Use Case

Automated Alert Triage

Stop drowning in alerts. Automate enrichment, scoring, and routing so your team focuses on what matters.

The alert triage problem

A SOC analyst's day looks like this: open alert queue, read alert, copy IOCs into threat intel tools, check context in the SIEM, check if the asset is critical, check if the user is a VIP, decide if it's real or noise, document the decision, move to the next alert. Repeat hundreds of times.

Most of that work is mechanical. The enrichment steps are the same every time. The triage logic follows the same decision tree. Yet analysts do it manually, alert after alert, shift after shift.

The result: alert fatigue, slow response times, inconsistent decisions, and burned-out analysts.

Automating triage with OpenSOAR

OpenSOAR automates the repetitive parts of alert triage while keeping analysts in control of the decisions that matter.


Step 1: Auto-enrichment

When an alert arrives, OpenSOAR automatically enriches it with context from your threat intelligence sources, asset inventory, and identity provider — all in parallel.

auto_enrich.py
import asyncio

from opensoar import add_current_alert_comment, playbook, update_current_alert

# check_virustotal, check_abuseipdb, lookup_asset and lookup_user are your own
# async enrichment helpers; combine_results formats their output. They are
# environment-specific and not shown here.

@playbook(
    trigger="webhook",
    conditions={"severity": ["medium", "high", "critical"]},
)
async def auto_enrich(alert):
    # Fan out every lookup at once instead of running them one after another.
    results = await asyncio.gather(
        check_virustotal(alert.get("file_hash")),
        check_abuseipdb(alert.get("source_ip")),
        lookup_asset(alert.get("hostname")),
        lookup_user(alert.get("username")),
    )

    # Record the state change with its reasoning so the decision is documented.
    await update_current_alert(
        status="in_progress",
        determination="suspicious",
        reason="Parallel enrichment completed; ready for analyst review",
    )
    await add_current_alert_comment(
        f"Enrichment complete: {combine_results(results)}"
    )

By the time an analyst opens the alert, all the context is already there. No manual lookups needed.

Step 2: AI triage and summarization

OpenSOAR exposes AI endpoints that can summarize an alert and suggest severity, determination, confidence, and reasoning. That gives analysts a much better first-pass view without forcing a separate workflow layer.

ai_triage_api.sh
# Ask for a triage suggestion (severity, determination, confidence, reasoning).
# $ALERT_ID is double-quoted so the JSON body survives word splitting.
curl -X POST http://localhost:8000/api/v1/ai/triage \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"alert_id":"'"$ALERT_ID"'"}'

# Ask for a plain-language summary of the same alert.
curl -X POST http://localhost:8000/api/v1/ai/summarize \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"alert_id":"'"$ALERT_ID"'"}'

Step 3: Confidence-based routing in your playbooks

  • High confidence benign: resolve or down-rank with documented reasoning
  • High confidence suspicious or malicious: move to in_progress and escalate cleanly
  • Mixed or uncertain: leave the alert for analyst review with enrichment and AI context already attached

The important point is that OpenSOAR gives you the building blocks. Your actual routing thresholds and escalation logic stay in code you control.
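The three routes above, as an added example of the routing code you would keep in your own playbook (not OpenSOAR's own code): it maps an AI triage result with the determination, confidence and reasoning fields the page describes onto a route, and the threshold values, the Routing class and route_alert are assumptions to tune for your environment. It fails closed: a missing or malformed confidence never auto-resolves an alert.

```python
from dataclasses import dataclass

# Assumed thresholds; adjust per environment after measuring false-positive rates.
BENIGN_AUTO_RESOLVE = 0.90   # benign at or above this: resolve with reasoning
MALICIOUS_ESCALATE = 0.80    # suspicious/malicious at or above this: escalate


@dataclass(frozen=True)
class Routing:
    status: str          # "resolved", "in_progress" or "new"
    determination: str   # what gets recorded on the alert
    escalate: bool       # whether to page the on-call / open an incident
    reason: str          # documented reasoning for the decision


def route_alert(triage: dict) -> Routing:
    """Map an AI triage result onto one of the three routes (Step 3)."""
    determination = str(triage.get("determination") or "").lower()
    reasoning = triage.get("reasoning") or "no reasoning supplied"
    try:
        confidence = float(triage.get("confidence", 0.0))
    except (TypeError, ValueError):
        confidence = 0.0
    # Out-of-range or NaN confidence is treated as "no confidence" so that
    # bad input can only ever route to an analyst, never to auto-resolve.
    if not 0.0 <= confidence <= 1.0:
        confidence = 0.0

    if determination == "benign" and confidence >= BENIGN_AUTO_RESOLVE:
        return Routing("resolved", "benign", False,
                       f"Auto-resolved at confidence {confidence:.2f}: {reasoning}")
    if determination in ("suspicious", "malicious") and confidence >= MALICIOUS_ESCALATE:
        return Routing("in_progress", determination, True,
                       f"Escalated at confidence {confidence:.2f}: {reasoning}")
    # Mixed, uncertain, unknown or malformed: leave it for the analyst with
    # the enrichment and AI context already attached.
    return Routing("new", determination or "undetermined", False,
                   f"Left for analyst review (determination={determination or 'none'}, "
                   f"confidence={confidence:.2f}): {reasoning}")
```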

Step 4: AI-assisted analysis

For the alerts that still need humans, AI summaries and reasoning give analysts a head start on investigation instead of forcing them to parse raw payloads first.

Results

  • 80%+ reduction in manual triage time
  • Consistent decisions — every alert is triaged by the same logic
  • Faster MTTR — critical alerts are escalated in seconds, not hours
  • Better analyst retention — analysts work on interesting investigations, not repetitive lookups

Common alert sources

OpenSOAR ingests alerts from any source via webhooks, and playbooks can enrich them against the systems your team already uses:

  • SIEMs: Elastic Security, Splunk, Microsoft Sentinel
  • EDR: CrowdStrike, SentinelOne, Microsoft Defender
  • Cloud: AWS GuardDuty, Azure Security Center, GCP Security Command Center
  • Email: Proofpoint, Mimecast, Microsoft Defender for Office 365
  • Network: Suricata, Zeek, Palo Alto firewalls

Ready to automate your alert triage? Deploy OpenSOAR free →

One command. No credit card.

Apache 2.0 licensed. Self-host on your infrastructure. No feature gates, no per-action billing, no vendor lock-in. Your playbooks are yours.

curl -fsSL https://opensoar.app/install.sh | sh