Triage - Can this be more louder? (To be continued, server down)

1. Overview

Similar to how we handled the SOC Workbook and Lookup, what we’re doing here is triaging an alert in Microsoft Sentinel. The real question is: how should a SOC analyst actually work through an alert to make the right call? After all, it can be just noise or false positive.

2. Description

2.1 alert triage

SOC can use these as metric to determin if an incident is serious

• severity (how bad it is?)
• timestamp and frequency (how often is it?)
• atk stage/context (again, how bad is it really?? )
• affected assets (impact) (seriously, How bad is it ???)

4. Extended Readings

• SIEM
• SOAR
• Splunk
• SImilar Product from GOOGLE