Security Event Triage
Key Data Sources for Triage
Network-Based Sources
Intrusion Detection/Prevention Systems (IDS/IPS)
Signature-Based Alerts
Anomaly-Based Alerts
Firewall Logs
Allow and Deny Events
Rule Matching
Web Application Firewall (WAF) Logs
Application Layer Attacks
Blocked Requests
NetFlow and Packet Captures (PCAP)
Flow Analysis
Deep Packet Inspection
DNS Logs
Domain Lookup Patterns
Suspicious Domain Detection
Proxy Logs
Web Access Patterns
Blocked URL Attempts
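The network sources above feed triage as raw log lines, so the first job is to parse them and apply a check the analyst would otherwise do by eye. The following is an added example, not part of the original page: it parses constructed firewall and DNS log lines in a generic key=value layout (not the format of any particular product), flags a source whose deny events span many destination ports (a scan), and flags DNS lookups that either match a constructed domain block list standing in for an IOC feed or have a long, high-entropy label of the kind domain-generation algorithms produce. The thresholds (five ports, 3.5 bits of entropy, label length 12) are assumptions for the example.

```python
import math
import re
from collections import defaultdict

# Constructed firewall log lines in a generic key=value style (not the format of any specific product).
FIREWALL_LOG = """\
2024-05-01T10:00:01Z action=deny src=203.0.113.7 dst=10.0.0.5 proto=tcp dport=22
2024-05-01T10:00:01Z action=deny src=203.0.113.7 dst=10.0.0.5 proto=tcp dport=23
2024-05-01T10:00:02Z action=deny src=203.0.113.7 dst=10.0.0.5 proto=tcp dport=80
2024-05-01T10:00:02Z action=deny src=203.0.113.7 dst=10.0.0.5 proto=tcp dport=443
2024-05-01T10:00:03Z action=deny src=203.0.113.7 dst=10.0.0.5 proto=tcp dport=445
2024-05-01T10:00:03Z action=deny src=203.0.113.7 dst=10.0.0.5 proto=tcp dport=3389
2024-05-01T10:00:05Z action=allow src=198.51.100.2 dst=10.0.0.5 proto=tcp dport=443
2024-05-01T10:00:06Z action=deny src=198.51.100.9 dst=10.0.0.5 proto=tcp dport=25
"""

# Constructed DNS resolver query log in the same style.
DNS_LOG = """\
2024-05-01T10:01:00Z client=10.0.0.5 query=www.example.com type=A
2024-05-01T10:01:02Z client=10.0.0.5 query=evil-c2.test type=A
2024-05-01T10:01:05Z client=10.0.0.8 query=q7x3kd9mzp2vw8hn.net type=A
"""

# Constructed block list standing in for domain IOCs pulled from a threat-intel feed.
DOMAIN_BLOCKLIST = {"evil-c2.test"}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_kv_line(line):
    """Turn '<timestamp> k=v k=v ...' into a dict; the timestamp is stored under 'ts'."""
    ts, _, rest = line.partition(" ")
    event = {"ts": ts}
    event.update(KV_RE.findall(rest))
    return event


def parse_log(text):
    return [parse_kv_line(line) for line in text.splitlines() if line.strip()]


def detect_port_scans(events, min_ports=5):
    """Return the source IPs whose denied connections hit at least min_ports distinct destination ports.

    A burst of denies from one source across many ports is the classic firewall-log
    signature of a scan; a single deny (198.51.100.9 above) is noise and stays out.
    """
    ports_by_src = defaultdict(set)
    for e in events:
        if e.get("action") == "deny":
            ports_by_src[e["src"]].add(e["dport"])
    return {src for src, ports in ports_by_src.items() if len(ports) >= min_ports}


def shannon_entropy(s):
    """Bits of entropy per character of s (0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def flag_suspicious_domains(events, blocklist=DOMAIN_BLOCKLIST, entropy_threshold=3.5, min_label_len=12):
    """Return (client, domain, reason) for lookups that match the block list or look machine-generated.

    Entropy is measured on the longest label below the TLD: DGA-style names put their
    randomness there, while 'example' in www.example.com scores about 2.5 bits.
    """
    findings = []
    for e in events:
        domain = e["query"].lower().rstrip(".")
        if domain in blocklist:
            findings.append((e["client"], domain, "blocklist"))
            continue
        labels = domain.split(".")[:-1]
        longest = max(labels, key=len, default="")
        if len(longest) >= min_label_len and shannon_entropy(longest) >= entropy_threshold:
            findings.append((e["client"], domain, "high-entropy label"))
    return findings


if __name__ == "__main__":
    print("port scans:", detect_port_scans(parse_log(FIREWALL_LOG)))
    for finding in flag_suspicious_domains(parse_log(DNS_LOG)):
        print("suspicious DNS:", finding)
```

The entropy check is a heuristic, not a verdict: legitimate CDN and cloud hostnames also carry long random-looking labels, so in practice its hits are ranked below a block-list match and confirmed against proxy or NetFlow records showing what the client did after the lookup.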
Host-Based Sources
Endpoint Detection and Response (EDR)
Process Monitoring
File Integrity Monitoring
Antivirus/Antimalware Alerts
Malware Detection Events
Quarantine Actions
Host-based Intrusion Detection Systems (HIDS)
File and Registry Monitoring
Policy Violation Detection
Operating System Logs
Windows Event Logs
Security Events
System Events
Application Events
Linux Syslog
Authentication Logs
System Activity Logs
Kernel Messages
Application Logs
Web Server Logs
Database Logs
Custom Application Logs
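Authentication events arrive in different shapes from Linux syslog (sshd lines) and the Windows Security log (event ID 4625 for a failed logon, 4624 for a success), and triage gets easier once both are normalised to one record type. The following is an added example, not from the original page: it parses a constructed auth log excerpt and constructed Windows records as a SIEM export might present them, normalises both, and flags any success preceded by three or more failures from the same source address. The sample data, the hostnames and the threshold of three failures are assumptions for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed Linux auth log excerpt (sshd messages in standard syslog layout).
LINUX_AUTH_LOG = """\
May  1 10:02:01 web01 sshd[1234]: Failed password for root from 203.0.113.7 port 51000 ssh2
May  1 10:02:03 web01 sshd[1235]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
May  1 10:02:04 web01 sshd[1236]: Failed password for invalid user ubuntu from 203.0.113.7 port 51004 ssh2
May  1 10:02:09 web01 sshd[1237]: Accepted password for deploy from 203.0.113.7 port 51010 ssh2
May  1 10:03:00 web01 sshd[1240]: Accepted publickey for alice from 10.0.0.20 port 40000 ssh2
May  1 10:03:01 web01 systemd[1]: Started Session 12 of user alice.
"""

# Constructed Windows Security-log records as a SIEM would export them. Field names follow the
# Security log's own: EventID 4625 = failed logon, 4624 = successful logon, LogonType 10 = RDP.
WINDOWS_EVENTS = [
    {"EventID": 4625, "Computer": "DC01", "TargetUserName": "svc-backup", "IpAddress": "203.0.113.7", "LogonType": 3},
    {"EventID": 4625, "Computer": "DC01", "TargetUserName": "svc-backup", "IpAddress": "203.0.113.7", "LogonType": 3},
    {"EventID": 4625, "Computer": "DC01", "TargetUserName": "svc-backup", "IpAddress": "203.0.113.7", "LogonType": 3},
    {"EventID": 4688, "Computer": "DC01", "NewProcessName": "C:\\Windows\\System32\\whoami.exe"},
    {"EventID": 4624, "Computer": "DC01", "TargetUserName": "svc-backup", "IpAddress": "203.0.113.7", "LogonType": 10},
]


@dataclass
class AuthEvent:
    host: str
    user: str
    src_ip: str
    success: bool
    method: str


SSHD_RE = re.compile(
    r"^\S+\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s+sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_sshd(line):
    """AuthEvent for an sshd Accepted/Failed line, None for anything else (e.g. systemd noise)."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    return AuthEvent(m["host"], m["user"], m["ip"], m["result"] == "Accepted", "ssh-" + m["method"])


def from_windows(record):
    """AuthEvent for a 4624/4625 record, None for other event IDs."""
    eid = record["EventID"]
    if eid not in (4624, 4625):
        return None
    return AuthEvent(record["Computer"], record["TargetUserName"], record["IpAddress"],
                     eid == 4624, f"win-logon-type-{record['LogonType']}")


def brute_force_then_success(events, min_failures=3):
    """(src_ip, user, host, failures) for every success preceded by >= min_failures failures from that source.

    The counter is keyed on source IP rather than user because password sprays rotate the
    username; it resets on success so one hit does not keep firing on later normal logons.
    """
    failures = defaultdict(int)
    findings = []
    for e in events:
        if e.success:
            if failures[e.src_ip] >= min_failures:
                findings.append((e.src_ip, e.user, e.host, failures[e.src_ip]))
            failures[e.src_ip] = 0
        else:
            failures[e.src_ip] += 1
    return findings


def load_events():
    linux = [e for e in map(parse_sshd, LINUX_AUTH_LOG.splitlines()) if e]
    windows = [e for e in map(from_windows, WINDOWS_EVENTS) if e]
    return linux + windows


def triage():
    return brute_force_then_success(load_events())


if __name__ == "__main__":
    for src, user, host, n in triage():
        print(f"success after {n} failures: {src} -> {user}@{host}")
```

Keeping the method field (password versus publickey, Windows logon type) matters at the next step: a success by password from an address that just failed repeatedly is far more interesting than a public-key logon, and logon type 10 tells the analyst the Windows hit was an interactive RDP session rather than a network share mount.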
Cloud and Identity Sources
Cloud Security Posture Management (CSPM)
Misconfiguration Detection
Compliance Monitoring
Cloud Access Security Broker (CASB)
Cloud Application Usage
Data Movement Monitoring
Identity and Access Management (IAM) Logs
Authentication Events
Privilege Changes
Single Sign-On (SSO) Logs
Login Success and Failure
Federation Events
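IAM and SSO logs are where authentication events and privilege changes meet, and the triage question is usually "who gained what, and did they prove who they were first". The following is an added example, not from the original page: it runs over constructed audit records shaped like AWS CloudTrail entries (the field names eventName, userIdentity, sourceIPAddress, requestParameters, responseElements and additionalEventData are CloudTrail's; the values, principals and addresses are made up) and raises findings for root-credential use, console logins that succeeded without MFA, and IAM calls that grant or extend access, ranking an AdministratorAccess attachment above the rest. The list of privilege-granting API names and the severity labels are assumptions chosen for the example.

```python
# Constructed audit events shaped like AWS CloudTrail records. Field names are CloudTrail's;
# every value (users, addresses, times) is made up for this example.
IAM_EVENTS = [
    {"eventTime": "2024-05-01T11:00:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "10.0.0.20",
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2024-05-01T11:05:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "203.0.113.7",
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-05-01T11:06:00Z", "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"userName": "bob", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-05-01T11:07:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"userName": "svc-ci"}},
    {"eventTime": "2024-05-01T11:08:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "203.0.113.7"},
    {"eventTime": "2024-05-01T11:30:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root"}, "sourceIPAddress": "198.51.100.4",
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
]

# IAM API calls that grant or extend access (an assumed list for the example, not exhaustive).
PRIVILEGE_EVENTS = {
    "AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy", "PutUserPolicy", "PutRolePolicy",
    "AddUserToGroup", "CreateAccessKey", "CreateLoginProfile", "UpdateAssumeRolePolicy",
}
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def actor(event):
    """Principal name for an event; root has no userName, so its identity type is used."""
    identity = event.get("userIdentity", {})
    return identity.get("userName") or identity.get("type", "unknown")


def triage_iam_events(events):
    """Return (eventName, actor, severity, reason) findings, highest severity first, stable within a level."""
    findings = []
    for ev in events:
        name, who, ip = ev["eventName"], actor(ev), ev.get("sourceIPAddress")
        if ev.get("userIdentity", {}).get("type") == "Root":
            findings.append((name, who, "high", f"root credentials used from {ip}"))
        if name == "ConsoleLogin":
            succeeded = ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
            mfa = ev.get("additionalEventData", {}).get("MFAUsed") == "Yes"
            if succeeded and not mfa:
                findings.append((name, who, "medium", f"console login without MFA from {ip}"))
        elif name in PRIVILEGE_EVENTS:
            params = ev.get("requestParameters") or {}
            target = params.get("userName") or params.get("roleName") or params.get("groupName") or "?"
            policy = params.get("policyArn", "")
            severity = "high" if policy.endswith("/AdministratorAccess") else "medium"
            reason = f"{who} changed privileges of {target}" + (f" via {policy}" if policy else "")
            findings.append((name, who, severity, reason))
    return sorted(findings, key=lambda f: SEVERITY_RANK[f[2]])


if __name__ == "__main__":
    for finding in triage_iam_events(IAM_EVENTS):
        print(finding)
```

Read together, the medium and high findings for "bob" tell a story the individual alerts do not: a login without MFA from an outside address, followed within two minutes by self-granted administrator rights and a fresh access key for another principal. Correlating on the actor and source address across these records is what turns three alerts into one incident.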
Other Sources
Email Security Gateway Logs
Spam and Phishing Detection
Attachment Scanning
Data Loss Prevention (DLP) Alerts
Sensitive Data Movement
Policy Violations
Threat Intelligence Platforms (TIP)
Aggregated Threat Data
IOC Management
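Email gateway records and threat-intelligence IOCs are most useful in triage when combined: the gateway supplies sender, authentication results and attachment metadata, and the TIP supplies the hashes and names to match against. The following is an added example, not from the original page: it runs three checks over constructed gateway records (a trusted display name on an external sender address, SPF or DKIM failure, and risky attachment types or hashes matching a constructed IOC set). The record layout, the internal domain, the executive name, the IOC hash and the extension list are all assumptions made for the example.

```python
# Constructed email gateway records, roughly the fields a gateway exposes per message
# (sender, display name, authentication results, attachment metadata). Made up for this example.
INTERNAL_DOMAINS = {"corp.example"}
VIP_DISPLAY_NAMES = {"Jane Doe"}            # hypothetical executive whose name phishers would borrow
IOC_SHA256 = {"9f2c" + "0" * 56 + "beef"}   # constructed hash standing in for a TIP file IOC
RISKY_EXTENSIONS = {"exe", "js", "vbs", "hta", "iso", "lnk", "scr", "docm", "xlsm"}

GATEWAY_LOG = [
    {"id": "m1", "from": "jane.doe@corp.example", "display_name": "Jane Doe", "subject": "Q2 report",
     "spf": "pass", "dkim": "pass", "attachments": [{"name": "q2.pdf", "sha256": "a" * 64}]},
    {"id": "m2", "from": "jane.doe@mail-lookalike.test", "display_name": "Jane Doe",
     "subject": "Urgent wire transfer", "spf": "pass", "dkim": "pass", "attachments": []},
    {"id": "m3", "from": "billing@vendor.test", "display_name": "Accounts", "subject": "Invoice",
     "spf": "fail", "dkim": "fail", "attachments": [{"name": "invoice.iso", "sha256": "b" * 64}]},
    {"id": "m4", "from": "hr@partner.test", "display_name": "HR", "subject": "Policy update",
     "spf": "pass", "dkim": "pass",
     "attachments": [{"name": "policy_update.docm", "sha256": "9f2c" + "0" * 56 + "beef"}]},
]


def sender_domain(address):
    return address.rsplit("@", 1)[-1].lower()


def triage_email(records, vip=VIP_DISPLAY_NAMES, ioc_hashes=IOC_SHA256, internal=INTERNAL_DOMAINS):
    """Return (message id, [reasons]) for every message that trips at least one check."""
    findings = []
    for r in records:
        reasons = []
        # Display-name impersonation: a trusted internal name on an external sender address.
        # Note m2 passes SPF and DKIM; the lookalike domain is the attacker's own, so it authenticates fine.
        if r["display_name"] in vip and sender_domain(r["from"]) not in internal:
            reasons.append(f"display-name impersonation of {r['display_name']}")
        # Sender authentication: SPF/DKIM results are the gateway's own verdict on the envelope.
        if r["spf"] != "pass" or r["dkim"] != "pass":
            reasons.append(f"sender auth failed (spf={r['spf']}, dkim={r['dkim']})")
        for a in r["attachments"]:
            ext = a["name"].rsplit(".", 1)[-1].lower()
            if ext in RISKY_EXTENSIONS:
                reasons.append(f"risky attachment type .{ext}: {a['name']}")
            # IOC match: file hashes from the threat-intel platform against attachment hashes.
            if a["sha256"] in ioc_hashes:
                reasons.append(f"attachment hash matches threat intel: {a['name']}")
        if reasons:
            findings.append((r["id"], reasons))
    return findings


if __name__ == "__main__":
    for message_id, reasons in triage_email(GATEWAY_LOG):
        print(message_id, "->", "; ".join(reasons))
```

The point of the m2 case is that passing SPF and DKIM says nothing about intent: the attacker controls the sending domain, so the only signal is the borrowed display name. An IOC hash match, by contrast, is as close to a confirmed verdict as gateway data gets and should be prioritised over the heuristic checks.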