Alert triage

Definition

The process of reviewing SIEM-generated alerts to determine which are genuine security events and which are false positives. In forensic investigations, alert triage also involves determining which suppressed or dismissed alerts may have indicated the incident at an earlier stage.
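To make the two halves of this definition concrete, here is an added Python example (not part of the original glossary) that runs both steps over a handful of constructed, normalised alerts: a first pass that prioritises open alerts by correlating distinct rules firing on the same host within a short window, and a forensic look-back that re-surfaces dismissed or suppressed alerts which preceded a known incident and share a host or user with it. The 15-minute correlation window, the 7-day look-back, the alert fields and the rule names are all assumptions for illustration, not settings from any particular SIEM.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:
    """One normalised SIEM alert (field names are an assumption for this example)."""
    alert_id: str
    timestamp: datetime
    rule: str
    host: str
    user: str
    status: str  # "open", "dismissed" or "suppressed"


@dataclass(frozen=True)
class Incident:
    """What is known about the confirmed incident at the time of the investigation."""
    start: datetime
    hosts: frozenset
    users: frozenset


# Constructed sample data, not from any real environment.
SAMPLE_ALERTS = [
    Alert("A1", datetime(2024, 3, 1, 8, 0), "Brute-force logon", "ws-17", "alice", "dismissed"),
    Alert("A2", datetime(2024, 3, 1, 8, 5), "New scheduled task", "ws-17", "alice", "suppressed"),
    Alert("A3", datetime(2024, 3, 3, 9, 0), "Port scan", "ws-22", "bob", "dismissed"),
    Alert("A4", datetime(2024, 3, 4, 10, 0), "Outbound beacon", "ws-17", "alice", "open"),
    Alert("A5", datetime(2024, 3, 4, 10, 2), "Credential dumping tool", "ws-17", "alice", "open"),
    Alert("A6", datetime(2024, 3, 4, 10, 30), "Failed logon", "ws-09", "carol", "open"),
]

SAMPLE_INCIDENT = Incident(
    start=datetime(2024, 3, 4, 10, 0),
    hosts=frozenset({"ws-17"}),
    users=frozenset({"alice"}),
)


def prioritise_open_alerts(alerts, window=timedelta(minutes=15)):
    """Triage pass: an open alert whose host also raised a *different* rule within
    the window is escalated to "investigate"; an isolated alert is left at "review".
    The single-host, distinct-rule heuristic is an assumption for this example."""
    open_alerts = [a for a in alerts if a.status == "open"]
    priorities = {}
    for a in open_alerts:
        related = [
            b for b in open_alerts
            if b is not a
            and b.host == a.host
            and b.rule != a.rule
            and abs(b.timestamp - a.timestamp) <= window
        ]
        priorities[a.alert_id] = "investigate" if related else "review"
    return priorities


def find_missed_precursors(alerts, incident, lookback=timedelta(days=7)):
    """Forensic pass: return dismissed or suppressed alerts that fired before the
    incident start (within the look-back) on an incident host or for an incident
    user, oldest first. These are the alerts that may have flagged the incident earlier."""
    earliest = incident.start - lookback
    hits = [
        a for a in alerts
        if a.status in ("dismissed", "suppressed")
        and earliest <= a.timestamp < incident.start
        and (a.host in incident.hosts or a.user in incident.users)
    ]
    return sorted(hits, key=lambda a: a.timestamp)


if __name__ == "__main__":
    for alert_id, priority in prioritise_open_alerts(SAMPLE_ALERTS).items():
        print(f"{alert_id}: {priority}")
    for a in find_missed_precursors(SAMPLE_ALERTS, SAMPLE_INCIDENT):
        print(f"missed precursor {a.alert_id} ({a.status}) at {a.timestamp}: {a.rule} on {a.host}")
```

On the sample data the two open alerts on ws-17 escalate each other, the lone failed logon on ws-09 stays at "review", and the look-back returns the dismissed brute-force alert and the suppressed scheduled-task alert from three days earlier, which is exactly the kind of earlier signal the definition says a forensic triage should go back and find.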

Related terms

Chain of custody
The documented chronological record of who collected, handled, transferred, and examined a piece of evidence. For digital evidence, chain of custody includes...
Log correlation
The process of matching related events from different log sources using shared attributes such as IP address, username, timestamp, or session ID....
Normalisation
The process of converting log data from different vendors and formats into a common schema so that fields can be compared across...
Retention policy
An organisation's rule specifying how long log data is stored before deletion or archiving. Policies are typically driven by compliance requirements and...
SIEM
Security Information and Event Management. A platform that ingests log streams from multiple sources, normalises them to a common schema, and applies...
