Rendered documentation
This page renders the module's Markdown and Mermaid directly from the public documentation source.
Overview
The Alert Triage module implements an intelligent alert prioritization and routing system with AI-powered predictive scoring. It automatically evaluates incoming security alerts, assigns priority scores based on configurable rules and machine learning models, and routes alerts to the appropriate analysts for investigation. The system supports continuous improvement through a human-in-the-loop feedback mechanism.
Key Features
- Predictive Priority Scoring - Automated alert prioritization using a combination of AI analysis and rule-based evaluation, producing a 0-100 priority score for each alert.
- Risk Assessment - Multi-factor risk scoring with confidence metrics on a 0.0-1.0 scale, providing quantified risk levels for every triaged alert.
- Intelligent Routing - Role-based alert assignment to analysts based on workload, expertise, and organizational hierarchy.
- Configurable Triage Rules - Organization-specific rules with priority adjustments and confidence weighting, stored as flexible conditions that can be activated or deactivated without deletion.
- Human-in-the-Loop Feedback - Analysts provide feedback on triage accuracy (correct, incorrect, partial), enabling continuous model improvement and rule performance tracking.
- Batch Processing - Bulk triage processing for high-volume alert environments with fault-tolerant execution that continues on individual failures.
- Manual Priority Override - Supervisors and analysts can apply manual priority adjustments with documented reasoning for audit trail compliance.
- Transparent Scoring - Every triage decision includes a breakdown of applied rules with individual priority adjustments and confidence scores for full auditability.
- Programmable API Access - Full API support for triaging alerts, routing decisions, rule management, feedback recording, and queue retrieval.
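The scoring, breakdown, override and batch behaviour described in the features above, as an added example that is not the Argus module's own code. The rule fields, the alert shape, the neutral base score of 50 and the averaging of matched-rule confidence into a risk confidence are assumptions for illustration; the constructed sample alerts and IP lists are made up.

```python
"""Rule-based priority scoring with a transparent breakdown.

Added example, not the Argus module's code. Rule fields, alert shape,
base score and the risk-confidence formula are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Any, Callable

BASE_PRIORITY = 50  # assumed neutral starting point on the 0-100 scale

# Constructed sample lists, not real indicators.
KNOWN_BAD = {"203.0.113.10"}
SCANNER_ALLOWLIST = {"198.51.100.5"}


@dataclass
class TriageRule:
    name: str
    condition: Callable[[dict[str, Any]], bool]  # evaluated against the alert
    priority_adjustment: int                     # signed delta on the 0-100 scale
    confidence: float                            # 0.0-1.0 weight on the adjustment
    active: bool = True                          # deactivated rules are kept, not deleted


@dataclass
class TriageResult:
    alert_id: str
    priority: int
    risk_confidence: float
    breakdown: list[dict[str, Any]] = field(default_factory=list)


def triage_alert(alert: dict[str, Any], rules: list[TriageRule]) -> TriageResult:
    """Score one alert: each matching active rule contributes
    priority_adjustment * confidence, and the result is clamped to 0-100.
    Every applied rule is recorded so the decision can be audited."""
    score = float(BASE_PRIORITY)
    breakdown: list[dict[str, Any]] = []
    matched_confidence: list[float] = []
    for rule in rules:
        if not rule.active or not rule.condition(alert):
            continue
        delta = rule.priority_adjustment * rule.confidence
        score += delta
        breakdown.append({"rule": rule.name, "adjustment": rule.priority_adjustment,
                          "confidence": rule.confidence, "applied": round(delta, 2)})
        matched_confidence.append(rule.confidence)
    priority = max(0, min(100, round(score)))
    # Assumed formula: mean confidence of the rules that fired, 0.0 if none did.
    risk_confidence = (round(sum(matched_confidence) / len(matched_confidence), 2)
                       if matched_confidence else 0.0)
    return TriageResult(alert["id"], priority, risk_confidence, breakdown)


def apply_manual_override(result: TriageResult, new_priority: int,
                          reason: str, actor: str) -> TriageResult:
    """Manual override requires a documented reason and is appended to the
    breakdown so the audit trail shows who changed what and why."""
    if not reason.strip():
        raise ValueError("manual override requires a reason")
    result.breakdown.append({"rule": "manual_override", "by": actor,
                             "from": result.priority, "to": new_priority,
                             "reason": reason})
    result.priority = max(0, min(100, new_priority))
    return result


def triage_batch(alerts: list[dict[str, Any]], rules: list[TriageRule]):
    """Fault-tolerant bulk triage: one malformed alert is logged as a
    failure and processing continues with the rest."""
    results, failures = [], []
    for alert in alerts:
        try:
            results.append(triage_alert(alert, rules))
        except Exception as exc:  # deliberately broad: keep the batch going
            failures.append({"alert_id": alert.get("id"), "error": repr(exc)})
    return results, failures


RULES = [
    TriageRule("critical_asset", lambda a: a.get("asset_tier") == "crown_jewel", 30, 0.9),
    TriageRule("known_bad_ip", lambda a: a.get("src_ip") in KNOWN_BAD, 25, 0.8),
    TriageRule("benign_scanner", lambda a: a.get("src_ip") in SCANNER_ALLOWLIST, -40, 0.95),
    TriageRule("legacy_rule", lambda a: True, 50, 1.0, active=False),  # kept but inactive
]

# Constructed sample alerts; the last one lacks an id to exercise batch fault tolerance.
SAMPLE_ALERTS = [
    {"id": "A-1", "asset_tier": "crown_jewel", "src_ip": "203.0.113.10"},
    {"id": "A-2", "src_ip": "198.51.100.5"},
    {"id": "A-3", "src_ip": "192.0.2.7"},
    {"asset_tier": "crown_jewel"},
]

if __name__ == "__main__":
    ok, bad = triage_batch(SAMPLE_ALERTS, RULES)
    for r in ok:
        print(r.alert_id, r.priority, r.risk_confidence, [b["rule"] for b in r.breakdown])
    print("failures:", bad)
```

The inactive `legacy_rule` never fires but stays in the rule list, matching the "deactivate without deleting" behaviour; the clamp keeps a stack of positive adjustments from exceeding 100, and the breakdown records the raw adjustment, its confidence and the weighted value actually applied.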
Triage Lifecycle
- Pending - Alert is triaged and scored, waiting for analyst assignment.
- Routed - Alert has been assigned to a specific analyst for investigation.
- Resolved - Alert investigation is complete and triage is closed.
Role-Based Permissions
- Analyst - Can triage alerts, route to peers, and resolve triages.
- Supervisor - Full analyst permissions plus the ability to create, update, and delete triage rules.
- Administrator - Full platform access for all triage operations and rule management.
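The lifecycle states and role permissions from the two lists above, enforced together as an added example that is not the Argus module's own code. The permission table maps the page's roles to actions as described; the transition set, the exception types and the audit record shape are assumptions for illustration.

```python
"""Triage lifecycle transitions gated by role, with an audit record.

Added example, not the Argus module's code. Transition set, exception
types and audit entry shape are assumptions.
"""
from dataclasses import dataclass, field
from typing import Any, Optional

PENDING, ROUTED, RESOLVED = "pending", "routed", "resolved"
ANALYST, SUPERVISOR, ADMIN = "analyst", "supervisor", "administrator"

# Assumed legal transitions: pending -> routed -> resolved, nothing else.
TRANSITIONS = {(PENDING, ROUTED), (ROUTED, RESOLVED)}

# Least privilege: every action names the roles allowed to perform it.
# Rule management is supervisor/administrator only, as the page states.
PERMISSIONS = {
    "triage": {ANALYST, SUPERVISOR, ADMIN},
    "route": {ANALYST, SUPERVISOR, ADMIN},
    "resolve": {ANALYST, SUPERVISOR, ADMIN},
    "manage_rules": {SUPERVISOR, ADMIN},
}


class PermissionDenied(Exception):
    pass


class InvalidTransition(Exception):
    pass


@dataclass
class Triage:
    alert_id: str
    state: str = PENDING
    assignee: Optional[str] = None
    audit: list[dict[str, Any]] = field(default_factory=list)


def authorize(role: str, action: str) -> None:
    """Deny by default: unknown actions and unlisted roles are rejected."""
    if role not in PERMISSIONS.get(action, set()):
        raise PermissionDenied(f"role {role!r} may not {action}")


def transition(triage: Triage, new_state: str, actor: str, note: str) -> None:
    """Move through the lifecycle only along a legal edge, recording who did it."""
    if (triage.state, new_state) not in TRANSITIONS:
        raise InvalidTransition(f"{triage.state} -> {new_state} is not allowed")
    triage.audit.append({"actor": actor, "from": triage.state,
                         "to": new_state, "note": note})
    triage.state = new_state


def route(triage: Triage, actor: str, role: str, assignee: str) -> Triage:
    authorize(role, "route")
    transition(triage, ROUTED, actor, f"assigned to {assignee}")
    triage.assignee = assignee
    return triage


def resolve(triage: Triage, actor: str, role: str, note: str) -> Triage:
    authorize(role, "resolve")
    transition(triage, RESOLVED, actor, note)
    return triage


def can_manage_rules(role: str) -> bool:
    try:
        authorize(role, "manage_rules")
        return True
    except PermissionDenied:
        return False


if __name__ == "__main__":
    t = Triage("A-1")
    route(t, "analyst-1", ANALYST, "analyst-2")
    resolve(t, "analyst-2", ANALYST, "false positive, closed")
    print(t.state, t.assignee, t.audit)
    print("analyst manages rules:", can_manage_rules(ANALYST))
```

Because `authorize` consults the permission table and `transition` consults the edge set, a caller cannot resolve a triage that was never routed, and a role outside the table for an action is refused even if the action name is misspelled.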
Use Cases
- Security Alert Prioritization - Automatically score and rank incoming security alerts so analysts focus on the highest-risk items first, reducing mean time to response.
- Analyst Workload Management - Route triaged alerts to analysts based on capacity and expertise, with a priority-ordered queue showing the most critical pending items.
- Triage Quality Improvement - Collect analyst feedback on AI predictions to identify underperforming rules and continuously improve triage accuracy over time.
- High-Volume Alert Processing - Batch-process hundreds or thousands of alerts during surge periods, with fault-tolerant execution and detailed performance logging.
Integration
The Alert Triage module integrates with other Argus modules:
- Alert Management - Triaged alerts flow into the core alert management pipeline for status tracking, decision-making, and workflow execution.
- AI Analysis - AI-powered condition evaluation enhances rule-based scoring with natural language understanding and contextual awareness.
- Investigation Management - Routed alerts connect to investigation workflows for structured follow-up and case creation.
- Audit Trail - All triage decisions, routing actions, manual overrides, and feedback records are logged for compliance and accountability.
Last Reviewed: 2026-02-09