Get Started Free

3.2 Working the Incident Queue

50 minutes · Module 3 · Free

Working the Incident Queue

The incident queue is the starting point of every shift. It shows all active incidents, sorted by severity and time, with filters for status, assignment, service source, and classification. Your job is to process this queue efficiently: triage new incidents, investigate the important ones, and resolve or escalate the rest.

Triage workflow

Triage is not investigation. Triage is the 60-second assessment that determines what happens next: investigate now, investigate later, or close as noise. Speed matters — you are trying to find the incidents that need immediate attention, not solve them all upfront.

INCIDENT TRIAGE WORKFLOWNew incidentappears in queueRead title +alert countCheck entitiesusers, devices, IPsDecide action60 seconds maxInvestigate nowQueue for laterClose / suppressHigh sev + VIP userActive compromiseMedium sev, needs reviewNot time-criticalKnown FP, test alertAlready remediated

Figure 3.2: Triage is a 60-second decision, not a 30-minute investigation. Read the title, check the entities, decide the action.

What to check in 60 seconds:

  1. Incident title — does it describe a known attack pattern? “Multi-stage AiTM phishing” demands immediate attention. “Suspicious inbox rule” needs investigation but is less urgent.
  2. Alert count and sources — multiple alerts from multiple products = higher confidence. A single alert from one product may be noise.
  3. Affected entities — is this a VIP user (executive, admin, finance)? Is it a critical device (domain controller, build server)?
  4. Time — how recent is the most recent alert? An incident that has been active for 6 hours without investigation is more urgent than one that just appeared.
VIP users change everything

A medium-severity alert for a regular user can wait. The same alert for your CFO, a domain admin, or a service account with privileged access cannot. Know your VIP list — if your SOC does not have one, create one. It is the single most effective triage acceleration tool.

Queue filters and sorting

The default queue shows all active incidents sorted by most recent. Useful filters:

  • Status: Active — incidents that need work (exclude resolved/redirected)
  • Severity: High — focus on the most critical first
  • Service source — filter to specific products when investigating a specific type of alert
  • Assigned to: Unassigned — find incidents nobody has picked up yet
  • Classification: Not set — incidents that have not been triaged

Incident classification

After investigation, classify the incident. This feeds back into the detection engine and is critical for tuning:

ClassificationMeaningAction
True PositiveConfirmed malicious activityDocument findings, remediate, close
Informational, expectedLegitimate activity that looks suspiciousClose, consider tuning the detection
False PositiveNot malicious, detection errorClose, create suppression rule
Skipping classification degrades your detections

Every incident you close without classifying is a missed opportunity to improve your detection quality. True positive classifications confirm the detection is working. False positive classifications signal that a rule needs tuning. If you close everything as "resolved" without classification, your detection quality never improves and alert fatigue gets worse.

Alert Tuning

Alert tuning is how you reduce noise over time. An untuned environment generates hundreds of alerts per day. A well-tuned environment generates dozens — and each one matters.

Suppression rules

When you identify a recurring false positive, create a suppression rule that automatically resolves future instances matching the same conditions. Conditions can include: specific alert title, specific user or device, specific IP range, or specific application.

Tuning workflow

  1. Investigate the false positive thoroughly — confirm it is genuinely benign, not just unfamiliar
  2. Identify the specific conditions that make it a false positive (e.g. “this alert fires for a specific service account that runs a scheduled job every hour”)
  3. Create a suppression rule scoped as narrowly as possible — suppress the specific condition, not the entire alert type
  4. Document why the suppression exists (in the rule description) so a future analyst understands the decision
Narrow suppression, not broad suppression

Suppressing all "suspicious inbox rule" alerts because one user creates legitimate rules is dangerous. Suppress the alert for that specific user only. Broad suppression creates blind spots that attackers can exploit.

Triage decision: new incident in the queue

A medium-severity incident appears: "Suspicious sign-in followed by inbox rule creation." It has 2 alerts from 2 products. No VIP users involved. What is your first step?
What do you check first?

Check your understanding

1. An incident contains 8 alerts. After investigation, 6 are genuine and 2 are false positives. What should you do with the false positive alerts?

Delete them
Ignore them
Classify them as false positive and create a narrow suppression rule to prevent recurrence

2. Why should suppression rules be scoped narrowly rather than broadly?

Narrow rules are easier to manage
Broad suppression creates blind spots — if you suppress all "suspicious inbox rule" alerts because one user creates legitimate rules, you miss attackers creating malicious rules
Microsoft requires narrow rules

3. During triage, what factor should make you escalate a medium-severity incident to immediate investigation?

The incident has more than 5 alerts
The incident was created more than 24 hours ago
The affected user is a VIP (executive, domain admin, finance, service account with privileged access)
← 3.3 Advanced Hunting 3.1 Portal Layout and Incident Hierarchy →