Alert Triage

The Alert Triage AI automatically analyzes incoming security alerts and assigns priority scores based on threat indicators, asset criticality, and historical patterns. This reduces analyst workload by focusing attention on the most critical alerts first.

Key Features

  • Multi-factor Scoring: Alerts are scored using threat indicators, asset criticality, user context, and environmental factors
  • Context Enrichment: Automatic enrichment with threat intelligence feeds, asset inventory data, and historical patterns
  • False Positive Reduction: Historical analysis and pattern matching to identify and suppress known false positives
  • Automated Escalation: Rules-based escalation to higher severity levels when specific conditions are met
  • MITRE ATT&CK Mapping: Automatic mapping of alerts to MITRE ATT&CK techniques and tactics

How It Works

  1. Alert Ingestion — New alerts enter the triage queue from detection rules, NDR, and connected security tools
  2. Context Gathering — The agent collects relevant context: asset criticality, user behavior history, related alerts, and threat intel
  3. Severity Assessment — Multi-factor analysis produces a priority score and recommended severity level
  4. Enrichment — Alert is enriched with IOC lookups, MITRE mapping, and similar historical alerts
  5. Routing — High-priority alerts are surfaced immediately; lower-priority alerts are batched for review

Scoring Factors

Factor                | Weight | Description
----------------------|--------|----------------------------------------------
Threat Intel Match    | High   | IOC matches against known threat databases
Asset Criticality     | High   | Business importance of the affected asset
Historical Pattern    | Medium | Similarity to previously confirmed threats
User Behavior         | Medium | Deviation from normal user patterns
Environmental Context | Low    | Time of day, network location, peer activity
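As an added worked example (not the product's own code), the following Python sketch runs the How It Works steps over the five scoring factors above: it turns High/Medium/Low into assumed numeric weights, derives a priority score and severity band, applies one rules-based escalation, and routes alerts so that high-priority ones are surfaced immediately and the rest are batched. The weights, severity thresholds, escalation rule and sample alerts are all assumptions made for the illustration.

```python
# Numeric values for the page's High/Medium/Low weights are an assumption for
# this example; the product's real weights are not documented here.
WEIGHTS = {
    "threat_intel_match": 3.0,     # High
    "asset_criticality": 3.0,      # High
    "historical_pattern": 2.0,     # Medium
    "user_behavior": 2.0,          # Medium
    "environmental_context": 1.0,  # Low
}
MAX_SCORE = sum(WEIGHTS.values())
SEVERITY_BANDS = [(75, "critical"), (50, "high"), (25, "medium"), (0, "low")]
SURFACE_IMMEDIATELY = {"critical", "high"}  # assumed routing rule
def priority_score(factors):
    """Weighted sum of factor signals (each in [0, 1]), scaled to 0..100."""
    total = 0.0
    for name, weight in WEIGHTS.items():
        signal = factors.get(name, 0.0)  # missing context contributes nothing
        if not 0.0 <= signal <= 1.0:
            raise ValueError(f"{name}: signal {signal} outside [0, 1]")
        total += weight * signal
    return round(100.0 * total / MAX_SCORE, 1)
def recommended_severity(score):
    return next(label for floor, label in SEVERITY_BANDS if score >= floor)
def apply_escalation_rules(factors, severity):
    """Rules-based escalation: a confirmed IOC hit on a high-criticality asset
    is raised to 'critical' even if the weighted score lands in a lower band."""
    if factors.get("threat_intel_match", 0) >= 1.0 and factors.get("asset_criticality", 0) >= 0.8:
        return "critical"
    return severity
def triage(alert):
    # alert = {"id": str, "factors": {factor name: normalized signal strength}}
    score = priority_score(alert["factors"])
    base = recommended_severity(score)
    final = apply_escalation_rules(alert["factors"], base)
    return {"id": alert["id"], "score": score, "severity": final, "escalated": final != base}
def route(alerts):
    """Surface critical/high alerts immediately; batch the rest, highest score first."""
    results = [triage(a) for a in alerts]
    immediate = [r for r in results if r["severity"] in SURFACE_IMMEDIATELY]
    batched = [r for r in results if r["severity"] not in SURFACE_IMMEDIATELY]
    return immediate, sorted(batched, key=lambda r: r["score"], reverse=True)

# Constructed sample alerts (not real data); absent factors mean context was unavailable.
SAMPLE_ALERTS = [
    {"id": "A1", "factors": {"threat_intel_match": 1.0, "asset_criticality": 0.9, "historical_pattern": 0.5, "user_behavior": 0.2, "environmental_context": 0.3}},
    {"id": "A2", "factors": {"asset_criticality": 0.2, "historical_pattern": 0.1, "user_behavior": 0.1, "environmental_context": 0.5}},
    {"id": "A3", "factors": {"asset_criticality": 0.5, "historical_pattern": 0.8, "user_behavior": 0.9}},
]
```

Note that A1 scores in the "high" band on weights alone and is only marked critical by the escalation rule, which is the point of keeping rules separate from the weighted score.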

Service Tier Capabilities

Capability                | Detect        | Respond          | Hunt
--------------------------|---------------|------------------|------------------------
Automated Triage          | Yes           | Yes              | Yes
AI-Powered Analysis       | Basic scoring | Advanced context | Premium + custom models
Custom Triage Rules       | No            | Limited          | Yes
Historical Analysis Depth | 7 days        | 90 days          | 2 years