. Data Parsing and Enrichment
    2. Stage 2: Initial Assessment
      1. Quick Review of Alert Details
        1. Reviewing Alert Metadata
        2. Identifying Alert Source
      2. Identifying Key Data Points
        1. Source and Destination Information
        2. Timestamps and Event Sequence
      3. Initial Hypothesis Formation
        1. Assessing Potential Threat
        2. Determining Next Steps
    3. Stage 3: Data Enrichment and Contextualization
      1. Gathering Additional Information
        1. Querying Additional Logs
        2. Requesting Context from Stakeholders
      2. Internal Context
        1. Asset Criticality
          1. Business Function of Asset
          2. Asset Owner Identification
        2. User Roles and Permissions
          1. Privileged vs. Standard Accounts
          2. Recent Role Changes
        3. Network Topology
          1. Network Segmentation
          2. Asset Location in Network
      3. External Context
        1. Threat Intelligence Feeds
          1. Real-Time Threat Data
          2. Historical Threat Data
        2. Geolocation Data
          1. IP Geolocation
          2. Country and Region Analysis
        3. Reputation Services
          1. IP Reputation
          2. Domain Reputation
          3. Hash Reputation
          4. Blacklists and Whitelists
          5. Reputation Scoring
    4. Stage 4: Analysis and Verification
      1. Identifying Malicious Patterns
        1. Signature-Based Detection
        2. Behavioral Analysis
      2. Differentiating from Benign Activity
        1. Baseline Behavior Comparison
        2. False Positive Identification
    5. Stage 5: Categorization and Disposition
      1. True Positive
        1. Confirmed Malicious Activity
        2. Criteria for Confirmation
      2. False Positive
        1. Benign Triggers
        2. Documentation of False Positives
      3. Benign True Positive
        1. Authorized but Suspicious Activity
        2. Business Justification Review
      4. Informational
        1. Non-Actionable Alerts
        2. Logging for Reference
    6. Stage 6: Prioritization
      1. Assigning Severity Levels
        1. Severity Criteria
        2. Impact vs. Likelihood Assessment
      2. Assessing Potential Impact
        1. Data Sensitivity
        2. Business Process Disruption
      3. Determining Urgency
        1. Time Sensitivity
        2. Ongoing vs. Past Events
    7. Stage 7: Escalation and Documentation
      1. Creating Incident Tickets
        1. Ticket Creation Standards
        2. Required Information Fields
      2. Summarizing Findings
        1. Executive Summaries
        2. Technical Summaries
      3. Handoff to Incident Response Team
        1. Escalation Triggers
        2. Communication Protocols
      4. Closing Non-Critical Alerts
        1. Closure Criteria
        2. Documentation of Closure