Investigate a cluster of SIEM alerts and determine whether they represent a genuine threat, a false positive, or a coordinated attack pattern requiring escalation.
I need help investigating the following cluster of SIEM alerts:
Environment context:
- SIEM platform:
- Affected systems:
- User context:
- Recent changes:
Please:
1. Triage the alert cluster — genuine threat, false positive, or inconclusive
2. Reconstruct the likely attack chain or user behaviour timeline
3. Map any suspicious activity to MITRE ATT&CK techniques
4. Identify the most critical data points that support or undermine your assessment
5. Recommend the next 3 investigative steps with specific queries or log sources to check
6. Advise on escalation — should this go to Tier 2/3, legal, or management, and why?
7. Draft a brief incident ticket summary I can log immediately
Before starting, identify any gaps in the information I've provided and ask me to fill them.
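As an added worked example (not part of the original template), the following Python script shows what steps 1 through 7 look like when automated over a small alert cluster: it orders the alerts into a timeline, groups them per user and source, looks for the chain "repeated failed logons, then a success, then suspicious execution" within a time window, maps the chain to ATT&CK technique IDs, pulls out the evidence that supports the verdict, proposes the next log sources to check, picks an escalation tier, and emits a one-line ticket summary. The alert records, rule names (`auth_failed`, `auth_success`, `encoded_powershell`), hosts, addresses and the change record are all constructed for the example; the technique IDs are real ATT&CK IDs but the rule-to-technique mapping is an assumption. The extra verdict `suspicious` (chain without the execution step) goes beyond the template's three categories.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alert cluster (illustrative, not real SIEM output):
# a burst of failed logons for one account, a success from the same source,
# then an encoded PowerShell launch on the host that was just logged into.
# A lone failed logon for a service account on a server under a documented
# change is included so the false-positive path is exercised as well.
ALERTS = [
    {"ts": "2024-03-01T02:10:05", "rule": "auth_failed", "user": "jdoe", "host": "WS-017", "src": "10.9.8.7"},
    {"ts": "2024-03-01T02:10:09", "rule": "auth_failed", "user": "jdoe", "host": "WS-017", "src": "10.9.8.7"},
    {"ts": "2024-03-01T02:10:14", "rule": "auth_failed", "user": "jdoe", "host": "WS-017", "src": "10.9.8.7"},
    {"ts": "2024-03-01T02:10:20", "rule": "auth_failed", "user": "jdoe", "host": "WS-017", "src": "10.9.8.7"},
    {"ts": "2024-03-01T02:10:31", "rule": "auth_success", "user": "jdoe", "host": "WS-017", "src": "10.9.8.7"},
    {"ts": "2024-03-01T02:12:02", "rule": "encoded_powershell", "user": "jdoe", "host": "WS-017", "src": "10.9.8.7"},
    {"ts": "2024-03-01T03:00:00", "rule": "auth_failed", "user": "svc_backup", "host": "SRV-02", "src": "10.1.1.5"},
]

# Constructed change record, standing in for the template's "Recent changes" field.
RECENT_CHANGES = {"SRV-02": "backup agent upgrade (change id: placeholder)"}

# Assumed mapping from the constructed rule names to ATT&CK technique IDs.
ATTACK_MAP = {
    "auth_failed": ("T1110", "Brute Force"),
    "auth_success": ("T1078", "Valid Accounts"),
    "encoded_powershell": ("T1059.001", "Command and Scripting Interpreter: PowerShell"),
}

FAIL_THRESHOLD = 3             # failed logons needed before a later success is interesting
WINDOW = timedelta(minutes=5)  # maximum gap allowed between consecutive steps of the chain


def parse_ts(s):
    return datetime.fromisoformat(s)


def build_timeline(alerts):
    """Step 2: order the cluster chronologically."""
    return sorted(alerts, key=lambda a: parse_ts(a["ts"]))


def map_attack(chain):
    """Step 3: translate the rule names on a chain into ATT&CK technique IDs."""
    return sorted({ATTACK_MAP[r][0] for r in chain if r in ATTACK_MAP})


def triage(alerts):
    """Steps 1 and 4: per (user, source) group, look for the chain
    failed logons -> success -> suspicious execution, each step within WINDOW,
    and record the data points that support the verdict."""
    groups = defaultdict(list)
    for a in build_timeline(alerts):
        groups[(a["user"], a["src"])].append(a)

    results = []
    for (user, src), seq in groups.items():
        fails = [a for a in seq if a["rule"] == "auth_failed"]
        successes = [a for a in seq if a["rule"] == "auth_success"]
        execs = [a for a in seq if a["rule"] == "encoded_powershell"]
        verdict, chain, evidence = "inconclusive", [], []

        succ = None
        if len(fails) >= FAIL_THRESHOLD:
            first_fail = parse_ts(fails[0]["ts"])
            succ = next((s for s in successes
                         if timedelta(0) <= parse_ts(s["ts"]) - first_fail <= WINDOW), None)
        if succ:
            chain = ["auth_failed", "auth_success"]
            verdict = "suspicious"
            evidence.append(f"{len(fails)} failed logons then success from {src} "
                            f"within {parse_ts(succ['ts']) - first_fail}")
            follow = next((e for e in execs
                           if timedelta(0) <= parse_ts(e["ts"]) - parse_ts(succ["ts"]) <= WINDOW), None)
            if follow:
                chain.append(follow["rule"])
                verdict = "genuine_threat"
                evidence.append(f"{follow['rule']} on {follow['host']} "
                                f"{parse_ts(follow['ts']) - parse_ts(succ['ts'])} after logon")
        elif all(a["host"] in RECENT_CHANGES for a in seq):
            # No chain, and every alert sits on a host with a documented change.
            verdict = "likely_false_positive"
            evidence.append("all alerts on hosts with a documented change: "
                            + "; ".join(sorted({RECENT_CHANGES[a["host"]] for a in seq})))

        results.append({"user": user, "src": src, "verdict": verdict,
                        "chain": chain, "techniques": map_attack(chain),
                        "evidence": evidence, "hosts": sorted({a["host"] for a in seq})})
    return results


# Step 6: escalation advice keyed on the verdict.
ESCALATION = {
    "genuine_threat": "Escalate to Tier 2/3 now: multi-stage chain on one host",
    "suspicious": "Escalate to Tier 2: credential access followed by a logon, no execution seen yet",
    "inconclusive": "Hold at Tier 1 and collect the missing log sources",
    "likely_false_positive": "Close with reference to the change record; tune the rule if it recurs",
}

# Step 5: which log source to pull next for each step seen on the chain.
NEXT_STEPS = {
    "auth_failed": "authentication logs for the account over the preceding 24h",
    "auth_success": "session/logon logs on the host for the source address",
    "encoded_powershell": "process-creation and script-block logs on the host",
}


def ticket_summary(result):
    """Step 7: one-line ticket text built from a triage result."""
    steps = [NEXT_STEPS[r] for r in result["chain"]] or ["authentication logs for the account"]
    return (f"[{result['verdict']}] user={result['user']} src={result['src']} "
            f"hosts={','.join(result['hosts'])} techniques={','.join(result['techniques']) or 'n/a'} | "
            f"evidence: {'; '.join(result['evidence']) or 'none'} | "
            f"next: {'; '.join(steps[:3])} | {ESCALATION[result['verdict']]}")


if __name__ == "__main__":
    for r in triage(ALERTS):
        print(ticket_summary(r))
```

Running the script prints one ticket line per (user, source) group: the `jdoe` group comes out as `genuine_threat` with techniques T1110, T1078 and T1059.001, while the `svc_backup` group is closed as a likely false positive because its only alert sits on a host with a recorded change. In a real investigation the threshold, window and change records would come from the environment context fields at the top of the template rather than from constants.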