Investigation Guide

How to investigate an alert like an analyst

The repeatable workflow behind every SOC Mission — the same loop real analysts run every shift.

1. Triage the alert

Read the detection carefully. What fired, on which host, for which user, and why? Assign a preliminary severity and rule out obvious false positives before diving deep.

2. Gather context

Pivot from the alert to raw telemetry. Pull process trees, authentication events, and recent activity for the host and user to understand what 'normal' looks like.

3. Enrich indicators

Check hashes, domains, and IPs against threat intelligence. A single enriched IOC often turns an ambiguous alert into a clear verdict.

4. Build a timeline

Order the evidence chronologically. Reconstructing the sequence of events reveals the attacker's path and the true scope of the incident.

5. Decide & escalate

Reach a verdict: true positive or false positive. If it's real, contain what you can and escalate with a clear, evidence-backed summary.

6. Document & learn

Write concise notes on what you found and how. Good documentation feeds detection engineering and makes your next investigation faster.
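A compact run of steps 2 through 6 over sample data, as an added example that is not part of the original guide: the alert, the host telemetry, the threat-intel feed, the baseline of normal parent processes and the ATT&CK technique mapping are all constructed assumptions for illustration, and every host, user, hash and IP is made up.

```python
# Added example (not from the page): the six-step loop run over constructed
# telemetry. Host, user, hashes and IPs below are made-up sample values.
ALERT = {"rule": "Office app spawned PowerShell", "host": "WS-042", "user": "jdoe",
         "pid": 4412, "time": "2024-05-01T09:14:05Z"}
EVENTS = [  # constructed raw telemetry, deliberately out of order
    {"time": "2024-05-01T09:14:09Z", "type": "network", "host": "WS-042",
     "pid": 4412, "dst_ip": "203.0.113.9", "domain": "cdn-updates.example"},
    {"time": "2024-05-01T09:13:50Z", "type": "auth", "host": "WS-042",
     "user": "jdoe", "src_ip": "10.0.5.17", "outcome": "success"},
    {"time": "2024-05-01T09:14:05Z", "type": "process", "host": "WS-042",
     "pid": 4412, "image": "powershell.exe", "parent": "winword.exe",
     "sha256": "constructed-hash-0001"},
    {"time": "2024-05-01T09:20:00Z", "type": "process", "host": "WS-017",
     "pid": 900, "image": "powershell.exe", "parent": "explorer.exe",
     "sha256": "constructed-hash-0002"},  # other host: context step must drop it
]
THREAT_INTEL = {"203.0.113.9": "C2 infrastructure (constructed)"}  # assumed feed
NORMAL_PARENTS = {"powershell.exe": {"explorer.exe", "cmd.exe"}}  # baseline of normal

def gather_context(alert, events):
    """Step 2: pivot from the alert to raw telemetry for the same host."""
    return [e for e in events if e["host"] == alert["host"]]

def enrich(events, intel):
    """Step 3: check hashes, domains and IPs against threat intelligence."""
    return {e[k]: intel[e[k]] for e in events
            for k in ("sha256", "domain", "dst_ip") if e.get(k) in intel}

def build_timeline(events):
    """Step 4: order the evidence chronologically (ISO-8601 sorts as text)."""
    return [(e["time"], e["type"]) for e in sorted(events, key=lambda e: e["time"])]

def decide(events, hits):
    """Step 5: verdict from a baseline deviation plus high-fidelity IOC hits."""
    anomalies = [f"{e['parent']} -> {e['image']}" for e in events
                 if e["type"] == "process"
                 and e["parent"] not in NORMAL_PARENTS.get(e["image"], {e["parent"]})]
    # ATT&CK mapping (assumed): T1204.002 User Execution, T1059.001 PowerShell, T1071 C2
    techniques = (["T1204.002", "T1059.001"] if anomalies else []) + (["T1071"] if hits else [])
    severity = "high" if anomalies and hits else "medium" if anomalies or hits else "low"
    return {"true_positive": bool(anomalies or hits), "severity": severity,
            "anomalies": anomalies, "ioc_hits": hits, "attack": techniques}

def investigate(alert, events, intel):
    """Steps 2-5 chained; the returned dict is the evidence-backed summary (step 6)."""
    ctx = gather_context(alert, events)
    verdict = decide(ctx, enrich(ctx, intel))
    verdict["timeline"] = build_timeline(ctx)
    return verdict
```

The returned dict is the escalation summary: verdict, severity, the baseline deviation, the enriched indicator, the technique mapping and the ordered timeline, each traceable to a raw event.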

Analyst tips

Principles that separate good analysts from great ones

1. Always establish a baseline of normal before calling something malicious.

2. One strong indicator beats ten weak ones — prioritize high-fidelity evidence.

3. Map observed behavior to MITRE ATT&CK to communicate clearly.

4. When in doubt, escalate with evidence rather than sitting on uncertainty.

Start your SOC analyst journey today

Create a free account, investigate your first live alert, and get instant feedback from the AI Senior Analyst.