Performing Alert Triage with Elastic SIEM
Overview
Alert triage in Elastic Security is the systematic process of reviewing, classifying, and prioritizing security alerts to determine which represent genuine threats. Elastic's AI-driven Attack Discovery feature can triage hundreds of alerts down to discrete attack chains, but skilled analyst triage remains essential. A structured triage workflow typically takes 5-10 minutes per alert cluster using Elastic's built-in tools.
Prerequisites
- Elastic Security deployed (version 8.x or later)
- Elastic Agent or Beats configured for endpoint and network data collection
- Detection rules enabled and generating alerts
- Elastic Common Schema (ECS) compliance across data sources
- Analyst access to Kibana Security app with appropriate privileges
Alert Triage Workflow
Step 1: Initial Alert Assessment (2 minutes)
When viewing an alert in Elastic Security, review the alert details panel:
Alert Details Panel:
- Rule Name and Description
- Severity and Risk Score
- MITRE ATT&CK Mapping
- Host and User Context
- Process Tree (for endpoint alerts)
- Timeline of related eventsKey Fields to Examine First
| Field | Purpose | ECS Field |
|---|---|---|
| Rule severity | Initial priority assessment | kibana.alert.severity |
| Risk score | Quantified threat level | kibana.alert.risk_score |
| Host name | Affected system | host.name |
| User name | Affected identity | user.name |
| Process name | Executing process | process.name |
| Source IP | Origin of activity | source.ip |
| Destination IP | Target of activity | destination.ip |
| MITRE tactic | Attack stage | threat.tactic.name |
Step 2: Context Gathering (3 minutes)
Query Related Events with ES|QL
FROM logs-endpoint.events.*
| WHERE host.name == "affected-host" AND @timestamp > NOW() - 1 HOUR
| STATS count = COUNT(*) BY event.category, event.action
| SORT count DESCFind All Activity from Suspicious User
FROM logs-*
| WHERE user.name == "suspicious-user" AND @timestamp > NOW() - 24 HOURS
| STATS count = COUNT(*), unique_hosts = COUNT_DISTINCT(host.name) BY event.category
| SORT count DESCCheck for Related Alerts from Same Source
FROM .alerts-security.alerts-default
| WHERE source.ip == "10.0.0.50" AND @timestamp > NOW() - 24 HOURS
| STATS alert_count = COUNT(*) BY kibana.alert.rule.name, kibana.alert.severity
| SORT alert_count DESCInvestigate Lateral Movement from Same IP
FROM logs-system.auth-*
| WHERE source.ip == "10.0.0.50" AND event.outcome == "success"
| STATS login_count = COUNT(*), hosts = COUNT_DISTINCT(host.name) BY user.name
| WHERE hosts > 3Step 3: Threat Intelligence Enrichment (2 minutes)
Check indicators against threat intelligence:
FROM logs-ti_*
| WHERE threat.indicator.ip == "203.0.113.50"
| KEEP threat.indicator.type, threat.indicator.provider, threat.indicator.confidence, threat.feed.nameCheck File Hash Against Known Threats
FROM logs-endpoint.events.file-*
| WHERE file.hash.sha256 == "abc123..."
| STATS occurrences = COUNT(*) BY host.name, file.path, user.nameStep 4: Classification Decision (2 minutes)
| Classification | Criteria | Action |
|---|---|---|
| True Positive | Confirmed malicious activity | Escalate to incident, begin containment |
| Benign True Positive | Expected behavior matching rule | Document in alert notes, acknowledge |
| False Positive | Rule triggered on benign activity | Mark as false positive, create tuning task |
| Needs Investigation | Insufficient data for determination | Assign for deeper investigation |
Step 5: Documentation and Escalation (1 minute)
For each triaged alert, document:
- Classification decision with rationale
- Evidence artifacts examined
- Related alerts or investigations
- Recommended next steps
Detection Rules for Triage
Pre-Built Detection Rules
Elastic Security includes 1000+ pre-built detection rules organized by:
- MITRE ATT&CK Tactic: Initial Access, Execution, Persistence, etc.
- Platform: Windows, Linux, macOS, Cloud
- Data Source: Endpoint, Network, Cloud, Identity
Custom Alert Correlation Rule
{
"name": "Multiple Failed Logins Followed by Success",
"type": "threshold",
"query": "event.category:authentication AND event.outcome:failure",
"threshold": {
"field": ["source.ip", "user.name"],
"value": 5,
"cardinality": [
{
"field": "user.name",
"value": 3
}
]
},
"severity": "high",
"risk_score": 73,
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0006",
"name": "Credential Access"
},
"technique": [
{
"id": "T1110",
"name": "Brute Force"
}
]
}
]
}AI-Assisted Triage
Elastic AI Assistant Integration
- Open alert in Elastic Security
- Click AI Assistant panel
- Use quick prompts:
- "Summarize this alert" - Get initial assessment
- "Generate ES|QL query to find related activity" - Expand investigation
- "What are the recommended response actions?" - Get playbook guidance
- "Is this likely a false positive?" - Get AI confidence assessment
Attack Discovery
Elastic's Attack Discovery automatically:
- Groups related alerts into attack chains
- Maps alerts to MITRE ATT&CK kill chain stages
- Filters false positives using ML models
- Prioritizes based on business impact
- Provides narrative summary of the attack
Triage Prioritization Matrix
| Risk Score | Severity | Asset Criticality | Response SLA |
|---|---|---|---|
| 90-100 | Critical | High | 15 minutes |
| 70-89 | High | High | 30 minutes |
| 70-89 | High | Medium | 1 hour |
| 50-69 | Medium | Any | 4 hours |
| 21-49 | Low | Any | 8 hours |
| 1-20 | Informational | Any | 24 hours |
Triage Metrics and KPIs
| Metric | Target | Measurement |
|---|---|---|
| Mean Time to Triage (MTTT) | < 10 minutes | Time from alert creation to classification |
| False Positive Rate | < 30% | False positives / total alerts |
| Escalation Rate | 10-20% | Escalated alerts / total alerts |
| Alert Coverage | > 80% | Triaged alerts / generated alerts per shift |
| Reclassification Rate | < 5% | Changed classifications / total classified |
Verification Criteria
Confirm successful execution by validating:
- [ ] All prerequisite tools and access requirements are satisfied
- [ ] Each workflow step completed without errors
- [ ] Output matches expected format and contains expected data
- [ ] No security warnings or misconfigurations detected
- [ ] Results are documented and evidence is preserved for audit
Compliance Framework Mapping
This skill supports compliance evidence collection across multiple frameworks:
- SOC 2: CC7.1 (Monitoring), CC7.2 (Anomaly Detection), CC7.3 (Incident Identification)
- ISO 27001: A.12.4 (Logging & Monitoring), A.16.1 (Security Incident Management)
- NIST 800-53: AU-6 (Audit Review), SI-4 (System Monitoring), IR-5 (Incident Monitoring)
- NIST CSF: DE.AE (Anomalies & Events), DE.CM (Continuous Monitoring)
Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.
Deploying This Skill with Claw GRC
Agent Execution
Register this skill with your Claw GRC agent for automated execution:
# Install via CLI
npx claw-grc skills add performing-alert-triage-with-elastic-siem
# Or load dynamically via MCP
grc.load_skill("performing-alert-triage-with-elastic-siem")Audit Trail Integration
When executed through Claw GRC, every step of this skill generates tamper-evident audit records:
- SHA-256 chain hashing ensures no step can be modified after execution
- Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
- Trust score impact — successful execution increases your agent's trust score
Continuous Compliance
Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.