Security Incident Analysis
Lesson 7 of 10
The Scenario
Your IDS flagged 400 alerts overnight. Most are probably false positives, but buried in there could be a real attack. You need to triage quickly — which alerts need investigation and which can be dismissed?
The Prompt
I am a network security engineer triaging IDS alerts from our Snort/Suricata sensor. Analyze these alerts and tell me:
1. Which are likely FALSE POSITIVES and why
2. Which need IMMEDIATE INVESTIGATION and why
3. Suggested next steps for each critical alert
[2024-03-18 01:23:45] ALERT: ET SCAN Nmap SYN Scan - src:185.220.101.42 dst:10.1.1.0/24 - 500 packets in 30s
[2024-03-18 01:24:12] ALERT: ET POLICY curl User-Agent - src:10.1.5.22 dst:api.github.com:443
[2024-03-18 02:15:00] ALERT: ET TROJAN Possible Cobalt Strike Beacon - src:10.1.3.15 dst:45.77.65.211:443
[2024-03-18 02:15:33] ALERT: ET DNS Query to .tk domain - src:10.1.3.15 dst:8.8.8.8
[2024-03-18 03:00:01] ALERT: ET SCAN Potential SSH Brute Force - src:103.45.67.89 dst:10.1.1.1:22 - 200 attempts
[2024-03-18 04:12:00] ALERT: GPL SNMP public community string attempt - src:10.1.2.5 dst:10.1.2.1
What AI Gives You
- CRITICAL: Cobalt Strike beacon + .tk DNS from same host (10.1.3.15) — possible compromised machine, investigate immediately
- HIGH: Nmap scan from known Tor exit node — block at firewall, check for successful connections
- MEDIUM: SSH brute force — verify fail2ban is working, check auth logs
- LOW/FP: curl to GitHub (developer activity), SNMP community string (internal monitoring tool)
Review and Validate
- The AI has no visibility into your network. An alert it labels a false positive, such as the SNMP "public" community string attempt from 10.1.2.5, may in your environment be a leftover default credential or internal reconnaissance rather than a monitoring tool.
- Check every source IP against your asset inventory and your threat-intelligence feeds before acting. The AI called 185.220.101.42 a "known Tor exit node" although the prompt contained no threat-intel data; treat such claims as hypotheses to confirm, not as facts.
- For the critical alert, contain 10.1.3.15 at the network layer before investigating, but capture volatile evidence (running processes, open network connections, memory if your tooling supports it) before rebooting or reimaging, and search proxy and firewall logs for other hosts talking to 45.77.65.211.
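The correlation behind the AI's top finding (two different signature classes from 10.1.3.15) and the inventory check from the Review and Validate list can both be done deterministically before, or alongside, the AI pass. The script below is an added example for this lesson, not code from the course or from Snort/Suricata: it parses the six alert lines above in the one-line form shown (constructed sample input), groups them by source host, adds a correlation bonus when one host trips several signature classes, and flags internal sources missing from a hypothetical asset inventory. The INVENTORY entries, the BASE_SEVERITY weights and the severity thresholds are assumptions for illustration; tune them to your environment.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample input: the six alert lines from the lesson, as one-line sensor output.
ALERTS = """\
[2024-03-18 01:23:45] ALERT: ET SCAN Nmap SYN Scan - src:185.220.101.42 dst:10.1.1.0/24 - 500 packets in 30s
[2024-03-18 01:24:12] ALERT: ET POLICY curl User-Agent - src:10.1.5.22 dst:api.github.com:443
[2024-03-18 02:15:00] ALERT: ET TROJAN Possible Cobalt Strike Beacon - src:10.1.3.15 dst:45.77.65.211:443
[2024-03-18 02:15:33] ALERT: ET DNS Query to .tk domain - src:10.1.3.15 dst:8.8.8.8
[2024-03-18 03:00:01] ALERT: ET SCAN Potential SSH Brute Force - src:103.45.67.89 dst:10.1.1.1:22 - 200 attempts
[2024-03-18 04:12:00] ALERT: GPL SNMP public community string attempt - src:10.1.2.5 dst:10.1.2.1
"""

# Hypothetical asset inventory (assumption: in practice this comes from your CMDB).
INVENTORY = {
    "10.1.5.22": "dev-workstation-07",
    "10.1.3.15": "finance-laptop-03",
    "10.1.2.5": "nms-poller-01",
    "10.1.2.1": "core-switch-01",
    "10.1.1.1": "bastion-ssh",
}

# Assumed base score per signature class; unknown classes get 20.
BASE_SEVERITY = {"TROJAN": 80, "SCAN": 40, "DNS": 30, "POLICY": 10, "SNMP": 20}

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] ALERT: (?P<sig>.+?) - src:(?P<src>\S+) dst:(?P<dst>\S+)"
    r"(?: - (?P<extra>.+))?$"
)


def parse_alert(line):
    """Parse one sensor line into a dict; return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    words = rec["sig"].split()
    # "ET SCAN ..." / "GPL SNMP ..." -> the class is the word after the ruleset prefix
    rec["cls"] = words[1] if words[0] in ("ET", "GPL") and len(words) > 1 else words[0]
    return rec


def is_internal(addr):
    """True for RFC1918 hosts/networks, False for public addresses, None for hostnames."""
    host = addr.split(":")[0]  # drop a trailing :port such as "45.77.65.211:443"
    try:
        return ipaddress.ip_network(host, strict=False).is_private
    except ValueError:
        return None


def band(score):
    """Map a 0-100 score to the lesson's severity labels (thresholds are assumptions)."""
    if score >= 80:
        return "CRITICAL"
    if score >= 50:
        return "HIGH"
    if score >= 30:
        return "MEDIUM"
    return "LOW"


def triage(text, inventory):
    """Group alerts by source host and return {src: finding}, highest score first."""
    by_src = defaultdict(list)
    for line in text.splitlines():
        rec = parse_alert(line)
        if rec:
            by_src[rec["src"]].append(rec)

    findings = {}
    for src, recs in by_src.items():
        classes = sorted({r["cls"] for r in recs})
        score = max(BASE_SEVERITY.get(c, 20) for c in classes)
        notes = []
        # Correlation: several distinct signature classes from one host outweigh any single alert
        if len(classes) > 1:
            score += 15 * (len(classes) - 1)
            notes.append("multiple signature classes from one host: " + ", ".join(classes))
        internal = is_internal(src)
        if internal is False and "SCAN" in classes:
            score += 10
            notes.append("external scanner: check firewall logs for accepted connections")
        elif internal and src not in inventory:
            score += 20
            notes.append("internal source not in asset inventory")
        score = min(score, 100)
        findings[src] = {
            "asset": inventory.get(src, "unknown"),
            "score": score,
            "severity": band(score),
            "signatures": [r["sig"] for r in recs],
            "notes": notes,
        }
    return dict(sorted(findings.items(), key=lambda kv: -kv[1]["score"]))


if __name__ == "__main__":
    for src, f in triage(ALERTS, INVENTORY).items():
        print(f"{f['severity']:8} {f['score']:3} {src:16} {f['asset']:20} {'; '.join(f['notes']) or '-'}")
```

Run it once with your real inventory and once with an empty one to see how much of the "LOW/FP" verdict depends on context the AI never had: with the inventory removed, the SNMP attempt from 10.1.2.5 climbs from LOW to MEDIUM because the source is an unknown internal host.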
Try It Yourself
Export alerts from your SIEM or IDS dashboard and paste the top 20 into AI for triage. Unless your data-handling policy explicitly permits it, replace internal hostnames, IP addresses and usernames with placeholders before sending them to a third-party AI service.