Automated Alert Triage
Stop drowning in alerts. Automate enrichment, scoring, and routing so your team focuses on what matters.
The alert triage problem
A SOC analyst's day looks like this: open alert queue, read alert, copy IOCs into threat intel tools, check context in the SIEM, check if the asset is critical, check if the user is a VIP, decide if it's real or noise, document the decision, move to the next alert. Repeat hundreds of times.
Most of that work is mechanical. The enrichment steps are the same every time. The triage logic follows the same decision tree. Yet analysts do it manually, alert after alert, shift after shift.
The result: alert fatigue, slow response times, inconsistent decisions, and burned-out analysts.
Automating triage with OpenSOAR
OpenSOAR automates the repetitive parts of alert triage while keeping analysts in control of the decisions that matter.
Step 1: Auto-enrichment
When an alert arrives, OpenSOAR automatically enriches it with context from your threat intelligence sources, asset inventory, and identity provider — all in parallel.
import asyncio

@playbook(trigger="alert.created")
async def auto_enrich(alert):
    # Run every lookup concurrently; a slow threat-intel API does not
    # hold up the asset or identity lookups.
    results = await asyncio.gather(
        check_virustotal(alert.file_hash),
        check_abuseipdb(alert.source_ip),
        lookup_asset(alert.hostname),
        lookup_user(alert.username),
    )
    # Merge the four results into one enrichment record on the alert.
    alert.enrichment = combine_results(results)
    await save_alert(alert)

By the time an analyst opens the alert, all the context is already there. No manual lookups needed.
Step 2: Auto-scoring
Based on enrichment results, OpenSOAR calculates a risk score combining threat intel confidence, asset criticality, user risk, and alert source reliability.
Step 3: Auto-routing
- Score > 80: Escalate immediately to senior analyst with full context
- Score 40-80: Queue for analyst review with enrichment summary
- Score < 20: Auto-resolve as false positive with documented reasoning
Analysts only see the alerts that need human judgment. The obvious false positives and the confirmed threats are handled automatically.
Step 4: AI-assisted analysis
For alerts in the middle range (score 40-80), OpenSOAR's AI triage assistant provides an analysis summary and recommended action, giving analysts a head start on investigation.
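The scoring and routing described in Steps 2 and 3, as an added example (not OpenSOAR's own code): the weights, the Enrichment fields and the handling of the 20-40 band the page does not assign are assumptions made here, and the example also records the reasoning behind each routing decision so auto-resolved alerts stay auditable.

```python
from dataclasses import dataclass

# Weights are assumptions for this example, not OpenSOAR's shipped defaults.
WEIGHTS = {"intel": 0.40, "asset": 0.25, "user": 0.20, "source": 0.15}


@dataclass
class Enrichment:
    """Enrichment results, each normalised to 0-100 by the lookup step (assumed)."""
    intel_confidence: int    # threat-intel verdict confidence for the IOCs
    asset_criticality: int   # criticality tier of the host from the asset inventory
    user_risk: int           # user risk from the identity provider (VIP, privileged)
    source_reliability: int  # historical true-positive rate of the alert source


def risk_score(e: Enrichment) -> int:
    """Weighted 0-100 combination of the four enrichment dimensions."""
    raw = (WEIGHTS["intel"] * e.intel_confidence
           + WEIGHTS["asset"] * e.asset_criticality
           + WEIGHTS["user"] * e.user_risk
           + WEIGHTS["source"] * e.source_reliability)
    return int(round(max(0.0, min(100.0, raw))))


def route(score: int) -> str:
    """Apply the page's thresholds: >80 escalate, 40-80 review, <20 auto-resolve.

    The 20-40 band is not assigned on the page; this example sends it to analyst
    review rather than auto-resolving, so an unassigned score never silences an
    alert (assumption, not documented OpenSOAR behaviour).
    """
    if score > 80:
        return "escalate"
    if score >= 40:
        return "analyst_review"
    if score >= 20:
        return "analyst_review"   # unassigned band: fail towards a human
    return "auto_resolve"


def triage(e: Enrichment) -> dict:
    """Score, route, and record the reasoning for the decision."""
    score = risk_score(e)
    queue = route(score)
    reason = (f"score={score} (intel={e.intel_confidence}, asset={e.asset_criticality}, "
              f"user={e.user_risk}, source={e.source_reliability}) -> {queue}")
    return {"score": score, "queue": queue, "reason": reason}


if __name__ == "__main__":
    # Constructed sample: high-confidence intel on a critical host used by a VIP.
    print(triage(Enrichment(95, 90, 80, 70))["reason"])
```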
Results
- 80%+ reduction in manual triage time
- Consistent decisions — every alert is triaged by the same logic
- Faster MTTR — critical alerts are escalated in seconds, not hours
- Better analyst retention — analysts work on interesting investigations, not repetitive lookups
Common alert sources
OpenSOAR ingests alerts from any source via webhooks or polling:
- SIEMs: Elastic Security, Splunk, Microsoft Sentinel
- EDR: CrowdStrike, SentinelOne, Microsoft Defender
- Cloud: AWS GuardDuty, Azure Security Center, GCP Security Command Center
- Email: Proofpoint, Mimecast, Microsoft Defender for Office 365
- Network: Suricata, Zeek, Palo Alto firewalls
Ready to automate your alert triage? Deploy OpenSOAR free →
One command. No credit card.
Apache 2.0 licensed. Self-host on your infrastructure. No feature gates, no per-action billing, no vendor lock-in. Your playbooks are yours.
curl -fsSL https://opensoar.app/install.sh | sh