
CAF – C1.d Triage of Security Alerts

This article provides additional information on how you can meet the requirement for the CAF control – C1.d Triage of Security Alerts.

Structured Alert Triage Process

  • A structured process should be in place to assess, classify and respond to security alerts generated by monitoring tools such as:

    • SIEM

    • EDR/XDR

    • RMM alerts

    • firewalls

  • All alerts should be reviewed, investigated and categorised by severity using the organisation’s documented Incident Management Plan and procedures.

SOPs and Runbooks

  • Clear SOPs or runbooks should be maintained for common alert types, such as:

    • malware detections

    • suspicious login attempts

    • privilege escalations

    • endpoint isolation

  • These procedures should be reviewed regularly and updated based on real incident experience.

Validating and Categorising Alerts

  • During triage, analysts should validate alerts by correlating:

    • event logs

    • user behaviour

    • system context

  • This ensures the organisation can distinguish false positives from genuine security incidents.
  • Triage outcomes and actions taken should be recorded to support trend analysis and continuous improvement.
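As an added illustration (not part of this article or of the CAF itself), the Python sketch below encodes the triage steps described above: an alert is validated by correlating corroborating event-log entries, the user's behavioural baseline and the asset's criticality, categorised by severity, and recorded so outcomes can be summarised for trend analysis. The field names, the scoring rule and the sample alerts are constructed assumptions for the example, not CAF requirements.

```python
from collections import Counter
from dataclasses import dataclass
SEVERITIES = ["informational", "low", "medium", "high"]

@dataclass
class Alert:
    source: str       # monitoring tool: "SIEM", "EDR/XDR", "RMM", "firewall"
    alert_type: str   # runbook key, e.g. "malware detection"
    host: str
    user: str

@dataclass
class Context:
    asset_criticality: str      # system context: "low" | "medium" | "high"
    usual_user_behaviour: bool  # login time/location match the user's baseline
    corroborating_events: int   # event-log entries that support the alert

@dataclass
class TriageRecord:
    alert: Alert
    verdict: str                # "false positive" | "incident"
    severity: str
    rationale: list[str]        # recorded so the decision can be reviewed later

def triage(alert: Alert, ctx: Context) -> TriageRecord:
    """Validate the alert by correlating logs, user behaviour and system context."""
    why = []
    if ctx.corroborating_events == 0 and ctx.usual_user_behaviour:
        why.append("no corroborating log events; behaviour matches baseline")
        return TriageRecord(alert, "false positive", "informational", why)
    score = 1  # a validated alert starts at "low" (hypothetical scoring rule)
    if ctx.corroborating_events:
        why.append(f"{ctx.corroborating_events} corroborating event-log entries")
    if not ctx.usual_user_behaviour:
        score += 1
        why.append("user behaviour deviates from baseline")
    if ctx.asset_criticality == "high":
        score += 1
        why.append("high-criticality asset")
    if alert.alert_type == "privilege escalation":
        score += 1
        why.append("privilege escalation runbook applies")
    return TriageRecord(alert, "incident", SEVERITIES[min(score, 3)], why)

def trend_summary(records: list[TriageRecord]) -> dict[tuple[str, str], int]:
    """Count recorded outcomes per (alert type, verdict) for trend analysis."""
    return dict(Counter((r.alert.alert_type, r.verdict) for r in records))

# Constructed sample input: an EDR hit with nothing behind it, and a SIEM alert on a DC.
SAMPLE = [(Alert("EDR/XDR", "malware detection", "ws-014", "j.smith"), Context("low", True, 0)),
          (Alert("SIEM", "privilege escalation", "dc-01", "svc-backup"), Context("high", False, 3))]
```

Running `triage` over `SAMPLE` classifies the first alert as a false positive and the second as a high-severity incident, and `trend_summary` over the resulting records gives the per-type counts the article asks to be kept.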

Effective and Repeatable Triage

This structured approach ensures that:

  • alerts are assessed appropriately

  • high-risk incidents are prioritised for containment

  • the organisation maintains an effective, repeatable triage process aligned with industry best practice and regulatory requirements.