0PricingLogin
Cyber Security Academy · Lesson

Alert Triage Workflow

Investigating and prioritizing alerts.

What Triage Means

Alert triage is the process of reviewing incoming alerts, deciding which are real and important, and routing them appropriately. The goal is to separate signal from noise quickly.

Every alert lands in one of three buckets:

  • True positive — real malicious or risky activity
  • False positive — benign activity that looks suspicious
  • Benign true positive — real but authorized or expected activity

The Alert Lifecycle

An alert moves through a predictable lifecycle. Knowing each stage keeps your work organized:

  • New — just generated by the SIEM or EDR
  • In progress — an analyst is investigating
  • Escalated — handed to Tier 2 or incident response
  • Closed — resolved as false positive, benign, or remediated

Each transition should be reflected in the ticket so others can see the state at a glance.

All lessons in this course

  1. The SOC and Its Tiers
  2. Alert Triage Workflow
  3. Playbooks and Ticketing
  4. SOC Metrics: MTTD and MTTR
← Back to Cyber Security Academy