A practical checklist for alert triage and analyst notes.
This checklist helps new analysts slow down, preserve evidence, and write triage notes that can be reviewed later. It is deliberately simple because first-line SOC work rewards consistency.
1. Confirm the alert context
- Record alert name, source, timestamp, user, host, IP address, and any ticket ID.
- Check whether the alert is new, repeated, or part of a known maintenance window.
- Do not decide severity before looking at the supporting evidence.
2. Preserve the useful evidence
- Capture relevant logs, URLs, hashes, sender details, process names, command lines, and screenshots.
- Keep raw evidence separate from your interpretation.
- For suspicious email, save the original message when possible so headers and attachments are preserved.
3. Test the obvious benign explanations
- Look for expected software updates, scheduled jobs, admin activity, user travel, or known vendor tools.
- Compare the event to normal behavior for the user, host, or application.
- Write down uncertainty instead of hiding it.
4. Escalate with a readable summary
- State what happened, what evidence supports it, what is still unknown, and what you recommend next.
- Include direct links or references to the evidence, not just a conclusion.
- Keep the summary short enough that the next analyst can act on it quickly.
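The four steps above fit naturally into a small note structure that refuses to let an analyst skip them. The following Python is an added example, not code from the page or from any tool it names; the field names, the `TriageNote` class and all sample values (ticket ID, host, timestamp, event reference) are constructed for illustration. It keeps raw evidence separate from interpretation, blocks setting a severity until evidence has been captured and at least one benign explanation has been tested, records unknowns explicitly, and renders the escalation summary in the order the checklist asks for.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Step 1: the context fields every note must carry before it is useful to anyone else.
REQUIRED_CONTEXT = ("alert_name", "source", "timestamp", "user", "host", "ip", "ticket_id")


@dataclass
class Evidence:
    """One raw artifact copied verbatim (step 2: raw evidence stays separate from interpretation)."""
    kind: str        # "log", "hash", "url", "command_line", "email", "screenshot", ...
    value: str       # the artifact itself, unmodified
    reference: str   # where a reviewer can find it: a query, export path or ticket attachment


@dataclass
class TriageNote:
    alert_name: str = ""
    source: str = ""
    timestamp: str = ""
    user: str = ""
    host: str = ""
    ip: str = ""
    ticket_id: str = ""
    evidence: List[Evidence] = field(default_factory=list)
    interpretation: List[str] = field(default_factory=list)   # the analyst's reading of the evidence
    benign_checks: Dict[str, str] = field(default_factory=dict)  # explanation tested -> what was found
    unknowns: List[str] = field(default_factory=list)
    recommendation: str = ""
    severity: Optional[str] = None

    def missing_context(self) -> List[str]:
        """Return the step-1 fields that are still empty."""
        return [f for f in REQUIRED_CONTEXT if not getattr(self, f).strip()]

    def add_evidence(self, kind: str, value: str, reference: str) -> None:
        self.evidence.append(Evidence(kind, value, reference))

    def note(self, text: str) -> None:
        self.interpretation.append(text)

    def check_benign(self, explanation: str, result: str) -> None:
        """Step 3: record each benign explanation considered and what the check showed."""
        self.benign_checks[explanation] = result

    def unknown(self, text: str) -> None:
        self.unknowns.append(text)

    def set_severity(self, level: str) -> None:
        """Step 1 rule: no severity before evidence; step 3 rule: no severity before benign checks."""
        if not self.evidence:
            raise ValueError("severity set before any evidence was captured")
        if not self.benign_checks:
            raise ValueError("severity set before any benign explanation was tested")
        self.severity = level

    def escalation_summary(self) -> str:
        """Step 4: what happened, what supports it, what is unknown, what to do next."""
        lines = [f"[{self.ticket_id or 'NO-TICKET'}] {self.alert_name} "
                 f"(severity: {self.severity or 'not set'})"]
        missing = self.missing_context()
        if missing:
            lines.append("MISSING CONTEXT: " + ", ".join(missing))
        lines.append(f"Context: {self.timestamp} user={self.user} host={self.host} "
                     f"ip={self.ip} source={self.source}")
        lines.append("What happened: " + (" ".join(self.interpretation) or "not yet interpreted"))
        lines.append("Evidence:")
        for e in self.evidence:
            lines.append(f"  - [{e.kind}] {e.value}  (see: {e.reference})")
        lines.append("Benign explanations tested:")
        for explanation, result in self.benign_checks.items():
            lines.append(f"  - {explanation}: {result}")
        lines.append("Still unknown: " + ("; ".join(self.unknowns) or "nothing recorded"))
        lines.append("Recommended next step: " + (self.recommendation or "none given"))
        return "\n".join(lines)


def build_example_note() -> TriageNote:
    """Walk the checklist for one constructed alert; every value here is made up for the example."""
    n = TriageNote(alert_name="Encoded PowerShell command line", source="EDR",
                   timestamp="2024-05-06T09:14:00Z", user="jdoe", host="WS-0142",
                   ip="10.20.30.41", ticket_id="INC-0000")
    n.add_evidence("command_line",
                   "powershell.exe -NoProfile -EncodedCommand <base64 omitted in example>",
                   "EDR process event 48213 (constructed reference)")
    n.check_benign("scheduled job", "Task Scheduler shows a weekly inventory script on this host at 09:14")
    n.check_benign("admin activity", "jdoe is not a member of any admin group")
    n.note("Encoded PowerShell launched at the time of a known scheduled task; likely the inventory script.")
    n.unknown("decoded script content has not yet been reviewed")
    n.recommendation = "decode and review the script; hold at medium until the content is confirmed"
    n.set_severity("medium")
    return n


if __name__ == "__main__":
    print(build_example_note().escalation_summary())
```

Running the module prints the escalation summary for the constructed alert. The two `ValueError`s in `set_severity` are the point of the example: a note that has no evidence or no tested benign explanation cannot carry a severity, which is exactly the mistake steps 1 and 3 warn against.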
Track practice work
Use the Cyber Command Center timer and notes to practice this checklist during labs, CTF writeups, phishing reviews, and incident-response exercises.