Triage Process (L1 → L2 → L3)

The triage process defines how SOC teams handle alerts as they move from first-level analysis to deep investigation and threat containment.
It ensures every alert is handled efficiently, escalated properly, and investigated with increasing technical depth.
A well-structured triage process prevents alert fatigue, reduces false positives, and ensures true incidents are escalated quickly.

This chapter explains each triage level at full SOC depth, covering responsibilities, workflows, tools, escalation criteria, and real investigation examples.


Overview of SOC Triage Levels

Triage is divided into three levels:

  • L1 (Initial Triage / Monitoring) → quick validation

  • L2 (Advanced Analysis / Investigation) → deep log analysis

  • L3 (Threat Hunting / IR / Expert Analysis) → root-cause + complete remediation

Each level has different access, responsibilities, and technical requirements.


L1 Triage (Alert Monitoring & First Validation)

L1 analysts are the first responders in the SOC.
Their job is to validate alerts quickly, filter false positives, and escalate only meaningful threats.

Primary Responsibilities

  • Monitor SIEM alerts in real time

  • Validate whether an alert is true or false

  • Gather initial context

  • Check if the user or host is legitimate

  • Review basic logs (authentication, proxy, EDR summaries)

  • Open tickets and escalate when needed

  • Follow pre-built playbooks

L1 does not perform deep investigations; L1 analysts confirm whether something requires one.


What L1 Checks

1. Alert accuracy

Check if the detection triggered on something benign.

Example:

PowerShell alert triggered by IT admin → false positive

2. Basic log context

  • Failed vs successful logins

  • Known admin activity

  • Expected scripts

  • User behavior baseline

3. Reputation checks

  • Domain reputation

  • IP reputation

  • Hash reputation

4. User verification

Confirm if activity is:

  • Expected

  • Approved

  • Part of routine operations

5. Determine escalation need

If anything looks suspicious → escalate to L2.


L1 Escalation Criteria

L1 MUST escalate when:

  • Malware execution found

  • Outbound C2 traffic observed

  • Multiple failed logins followed by a successful login

  • Unknown PowerShell execution

  • DNS tunneling indicators

  • Lateral movement footprints

  • Unauthorized admin activity

  • Any alert involving critical systems

If unclear → escalate.
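The L1 checks and escalation rules above, as an added example (not from the original page) of a first-pass validation routine: the alert is a plain dict, and the admin roster, approved-change list, reputation cache and critical-host list are constructed stand-ins for what L1 would pull from the CMDB, ticketing system and threat-intel portal. The function returns a decision and the reasons, so the ticket records why the alert was closed or escalated.

```python
"""L1 first-pass validation of a SIEM alert (added example, not from the page).

All reference data below is constructed for this example; field names on the
alert dict are assumptions, not any SIEM's schema.
"""
from dataclasses import dataclass, field

# Constructed stand-ins for data L1 would look up in SOC systems.
KNOWN_ADMINS = {"jsmith"}                     # IT admins allowed to run PowerShell
APPROVED_CHANGES = {("jsmith", "SRV-01")}     # (user, host) pairs with an open change ticket
BAD_REPUTATION = {                            # local threat-intel cache (page indicators + constructed)
    "domains": {"beacon.randomdomain.biz"},
    "ips": {"91.22.113.10"},
    "hashes": {"constructed-bad-hash"},
}
CRITICAL_HOSTS = {"DC-01"}                    # any alert on these always escalates

# Alert categories the page lists as mandatory escalations.
ALWAYS_ESCALATE = {
    "malware_execution", "c2_traffic", "dns_tunneling",
    "lateral_movement", "unauthorized_admin",
}


@dataclass
class Decision:
    action: str                                   # "close" or "escalate"
    reasons: list = field(default_factory=list)   # recorded on the ticket


def l1_triage(alert: dict) -> Decision:
    """Apply the L1 checks in order; anything suspicious or unclear escalates."""
    d = Decision(action="escalate")
    user, host, kind = alert.get("user"), alert.get("host"), alert.get("type")

    # Escalation criteria: mandatory alert types and critical systems.
    if kind in ALWAYS_ESCALATE:
        d.reasons.append(f"mandatory escalation type: {kind}")
    if host in CRITICAL_HOSTS:
        d.reasons.append(f"critical system: {host}")

    # Reputation checks on whatever indicators the alert carries.
    for field_name, bucket in (("domain", "domains"), ("dst_ip", "ips"), ("hash", "hashes")):
        value = alert.get(field_name)
        if value and value in BAD_REPUTATION[bucket]:
            d.reasons.append(f"bad reputation: {field_name}={value}")

    # Basic log context: a burst of failures followed by a success.
    failed = alert.get("failed_logins", 0)
    if failed >= 5 and alert.get("successful_login", False):
        d.reasons.append(f"{failed} failed logins followed by success")

    if d.reasons:
        return d                                   # suspicious -> escalate to L2

    # Alert accuracy + user verification: a known admin with an approved
    # change on that host is the benign explanation for a PowerShell alert.
    if kind == "powershell" and user in KNOWN_ADMINS and (user, host) in APPROVED_CHANGES:
        return Decision("close", [f"known admin {user} with approved change on {host}"])

    # No benign explanation found: the page's rule is "if unclear, escalate".
    d.reasons.append("no benign explanation found")
    return d


if __name__ == "__main__":
    for a in (
        {"type": "powershell", "user": "jsmith", "host": "SRV-01"},
        {"type": "powershell", "user": "tjones", "host": "WS-22"},
        {"type": "proxy", "user": "tjones", "host": "WS-22", "domain": "beacon.randomdomain.biz"},
    ):
        print(a, "->", l1_triage(a))
```

The ordering matters: the mandatory-escalation and reputation checks run before the "known admin" shortcut, so a legitimate admin account that is suddenly talking to a bad domain is still escalated rather than closed on the strength of the roster.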


L2 Triage (Deep Investigation & Analysis)

L2 analysts are investigators responsible for performing detailed analysis using all available logs and tools.
Once L1 escalates, L2 performs full root-cause analysis and determines whether an incident exists.

Primary Responsibilities

  • Deep log analysis across all sources

  • Build full attack timeline

  • Confirm compromise

  • Identify root cause

  • Evaluate attacker movement (lateral movement, privilege escalation)

  • Check for persistence

  • Verify scope of breach

  • Recommend containment actions

  • Communicate with L3/IR if needed

L2 owns the investigation and determines what exactly happened.


What L2 Analyzes

L2 checks logs such as:

  • Windows Security logs

  • Sysmon

  • PowerShell logs

  • Linux auth logs

  • Cron/service logs

  • Firewall events

  • IDS/IPS alerts

  • Proxy and DNS logs

  • EDR telemetry

  • Cloud logs (AWS/Azure/GCP)


L2 Workflow (Full SOC Example)

  1. Start with the L1 alert
    Example: encoded PowerShell execution.

  2. Check surrounding logs
    Sysmon:

    WINWORD.exe → powershell.exe
    
  3. Check DNS logs

    beacon.randomdomain.biz
    
  4. Check firewall logs

    outbound 443 → 91.22.113.10
    
  5. Check persistence

    HKCU\Run\Updater = C:\Users\Public\bd.exe
    
  6. Check lateral movement

    Event ID 4624, LogonType 3 (network logon) on other hosts, with the infected host as the source
    
  7. Determine whether this is a confirmed incident
    If malware executed + C2 → incident confirmed.

  8. Recommend immediate containment

    • Isolate endpoint

    • Disable account

    • Block malicious domain/IP

L2 creates the full analytical story.
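The eight-step L2 workflow above, as an added example (not from the original page) that correlates the L1 alert across the log sources the page names: Sysmon process creation, DNS, firewall, a registry Run key, and Windows Security 4624 logons. The event records are constructed, normalized stand-ins for SIEM pulls (field names are assumptions, not any product's schema), and the indicators are the ones quoted on the page. The code walks the host's timeline in order, records each stage, applies the page's rule (execution + C2 confirms an incident) and emits the containment recommendations.

```python
"""L2 correlation of an encoded-PowerShell alert (added example, not from the page)."""

# Constructed events; field names are assumptions. The encoded command line is
# deliberately omitted.
EVENTS = [
    {"ts": "09:02:14", "source": "sysmon", "host": "WS-22", "event_id": 1,
     "parent": "WINWORD.EXE", "image": "powershell.exe", "cmdline": "powershell -enc <omitted>"},
    {"ts": "09:02:16", "source": "dns", "host": "WS-22", "query": "beacon.randomdomain.biz"},
    {"ts": "09:02:17", "source": "firewall", "host": "WS-22", "direction": "out",
     "dst_ip": "91.22.113.10", "dst_port": 443},
    {"ts": "09:03:40", "source": "registry", "host": "WS-22",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\Public\bd.exe"},
    {"ts": "09:10:05", "source": "winsec", "host": "FS-01", "event_id": 4624,
     "logon_type": 3, "src_host": "WS-22"},
    {"ts": "08:55:00", "source": "sysmon", "host": "WS-22", "event_id": 1,
     "parent": "explorer.exe", "image": "WINWORD.EXE", "cmdline": "WINWORD.EXE invoice.docm"},
]

OFFICE = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
RUN_KEYS = ("\\CurrentVersion\\Run\\", "\\CurrentVersion\\RunOnce\\")


def secs(ts):
    """'HH:MM:SS' -> seconds since midnight (sample data spans one day)."""
    h, m, s = map(int, ts.split(":"))
    return h * 3600 + m * 60 + s


def investigate(events, host, window=60):
    """Steps 1-7: build the timeline for one host and record each stage found."""
    f = {"timeline": [], "lateral": []}
    exec_t = None
    for e in sorted(events, key=lambda e: secs(e["ts"])):
        src = e["source"]
        since_exec = None if exec_t is None else secs(e["ts"]) - exec_t
        # Step 2: Office spawning a script host is the execution stage.
        if (src == "sysmon" and e.get("event_id") == 1 and e["host"] == host
                and e["parent"].upper() in OFFICE and e["image"].lower() in SCRIPT_HOSTS):
            exec_t = secs(e["ts"])
            f["execution"] = e
            f["timeline"].append(f"{e['ts']} execution {e['parent']} -> {e['image']}")
        # Steps 3-4: DNS and outbound traffic shortly after the execution.
        elif src == "dns" and e["host"] == host and since_exec is not None and 0 <= since_exec <= window:
            f["dns"] = e
            f["timeline"].append(f"{e['ts']} dns {e['query']}")
        elif (src == "firewall" and e["host"] == host and e.get("direction") == "out"
              and since_exec is not None and 0 <= since_exec <= window):
            f["c2"] = e
            f["timeline"].append(f"{e['ts']} outbound {e['dst_ip']}:{e['dst_port']}")
        # Step 5: Run-key persistence on the host.
        elif src == "registry" and e["host"] == host and any(k in e["key"] for k in RUN_KEYS):
            f["persistence"] = e
            f["timeline"].append(f"{e['ts']} persistence {e['key']} = {e['value']}")
        # Step 6: network logons elsewhere that originate from this host.
        elif (src == "winsec" and e.get("event_id") == 4624 and e.get("logon_type") == 3
              and e.get("src_host") == host):
            f["lateral"].append(e)
            f["timeline"].append(f"{e['ts']} network logon to {e['host']} from {host}")
    # Step 7: the page's rule, malware executed + C2 -> incident confirmed.
    f["incident"] = "execution" in f and "c2" in f
    return f


def containment(f, host, user):
    """Step 8: recommendations derived from what the investigation found."""
    if not f["incident"]:
        return []
    actions = [f"isolate endpoint {host}", f"disable account {user}"]
    if "dns" in f:
        actions.append(f"block domain {f['dns']['query']}")
    if "c2" in f:
        actions.append(f"block ip {f['c2']['dst_ip']}")
    for e in f["lateral"]:
        actions.append(f"review host {e['host']} (network logon from {host})")
    return actions


if __name__ == "__main__":
    found = investigate(EVENTS, "WS-22")
    print("\n".join(found["timeline"]))
    print("incident:", found["incident"])
    print("\n".join(containment(found, "WS-22", "tjones")))
```

The DNS and firewall stages are only attributed to the alert when they fall within a short window after the Office-to-PowerShell execution; without that gate every ordinary lookup on the host would be pulled into the story. The explorer.exe-to-WINWORD event at 08:55 is correctly ignored as a normal document open.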


L3 Triage (Expert Analysis, Threat Hunting, Incident Response)

L3 analysts are senior SOC members who perform:

  • Advanced IR

  • Malware analysis

  • Forensics

  • Threat hunting

  • Detection engineering

  • TTP mapping (MITRE ATT&CK)

  • Rule tuning

  • Architecture-level improvements

L3 focuses on eliminating root cause, improving defenses, and responding to complex intrusions.


Primary Responsibilities

  • Perform deep forensic analysis

  • Memory analysis for fileless malware

  • Malware reverse engineering

  • Analyze persistence mechanisms in detail

  • Investigate lateral movement paths

  • Map entire attack to ATT&CK

  • Develop new SIEM rules

  • Tune false positives

  • Lead containment and eradication

  • Handle major incidents (ransomware, APT attack)

L3 essentially “closes the loop” and ensures the SOC learns from each incident.


L3 Investigation Activities

1. Memory Forensics

Identify:

  • Injected threads

  • Suspicious DLLs

  • Reflective loading

2. Disk Forensics

Inspect:

  • Persistence entries

  • Dropped payloads

  • Hidden directories

  • Deleted file recovery

3. Network Forensics

  • PCAP review

  • Beacon pattern correlation

  • C2 protocol decoding

4. Threat Hunting

Look for:

  • Unseen attacker movement

  • Dormant implants

  • Unexplained anomalies

5. Detection Engineering

Build new detection rules based on the incident.
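The "beacon pattern correlation" step under Network Forensics above, as an added example (not from the original page): outbound connection records are grouped per destination, the gaps between connections are measured, and a destination whose gaps are both numerous and unusually regular is flagged as beacon-like. The connection records are constructed, the page's C2 address is reused as the beaconing destination, and the thresholds (minimum count, maximum coefficient of variation) are assumptions to be tuned per environment.

```python
"""Beacon-like destination detection over outbound connection records
(added example, not from the page). Data and thresholds are constructed."""
from statistics import median, pstdev

# Constructed firewall records: (seconds since capture start, host, dst_ip).
CONNS = []
# A check-in roughly every 60 s with a few seconds of jitter (constructed).
for i, j in enumerate([0, 2, -1, 3, -2, 1, 0, -3, 2, 1]):
    CONNS.append((60 * i + j, "WS-22", "91.22.113.10"))
# Irregular user browsing to a content server (constructed, documentation range IP).
for t in (5, 9, 47, 48, 120, 300, 301, 302, 590):
    CONNS.append((t, "WS-22", "203.0.113.50"))


def beacon_candidates(conns, min_count=6, max_cv=0.2):
    """Return per-(host, dst) statistics; beacon_like when gaps are regular.

    Regularity is measured as the coefficient of variation of the inter-
    connection gaps (population stdev / median gap): small for a timer-driven
    check-in, large for human-driven traffic.
    """
    by_dst = {}
    for t, host, dst in conns:
        by_dst.setdefault((host, dst), []).append(t)

    results = []
    for (host, dst), times in by_dst.items():
        if len(times) < min_count:
            continue                       # too few samples to judge regularity
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        med = median(gaps)
        cv = pstdev(gaps) / med if med else float("inf")
        results.append({
            "host": host, "dst": dst, "count": len(times),
            "median_gap": med, "cv": round(cv, 3),
            "beacon_like": cv <= max_cv,
        })
    return results


if __name__ == "__main__":
    for r in beacon_candidates(CONNS):
        print(r)
```

Gap regularity is only one signal; L3 would correlate a flagged destination with the DNS answers that resolved to it, the process that opened the sockets, and the byte counts per connection before treating it as confirmed C2.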


How Alerts Flow from L1 → L2 → L3

Example: Encoded PowerShell Alert

L1

Checks:

Is this normal admin activity?
Was the script legitimate?

Finds it suspicious → escalates.


L2

Finds:

  • PowerShell spawned by Office

  • Downloaded payload

  • C2 communication

  • Persistence

  • Lateral movement attempt

Confirms incident → escalates to L3.


L3

Finds:

  • Memory injection

  • DNS tunneling

Then:

  • Maps the attack to ATT&CK techniques

  • Creates new detection rules

  • Leads eradication and recovery

L3 resolves the full incident.


When to Escalate

L1 → L2

When activity is:

  • Suspicious

  • Unknown

  • Malicious

  • Outside an existing playbook

  • Touching critical assets

L2 → L3

When activity requires:

  • Malware reversing

  • Memory forensics

  • Threat hunting

  • Root cause identification

  • High-risk containment

  • Detection tuning


Tools Used by Each Level

L1 Tools

  • SIEM dashboard

  • Ticketing platform

  • Threat intel portals

  • Basic endpoint tools

  • WHOIS/IP reputation tools

L2 Tools

  • Sysmon logs

  • Linux logs

  • Cloud logs

  • EDR dashboards

  • Proxy/DNS logs

  • Firewall/IDS

  • Timeline reconstruction tools

L3 Tools

  • Memory forensics (Volatility)

  • Disk forensics (Autopsy, FTK)

  • PCAP analysis (Wireshark)

  • Malware sandboxing

  • Detection engineering platforms

  • ATT&CK mapping tools


Intel Dump

  • L1 validates alerts, filters false positives, and escalates suspicious activity.

  • L2 performs deep log analysis, confirms compromise, identifies scope, and recommends containment.

  • L3 handles root cause, forensics, malware analysis, threat hunting, and detection engineering.

  • Triage moves from simple verification (L1) to full investigation (L2) to expert remediation (L3).

  • Each level uses different tools and has distinct responsibilities.

  • Proper triage flow prevents missed alerts, speeds detection, and reduces incident impact.
