Investigating an Alert
The canonical workflow for triaging one alert from the SOC analyst's perspective. Follow this rhythm and most alerts close in under five minutes.
1. Filter the noise out
Open the Alerts page on the Burrow dashboard. The default Active tab is now an honest "needs my attention" queue — alerts the Triage AI judged not real are auto-filtered out, so you start your shift only with things that have not been resolved by either an operator or by the AI's own verdict. (If you ever need to review what the AI dismissed, switch to the Dismissed tab.)
Apply two filter chips at the top:
- Severity — Critical + High to start your shift; expand to Medium once Critical and High are clear.
- Has disposition — set to No so you only see alerts no one has worked yet.
The default lookback window is 24 hours; widen it if you're catching up after time off.
2. Read the alert top to bottom
Click any alert row. The right-side drill drawer opens. Read in this order:
- WHY THIS MATTERS — the AI narrative. Two or three sentences explaining what the rule caught and why it's unusual for this user. The numbers in this paragraph have been verified against the underlying alert. If the AI tried to invent a number, the AI safety check rejected it and you're reading a plain template — the deterministic facts are still correct.
- KEY METRICS — the deterministic evidence table. Counts, bytes, distinct files / sites, geographies. These come straight from Microsoft's audit feed.
- TOP EVIDENCE — a sample of the individual events that contributed: timestamp, IP, operation, file or object.
For most alerts these three together are enough to make a call.
3. Compare against the user's baseline
Click the user's name in the drawer. The Identity dossier opens. Look at the Profile tab:
- The AI summary card at the top — 2–4 sentence description of the user's typical behaviour.
- The behavioural baseline line — today's event count, the user's mean and standard deviation, today's z-score, today's status (normal / high / low / outlier).
- Top apps, top geographies, typical hours.
The question to answer: is this alert new behaviour for this user, or does it fit their pattern?
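To make the baseline line concrete, here is an added worked example (constructed data, not Burrow's own code) that computes the mean, standard deviation, z-score and status from a user's daily event counts. The page names the four statuses but not the cut-offs or the estimator, so the two-sigma / three-sigma thresholds, the population standard deviation, the seven-day minimum history and the handling of a perfectly regular user (zero standard deviation) are all assumptions of this example.

```python
"""Behavioural-baseline z-score for one user, one day.

Added illustration built from the Profile tab description; constructed
input, not the product's own code or data.
"""
import math
import statistics
from dataclasses import dataclass
from typing import Sequence

# Assumed cut-offs: the page lists the statuses (normal / high / low / outlier)
# but not the thresholds, so two and three sigma are used here as an assumption.
HIGH_LOW_Z = 2.0
OUTLIER_Z = 3.0
MIN_HISTORY_DAYS = 7  # assumed: fewer days than this is not a usable baseline


@dataclass(frozen=True)
class Baseline:
    mean: float
    stdev: float
    today: int
    z: float
    status: str


def baseline_status(history: Sequence[int], today: int) -> Baseline:
    """Compare today's event count with the user's per-day history.

    history: one integer per prior day. Population standard deviation is an
    assumption; the page does not say which estimator the dossier uses.
    """
    if len(history) < MIN_HISTORY_DAYS:
        raise ValueError(
            f"need at least {MIN_HISTORY_DAYS} days of history, got {len(history)}"
        )
    mean = statistics.fmean(history)
    stdev = statistics.pstdev(history)
    delta = today - mean
    if stdev == 0.0:
        # A perfectly regular user (a scheduled job, say) has no spread at all,
        # so any deviation is unbounded in sigma terms: report it as an outlier
        # instead of dividing by zero.
        z = 0.0 if delta == 0 else math.copysign(math.inf, delta)
    else:
        z = delta / stdev

    if abs(z) >= OUTLIER_Z:
        status = "outlier"
    elif z >= HIGH_LOW_Z:
        status = "high"
    elif z <= -HIGH_LOW_Z:
        status = "low"
    else:
        status = "normal"
    return Baseline(mean, stdev, today, z, status)


# Constructed ten-day history for a hypothetical user; not real audit data.
SHANE_HISTORY = [12, 15, 11, 14, 13, 16, 12, 15, 14, 13]

if __name__ == "__main__":
    for today in (14, 17, 10, 19):
        b = baseline_status(SHANE_HISTORY, today)
        print(
            f"today={b.today:2d} mean={b.mean:.1f} sd={b.stdev:.2f} "
            f"z={b.z:+.2f} -> {b.status}"
        )
```

With the constructed history the mean is 13.5 and the standard deviation 1.5, so 14 events reads as normal, 17 as high, 10 as low and 19 as an outlier. The zero-spread branch matters for service accounts: a job that always produces exactly the same count should surface as an outlier on the first day it does anything else, which is the "is this new behaviour for this user?" question in numeric form.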
4. (Optional) ask the per-alert Chat
Inside the drill drawer is a Chat tab. Type a free-form question like "Did Shane do anything like this in the last 30 days?" The AI answers with the user's profile plus recent events as context. Every Q&A is persisted to that alert, so the next SOC shift sees prior conversations and doesn't repeat investigations.
5. (Optional) widen the context with Forage
If you need more than the dossier shows, open Forage and search the user for the last 24 hours. Filter by op class (Download, Delete, Share, Permission, Label, Access) to narrow.
6. Decide
In the drawer, click one of:
- Real — escalates, keeps the alert visible, feeds the daily pattern detector.
- Not real — closes the alert, suppresses future emails for the same (user, category) pair, and feeds the tuning advisor (which may later suggest raising the threshold for that rule on that user).
- Maybe — keeps the alert open for the next shift.
The disposition is recorded against the (user, category) pair, logged on the History page with your analyst identity, and visible to the next shift.
7. (When appropriate) add an entity exception
If you can see on first read that the same (user, category) pair is permanent noise — a service account, a known scheduled job, a vendor automation — you have two fast paths straight from the Alerts page row without opening the Exceptions form:
- Suppress pair icon (shield-with-slash) — creates a suppress exception for this user + category. Future alerts of the pair stop firing.
- Downgrade pair icon (down-arrow-circle) — creates a downgrade exception. Future alerts of the pair drop one severity tier before the email gate decides.
Either click stamps your operator identity on the exception and writes a row to the History page. These are distinct from Dismiss, which only acts on the single alert in front of you. See Suppress and Downgrade pair actions for the full behaviour, the Downgrade caveat, and how to reverse.
For more complex patterns (wildcards across multiple users, a whole tenant of bots, an app@sharepoint* style match), open the Exceptions page and Add Exception manually. See Entity exceptions for the full pattern syntax.
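The interplay between dispositions (step 6) and entity exceptions (step 7) is easier to see as code. The following is an added example with constructed data, modelling the behaviour the page describes rather than Burrow's own implementation: a suppress exception stops the alert firing, a downgrade exception drops it one severity tier before the email gate, and a prior "Not real" disposition on the same (user, category) pair lets the alert fire but holds the email. The pattern syntax is modelled with shell-style wildcards, the "Low" tier, the High-and-above email gate, case-insensitive matching and applying at most one downgrade per alert are all assumptions of this example.

```python
"""Evaluate one incoming alert against entity exceptions and prior dispositions.

Added illustration with constructed data; models the page's description of
suppress / downgrade / Not real, not the product's own code.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Iterable, Optional, Set, Tuple

# "Low" is assumed; the page names Critical, High and Medium only.
SEVERITY_TIERS = ["Critical", "High", "Medium", "Low"]
EMAIL_GATE_MIN = "High"  # assumed: emails go out for this tier and above


@dataclass(frozen=True)
class Alert:
    user: str
    category: str
    severity: str


@dataclass(frozen=True)
class EntityException:
    user_pattern: str      # wildcard pattern, e.g. "app@sharepoint*" (syntax assumed)
    category_pattern: str  # "*" matches every category
    action: str            # "suppress" or "downgrade"


def _matches(exc: EntityException, alert: Alert) -> bool:
    # Case-insensitive wildcard match on both parts of the (user, category) pair.
    return fnmatchcase(alert.user.lower(), exc.user_pattern.lower()) and fnmatchcase(
        alert.category.lower(), exc.category_pattern.lower()
    )


def downgrade(severity: str) -> str:
    """Drop one tier; the lowest tier stays where it is (assumed floor)."""
    idx = SEVERITY_TIERS.index(severity)
    return SEVERITY_TIERS[min(idx + 1, len(SEVERITY_TIERS) - 1)]


def evaluate(
    alert: Alert,
    exceptions: Iterable[EntityException],
    not_real_pairs: Set[Tuple[str, str]],
) -> Tuple[str, Optional[str]]:
    """Return (outcome, effective_severity).

    outcome is one of:
      "suppressed"   - a suppress exception matched, the alert never fires
      "alert+email"  - the alert fires and passes the email gate
      "alert-only"   - the alert fires but no email is sent
    """
    severity = alert.severity
    downgraded = False
    for exc in exceptions:
        if not _matches(exc, alert):
            continue
        if exc.action == "suppress":
            return ("suppressed", None)
        if exc.action == "downgrade" and not downgraded:
            severity = downgrade(severity)  # applied before the email gate
            downgraded = True

    # A prior "Not real" click on this exact pair holds future emails
    # but does not stop the alert itself from firing.
    if (alert.user, alert.category) in not_real_pairs:
        return ("alert-only", severity)
    if SEVERITY_TIERS.index(severity) <= SEVERITY_TIERS.index(EMAIL_GATE_MIN):
        return ("alert+email", severity)
    return ("alert-only", severity)


# Constructed exceptions and dispositions for hypothetical identities.
EXCEPTIONS = [
    EntityException("app@sharepoint*", "*", "suppress"),
    EntityException("svc-backup@example.com", "Download", "downgrade"),
]
NOT_REAL_PAIRS = {("shane@example.com", "Share")}

if __name__ == "__main__":
    samples = [
        Alert("app@sharepoint-sync", "Download", "Critical"),
        Alert("svc-backup@example.com", "Download", "High"),
        Alert("svc-backup@example.com", "Delete", "High"),
        Alert("shane@example.com", "Share", "Critical"),
        Alert("shane@example.com", "Download", "Critical"),
    ]
    for a in samples:
        print(a.user, a.category, a.severity, "->", evaluate(a, EXCEPTIONS, NOT_REAL_PAIRS))
```

Two things worth noticing in the sample run: the downgrade on the backup account turns a High Download alert into a Medium one that still appears in the queue but no longer emails, whereas the same account's Delete alert is untouched because the exception was scoped to one category. And the Not real disposition on Shane's Share alerts does not affect his Download alerts, which is why step 6 records it against the pair and not the user.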
See also
- Reading the evidence box — anatomy of an alert's evidence panel.
- Using the Identity dossier — every tab and what it tells you.
- Dispositions — what your "not real" click actually does downstream.
Need help? support@smikar.com.