How to do Incident Response Triage Right

3 Minute Read


Triage is the first post-detection incident response process any responder will execute to open an incident or false positive. Structuring an efficient and accurate incident response triage process will reduce analyst fatigue, reduce time to respond to and remediate incidents, and ensure that only valid alerts are promoted to “investigation or incident” status.

Every part of the triage process must be performed with urgency, as every second counts when in the midst of a crisis. However, triage responders face the serious challenge of filtering an unwieldy input source into a condensed trickle of events. Here are some suggestions for expediting analysis before data is validated:

  • Organization: Reduce redundant analysis by developing a workflow that will assign tasks to responders. Avoid sharing an email box or email alias between multiple responders. Instead use a workflow tool, like those in security orchestration, automation, and response (SOAR) solutions, to assign tasks. Implement a process to re-assign or reject tasks that are out of scope for triage.
  • Correlation: Use a tool such as a security information and even management (SIEM) to combine similar events. Link potentially connected events into one useful event.
  • Data Enrichment: Automate common queries your responders perform daily, such as reverse DNS lookups, threat intelligence lookups, and IP/domain mapping. Add this data to the event record or make it easily accessible.

Moving full speed ahead is the way to get through the initial incident response triage process, but a more detailed, measured approach is necessary during event verification. Presenting a robust case to be accurately evaluated by your security operations center (SOC) or cyber incident response team (CIRT) analysts is key. Here are a few tips for the verification:

  • Adjacent Data: Check the information adjacent to the event. For example, if an endpoint has a virus signature hit, look to see if there’s evidence the virus is running before calling for further response metrics.
  • Intelligence Review: Understand the context around the intelligence. Just because an IP address was flagged as part of a botnet last week doesn’t mean it still is part of a botnet today.
  • Initial Priority: Align with operational incident priorities and classify incidents appropriately. Make sure the right level of effort is applied to each incident.
  • Cross Analysis: Look for and analyze potentially shared keys, such as IP addresses or domain names, across multiple data sources for better data acuity.

Once an event is verified, the event becomes an investigation or an incident. All incidents must then be investigated and tracked by your SOC or CIRT teams as defined in your investigation process.

Swimlane’s SOAR platform can automate most of the incident response triage process, including assigning workflow tasks and data enrichment. This provides your team with the context they need to complete further analysis. Additional steps in the incident response process, like threat intelligence lookups and remediation steps can be automated, as well. Using SOAR, you can significantly improve your security operations efficiency, while reducing risk and increasing threat protection.

Want to see incident response triage automation in action? Watch our short video.
Ready for an in-depth look the benefits of automating your triage and broader incident response processes? Schedule a personalized demo with Swimlane.

*Adapted from an existing Syncurity blog post.

Automating Splunk Alert Triage Demo (4:11)

This use case video demonstrates the automated triage of security alert data received from Splunk. In this demonstration, data is acquired by Splunk, enriched by VirusTotal, and then actions are taken via a Symantec Endpoint Protection integration if deemed malicious.

Watch Now

Request a Live Demo