Listen to this Post

Introduction:
In the high-stakes environment of a Security Operations Center (SOC), the SIEM console is the nerve center, pulsating with alerts. However, the critical challenge for Tier 1 analysts isn’t just seeing alerts but accurately interpreting them. The fundamental metrics of True Positive, False Positive, True Negative, and False Negative define not only the efficacy of detection rules but also the analyst’s skill in separating the signal from the noise. Mastering this triage process is the bedrock of effective cybersecurity defense, turning raw data into actionable intelligence and preventing alert fatigue from blinding the team to real threats.
Learning Objectives:
- Understand the four core SIEM alert outcomes (TP, FP, TN, FN) and their operational impact.
- Develop a practical, step-by-step methodology for initial alert triage and investigation.
- Learn command-line and tool-specific techniques to gather context and validate alerts, reducing false positives and identifying false negatives.
You Should Know:
- The Four Pillars of Alert Judgment: Defining the Battlefield
Every SIEM alert falls into one of four categories, forming the basis of all SOC metrics. A True Positive (TP) is a correctly identified attack. A False Positive (FP) is an alert triggered by benign activity, constituting investigative “noise.” A True Negative (TN) is the silent majority—normal traffic that rightly raises no alarm. The most dangerous category is the False Negative (FN), a real attack that evades detection, often due to insufficient logging, poor rule tuning, or novel tactics.
Step-by-step guide:
Step 1: Categorize Incoming Alerts. As an alert appears, consciously ask: “Does the initial evidence strongly suggest malice?” If yes, it’s a potential TP. If it looks benign, it’s a candidate for FP.
Step 2: Document Your Rationale. Begin your investigation notes by stating your initial hypothesis (e.g., “Potential FP: Internal scan from authorized IP”).
Step 3: Escalate with Context. When escalating a potential TP, always include the category and the preliminary evidence that supports it.
- The L1 Triage Playbook: Your First 5 Minutes
The initial investigation is crucial. Your goal is to gather enough context to either dismiss the alert (FP), escalate it (TP), or request more information.
Step-by-step guide:
- Correlate with Asset Inventory: Identify the source and destination IPs/hostnames. Are they critical assets (Domain Controller, database server)?
- Check Timestamps & Frequency: Is this a one-off event or part of a burst? Use SIEM time-range queries.
- Enrich with Threat Intel: Paste the indicator (IP, hash, domain) into internal threat intel platforms or trusted OSINT sources like VirusTotal or AlienVault OTX.
- Review Raw Logs: Drill down from the alert to view the original log entries. The SIEM normalization might hide crucial details.
3. Hands-On Investigation: Linux Command-Line Forensics
For alerts involving Linux systems, immediate remote investigation via SSH is key. Use these commands to gather context.
Step-by-step guide:
Check Current & Past Logins: `last` and `lastb` show successful and failed login attempts.
Review Process List: `ps aux –sort=-%cpu | head -20` lists top CPU-consuming processes. Look for unknown binaries.
Examine Network Connections: `ss -tulpn` or `netstat -tulpn` shows listening ports and associated processes.
Search Auth Logs: `sudo grep “Failed password” /var/log/auth.log | tail -50` checks for recent SSH brute-force attempts.
Analyze Suspicious Files: For a file path from an alert, check its hash and attributes: `sha256sum stat <file_path>.
4. Hands-On Investigation: Windows Event Log Analysis
For Windows-based alerts, the Event Viewer is your primary tool, often accessed remotely via PowerShell.
Step-by-step guide:
Pull Security Logs Remotely: Use PowerShell to filter for critical Event IDs from a target machine.
Get-WinEvent -ComputerName "TARGET-PC" -FilterHashtable @{LogName='Security'; ID=4625, 4688} -MaxEvents 20 | Format-List -Property TimeCreated, Message
(Event ID 4625 = failed logon, 4688 = new process creation).
Check for Persistence: Look for unauthorized run keys or scheduled tasks.
Use Built-in Tools: Run `netstat -ano` on the target to map connections to Process IDs (PIDs).
5. The Art of Tuning: Reducing False Positives
FP reduction is a core L1 responsibility. When you identify a recurring FP, document it for rule tuning.
Step-by-step guide:
- Identify the Pattern: Determine the exact condition triggering the FP (e.g., “Alert ‘Suspicious Admin Activity’ triggers for Joe from IT every morning at 9 AM”).
- Gather Evidence: Collect logs showing the benign activity (e.g., Joe’s legitimate admin logon events).
- Propose an Exclusion: Draft a tuning recommendation. Example: “Add an exception to rule RULE_XYZ for user ‘joe.it’ when sourced from the IT VLAN (10.10.10.0/24).”
- Submit via Process: Follow your SOC’s playbook to submit the tuning request to the engineering team. Never disable rules yourself.
-
Hunting the Hidden: Proactive Checks for False Negatives
While FNs are by definition missed, proactive hunting can uncover gaps. This involves looking for activity that should have triggered an alert but didn’t.
Step-by-step guide:
- Review Top Attacker TTPs: Consult the MITRE ATT&CK Framework. Pick a common technique, like T1036 (Masquerading).
- Craft a Proactive Search Query: In your SIEM, search for indicators of that TTP that your current rules might miss. E.g., search for processes executing from user Temp directories:
process.name: ".exe" AND file.path: "/tmp/" OR file.path: "C:\\Users\\\\AppData\\Local\\Temp\\". - Analyze Results: If you find matches that aren’t alerted on, you’ve identified a potential FN scenario. Document and escalate this detection gap.
7. Leveraging Automation: Introduction to SOAR Playbooks
Modern SOCs use Security Orchestration, Automation, and Response (SOAR) platforms to handle repetitive triage steps automatically.
Step-by-step guide:
- Understand the Trigger: A SOAR playbook activates when a specific SIEM alert is generated (e.g., “Malware Hash Detected”).
- Follow Automated Steps: The playbook may automatically: a) Enrich the file hash across 3 threat intel feeds, b) Query the endpoint tool to see if the file exists on other systems, c) Generate a ticket, and d) Provide you with a consolidated dashboard of all this data.
- Your Role: The playbook does the data gathering. Your job is to review the automated findings and make the final judgment call: isolate host, dismiss, or escalate further.
What Undercode Say:
- Triage is a Scientific Process, Not Guessing. The difference between a junior and a proficient L1 analyst is the structured, repeatable methodology they apply to every alert, leveraging tools and commands to replace intuition with evidence.
- Your Primary Value is Noise Reduction and Signal Clarification. The SOC’s efficiency depends on L1 analysts accurately filtering out FPs and enriching TPs with vital context before escalation, enabling senior analysts to focus on deep compromise assessment and response.
The systematic approach to alert judgment is what transforms a reactive helpdesk into a proactive security team. The future of L1 work lies not in the elimination of analysts by AI, but in their evolution. As SOAR and AI-driven analytics handle more initial data correlation, the L1 analyst’s role will shift towards supervising these automated systems, investigating complex edge cases, and continuously refining the detection logic—moving from pure triage to becoming a tuner and trainer of the security ecosystem itself. The analyst who masters the fundamentals of alerts, commands, and investigation today is building the critical thinking skills necessary to manage the autonomous SOC of tomorrow.
▶️ Related Video (82% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Varun Bhatt – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


