User Guide: Alerts Processing Workflow
Release: 1.4.0
Overview
Alerts are temporary intake records used for quick triage. When a new security email arrives or an alert is triggered, an Alert record is created in the SOC Workspace. Your job as an operator is to review each alert and route it to the appropriate record type - then clear it from the queue. All actual investigation and follow-up work happens in Tasks, Incidents, or Requests, not in the Alert itself.
Key principle: Process alerts quickly. Do not add extended communications or work logs to Alert records.
The Four Alert Outcomes
When you open an alert, you must choose one of four actions:
| Action | When to Use | Result |
| --- | --- | --- |
| Create Physical Security Incident (PSI) | Clear security incident requiring investigation | Alert becomes parent of the new PSI |
| Create Security Request | User requesting access, a badge, or a service | Alert becomes parent of the new Request |
| Create Physical Security Task | Need clarification before deciding next steps | Alert becomes parent of the new Task |
| Mark as Processed / Ignored | Not actionable, duplicate, or spam | Alert closed with no child record |
Note: Any of these four outcomes automatically marks the Alert as "Processed" and removes it from your active queue.
Processing an Alert
Option 1: Create a Physical Security Incident (PSI)
Use when the alert represents a clear security event requiring immediate response.
- Open the Alert
- Click "Create PSI"
- Review the pre-filled fields (short description, description, event time, detect time copied from the Alert)
- Add or modify any additional incident details
- Submit the Physical Security Incident
What happens automatically:
- PSI is created with the Alert data pre-filled
- The Alert is marked as "Processed" and removed from your queue
- Full traceability is maintained (you can navigate from the PSI back to the originating Alert)
Option 2: Create a Security Request
Use when the alert represents a request for a service (badge access, access level change, etc.).
- Open the Alert
- Click "Create Request"
- Select the appropriate catalog item from the request catalog
- Complete the required fields for that request type
- Submit the Security Request
Important: The Alert is marked as "Processed" the moment you click "Create Request" - not when you finish filling out the catalog form.
Option 3: Create a Physical Security Task
Use when you need more information before deciding whether to create an Incident or Request.
- Open the Alert
- Click "Create Task"
- Review the pre-filled Alert data
- Add task details: what information you need, who should provide it, and any specific questions
- Submit the Physical Security Task
After submitting, navigate to the Physical Security Tasks queue to continue working.
Option 4: Mark as Processed / Ignored
Use when the alert is not actionable (spam, duplicate, or known false positive).
- Open the Alert
- Click "Mark as Processed" or "Ignore"
- The Alert is closed with no child record created
Working with Physical Security Tasks
After creating a task from an alert, use the task to gather information and determine the correct next step.
From a Physical Security Task, you can escalate to:
- A Physical Security Incident (if the situation warrants investigation)
- A Security Request (if the situation is a service request)
To escalate:
- Open the Physical Security Task
- Click the appropriate button: "Create PSI" or "Create Request"
- Complete the new record
- The Task retains its relationship to both the original Alert and the new Incident or Request
Traceability
All records created from an alert are linked:
Alert → Physical Security Task → Physical Security Incident
Alert → Physical Security Incident
Alert → Security Request
You can navigate this chain from any record to see the full history of how an alert was processed.
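The routing and traceability rules above, written out as a small Python model. This is an added illustration, not code from the SOC Workspace itself; the record kinds, field names, and the "Processed" state value are assumptions.

```python
from dataclasses import dataclass, field
from itertools import count

# Constructed model of the Alert routing rules in this guide (hypothetical
# names, not the SOC Workspace's real data model).
CHILD_KINDS = {"PSI", "Request", "Task"}
_ids = count(1)

@dataclass
class Record:
    kind: str                      # "Alert", "PSI", "Request" or "Task"
    fields: dict                   # short description, event time, detect time, ...
    parent: "Record | None" = None # link back to the record it was created from
    state: str = "New"             # Alerts move to "Processed"; children keep their own
    rid: int = field(default_factory=lambda: next(_ids))

def originating_alert(rec: Record) -> Record:
    """Walk parent links back to the Alert that started the chain."""
    while rec.kind != "Alert":
        rec = rec.parent
    return rec

def create_child(source: Record, kind: str, **extra) -> Record:
    """Create a PSI, Request or Task from an Alert, or a PSI or Request from a
    Task. Alert data is pre-filled into the child and the originating Alert is
    marked Processed the moment the child is created, as the guide states."""
    if kind not in CHILD_KINDS:
        raise ValueError(f"unknown record kind {kind!r}")
    if source.kind not in ("Alert", "Task") or (source.kind, kind) == ("Task", "Task"):
        raise ValueError(f"cannot create a {kind} from a {source.kind}")
    child = Record(kind, {**source.fields, **extra}, parent=source)
    originating_alert(source).state = "Processed"  # drops it from the active queue
    return child

def mark_processed(alert: Record) -> None:
    """Option 4: close the Alert with no child record."""
    alert.state = "Processed"

def active_queue(alerts: list) -> list:
    """Alerts an operator still has to triage."""
    return [a for a in alerts if a.kind == "Alert" and a.state != "Processed"]

def trace(rec: Record) -> list:
    """Record kinds from the originating Alert down to this record,
    e.g. ['Alert', 'Task', 'PSI']."""
    chain = []
    while rec is not None:
        chain.append(rec.kind)
        rec = rec.parent
    return chain[::-1]
```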