Recipe

Security alert triage

A repeatable workflow for classifying, prioritizing, and resolving security alerts generated by Meridian's runtime detection engine.

Step 1 — Ingest

Alerts land in the dashboard feed with a severity tag, timestamp, and affected process tree. Before acting on an alert, confirm it originates from a trusted Meridian sensor; an alert from an unrecognized source should be treated as suspect rather than triaged as genuine telemetry.

Step 2 — Classify

  • CRITICAL — confirmed kernel tamper, credential dump, or loader injection
  • HIGH — suspicious memory region, unsigned module load
  • MEDIUM — anomaly in ETW telemetry, threshold breach
  • LOW — informational, policy flag

Step 3 — Investigate

Drill into the alert's forensic snapshot: VAD tree, loaded modules, syscall trace, and parent process chain. Cross-reference module hashes against the Meridian threat intel feed; a match is grounds to raise the classification assigned in Step 2.

Step 4 — Resolve

Mark the alert as remediated, false positive, or escalated. Attach notes and any exported evidence. Escalated alerts automatically notify the on-call channel.

Pro tip: Set up auto-triage rules in Automation to classify low-severity alerts without manual review. Review a sample of auto-classified alerts periodically so that a rule does not silently close genuine activity.
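The four steps above, together with the auto-triage rule from the pro tip, as one runnable illustration. This is an added example, not Meridian's code or API: the alert field names (id, sensor_id, timestamp, detection, process_tree, hashes), the sensor allowlist, the detection-to-tier map and the threat-intel entries are all assumptions constructed for the example.

```python
"""Added example of the ingest / classify / investigate / resolve loop.
Not Meridian code: the alert schema, sensor allowlist and intel map are
constructed for this illustration."""
from dataclasses import dataclass, field, asdict

# Assumed sensor allowlist (Step 1); in practice this comes from your inventory.
TRUSTED_SENSORS = {"meridian-sensor-01", "meridian-sensor-02"}

# Detection type -> severity tier, following the classification table (Step 2).
SEVERITY_BY_DETECTION = {
    "kernel_tamper": "CRITICAL", "credential_dump": "CRITICAL",
    "loader_injection": "CRITICAL",
    "suspicious_memory_region": "HIGH", "unsigned_module_load": "HIGH",
    "etw_anomaly": "MEDIUM", "threshold_breach": "MEDIUM",
    "policy_flag": "LOW", "informational": "LOW",
}

# Constructed threat-intel feed: SHA-256 of a module -> label (Step 3).
THREAT_INTEL = {
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855": "known-loader",
}


@dataclass
class TriageResult:
    alert_id: str
    severity: str
    disposition: str  # rejected / escalated / auto_closed / needs_analyst
    notes: list = field(default_factory=list)


def ingest(alert: dict) -> bool:
    """Step 1: accept only well-formed alerts from a trusted sensor."""
    required = ("id", "sensor_id", "timestamp", "detection", "process_tree")
    if not all(k in alert for k in required):
        return False
    return alert["sensor_id"] in TRUSTED_SENSORS


def classify(alert: dict) -> str:
    """Step 2: map the detection type to a tier. Unknown types default to HIGH
    so that a newly added detector never lands in the auto-closed bucket."""
    return SEVERITY_BY_DETECTION.get(alert["detection"], "HIGH")


def investigate(alert: dict):
    """Step 3: cross-reference module hashes against intel, record parent chain."""
    notes, intel_hit = [], False
    for h in alert.get("hashes", []):
        label = THREAT_INTEL.get(h.lower())
        if label:
            intel_hit = True
            notes.append(f"hash {h[:12]}... matches threat intel: {label}")
    notes.append("parent chain: " + " > ".join(alert["process_tree"]))
    return intel_hit, notes


def resolve(alert: dict, severity: str, intel_hit: bool, notes: list) -> TriageResult:
    """Step 4: CRITICAL or an intel match escalates; LOW with no match is
    auto-closed (the auto-triage rule); the rest waits for an analyst to mark
    it remediated or false positive."""
    if severity == "CRITICAL" or intel_hit:
        disposition = "escalated"
    elif severity == "LOW":
        disposition = "auto_closed"
    else:
        disposition = "needs_analyst"
    return TriageResult(alert["id"], severity, disposition, notes)


def triage(alert: dict) -> TriageResult:
    if not ingest(alert):
        return TriageResult(alert.get("id", "?"), "NONE", "rejected",
                            ["untrusted sensor or malformed alert"])
    severity = classify(alert)
    intel_hit, notes = investigate(alert)
    return resolve(alert, severity, intel_hit, notes)


# Constructed sample feed covering each branch of the workflow.
SAMPLE_ALERTS = [
    {"id": "a1", "sensor_id": "rogue-box", "timestamp": "2024-01-01T00:00:00Z",
     "detection": "credential_dump", "process_tree": ["explorer.exe", "lsass.exe"]},
    {"id": "a2", "sensor_id": "meridian-sensor-01", "timestamp": "2024-01-01T00:00:01Z",
     "detection": "credential_dump", "process_tree": ["services.exe", "lsass.exe"]},
    {"id": "a3", "sensor_id": "meridian-sensor-02", "timestamp": "2024-01-01T00:00:02Z",
     "detection": "policy_flag", "process_tree": ["explorer.exe", "notepad.exe"], "hashes": []},
    {"id": "a4", "sensor_id": "meridian-sensor-01", "timestamp": "2024-01-01T00:00:03Z",
     "detection": "threshold_breach", "process_tree": ["explorer.exe", "svchost.exe"],
     "hashes": ["E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"]},
    {"id": "a5", "sensor_id": "meridian-sensor-01", "timestamp": "2024-01-01T00:00:04Z",
     "detection": "new_detector_type", "process_tree": ["cmd.exe"]},
]


def run_samples() -> dict:
    """Triage every sample alert and index the results by alert id."""
    return {r.alert_id: r for r in (triage(a) for a in SAMPLE_ALERTS)}


if __name__ == "__main__":
    for r in run_samples().values():
        print(asdict(r))
```

Two design choices matter for the auto-triage rule: an unknown detection type defaults to HIGH rather than LOW, so a detector added later cannot be auto-closed before anyone has mapped it, and a threat-intel match escalates regardless of the tier the alert arrived with, which is the Step 3 check applied mechanically.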