Security Operations Center (SOC) Tier-1 Alert Triage Workflow

The workflow ingests raw alerts from SIEM (Splunk, Sentinel), EDR (CrowdStrike, Microsoft Defender), and email security (Proofpoint, M365) platforms via APIs or syslog. An initial agent normalizes the data, extracting key fields (source IP, hash, filename, user) and tagging the alert type (phishing, endpoint detection, network anomaly) for consistent downstream processing. This eliminates manual log sifting and ensures all alerts enter the pipeline in a structured format.

An enrichment agent queries internal CMDBs for asset criticality, checks threat intelligence platforms (TIPs) for known-bad IOCs, and correlates with recent incidents. Using a rules engine and ML scoring, it filters out known false positives (e.g., internal tool traffic, approved administrative activity) and deprioritizes low-fidelity alerts. This reduces the alert volume presented to analysts by 40-60%, focusing effort on genuine threats.

For enriched alerts, a multi-agent system performs automated investigation. One agent may detonate a file hash in a sandbox (Cuckoo, ANY.RUN) via API and parse the behavioral report. Another may query EDR for related process trees or lateral movement attempts on the host. A third uses LLM reasoning to summarize findings and propose a severity score (Critical, High, Medium, Low) based on TTPs and business context.

Based on the triage outcome, the workflow either auto-closes low-risk alerts with an audit log or creates a standardized incident ticket in ServiceNow/Jira with all enrichment and investigation artifacts attached. For high-severity alerts, it triggers a pre-approved SOAR playbook—such as isolating a host via EDR API or blocking an IP at the firewall—and routes the ticket with a clear recommendation to a Tier-2 analyst queue. This ensures consistent response and accelerates containment.

Critical architecture controls include mandatory human review for any automated containment action before execution, configurable based on asset criticality. All agent decisions and evidence are logged to an immutable audit trail. Analysts have a dedicated UI to review, override, or escalate any automated triage decision, ensuring oversight and allowing the system to learn from corrections. Exception alerts are routed to a dedicated queue for manual investigation.

Built using an orchestration framework like LangGraph or Prefect to manage agent state and data flow. Agents are containerized for scaling. Integrations are managed via API clients for Splunk ES, Microsoft Graph Security API, CrowdStrike Falcon, and sandbox vendors. The workflow is deployed as a microservice, emitting metrics (alert volume, auto-triage rate, mean time to triage) to observability platforms like Datadog for continuous tuning and demonstrating ROI in analyst capacity and threat response speed.

Owns the business case for automation, focused on reducing mean time to detect (MTTD) and containing operational cost growth as alert volumes rise. Approves budget for the custom workflow build and defines key risk tolerances for automated decision-making, such as thresholds for auto-closing false positives versus escalating to Tier-2. Success is measured by analyst capacity leverage and reduction in critical alert backlog.

Responsible for the technical design and integration of the agentic workflow. This team selects the orchestration framework (e.g., LangGraph, custom Python), defines the data pipeline from SIEM (Splunk, Sentinel) and EDR platforms, and builds the connectors to sandbox APIs and threat intelligence feeds. They ensure the architecture supports observability, logging, and safe rollback capabilities.

Primary end-users and subject matter experts. They define the triage logic, false-positive patterns, and escalation criteria that the AI agents will codify. Their buy-in is critical; the workflow must act as a force multiplier, handling repetitive enrichment and filtering while presenting clear, contextualized cases for human review. They will pilot the system and provide feedback on alert quality and agent recommendations.

Provides the runtime environment and governance for the automation platform. Manages provisioning for sandbox VMs, secure network segmentation for agent execution, and access to required data sources (logs, CMDB). Ensures the workflow complies with internal change management, patch cycles, and disaster recovery policies. Critical for maintaining system reliability and security.

Ensures the automated workflow produces a defensible audit trail for all actions, especially alert closures and escalations. Defines retention policies for triage logs and agent decision rationale. Reviews the workflow design to ensure it aligns with regulatory requirements (e.g., for data handling, record-keeping) and does not create unacceptable liability from automated false negatives.

Brings specialized expertise in agentic workflow development and security automation patterns. Works alongside internal teams to accelerate build-out, provide best practices for prompt engineering and agent design, and assist with the integration of complex systems like SOAR platforms. Responsible for knowledge transfer and ensuring the delivered system is maintainable by the internal SOC engineering team.