Incident Triage and Prioritization

Purpose and Scope

Incident triage is the process of quickly assessing alerts to determine their validity, severity, and appropriate response. This playbook covers triage frameworks, prioritization criteria, and workflows that enable analysts to handle alert volume efficiently while ensuring critical threats receive immediate attention.

Prerequisites

• Alert access: SIEM or alerting platform with queue visibility
• Asset inventory: Knowledge of critical systems and data
• Escalation procedures: Defined paths for different incident types
• Enrichment tools: Access to TI, EDR, identity systems for context

Triage Goals

Effective triage should:

• Quickly separate true positives from false positives
• Identify high priority incidents requiring immediate action
• Route incidents to appropriate responders
• Gather initial context for investigation
• Document decisions for audit and learning

Prioritization Framework

Priority Factors

Consider these factors when prioritizing:

• Asset criticality: Is a critical system or data at risk?
• User risk: Is a privileged or high value user involved?
• Threat severity: How damaging could this threat be?
• Detection confidence: How certain are we this is malicious?
• Attack stage: How far along is the attacker in their objectives?
• Spread potential: Could this affect other systems?

Priority Levels

• Critical (P1): Active compromise of critical systems, data exfiltration in progress, ransomware execution. Response: immediate.
• High (P2): Confirmed malicious activity, compromised credentials, malware on endpoint. Response: within 1 hour.
• Medium (P3): Suspicious activity requiring investigation, policy violations, potential reconnaissance. Response: within 4 hours.
• Low (P4): Informational alerts, minor policy violations, low confidence detections. Response: within 24 hours.

Triage Workflow

1. Initial Assessment (2 to 5 minutes)

• Read alert title and description
• Identify affected user, host, and data
• Check asset and user criticality
• Review detection rule and confidence
• Assign initial priority

2. Quick Enrichment (5 to 10 minutes)

• Query threat intelligence for IOCs
• Check for related alerts on same entity
• Review recent activity on affected systems
• Verify user's expected behavior
• Check if activity matches known good patterns

3. Determination

Decide on disposition:

• True positive: Escalate to investigation or response
• False positive: Close alert, document for tuning
• Requires investigation: Assign for deeper analysis
• Inconclusive: Gather more data, set follow up

4. Documentation

• Record disposition and rationale
• Note key findings from enrichment
• Document next steps if escalating
• Link related alerts or tickets

Triage Decision Tree

Is This Alert Valid?

1. Does the detected activity actually occur in the logs?
2. Is the activity from a legitimate user or system?
3. Is there a known business justification?
4. Does threat intelligence indicate malicious indicators?

How Urgent Is This?

1. Is a critical asset affected?
2. Is the attack active or historical?
3. Has data been accessed or exfiltrated?
4. Could the attacker move to other systems?

Common Triage Scenarios

Phishing Alert

• Did user click the link or open attachment?
• Did user enter credentials?
• Check for subsequent suspicious logins
• Check endpoint for malware execution

Malware Detection

• Was the file executed or just present?
• Did EDR block or quarantine?
• Is there evidence of persistence or C2?
• What is the malware family and capability?

Suspicious Login

• Is the location or device new for this user?
• Did the user authenticate successfully?
• What did the user access after login?
• Can the user confirm the activity?

Data Access Anomaly

• Is access outside user's normal role?
• What volume of data was accessed?
• Was data downloaded or transferred?
• Is the user's account potentially compromised?

Escalation Criteria

Escalate immediately for:

• Confirmed active attacker in environment
• Ransomware or destructive malware execution
• Data exfiltration in progress
• Compromise of privileged accounts
• Breach of critical systems or data
• Threats requiring executive notification

Tools for Efficient Triage

• SOAR playbooks: Automate enrichment and initial classification
• Risk scoring: Prioritize alerts by asset and user risk
• Alert correlation: Group related alerts to reduce noise
• Investigation notebooks: Standardized triage checklists
• Quick pivots: One click access to enrichment sources

Managing Alert Fatigue

• Prioritize tuning high volume, low value rules
• Use tiered alerting based on confidence
• Automate closure of known false positive patterns
• Rotate triage duties to avoid burnout
• Track metrics to identify improvement areas

Key Metrics

• Mean time to triage: Average time from alert to disposition
• Triage accuracy: Percentage correctly classified
• Escalation rate: Percentage escalated to investigation
• Queue depth: Backlog of untriaged alerts
• Alert volume: Alerts per analyst per shift

References

• NIST SP 800-61: Computer Security Incident Handling Guide
• SANS Incident Handler's Handbook
• MITRE ATT&CK: attack.mitre.org
• CISA Incident Response: cisa.gov/incident-response