Security Event Triage
1. Foundations of Security Event Triage
2. The Triage Workflow
3. Key Data Sources for Triage
4. Core Triage Analysis Techniques
5. Tools of the Triage Analyst
6. Prioritization Frameworks and Models
7. Common Alert Types and Triage Approaches
8. Documentation and Communication
9. Developing Triage Expertise
Core Triage Analysis Techniques
  Analyzing Network Traffic
    Source and Destination IP Addresses
      Internal vs. External Traffic
      Known Malicious IPs
      Geographic Analysis
    Port and Protocol Usage
      Unusual Port Activity
      Protocol Anomalies
      Service Identification
    Payload Analysis (Superficial)
      Suspicious Content Patterns
      File Type Identification
      Encoding Detection
    User-Agent Strings
      Unusual or Malicious User-Agents
      Application Identification
    Connection Patterns
      Frequency and Duration
      Data Volume Analysis
  Analyzing Endpoint Activity
    Process Execution and Parent-Child Relationships
      Suspicious Process Trees
      Unusual Parent-Child Combinations
      Process Injection Detection
    File Modifications and Hashes
      Unexpected File Changes
      Hash Comparison with Known Malware
      File Creation and Deletion Patterns
    Registry Changes
      Persistence Mechanisms
      Unauthorized Modifications
      Startup Program Changes
    Command Line Arguments
      Malicious Command Patterns
      Obfuscation Techniques
      Parameter Analysis
    PowerShell and Shell Script Analysis
      Script Content Review
      Execution Context
      Encoded Command Detection
    Network Connections from Endpoints
      Outbound Connection Analysis
      Unusual Communication Patterns
  Analyzing User Behavior
    Login Patterns
      Time-Based Analysis
      Location-Based Analysis
      Frequency Analysis
    Privilege Escalation Attempts
      Unauthorized Access Attempts
      Lateral Movement Indicators
      Administrative Action Monitoring
    Unusual Access Patterns
      Access to Sensitive Data
      Data Download or Exfiltration
      Off-Hours Activity
    Account Activity Anomalies
      Multiple Concurrent Sessions
      Impossible Travel Scenarios
  Threat Intelligence Correlation
    Matching IOCs against Feeds
      Automated IOC Matching
      Manual Verification
      IOC Aging and Relevance
    Understanding Attacker TTPs
      Tactics, Techniques, and Procedures Analysis
      Mapping to MITRE ATT&CK Framework
    Leveraging Open-Source Intelligence (OSINT)
      Public Threat Reports
      Community Intelligence Sharing
      Social Media Intelligence