Overview
An analyst arrives at the start of a shift to find 400 unreviewed security alerts. Some are critical; most are noise. Without a prioritisation system, she has to read each one to find out which. By the time she reaches the genuinely dangerous alerts, precious hours have passed.
The Alert Triage module ensures that never happens. Every incoming alert is automatically evaluated through a combination of configurable rules and AI scoring, receiving a 0-100 priority score before any analyst touches it. The highest-risk items surface first. Work gets routed to the right people based on expertise and capacity. And every triage decision feeds a feedback loop that makes the system more accurate over time.
Key Features
- Predictive Priority Scoring: Automated alert prioritisation using a combination of AI analysis and rule-based evaluation, producing a 0-100 priority score for each alert.
- Risk Assessment: Multi-factor risk scoring with confidence metrics on a 0.0-1.0 scale, providing quantified risk levels for every triaged alert.
- Intelligent Routing: Role-based alert assignment to analysts based on workload, expertise, and organisational hierarchy.
- Configurable Triage Rules: Organisation-specific rules with priority adjustments and confidence weighting, stored as flexible conditions that can be activated or deactivated without deletion.
- Human-in-the-Loop Feedback: Analysts provide feedback on triage accuracy (correct, incorrect, partial), enabling continuous model improvement and rule performance tracking.
- Batch Processing: Bulk triage processing for high-volume alert environments with fault-tolerant execution that continues on individual failures.
- Manual Priority Override: Supervisors and analysts can apply manual priority adjustments with documented reasoning for audit trail compliance.
- Transparent Scoring: Every triage decision includes a breakdown of applied rules with individual priority adjustments and confidence scores for full auditability.
- Programmable API Access: Full API support for triaging alerts, routing decisions, rule management, feedback recording, and queue retrieval.
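The scoring, breakdown, batch and override behaviour listed above, as an added illustration that is not Argus code: rules are stored as JSON-style field/value conditions with a priority adjustment, a confidence weight and an active flag; each alert receives a clamped 0-100 priority, a 0.0-1.0 confidence and the list of rules that fired; batch processing records a malformed record and carries on; a manual override is refused unless it carries a reason. The rule shape, field names, base score of 50 and the confidence-weighted aggregation are all assumptions made for this example.

```python
"""Rule-based triage scoring with a transparent breakdown, fault-tolerant batch
processing and documented manual overrides. Constructed illustration of the
behaviour described above, not Argus code; rule and alert shapes are assumed."""
from dataclasses import dataclass
from typing import Any


@dataclass
class TriageRule:
    name: str
    conditions: dict[str, Any]  # field -> required value, the JSON-stored rule logic
    priority_adjustment: int    # points added (or subtracted) when the rule matches
    confidence: float           # 0.0-1.0 weight applied to the adjustment
    active: bool = True         # deactivated rules are retained but never applied


def rule_matches(rule: TriageRule, alert: dict[str, Any]) -> bool:
    """A rule fires only when every condition field equals the alert's value."""
    return all(alert.get(field) == wanted for field, wanted in rule.conditions.items())


def score_alert(alert: Any, rules: list[TriageRule], base_score: int = 50) -> dict[str, Any]:
    """Return a 0-100 priority, a 0.0-1.0 confidence and the per-rule breakdown."""
    if not isinstance(alert, dict) or "id" not in alert:
        raise ValueError("malformed alert record: expected a mapping with an 'id'")
    score = base_score
    applied = []
    for rule in rules:
        if not rule.active or not rule_matches(rule, alert):
            continue
        weighted = round(rule.priority_adjustment * rule.confidence)
        score += weighted
        applied.append({"rule": rule.name, "adjustment": rule.priority_adjustment,
                        "weighted_adjustment": weighted, "confidence": rule.confidence})
    # Overall confidence is the mean of the applied rules' weights; no rule firing means no evidence.
    confidence = round(sum(r["confidence"] for r in applied) / len(applied), 3) if applied else 0.0
    return {"alert_id": alert["id"], "priority": max(0, min(100, score)),
            "confidence": confidence, "applied_rules": applied, "overrides": [], "status": "pending"}


def triage_batch(alerts: list[Any], rules: list[TriageRule]) -> tuple[list[dict], list[dict]]:
    """Score every record; a bad record is logged and skipped rather than aborting the run."""
    results, failures = [], []
    for index, alert in enumerate(alerts):
        try:
            results.append(score_alert(alert, rules))
        except Exception as exc:  # fault tolerance: record the failure and continue
            failures.append({"index": index, "error": str(exc)})
    results.sort(key=lambda t: t["priority"], reverse=True)  # highest risk surfaces first
    return results, failures


def apply_override(triage: dict[str, Any], new_priority: int, actor: str, reason: str) -> dict[str, Any]:
    """Manual priority override; the reason is mandatory so the audit trail can explain it."""
    if not reason.strip():
        raise ValueError("an override must carry documented reasoning")
    triage["overrides"].append({"from": triage["priority"], "to": new_priority,
                                "actor": actor, "reason": reason})
    triage["priority"] = max(0, min(100, new_priority))
    return triage


# Constructed rules and alerts (hypothetical field names chosen for this example).
RULES = [
    TriageRule("critical-asset", {"asset_tier": "crown-jewel"}, 30, 0.9),
    TriageRule("authorised-scanner", {"source": "vuln-scanner"}, -40, 0.95),
    TriageRule("high-severity", {"severity": "high"}, 15, 0.8),
    TriageRule("legacy-ids-boost", {"source": "ids"}, 10, 0.5, active=False),
]
ALERTS = [
    {"id": "a-1", "source": "edr", "asset_tier": "crown-jewel", "severity": "high"},
    {"id": "a-2", "source": "vuln-scanner", "asset_tier": "standard", "severity": "low"},
    {"id": "a-3", "source": "ids", "asset_tier": "standard", "severity": "medium"},
    "corrupt record",  # deliberately malformed to exercise the fault-tolerant path
]


def demo_queue() -> tuple[list[dict], list[dict]]:
    """Triage the constructed batch, then apply one documented supervisor override."""
    queue, failures = triage_batch(ALERTS, RULES)
    for triage in queue:
        if triage["alert_id"] == "a-3":
            apply_override(triage, 70, "supervisor.jane", "matches an active incident hunt")
    queue.sort(key=lambda t: t["priority"], reverse=True)
    return queue, failures


if __name__ == "__main__":
    for triage in demo_queue()[0]:
        print(triage["alert_id"], triage["priority"], triage["confidence"],
              [r["rule"] for r in triage["applied_rules"]])
```

With the constructed data, alert a-1 scores 89 from two rules, the scanner alert drops to 12, a-3 matches nothing (the only rule that would have fired is deactivated) and is lifted to 70 by the override, and the corrupt fourth record appears in the failure list without stopping the run.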
Triage Lifecycle
- Pending: Alert is triaged and scored, waiting for analyst assignment.
- Routed: Alert has been assigned to a specific analyst for investigation.
- Resolved: Alert investigation is complete and triage is closed.
Role-Based Permissions
- Analyst: Can triage alerts, route to peers, and resolve triages.
- Supervisor: Full analyst permissions plus the ability to create, update, and delete triage rules.
- Administrator: Full platform access for all triage operations and rule management.
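The lifecycle and role model above, together with workload-aware routing and the analyst feedback loop from the feature list, as an added example that is not Argus code: a triage may only move pending to routed to resolved, every transition checks the actor's role against a permission set, routing picks the least-loaded analyst with the required expertise, and feedback verdicts (correct, incorrect, partial) accumulate per applied rule so underperforming rules can be listed. The permission names, analyst roster, rule names and the 0.6 accuracy threshold are assumptions made for this example.

```python
"""Triage lifecycle (pending -> routed -> resolved) with role-based permission checks,
workload-aware routing and analyst feedback tracked per applied rule. Constructed
illustration, not Argus code; permission names, roster and rule names are assumed."""
from collections import defaultdict

# Legal status transitions; anything else is rejected.
TRANSITIONS = {"pending": {"routed"}, "routed": {"resolved"}, "resolved": set()}

# Permission sets per role (assumed names following the page's role descriptions).
ROLE_PERMISSIONS = {
    "analyst": {"triage", "route", "resolve", "feedback"},
    "supervisor": {"triage", "route", "resolve", "feedback", "manage_rules"},
    "administrator": {"triage", "route", "resolve", "feedback", "manage_rules", "platform_admin"},
}
FEEDBACK_VERDICTS = ("correct", "incorrect", "partial")


class PermissionDenied(Exception):
    """Raised when a role attempts an operation outside its permission set."""


def require(role: str, permission: str) -> None:
    if permission not in ROLE_PERMISSIONS.get(role, set()):
        raise PermissionDenied(f"role {role!r} lacks permission {permission!r}")


def transition(triage: dict, new_status: str, role: str, permission: str) -> dict:
    """Move a triage to new_status after checking both the role and the state machine."""
    require(role, permission)
    if new_status not in TRANSITIONS[triage["status"]]:
        raise ValueError(f"cannot move {triage['id']} from {triage['status']} to {new_status}")
    triage["status"] = new_status
    return triage


def choose_assignee(analysts: list[dict], specialisation: str) -> dict:
    """Pick the least-loaded analyst holding the required expertise and count the new item."""
    eligible = [a for a in analysts if specialisation in a["skills"]]
    if not eligible:
        raise LookupError(f"no analyst with expertise {specialisation!r}")
    chosen = min(eligible, key=lambda a: a["open_items"])
    chosen["open_items"] += 1
    return chosen


def route_alert(triage: dict, analysts: list[dict], role: str) -> dict:
    assignee = choose_assignee(analysts, triage["category"])
    transition(triage, "routed", role, "route")
    triage["assignee"] = assignee["name"]
    return triage


def resolve_alert(triage: dict, role: str) -> dict:
    return transition(triage, "resolved", role, "resolve")


class FeedbackTracker:
    """Accumulates analyst verdicts per applied rule so weak rules can be identified."""

    def __init__(self) -> None:
        self.counts = defaultdict(lambda: dict.fromkeys(FEEDBACK_VERDICTS, 0))

    def record(self, triage: dict, verdict: str, role: str) -> None:
        require(role, "feedback")
        if verdict not in FEEDBACK_VERDICTS:
            raise ValueError(f"unknown verdict {verdict!r}")
        if triage["status"] != "resolved":
            raise ValueError("feedback is recorded once the investigation is closed")
        for rule in triage["applied_rules"]:
            self.counts[rule][verdict] += 1

    def rule_accuracy(self, rule: str) -> float:
        """Partial verdicts count as half a hit; 0.0 for rules with no feedback yet."""
        c = self.counts[rule]
        total = sum(c.values())
        return (c["correct"] + 0.5 * c["partial"]) / total if total else 0.0

    def underperforming(self, threshold: float = 0.6) -> list[str]:
        return sorted(r for r in self.counts if self.rule_accuracy(r) < threshold)


def make_analysts() -> list[dict]:
    # Constructed roster: expertise sets and current open workload.
    return [
        {"name": "ana", "skills": {"network"}, "open_items": 5},
        {"name": "bo", "skills": {"network", "fraud"}, "open_items": 2},
        {"name": "cy", "skills": {"fraud"}, "open_items": 0},
    ]


def demo() -> tuple[list[dict], FeedbackTracker]:
    """Route two constructed triages, resolve them and record analyst feedback."""
    analysts = make_analysts()
    triages = [
        {"id": "a-1", "status": "pending", "category": "network",
         "applied_rules": ["critical-asset", "high-severity"]},
        {"id": "a-2", "status": "pending", "category": "fraud", "applied_rules": ["high-severity"]},
    ]
    tracker = FeedbackTracker()
    for t in triages:
        route_alert(t, analysts, "analyst")
        resolve_alert(t, "analyst")
    tracker.record(triages[0], "correct", "analyst")
    tracker.record(triages[1], "incorrect", "analyst")
    return triages, tracker


if __name__ == "__main__":
    done, fb = demo()
    print([(t["id"], t["assignee"], t["status"]) for t in done], fb.underperforming())
```

The network alert goes to the less-loaded of the two network analysts; once that raises his workload, the fraud alert goes to the idle fraud specialist. After one correct and one incorrect verdict, the shared rule sits at 0.5 accuracy and is flagged, while an analyst attempting rule management or a pending-to-resolved jump is rejected before any state changes.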
Use Cases
Security operations centres at banks and insurers automatically score and rank incoming security alerts so analysts focus on the highest-risk items first, reducing mean time to response without increasing headcount.
Law enforcement cyber units route triaged alerts to analysts based on specialisation (network intrusion alerts to one team, financial fraud indicators to another), with workload balancing preventing queue backlogs.
Intelligence agency SOC teams collect analyst feedback on AI predictions to identify underperforming rules and continuously improve triage accuracy, particularly for novel threat actor techniques not seen in training data.
Government CERT operations batch-process hundreds of alerts during surge periods such as major incident declarations, with fault-tolerant execution ensuring a single bad record does not halt the entire triage run.
Integration
The Alert Triage module integrates with other Argus modules:
- Alert Management: Triaged alerts flow into the core alert management pipeline for status tracking, decision-making, and workflow execution.
- AI Analysis: AI-powered condition evaluation enhances rule-based scoring with natural language understanding and contextual awareness.
- Investigation Management: Routed alerts connect to investigation workflows for structured follow-up and case creation.
- Audit Trail: All triage decisions, routing actions, manual overrides, and feedback records are logged for compliance and accountability.
Open Standards
- GraphQL (June 2018 specification): All triage operations, including alert scoring, routing, rule management, feedback recording, and queue retrieval, are exposed exclusively through a typed GraphQL API built with Strawberry.
- OAuth 2.0 (RFC 6749) and JSON Web Tokens (RFC 7519): Every API request is authenticated via RS256-signed JWTs verified against a JWKS endpoint; the integration layer accepts OAuth 2.0 Bearer tokens with scoped triage operation permissions.
- NIST RBAC (ANSI INCITS 359): Role-based access control is enforced throughout; distinct permission sets for Analyst, Supervisor, and Administrator roles govern triage creation, routing, rule management, and manual override capabilities.
- MITRE ATT&CK: Threat actor tactic and technique mapping informs AI-assisted priority scoring, allowing triage rules and sentiment analysis to classify alerts against the MITRE ATT&CK technique catalogue.
- OASIS STIX 2.1: Triaged alerts that flow downstream into the alert management pipeline can be exported as STIX 2.1 bundles, enabling threat intelligence sharing with external SOC platforms and feeds.
- JSON (RFC 8259): Triage rule conditions and scored-reason breakdowns are stored and exchanged as structured JSON documents, forming the canonical representation for rule logic and audit records.
Last Reviewed: 2026-02-09
Last Updated: 2026-04-14