<img src="https://ws.zoominfo.com/pixel/JrRu3vUM8j33QSR7Bwxw" width="1" height="1" style="display: none;">

What is alert triage?

We Explain, You Take Action
Alert Triage

Alert triage is the first step in determining if a breach has occurred. When an alert is triggered analysts must quickly determine if the alert should be dismissed or escalated for further investigation.

The alert triage process involves collecting insights from internal data, logs, and alerts to gain a status and action on active and evasive threats. The goal of each investigation is to identify the activities involved and the intention of the attack, including timelines, compromised assets, etc. The quicker the system gains this information, the faster security analysts can act on and cease existing attacks within the network.


Many companies do not have a defined triage process.


This leads to alerts being mis-classified or missed entirely depending on the analyst.


A lack of formal process can also increase the amount of work in the SOC since steps may need to be repeated during the response process.


According to the SANS 2020 Network Visibility and Threat Detection Report 52% of organizations have good visibility into north-south traffic but only 16% report visibility into east-west traffic

Industry Pulse

1. Identify

The first step involves not only identifying the action behind the alert — and determining whether or not it’s malicious — but prioritizing the incident within the system. Network security monitoring and deeper investigation are keys here.

• How did the malware enter your network?
• What actions did it perform?
• Where is the malware?
• Did we get it all?

These are the questions to answer before proceeding with appropriate action. Infected endpoints are a crucial factor here. In order to cease and eliminate the threat, you need to know what occurred and where.

2. Contextualize

The second includes building context to prioritize the alert:

• Timeline, from entry to discovery and remediation.
• Is there external intelligence for this threat?
• What do the alerts tell you about the incident?
• What actions and damage caused?

3. Contain

Having a deep understanding of the attack, its intention and the affected assets enables your team to take action.

• Prioritize your highest-value targets and contain them as quickly as possible.
• Begin recovering the assets and resolving the issues in attacked areas.
• Malware removal and system restoration

If you have the right teams and tools in place, you should come to step three almost immediately. It’s all about informing and acting on every step of the process. That’s how you create an agile and efficient alert triage process.


Triage Alerts Faster
Triage Alerts Faster

Internal data, logs, and alerts possess critical insights into active threats. At the same time, factors like alert volume, false positives and a lack of insight has stretched SOC teams. The sheer volume of data inhibits security teams from making quick and informed decisions. ReversingLabs delivers only the right data in the right place to accelerate and prioritize alert triage.

Reduce False Positives With Trusted allow lists
Reduce False Positives With Trusted allow lists

ReversingLabs technology, such as automatic false-positive identification, uses only highly trusted whitelist tags and high-fidelity file reputation meta-data including threat severity, malware family, implant names, and APT actors to empower analysts to feel confident in what they see in the data.

What makes Reversinglabs sandbox solution different

ReversingLabs solutions, such as the Titanium Platform, deliver unprecedented levels of visibility into threat actor activity. Even challenging malware that other teams and software typically don’t identify fail to escape our sophisticated system. With ReversingLabs solutions, you can enrich your existing SIEM — while enhancing the daily lives (and productivity) of your SOC analysts. Plus, we can accelerate your existing alert triage process with insight and quick identification of every threat alert that enters your network.

Minimize SOC Alert Fatigue and Accelerate Triage

Minimize SOC Alert Fatigue and Accelerate Triage

This webcast will examine what it means to inject smarter intelligence, remove the noise, and bring greater confidence into the SOC, thereby reducing dwell times and minimizing exposure to breaches and data loss.

Watch the Webinar

Additional Resources

Learn More About Alert Triage



Applying YARA to Uncover Hidden Phishing Threats Months After the Attack

Play Webinar

Other definitions

Learn More Definitions

Back to Definitions Home