# Alerting

[![[Pasted image 20251104230137.png]]](https://soc-expert.de/From+Logging+to+Alerting+and+Beyond)

**Alerting** refers to the process of **notifying security teams** when specific conditions or patterns are detected in log data that may indicate a potential threat, anomaly, or policy violation. **Alerting** is the **output of detection logic**, such as correlation rules, anomaly detection, or threshold triggers, designed to bring attention to events that require investigation or action.

## Key Components of Alerting

1. **Trigger Conditions**
   - Based on rules or thresholds (e.g., 10 failed logins in 5 minutes).
   - Can be simple or complex (e.g., multi-step correlation across systems).
2. **Severity Levels**
   - Alerts are often categorized (e.g., low, medium, high, critical) based on risk or impact.
3. **Notification Channels**
   - Alerts can be sent via:
     - Email
     - SMS
     - Slack or Teams
     - SIEM dashboards
     - Ticketing systems (e.g., ServiceNow, Jira)
4. **Enrichment**
   - Alerts may include additional context (e.g., user info, geolocation, threat intelligence) to help analysts assess the situation.
5. **Response Actions**
   - Alerts can trigger automated responses (e.g., block IP, disable account) or initiate manual investigation.

## Example Alert Scenario

**Use Case**: Brute-force login attempt

**Trigger**: More than 10 failed login attempts from the same IP in 5 minutes

**Alert**:
- Severity: High
- Message: “Possible brute-force attack from IP 192.168.1.10”
- Action: Notify SOC team, block IP, create incident ticket

---

## Benefits of Alerting

- **Early threat detection**
- **Faster incident response**
- **Improved visibility**
- **Reduced risk of breaches**
- **Supports compliance and audit readiness**
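The brute-force scenario above, as an added example of the detection logic that produces such an alert (example code, not from the original note). It assumes a constructed sshd-style log line format and a sliding five-minute window per source IP, and it suppresses repeat alerts for the same IP within one window, a detail the scenario does not specify.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Threshold rule from the scenario: MORE than 10 failures from one IP in 5 minutes.
WINDOW = timedelta(minutes=5)
THRESHOLD = 10

# Constructed sample log format (assumed, not a real product's format):
# "2025-11-04T23:01:00Z sshd: Failed password for admin from 192.168.1.10"
LINE_RE = re.compile(r"^(\S+) .*?(Failed|Accepted) password for (\S+) from (\S+)$")


def detect_bruteforce(lines):
    """Return alerts, at most one per source IP per window."""
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    alerted = {}  # ip -> time of last alert, so one attack does not page 100 times
    alerts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m.group(2) != "Failed":
            continue  # skip unparseable lines and successful logins
        ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
        ip = m.group(4)
        q = failures[ip]
        q.append(ts)
        while ts - q[0] > WINDOW:  # evict failures older than the window
            q.popleft()
        if len(q) > THRESHOLD and (ip not in alerted or ts - alerted[ip] > WINDOW):
            alerted[ip] = ts
            alerts.append({
                "severity": "High",
                "message": f"Possible brute-force attack from IP {ip}",
                "count": len(q),
                "first_seen": q[0].isoformat(),
                "actions": ["notify_soc", "block_ip", "create_ticket"],
            })
    return alerts


# Constructed sample: 12 failures from 192.168.1.10 within two minutes, plus one
# failure and one success from 10.0.0.5 that must not alert.
SAMPLE_LOGS = [
    f"2025-11-04T23:{1 + i // 6:02d}:{(i % 6) * 10:02d}Z sshd: Failed password for admin from 192.168.1.10"
    for i in range(12)
] + [
    "2025-11-04T23:01:05Z sshd: Failed password for bob from 10.0.0.5",
    "2025-11-04T23:02:05Z sshd: Accepted password for bob from 10.0.0.5",
]
```

Running `detect_bruteforce(SAMPLE_LOGS)` yields a single High alert for 192.168.1.10 fired at the eleventh failure; the twelfth failure is absorbed by the suppression check rather than producing a duplicate.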