AS-301g · Module 3

AI Alert Triage

3 min read

Good news, everyone! AI-specific alerts require AI-specific triage skills. A SOC analyst who is expert at triaging network intrusion alerts may not know what to do with "Agent CLOSER made 47 tool calls in 3 minutes to the CRM API." Is that an attack? A legitimate batch operation? A bug? AI alert triage requires context about normal agent behavior that traditional SOC training does not provide.

Do This

  • Create triage runbooks specific to each AI detection rule — the analyst should know what normal looks like for each alert type
  • Include agent behavioral baselines in the triage documentation — without them, every anomaly looks suspicious
  • Escalate AI alerts to analysts trained in AI-specific threats — generic SOC analysts need supplemental training for AI alerts

Avoid This

  • Route AI alerts through the same generic triage workflow as infrastructure alerts — they require different context
  • Expect analysts to determine normal agent behavior from raw logs — provide pre-computed baselines
  • Ignore AI alerts because the team does not know how to investigate them — that is a training gap, not a de-prioritization decision
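The "47 tool calls in 3 minutes" alert above is only answerable with a pre-computed baseline in hand. The following is an added example, not part of the module or any vendor tooling: it builds a per-agent, per-target, per-hour baseline from a constructed tool-call history (a steady daytime trickle plus a 45-call nightly sync at 02:00), then triages three constructed alerts against it so the analyst sees "within baseline", "anomalous", or "no baseline, escalate" instead of a raw count. The agent name CLOSER and target crm-api are taken from the text; billing-api, the 1.5x tolerance, and the log layout are assumptions for the example.

```python
"""Baseline-aware triage for an agent tool-call alert (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean

WINDOW = timedelta(minutes=3)
EPOCH = datetime(1970, 1, 1)
# Hypothetical threshold: calls above TOLERANCE x the historical max for that hour are flagged.
TOLERANCE = 1.5


@dataclass(frozen=True)
class Alert:
    agent: str
    target: str
    calls: int
    window_start: datetime


@dataclass(frozen=True)
class Triage:
    verdict: str   # NO_BASELINE | WITHIN_BASELINE | ANOMALOUS
    ratio: float   # alert calls / historical max for that hour (0.0 if no baseline)
    note: str


def constructed_history():
    """Seven days of (agent, target, timestamp) tuples: 3 calls per 3-minute window
    during 09:00-17:00 plus a 45-call sync at 02:00. Constructed, not a real log."""
    base = datetime(2024, 1, 1)
    events = []
    for day in range(7):
        day_start = base + timedelta(days=day)
        t = day_start + timedelta(hours=9)
        while t < day_start + timedelta(hours=17):
            for k in range(3):
                events.append(("CLOSER", "crm-api", t + timedelta(seconds=30 * k)))
            t += WINDOW
        t = day_start + timedelta(hours=2)
        for k in range(45):
            events.append(("CLOSER", "crm-api", t + timedelta(seconds=3 * k)))
    return events


def build_baseline(events, window=WINDOW):
    """Pre-compute per (agent, target, hour-of-day) the call counts of every non-empty
    window. Keying by hour lets a scheduled batch be learned as normal for its hour
    instead of being averaged into the whole day."""
    per_window = defaultdict(int)
    for agent, target, ts in events:
        bucket = (ts - EPOCH) // window          # integer window index, timezone-free
        start = EPOCH + bucket * window
        per_window[(agent, target, start.hour, bucket)] += 1
    grouped = defaultdict(list)
    for (agent, target, hour, _), n in per_window.items():
        grouped[(agent, target, hour)].append(n)
    return {k: {"max": max(v), "mean": mean(v), "windows": len(v)} for k, v in grouped.items()}


def triage(alert, baseline, tolerance=TOLERANCE):
    """Enrich the alert with the baseline for the same agent/target/hour and decide."""
    stats = baseline.get((alert.agent, alert.target, alert.window_start.hour))
    if stats is None:
        return Triage("NO_BASELINE", 0.0,
                      f"{alert.agent} has no recorded calls to {alert.target} at "
                      f"{alert.window_start.hour:02d}:00; escalate to an AI-trained analyst")
    ratio = alert.calls / stats["max"]
    if ratio <= tolerance:
        return Triage("WITHIN_BASELINE", ratio,
                      f"{alert.calls} calls is within {tolerance}x the historical max of "
                      f"{stats['max']} for this hour ({stats['windows']} windows observed)")
    return Triage("ANOMALOUS", ratio,
                  f"{alert.calls} calls is {ratio:.1f}x the historical max of {stats['max']} "
                  f"for this hour (mean {stats['mean']:.1f}); investigate")


def demo():
    """Triage three constructed alerts; returns {label: Triage}."""
    baseline = build_baseline(constructed_history())
    cases = {
        "sync-hour-47": Alert("CLOSER", "crm-api", 47, datetime(2024, 1, 8, 2, 0)),
        "afternoon-47": Alert("CLOSER", "crm-api", 47, datetime(2024, 1, 8, 14, 0)),
        "unseen-target": Alert("CLOSER", "billing-api", 6, datetime(2024, 1, 8, 14, 0)),
    }
    return {label: triage(a, baseline) for label, a in cases.items()}


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result.verdict} ({result.note})")
```

The same 47-call count comes out as WITHIN_BASELINE during the sync hour and ANOMALOUS mid-afternoon, which is exactly the distinction the runbook has to hand the analyst; the unseen target produces NO_BASELINE rather than a guess, so the alert routes to someone trained to investigate it instead of being closed for lack of context.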