This article provides additional information on how you can meet the requirement for the CAF control – C1.d Triage of Security Alerts.
Structured Alert Triage Process
- A structured process should be in place to assess, classify and respond to security alerts generated by monitoring tools such as:
  - SIEM
  - EDR/XDR
  - RMM alerts
  - firewalls
- All alerts should be reviewed, investigated and categorised by severity using the organisation’s documented Incident Management Plan and procedures.
SOPs and Runbooks
- Clear SOPs or runbooks should be maintained for common alert types, such as:
  - malware detections
  - suspicious login attempts
  - privilege escalations
  - endpoint isolation
- These procedures should be reviewed regularly and updated based on real incident experience.
Validating and Categorising Alerts
- During triage, analysts should validate alerts by correlating:
  - event logs
  - user behaviour
  - system context
- This ensures the organisation can distinguish false positives from genuine security incidents.
- Triage outcomes and actions taken should be recorded to support trend analysis and continuous improvement.
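As an added illustration (not part of the CAF guidance or of this article), the Python below triages a handful of constructed alerts from the sources named above by correlating each one with constructed event logs, a per-user login baseline and change-ticket context, assigns a runbook severity, and returns a triage log from which a trend summary is built. The users, hosts, thresholds and severity table are assumptions made for the example.

```python
from collections import Counter
# Constructed sample context for the example, not taken from any real environment.
USER_BASELINE = {"alice": {"GB"}, "bob": {"GB", "DE"}}   # usual login countries per user (user behaviour)
AUTHORISED_CHANGES = {("bob", "db-02")}                   # (user, host) pairs covered by a change ticket (system context)
RUNBOOK_SEVERITY = {"malware_detection": "high", "privilege_escalation": "high",
                    "suspicious_login": "medium", "endpoint_isolation": "medium"}

def triage(alert, event_logs):
    """Correlate one alert with event logs, user baseline and system context; return its triage record."""
    kind, user, host = alert["kind"], alert["user"], alert["host"]
    severity = RUNBOOK_SEVERITY.get(kind, "low")          # default severity from the runbook for this alert type
    host_events = [e for e in event_logs if e["host"] == host]
    if kind == "suspicious_login":
        failures = sum(1 for e in host_events if e["user"] == user and e["event"] == "login_failed")
        if alert.get("country") in USER_BASELINE.get(user, set()) and failures < 5:
            verdict, reason = "false_positive", "country matches user baseline, no failed-login burst"
        else:
            verdict, reason = "incident", f"unusual country or {failures} failed logins"
            severity = "high" if failures >= 5 else severity   # assumed threshold for a brute-force pattern
    elif kind == "privilege_escalation":
        authorised = (user, host) in AUTHORISED_CHANGES
        verdict = "false_positive" if authorised else "incident"
        reason = "change authorised by ticket" if authorised else "no authorised change for this user/host"
    elif kind == "malware_detection":
        quarantined = any(e["event"] == "quarantined" for e in host_events)
        verdict, reason = "incident", ("file quarantined by EDR" if quarantined else "file not contained")
        severity = "medium" if quarantined else "high"     # a real detection either way; containment lowers urgency
    else:
        verdict, reason = "needs_review", "no runbook for this alert type"  # unknown type goes to an analyst
    return {"source": alert["source"], "kind": kind, "verdict": verdict, "severity": severity, "reason": reason}

def triage_all(alerts, event_logs):
    """Triage every alert and return the triage log (one recorded outcome per alert)."""
    return [triage(a, event_logs) for a in alerts]

def trend_summary(triage_log):
    """Count outcomes per alert type so noisy rules and recurring incidents stand out in review."""
    return Counter((r["kind"], r["verdict"]) for r in triage_log)

# Constructed alerts and event logs; the sources are the ones the article lists.
ALERTS = [
    {"source": "SIEM", "kind": "suspicious_login", "user": "bob", "host": "ws-03", "country": "DE"},
    {"source": "SIEM", "kind": "suspicious_login", "user": "alice", "host": "ws-07", "country": "GB"},
    {"source": "EDR/XDR", "kind": "privilege_escalation", "user": "bob", "host": "db-02"},
    {"source": "EDR/XDR", "kind": "malware_detection", "user": "bob", "host": "ws-03"},
    {"source": "firewall", "kind": "port_scan", "user": "", "host": "fw-01"},
]
EVENT_LOGS = [{"host": "ws-07", "user": "alice", "event": "login_failed"} for _ in range(6)]
EVENT_LOGS.append({"host": "ws-03", "user": "bob", "event": "quarantined"})
```

Running `triage_all(ALERTS, EVENT_LOGS)` gives one record per alert; the second login alert becomes a high-severity incident because the six failed logins in the event log outweigh the matching country baseline.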
Effective and Repeatable Triage
This structured approach ensures that:
- alerts are assessed appropriately
- high-risk incidents are prioritised for containment
- the organisation maintains an effective, repeatable triage process aligned with industry best practice and regulatory requirements.