# Signal Triage (SIG)
Signal Triage is the primary analyst workspace. Start here for every new signal.

## 1) Open Signal Triage

Navigate to **Application Records > Signal Triage** and open a signal record from the list.

## 2) Signal Analysis tab

The Signal Analysis tab is your main workspace for investigating each signal. From here you can identify the signal, take quick actions, and review all key fields in one place.

### Identification and quick actions

At the top of the record you can:

- **Claim**: assign the signal to yourself as the current owner. Use this when you are ready to start investigating. Claiming also sets the Time Assigned timestamp for tracking.
- **Re-assign Owner**: transfer ownership to another analyst or team when needed for expertise or workload balancing.
- **Escalate to Case**: create a case linked to this signal when you need sustained investigation and evidence management.

You will also see the signal tracking ID (for example, "SIG 21") with an option to copy the link, timestamps for when the signal was created and last updated (and by whom), and SLA status when an SLA is configured (for example, how much SLA time has been used, with a visual indication as you approach the limit).

### Key fields on the signal record

The record shows essential information about the signal's origin and current state:

- **Time of First Evidence**: when the first piece of evidence was collected. Helps you understand the investigation timeline.
- **First Created / Last Updated**: when the signal was created and last modified. Useful for tracking how long a signal has been in the queue.
- **Current Owner**: who is responsible for investigating this signal. Empty means unassigned.
- **Organization**: which organizational unit owns this signal. Helps in multi-tenant environments.
- **Signal Type**: whether this is an alert, phishing email, or manual triage entry. Different types may have different workflows.
- **Signal Source**: which system generated the alert (for example, "Splunk", "CrowdStrike", "Email Gateway"). Helps you understand the alert's origin and reliability.
- **Intelligence Verdict**: the aggregated threat intelligence verdict (Malicious, Suspicious, Benign, Unknown) based on observable enrichment. It is calculated from your TI providers and gives you an immediate risk assessment.

### Status and classification fields

These fields help you classify and prioritize the signal:

- **Manual Verdict**: your final assessment after investigation (Malicious, Suspicious, Benign, Unknown). This is what you set after reviewing all evidence. The AI verdict is a recommendation; your manual verdict is the authoritative decision.
- **Status**: current workflow state (Processing, New, In Progress, Blocked, Escalated, Closed). Use this to track where the signal is in your investigation process.
- **Priority**: urgency level (P0 to P4); P0 is most urgent. Set this based on severity and business impact.
- **Severity**: technical severity (Critical, High, Medium, Low, Informational, Unknown). Reflects the technical risk level of the threat.
- **Classification**: final disposition (True Positive, False Positive, Unknown). Use this to track whether the alert was valid and to improve future detection.

Once a signal is escalated to a case, Manual Verdict, Status, Priority, Severity, and Classification become read-only on the signal record. Edit these fields from the linked Case Management record; updates sync back to the signal for consistency.

### AI Alert Analysis panel

This is the heart of AI SOC's capabilities. The panel provides AI-powered analysis and investigation guidance.

**Signal summary section.** At the top of the panel, you'll see:

- **Signal Name**: the name or title of the signal.
- **Investigation Summary**: a detailed narrative explaining the AI's analysis, including evidence considered, enrichment status, threat intelligence results, and context from knowledge base articles and historical data.
- **Confidence Score**: a numeric value (0 to 100) indicating how confident the AI is in its assessment.
- **AI Verdict**: the AI's assessment (Malicious, Suspicious, Benign, Unknown), displayed with an icon.

**Action buttons.**

- **Verdict Analysis**: view the detailed analysis supporting the AI verdict.
- **Threat Intelligence Analysis**: review threat intelligence findings.
- **MITRE Analysis**: see MITRE ATT&CK technique and tactic mappings.
- **Reanalyze** button: re-run AI analysis if new evidence is added or conditions change.
- **Escalated to Case** status: shows if the signal has been escalated to a case (for example, "Escalated to Case 2").
- **Generate Remediation Plan** button: create remediation steps for confirmed malicious threats.

**Investigation plan section.** After generating a plan, you'll see:

- **Preparation stage**: initial steps to gather and prepare data (for example, parsing observables).
- **Analysis stage**: investigation steps to analyze the threat (for example, enriching observables, checking endpoints).
- **Determination stage**: final steps to reach a verdict (for example, generating AI analysis).

Each step shows the step description and the tool/component that will execute it, with a **Review** button to preview what the step will do and a **Run** button to execute just this step. A **Run All Steps** button is available for each stage to execute all steps in that phase at once, and a **+ Add Additional Step** link below each stage lets you add custom steps to the plan.

**Automation section.** At the bottom, you'll find:

- A Signal Automation title and description explaining that Hero can help set up automation.
- Option 1: a **Create a Triage Rule** button to create a routing rule that automatically processes similar signals.
- Option 2: a **Create a Playbook** button to have Hero help build a playbook for automated processing.
- A note reminding you to update the knowledge base articles associated with the case, to better inform Hero when creating playbooks.

The AI uses threat intelligence, knowledge base articles, and historical patterns to generate relevant investigation steps. You can modify the plan, add steps, remove steps, or run steps in any order.

### Evidence areas

These areas provide context and evidence to support your investigation:

- **Knowledge Base Articles**: automatically linked articles that match observable patterns or alert characteristics. These provide immediate context about similar threats and investigation procedures. Review these first to understand common patterns.
- **Threat Intelligence**: enrichment results for all observables extracted from the signal. Shows verdicts and risk scores from multiple TI providers. Click through to see detailed enrichment data.
- **Correlation**: related signals that may be part of the same incident. Helps you identify broader attack campaigns and avoid duplicate investigations.
- **Rules**: which routing rules processed this signal and what actions were taken. Useful for understanding how the signal was automatically handled.

### Other tabs

Additional tabs provide more detailed views:

- **Triage Rule** tab: shows which routing rules evaluated this signal and their results.
- **Knowledge Base** tab: quick access to linked KB articles without leaving the signal.
- **Metrics** tab: signal-level performance metrics and summaries.
- **Timeline** tab: shows significant milestones in the signal lifecycle (for example, threat intel returned, correlation completed, priority set, signal resolution). The timeline is informational; clicking a milestone does not trigger an action. Cases also have a timeline.
- **Audit** tab: complete change history showing who did what and when.
- **Support** tab: manual actions and troubleshooting tools.

### 2a) Signal types and lifecycle

Signal Type can be Alert, Phishing, or Triage. New signals typically move from Processing to New, then progress through the rest of your workflow states as they are claimed and resolved.

### 2b) Processing status and status fields

Processing status means threat intel enrichment and signal evaluation (correlation, KB linking, Hero AI analysis) have not yet completed. When both complete, the pending signal resolution flow sets the signal to New, Closed, or Escalated. Do not expect Generate Plan or an AI verdict until the signal has left Processing.

- **Threat Intelligence Status**: shows whether enrichments are pending or complete for the signal.
- **Rule Processing Status**: indicates whether routing rules have been evaluated.
- **Correlation Status**: shows whether correlation is pending, processing, or complete. Correlation runs on a schedule and can also be run manually when needed.

### 2c) Correlation timing

Correlation runs on a schedule (every 10 minutes by default) and evaluates older signals in batches. Records are typically eligible for correlation after a short delay (about 5 minutes) so ingestion and enrichment can complete first. Each run evaluates the oldest eligible signals in a batch (up to 100 at a time) to avoid reprocessing newer records.

### 2d) Triage checklist

- Confirm the signal source is expected and matches the alert type.
- Validate that severity and priority align with the alert context.
- Check the intelligence verdict and observables before taking action.
- Review correlation to avoid duplicate investigations.

## 3) Triage Rule tab

Review the Rule Processed reference table (Tracking ID, Rule Name, Rule Application, Rule Order, Target). Check rule status fields such as Rule Processing Status, Rule Matched, and Rule Last Processed.

## 4) Knowledge Base tab

Review linked KB guidance without leaving the signal record.

## 5) Metrics tab

Review signal-level metrics and summaries relevant to triage.

## 6) Timeline tab

Review event history and signal activity.

## 7) Audit tab

Review record changes and user actions.

## 8) Support tab

The Support tab provides manual actions and visibility controls. Use it to run one-off operations and to avoid accidental edits while reviewing.

**Manual actions** (expand this section in the UI to run any of the following):

- **Correlate**: run correlation for this signal to find related signals and cases. Use when you want to refresh or trigger correlation without waiting for the scheduled run.
- **AI Signal Analysis**: run Hero AI analysis on the signal (for example, to refresh the verdict or summary).
- **Check Threat Intelligence Results**: refresh or open threat intelligence enrichment results for the signal's observables.
- **Run Rules Engine**: re-run routing rule evaluation for this signal. Use when rules have changed or you want to re-match the signal to playbooks.
- **Claim Signal**: assign the signal to yourself as the current owner. Use when you are starting the investigation.
- **Escalate to Case**: create a case linked to this signal and open it for sustained investigation and evidence handling. After escalation, Manual Verdict, Status, Priority, Severity, and Classification are read-only on the signal and must be edited from the case record.

**Other Support tab options:**

- **Read Only**: when enabled, prevents accidental edits while you review signal details. Turn it off when you need to update fields or run actions.
- The Support tab also includes visibility toggles for sections such as Signal Data, Signal Metadata, Case Data, Hero AI Features, Alert Data, and Phishing Email Data. Use these to show or hide areas on the record.

## Where to look first

- Confirm Signal Source, Severity, and Classification.
- Validate the Intelligence Verdict and the quality of the observables.
- Use Generate Plan to build investigation steps.

## Commonly used fields

- Status and Manual Verdict to capture disposition.
- Severity, Priority, and Classification to rank urgency.
- Signal Type, Signal Source, and Organization to confirm origin.
- Intelligence Verdict and observables to validate evidence.
- Current Owner, SLA, First Created, and Last Updated for tracking.

## AI SOC panel behavior

- Shows AI verdicts, threat analysis, and MITRE context.
- Generates investigation and remediation plans and lets you run or review steps.
- Supports automation actions to create triage rules and playbooks.
- Supports role-based visibility and action control for summary, plan, remediation, automation, generate/modify/execute, and marketplace access.

## AI Alert Analysis panel configuration

Configure these options in the AI Alert Analysis panel settings on the signal record layout. Each option can be enabled or disabled and limited to specific roles (or set to allow all roles).

- **Summary section**: show or hide the top summary area.
- **Plan section**: show or hide the investigation plan area.
- **Remediation section**: show or hide remediation steps and the Generate Remediation Plan button.
- **Automation section**: show or hide actions for creating triage rules and playbooks.
- **Generate Plan**: allow or hide the Generate Plan button. Users can still view an existing plan even if this is disabled.
- **Modify Plan**: allow or prevent editing plan steps (reorder, delete, mark done, and select different tools).
- **Execute Plan**: allow or prevent running steps (Run / Run All). Existing results remain visible.
- **Marketplace Components**: control whether plan generation can suggest marketplace components and allow installation from the plan. When disabled, only installed components are available.
- **Remediation Without Malicious Verdict**: optionally allow remediation plan generation even when the verdict is not malicious.

## Detailed workflow

1. Start with signal metadata and triage fields to confirm status, ownership, and severity.
2. Review the evidence areas in order: Knowledge Base > Threat Intelligence > Correlation > Rules.
3. Use Generate Plan to build the investigation steps, then run the Preparation and Analysis steps first.
4. Generate a verdict in Determination, then decide whether to Escalate to Case.
5. If the signal pattern repeats, use Create a Triage Rule or Create a Playbook in Automation.
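The lifecycle rules spread across sections 2a to 2c (a signal leaves Processing only after both TI enrichment and evaluation complete; correlation runs on a schedule over the oldest eligible signals, about 5 minutes old, up to 100 per run) and the read-only rule after Escalate to Case are easier to reason about as a small model. The following Python is an added example written for this page; it is not the product's own code. The `Signal` dataclass, the `rule_outcome` parameter that picks New/Closed/Escalated, and the sample signals are assumptions constructed for illustration.

```python
"""Toy model of the Signal Triage lifecycle described on this page.

Added example, not AI SOC product code. Field names, the rule_outcome
parameter and the sample signals below are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

STATUSES = ("Processing", "New", "In Progress", "Blocked", "Escalated", "Closed")
# Fields that become read-only on the signal once it is escalated to a case.
CASE_OWNED_FIELDS = ("manual_verdict", "status", "priority", "severity", "classification")

CORRELATION_INTERVAL = timedelta(minutes=10)  # default schedule stated on the page
CORRELATION_MIN_AGE = timedelta(minutes=5)    # "about 5 minutes" eligibility delay
CORRELATION_BATCH_SIZE = 100                  # oldest eligible signals per run

NOW = datetime(2024, 1, 1, 12, 0, 0)          # constructed clock for the sample


@dataclass
class Signal:
    tracking_id: str
    created_at: datetime
    signal_type: str = "Alert"            # Alert, Phishing, or Triage
    status: str = "Processing"
    ti_status: str = "pending"            # Threat Intelligence Status
    evaluation_complete: bool = False     # correlation, KB linking, Hero AI analysis
    correlation_status: str = "pending"   # pending, processing, complete
    manual_verdict: str = "Unknown"
    priority: str = "P3"
    severity: str = "Unknown"
    classification: str = "Unknown"
    case_id: Optional[str] = None         # set by escalate_to_case

    def set_field(self, name: str, value: str) -> None:
        """Apply an analyst edit, enforcing the post-escalation read-only rule."""
        if self.case_id is not None and name in CASE_OWNED_FIELDS:
            raise PermissionError(
                f"{name} is read-only on {self.tracking_id}; edit it on {self.case_id}")
        if name == "status" and value not in STATUSES:
            raise ValueError(f"unknown status {value!r}")
        setattr(self, name, value)


def resolve_pending(signal: Signal, rule_outcome: str = "new") -> str:
    """Pending signal resolution flow: the signal leaves Processing only once TI
    enrichment and signal evaluation have BOTH completed. rule_outcome (assumed
    here to come from routing rules) selects New, Closed, or Escalated."""
    if signal.status != "Processing":
        return signal.status
    if signal.ti_status != "complete" or not signal.evaluation_complete:
        return "Processing"  # still processing: no Generate Plan, no AI verdict yet
    signal.status = {"new": "New", "closed": "Closed", "escalated": "Escalated"}[rule_outcome]
    return signal.status


def correlation_batch(signals, now: datetime,
                      min_age: timedelta = CORRELATION_MIN_AGE,
                      batch_size: int = CORRELATION_BATCH_SIZE):
    """One scheduled correlation run: oldest eligible signals first, at most batch_size.
    Signals younger than min_age are skipped so ingestion and enrichment can finish."""
    eligible = [s for s in signals
                if s.correlation_status == "pending" and now - s.created_at >= min_age]
    eligible.sort(key=lambda s: s.created_at)  # oldest first, newer records wait
    batch = eligible[:batch_size]
    for s in batch:
        s.correlation_status = "complete"
    return [s.tracking_id for s in batch]


def escalate_to_case(signal: Signal, case_id: str) -> Signal:
    """Link the signal to a case; case-owned fields are read-only afterwards."""
    signal.case_id = case_id
    signal.status = "Escalated"
    return signal


def sample_signals():
    """Constructed queue: ages 12, 3, 7 and 20 minutes; the last is already correlated."""
    return [
        Signal("SIG 1", NOW - timedelta(minutes=12)),
        Signal("SIG 2", NOW - timedelta(minutes=3)),
        Signal("SIG 3", NOW - timedelta(minutes=7)),
        Signal("SIG 4", NOW - timedelta(minutes=20), correlation_status="complete"),
    ]


def demo() -> dict:
    sigs = sample_signals()
    first_run = correlation_batch(sigs, NOW)          # SIG 1 and SIG 3; SIG 2 too young
    second_run = correlation_batch(sigs, NOW)         # nothing left that is eligible
    s = sigs[0]
    before = resolve_pending(s)                       # TI still pending -> Processing
    s.ti_status, s.evaluation_complete = "complete", True
    after = resolve_pending(s)                        # both complete -> New
    escalate_to_case(s, "Case 2")
    try:
        s.set_field("severity", "High")
        locked = False
    except PermissionError:
        locked = True                                 # must be edited on the case
    return {"first_run": first_run, "second_run": second_run,
            "before": before, "after": after, "locked": locked}


if __name__ == "__main__":
    print(demo())
```

Running the module shows the two effects a new analyst most often trips over: a signal with pending TI never leaves Processing no matter how many times `resolve_pending` is called, and a signal under 5 minutes old is not picked up by a correlation run even when the batch has room.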