Category: SOC Playbooks
Applies to: SOC Analysts (L1/L2), Shift Leads
Last reviewed: 2025

Overview

This playbook defines the standard process for triaging security alerts in the SOC. Consistent triage improves response speed, reduces false positive fatigue, and ensures high-priority alerts are escalated appropriately. Every analyst should follow this process for every alert.

The 5-Step Triage Process

Step 1 — Acknowledge and Context-Set

  • ☐ Acknowledge the alert in your SIEM/SOAR within your SLA window
  • ☐ Read the full alert: what fired, on what asset, at what time
  • ☐ Identify the asset: hostname, IP, owner, criticality, business function
  • ☐ Identify the user: name, department, role, recent activity, admin status
  • ☐ Note the detection rule: what behavior triggered it?
  • ☐ Check if the asset or user has open incidents or recent alerts

Time target: 2–5 minutes

Step 2 — Gather Evidence

Collect the minimum data needed to make a triage decision. Don't investigate — triage first.

  • ☐ Pull surrounding log context (5–10 minutes before/after the alert)
  • ☐ Check parent/child process chain if endpoint alert
  • ☐ Retrieve associated network connections (source, destination, port, bytes)
  • ☐ Check authentication events around the same time (logins, failures, new sessions)
  • ☐ Query threat intel: are IPs, domains, or hashes known malicious?
  • ☐ Check asset vulnerability data if exploit-related alert

Key tools: SIEM, EDR, threat intel platform, IPAM/CMDB

Step 3 — Classify the Alert

Assign one of four dispositions:

Disposition              Meaning                                        Action
True Positive            Real malicious activity confirmed              Open incident, escalate
True Positive — Benign   Real activity, confirmed legitimate            Close with documentation
False Positive           Rule fired incorrectly on benign activity      Close, flag for tuning
Needs More Data          Cannot determine; more investigation needed    Escalate to L2 or continue

Step 4 — Prioritize

If True Positive — use this scoring to prioritize:

Severity factors:
- Asset criticality (Crown Jewel, High, Medium, Low)
- User privilege level (Admin, Standard, Service Account)
- Active or historical threat? (Is it still happening?)
- Lateral movement indicators present?
- Data exfiltration indicators present?
- Known threat actor TTP match?

Priority levels:
- P1 — Critical: Active attack, crown jewel asset, or confirmed data exposure → respond NOW
- P2 — High: Confirmed malicious activity, standard asset → respond within 15 min
- P3 — Medium: Suspicious activity, unconfirmed → investigate within 1 hour
- P4 — Low: Low confidence, low impact → investigate within shift

Step 5 — Document and Act

  • ☐ Write triage notes in the ticket: what you found, what you decided, why
  • ☐ Attach evidence (log snippets, screenshots, hashes)
  • ☐ If True Positive: open incident ticket, assign severity, notify IR lead
  • ☐ If False Positive: document the reason, tag rule for tuning review
  • ☐ If escalating: brief the receiving analyst verbally + in ticket

Minimum documentation for every alert:
- What triggered
- What asset/user
- What evidence was reviewed
- Disposition and rationale
- Time to triage

Alert Triage Quick Reference

EDR Alerts

Alert Type            First Check
Suspicious process    Parent process, command line, file hash
Network connection    Destination reputation, process making the connection
Credential access     LSASS access, mimikatz indicators, user context
Persistence           Registry keys, scheduled tasks, new services
Lateral movement      SMB, RDP, WMI, PsExec from this host

Network / Firewall Alerts

Alert Type                      First Check
Outbound to threat intel hit    Traffic volume, frequency, process
Port scanning                   Source asset, internal or external
DNS to suspicious domain        Domain age, category, query volume
Large data transfer             Destination, protocol, user context

Identity / IAM Alerts

Alert Type          First Check
Failed logins       Count, source IPs, target accounts
Impossible travel   Time delta, distance, MFA used?
New admin rights    Who granted, to whom, change ticket?
MFA push spam       User contacted? Attacker trying MFA fatigue?

Escalation Criteria — Escalate to L2/IR Lead if:

  • Active lateral movement detected
  • Domain controller or crown jewel asset involved
  • Data exfiltration indicators present
  • Attacker has admin or service account access
  • Ransomware-related indicators present
  • You cannot determine True/False Positive after 15 minutes
  • Any alert involving PII, financial, or health data systems

SLA Targets

Priority   Acknowledge   Triage Complete   Escalate (if TP)
P1         Immediate     5 min             Immediate
P2         5 min         15 min            15 min
P3         15 min        1 hour            1 hour
P4         1 hour        4 hours           4 hours
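The Step 3 dispositions, Step 4 priority levels, the escalation criteria and the SLA targets above, encoded as a small Python helper so the rules can be applied the same way on every shift. This is an added example, not part of the playbook; the TriageFactors fields and the way the factors are weighted into P1-P4 are assumptions, since the playbook lists the factors but gives no formal scoring.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
# Inputs to Steps 3-4 and the escalation list. Field names and the weighting of
# factors into P1-P4 are this example's assumptions; the playbook gives no formal scoring.
@dataclass
class TriageFactors:
    asset_criticality: str   # "Crown Jewel", "High", "Medium" or "Low"
    user_privilege: str      # "Admin", "Standard" or "Service Account"
    disposition: str         # one of the four Step 3 dispositions
    active: bool             # is it still happening?
    lateral_movement: bool
    data_exfiltration: bool
    known_ttp_match: bool
    ransomware_indicators: bool = False
    sensitive_data_system: bool = False  # PII, financial or health data

def prioritize(f: TriageFactors) -> str:
    """Map the Step 4 severity factors to a P1-P4 priority level."""
    if f.active or f.asset_criticality == "Crown Jewel" or f.data_exfiltration:
        return "P1"  # active attack, crown jewel asset, or data exposure
    if f.disposition == "True Positive":
        return "P2"  # confirmed malicious activity on a standard asset
    elevated = (f.asset_criticality in ("High", "Medium") or f.user_privilege != "Standard"
                or f.lateral_movement or f.known_ttp_match)
    return "P3" if elevated else "P4"  # suspicious/unconfirmed vs. low confidence

def escalation_reasons(f: TriageFactors, minutes_spent: int) -> list[str]:
    """List the escalation criteria (L2/IR lead) this alert meets."""
    checks = [
        (f.lateral_movement, "active lateral movement"),
        (f.asset_criticality == "Crown Jewel", "crown jewel asset involved"),
        (f.data_exfiltration, "data exfiltration indicators"),
        (f.disposition == "True Positive" and f.user_privilege != "Standard",
         "attacker has admin or service account access"),
        (f.ransomware_indicators, "ransomware-related indicators"),
        (f.disposition == "Needs More Data" and minutes_spent > 15,
         "cannot determine TP/FP after 15 minutes"),
        (f.sensitive_data_system, "PII, financial or health data system"),
    ]
    return [reason for hit, reason in checks if hit]

# SLA Targets table as minutes after the alert fired: (acknowledge, triage, escalate).
SLA_MINUTES = {"P1": (0, 5, 0), "P2": (5, 15, 15), "P3": (15, 60, 60), "P4": (60, 240, 240)}
def sla_deadlines(priority: str, fired_at_iso: str) -> dict[str, str]:
    """Turn the SLA targets into absolute ISO-8601 deadlines for one alert."""
    fired = datetime.fromisoformat(fired_at_iso)
    ack, triage, esc = SLA_MINUTES[priority]
    return {"acknowledge": (fired + timedelta(minutes=ack)).isoformat(),
            "triage_complete": (fired + timedelta(minutes=triage)).isoformat(),
            "escalate": (fired + timedelta(minutes=esc)).isoformat()}
```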