Commit 4bfc809

committed
Incorporates Nastasha's review
1 parent fabef51 commit 4bfc809

1 file changed

+19
-9
lines changed

solutions/security/ai/triage-alerts.md

Lines changed: 19 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -67,35 +67,45 @@ This section shows an example workflow for triaging a specific alert.
6767

6868
**Scenario:** You are investigating an alert: "Multiple Failed Logins Followed by Success - user: jsmith"
6969

70-
**Step 1: Open Alert and Generate Initial Analysis**
70+
:::::{stepper}
71+
72+
::::{step} Open Alert and Generate Initial Analysis
7173
1. From the **Alerts** table, click **View details**.
7274
2. Click **Chat** to open AI Assistant. The alert information is automatically attached.
7375
3. Click the **Alert summarization** quick prompt. AI Assistant shared an initial alert assessment.
76+
::::
7477

75-
**Step 2: Assess Criticality and Context**
78+
::::{step} Assess Criticality and Context
7679
Ask AI Assistant:
80+
7781
- "Is user jsmith typically logging in from [this IP/location]?"
7882
- "Are there other suspicious activities from this user in the last 24 hours?"
7983
- "What's the risk score for the source IP?"
84+
::::
8085

81-
**Step 3: Investigate Related Activity**
86+
::::{step} Investigate Related Activity
8287
If AI Assistant flags concerns, investigate further. Ask AI Assistant to:
88+
8389
- "Generate an {{esql}} query to find all recent activity from user jsmith".
8490
- "Generate an {{esql}} query to find other users logging in from this IP".
91+
::::
8592

86-
**Step 4: Make a Determination**
93+
::::{step} Make a Determination
8794
Based on your initial AI-assisted analysis, determine whether you're dealing with a potential threat:
8895

8996
- **False Positive**: User was traveling, this is expected behavior.
9097
- Immediate action: Add note to alert, close as false positive.
9198
- Future action: Add a rule exception to prevent similar alerts.
92-
93-
- **True Positive**: Behavior indicates a potential attack.
94-
In response to a potential credential compromise, immediately:
99+
100+
- **True Positive**: Behavior indicates a potential attack. In response:
95101
- Escalate according to your organization's incident response plan.
96102
- Create a case to track the investigation.
103+
::::
97104

98-
**Step 5: Document Your Findings**
105+
::::{step} Document Your Findings
99106
1. From AI Assistant, click **Add to case** on key messages.
100107
2. Go to **Cases**, add your case notes.
101-
3. Go back to the alert and change its status to `Acknowledged`.
108+
3. Go back to the alert and change its status to `Acknowledged`.
109+
::::
110+
111+
:::::
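Review bot: the rewritten True Positive bullet (`- **True Positive**: Behavior indicates a potential attack. In response:`) loses the two things the removed line carried: that the scenario is a potential credential compromise and that the response is immediate. Given that the alert under triage is "Multiple Failed Logins Followed by Success", that phrase is what tells the reader why escalation and a case are warranted, so consider `- **True Positive**: Behavior indicates a potential credential compromise. Respond immediately:` before the two nested actions. A smaller point in the same hunk: the unchanged context line `AI Assistant shared an initial alert assessment.` under the first step is past tense among otherwise present-tense instructions; `shares` would match the surrounding steps, though this commit does not touch that line.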
