Alert

An alert is a notification generated by a security solution (SIEM, EDR, IDS and the like) when a specific event or sequence of events matches a detection rule. It is what saves SOC analysts from manually reviewing raw logs: only the suspicious or anomalous events are surfaced. An alert is a hypothesis about what happened, not a confirmed incident; confirming it is the analyst's job.

The simplest widely used approach to prioritizing alerts

  1. Filter the alerts
    Make sure you don't pick up an alert that another analyst has already reviewed, or that a teammate is already investigating. Take only new, not-yet-seen, unresolved alerts (in most tools: status new/open and no assignee).
  2. Sort by severity
    Start with critical alerts, then high, medium, and finally low. Detection engineers assign severity so that critical alerts are far more likely to be true positives with major impact than medium or low ones. An alert whose severity is missing or unrecognised should still be looked at rather than silently dropped.
  3. Sort by time
    Within the same severity, start with the oldest alerts and end with the newest. If two alerts each represent a breach, the attacker behind the older one has had more time and may already be dumping your data, while the newcomer has only just begun discovery.
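The three steps above, carried out in code, as an added example rather than anything from the original notes. The alert records and their field names (id, name, severity, created, status, assignee) are constructed for the example; real SIEM or EDR exports use their own field names, so the filter and key functions are the parts to adapt.

```python
from datetime import datetime

# Constructed sample alerts in the shape a SIEM/EDR might export them.
# Field names and values are assumptions for this example.
SAMPLE_ALERTS = [
    {"id": "A-1001", "name": "SUID Discovery", "severity": "medium",
     "created": "2024-05-02T09:14:00Z", "status": "new", "assignee": None},
    {"id": "A-1002", "name": "Root SSH Login from External IP", "severity": "critical",
     "created": "2024-05-02T09:20:00Z", "status": "new", "assignee": None},
    {"id": "A-1003", "name": "Kernel Module Insertion", "severity": "critical",
     "created": "2024-05-02T08:55:00Z", "status": "in_progress", "assignee": "bob"},
    {"id": "A-1004", "name": "Kernel Module Insertion", "severity": "critical",
     "created": "2024-05-02T08:40:00Z", "status": "new", "assignee": None},
    {"id": "A-1005", "name": "Port Scan", "severity": "low",
     "created": "2024-05-01T23:59:00Z", "status": "closed", "assignee": "alice"},
    {"id": "A-1006", "name": "Unknown Rule", "severity": "weird",
     "created": "2024-05-02T07:00:00Z", "status": "new", "assignee": None},
]

# Lower rank = handled first. Anything not in the map sinks to the bottom
# of the queue instead of crashing the sort or being dropped.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
UNSEEN_STATUSES = {"new"}


def parse_ts(value):
    """Parse an ISO-8601 timestamp; 'Z' is rewritten so fromisoformat accepts it."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_unreviewed(alert):
    """Step 1: only alerts nobody has touched or claimed."""
    return alert["status"] in UNSEEN_STATUSES and not alert["assignee"]


def triage_key(alert):
    """Steps 2 and 3: severity first, then oldest creation time within a severity."""
    rank = SEVERITY_RANK.get(str(alert["severity"]).lower(), len(SEVERITY_RANK))
    return (rank, parse_ts(alert["created"]))


def build_queue(alerts):
    """Return the alerts an analyst should work, in the order to work them."""
    return sorted((a for a in alerts if is_unreviewed(a)), key=triage_key)


def next_alert(alerts):
    """The single alert to pick up now, or None if the queue is empty."""
    queue = build_queue(alerts)
    return queue[0] if queue else None


if __name__ == "__main__":
    for alert in build_queue(SAMPLE_ALERTS):
        print(alert["id"], alert["severity"], alert["created"], alert["name"])
```

On the sample data the queue comes out as A-1004, A-1002, A-1001, A-1006: the two unclaimed critical alerts first with the older one ahead, then the medium one, then the alert with an unrecognised severity at the end, while the alert already in progress and the closed one never enter the queue.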

Alert triage is the process of reviewing the alerts selected this way, to decide whether each one is a true positive and what action it needs.

Alerts

Alert                             What does it suggest?
Root SSH Login from External IP   The attacker gained remote access to the system via SSH (Initial Access).
SUID Discovery                    The attacker looked for setuid binaries as a way to escalate privileges (Privilege Escalation).
Kernel Module Insertion           The attacker loaded a malicious kernel module (e.g. a rootkit) for persistence (Persistence).

Each entry is the hypothesis the alert suggests, not a verdict: the same events can be legitimate (an administrator logging in as root over SSH, an audit script listing SUID files, a driver module loaded at boot), and triage has to tell the two apart.
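To make concrete what produces these three alerts, here is an added example (not from the original notes) of rules run over constructed log lines. The sshd line follows OpenSSH's "Accepted ... for USER from IP port N ssh2" format; the audit lines follow the auditd EXECVE and SYSCALL record shape as rendered by ausearch -i, trimmed for brevity. The internal address ranges, hostnames, timestamps and file paths are assumptions for the example.

```python
import ipaddress
import re

# The organisation's internal ranges: an assumption for this example.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log lines (not real captures).
SAMPLE_LOGS = [
    "May  2 09:20:01 web01 sshd[2231]: Accepted publickey for root from 198.51.100.7 port 51234 ssh2",
    "May  2 09:21:40 web01 sshd[2290]: Accepted password for root from 10.0.5.12 port 40110 ssh2",
    "May  2 09:22:15 web01 sshd[2301]: Accepted publickey for deploy from 198.51.100.7 port 51300 ssh2",
    'type=EXECVE msg=audit(1714641900.120:411): argc=4 a0="find" a1="/" a2="-perm" a3="-4000"',
    'type=EXECVE msg=audit(1714641905.330:412): argc=2 a0="ls" a1="-la"',
    'type=EXECVE msg=audit(1714642000.010:420): argc=2 a0="insmod" a1="/tmp/x.ko"',
    'type=SYSCALL msg=audit(1714642000.015:421): arch=c000003e syscall=finit_module success=yes exit=0 comm="insmod"',
]

SSH_ACCEPT = re.compile(
    r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+")
EXECVE_ARG = re.compile(r'\ba\d+="([^"]*)"')      # a0="..." a1="..." ...
SYSCALL_NAME = re.compile(r"\bsyscall=(\w+)")

# find(1) -perm spellings that select the setuid bit.
SUID_PERMS = {"-4000", "/4000", "+4000", "-u=s", "/u=s", "-u+s", "/u+s"}
MODULE_LOADERS = {"insmod", "modprobe"}
MODULE_SYSCALLS = {"init_module", "finit_module"}


def is_external(ip):
    """True when the address is outside every internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect(line):
    """Return the alert name this line triggers, or None."""
    m = SSH_ACCEPT.search(line)
    if m:
        if m.group("user") == "root" and is_external(m.group("ip")):
            return "Root SSH Login from External IP"
        return None
    if line.startswith("type=EXECVE"):
        args = EXECVE_ARG.findall(line)
        if not args:
            return None
        if args[0] == "find":
            # "-perm" followed by a setuid selector is the classic SUID hunt.
            for i in range(len(args) - 1):
                if args[i] == "-perm" and args[i + 1] in SUID_PERMS:
                    return "SUID Discovery"
        if args[0] in MODULE_LOADERS:
            return "Kernel Module Insertion"
        return None
    if line.startswith("type=SYSCALL"):
        m = SYSCALL_NAME.search(line)
        if m and m.group(1) in MODULE_SYSCALLS:
            return "Kernel Module Insertion"
    return None


def run_rules(lines):
    """Run every line through the rules and keep the ones that fire."""
    hits = []
    for line in lines:
        name = detect(line)
        if name:
            hits.append((name, line))
    return hits


if __name__ == "__main__":
    for name, line in run_rules(SAMPLE_LOGS):
        print(f"[{name}] {line}")
```

On the sample lines the rules fire four times: the root login from 198.51.100.7 (the root login from 10.0.5.12 and the non-root login are ignored), the find -perm -4000 command, and the insmod execution twice, once from its EXECVE record and once from the matching finit_module SYSCALL record. Those last two describe the same event, which is exactly the kind of duplicate an analyst sees during triage; a production rule would key on one record type or correlate them by audit event ID.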