
Alert Triage Workflow

The alert triage workflow is the core SOC procedure. Every new alert moves through a defined lifecycle from detection to resolution.

Alert Lifecycle

New → Acknowledged → Investigating → [Escalated →] Resolved
↘ Closed (false positive)

1. New

An alert enters the queue in the New state and appears in the alert feed, which is sorted by severity.

SLA clock starts when the alert is created.

2. Acknowledged

Pressing A or clicking Acknowledge assigns the alert to the current analyst and starts the investigation timer.

Action: Acknowledge within the SLA window for the severity level.

3. Investigating

The analyst is actively working the alert. The investigation panel is open. Evidence is being collected.

Actions:

  • Open related logs: L
  • Run a linked playbook: P
  • Add investigation notes: N
  • View AI system context: C

4. Escalated

The alert requires senior analyst or IR team involvement.

Escalation triggers:

  • Confirmed security incident (prompt injection, data exfiltration)
  • Alert affects a critical AI system
  • Alert has had no state change for 2× the SLA window of its severity level
  • Policy violation at board-reportable severity

Action: Press E to escalate. Select escalation path (SOC Lead, IR Team, CISO).

5. Resolved

The alert has been addressed. The AI system behavior has returned to normal or the threat has been contained.

Required before resolution:

  • Root cause documented
  • Affected systems identified
  • Remediation action taken or scheduled
  • SIEM/ticketing system updated

Action: Press R to resolve. Fill resolution form.

Closed (False Positive)

The alert was not a genuine governance violation or security event.

Action: Press X to close. Select false positive reason from dropdown. Optionally suppress similar alerts for 24h.

Triage Decision Tree

1. Read the alert summary and severity
2. Acknowledge the alert (A) so it is assigned to you and the SLA window is met
3. Is this a known benign pattern? → Close as false positive (X)
4. Is this a policy violation or a security event?
- Policy violation → investigate per the linked playbook; no escalation required unless one of the escalation triggers above applies
- Security event → escalate immediately (E) and keep collecting evidence
5. Open the investigation panel (Tab or click)
6. Review:
- Alert context (what was the AI input/output?)
- Historical alerts for this system
- System assessment score
- Recent score changes
7. Determine the root cause
8. Take remediation action or escalate
9. Document and resolve (R)
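The lifecycle states, the escalation triggers, the resolution checklist and the 24h suppression described above can be expressed as a small state machine. The following is an added example written for this page, not the product's own code or API: the SLA windows per severity, the alert field names, the choice of "critical" as the board-reportable severity, and keying "similar alerts" on (alert type, system) are all assumptions, and the reference clock T0 is constructed so the scenario runs offline.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Acknowledgement SLA per severity in minutes: an assumption for the example,
# the page does not publish the real windows.
ACK_SLA_MINUTES = {"critical": 15, "high": 60, "medium": 240, "low": 1440}
# Alert types the page lists as confirmed security incidents.
SECURITY_EVENT_TYPES = {"prompt_injection", "data_exfiltration"}
# Severity treated as board-reportable (assumption for the example).
BOARD_REPORTABLE_SEVERITY = "critical"
REQUIRED_RESOLUTION_FIELDS = ("root_cause", "impact", "remediation")

# Legal transitions from the lifecycle diagram. Closed is modelled as
# reachable from every open state; Resolved and Closed are terminal.
TRANSITIONS = {
    "New": {"Acknowledged", "Closed"},
    "Acknowledged": {"Investigating", "Closed"},
    "Investigating": {"Escalated", "Resolved", "Closed"},
    "Escalated": {"Resolved", "Closed"},
    "Resolved": set(),
    "Closed": set(),
}

# Constructed reference clock so the scenario is reproducible offline.
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)

def at(minutes):
    """Wall-clock time `minutes` after T0."""
    return T0 + timedelta(minutes=minutes)

@dataclass
class Alert:
    alert_id: str
    severity: str           # critical | high | medium | low
    alert_type: str         # e.g. "prompt_injection" or "policy_violation"
    system: str             # affected AI system (field names are assumed)
    critical_system: bool   # is the affected system tagged critical?
    created_at: datetime    # the SLA clock starts here
    state: str = "New"
    assignee: Optional[str] = None
    last_progress: Optional[datetime] = None   # time of the last state change
    resolution: dict = field(default_factory=dict)

    def sla(self):
        return timedelta(minutes=ACK_SLA_MINUTES[self.severity])

def is_legal(alert, new_state):
    return new_state in TRANSITIONS[alert.state]

def transition(alert, new_state, now):
    """Advance the alert, rejecting moves the lifecycle diagram does not allow."""
    if not is_legal(alert, new_state):
        raise ValueError(f"{alert.alert_id}: {alert.state} -> {new_state} is not allowed")
    alert.state, alert.last_progress = new_state, now

def acknowledge(alert, analyst, now):
    """Assign the alert; returns True when acknowledged inside the SLA window."""
    transition(alert, "Acknowledged", now)
    alert.assignee = analyst
    return now - alert.created_at <= alert.sla()

def escalation_reasons(alert, now):
    """Evaluate the four escalation triggers; an empty list means none fired."""
    reasons = []
    if alert.alert_type in SECURITY_EVENT_TYPES:
        reasons.append("confirmed security incident")
    if alert.critical_system:
        reasons.append("critical AI system affected")
    last = alert.last_progress or alert.created_at
    if alert.state not in ("Resolved", "Closed") and now - last > 2 * alert.sla():
        reasons.append("no progress in 2x SLA")
    if alert.alert_type == "policy_violation" and alert.severity == BOARD_REPORTABLE_SEVERITY:
        reasons.append("board-reportable policy violation")
    return reasons

def missing_resolution_fields(form):
    return [f for f in REQUIRED_RESOLUTION_FIELDS if not form.get(f)]

def resolve(alert, form, now):
    """Resolve only when the resolution form carries every required field."""
    missing = missing_resolution_fields(form)
    if missing:
        raise ValueError(f"{alert.alert_id}: resolution form missing {missing}")
    transition(alert, "Resolved", now)
    alert.resolution = dict(form)

# Optional 24h suppression after a false-positive close. "Similar" is keyed
# on (alert_type, system); that key is an assumption.
SUPPRESSED_UNTIL = {}

def close_false_positive(alert, reason, now, suppress=True):
    transition(alert, "Closed", now)
    alert.resolution = {"false_positive_reason": reason}
    if suppress:
        SUPPRESSED_UNTIL[(alert.alert_type, alert.system)] = now + timedelta(hours=24)

def is_suppressed(alert, now):
    until = SUPPRESSED_UNTIL.get((alert.alert_type, alert.system))
    return until is not None and now < until
```

The stale-alert trigger is measured from the last state change rather than from creation, so an alert that was acknowledged on time but then sat in Investigating still surfaces after 2× its SLA; resolved and closed alerts are excluded so they never re-trigger. Note that the triggers are evaluated independently and several can fire at once, which is why the function returns a list rather than a single path.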

Investigation Panel

The investigation panel opens when you select an alert. It contains the following sections:

Section     Content
Summary     Alert type, severity, system affected, time
Evidence    The triggering input/output and the policy that fired
Context     AI system details, assessment score, recent events
History     Previous alerts for this system (last 30 days)
Notes       Analyst investigation notes (markdown)
Actions     Acknowledge, Escalate, Resolve, Close, Suppress
Playbooks   Linked response playbooks for this alert type

Resolution Form

When resolving an alert, complete the resolution form:

  • Root cause — what caused the alert?
  • Impact — what systems or data were affected?
  • Remediation — what action was taken?
  • Prevention — is a policy or rule change needed?
  • Ticket ID — linked incident ticket (optional)

Resolution data feeds into the weekly SOC metrics report and SIEM correlation.