Review target
skills/secops/alert-triage/SKILL.md
Gap
The alert-triage skill has a solid collect/correlate/classify/escalate flow, but it does not define how to safely handle duplicate alerts, alert storms, or suppression requests before closing an alert as BTP/FP.
That leaves several practical risks:
- multiple tool notifications for the same raw event can inflate case count;
- alert storms across many users or hosts can be incorrectly collapsed as noise;
- stale prior dispositions can be reused after rule logic, asset criticality, or threat context changes;
- tuning recommendations can create broad permanent suppressions without owner, expiry, rollback, or detection-engineering follow-up;
- suppression can hide privileged users, critical assets, or later-stage ATT&CK activity.
Why this matters
SOC triage often sits between alert queue pressure and incident response. Bad de-duplication wastes analyst time, but bad suppression can hide real compromise. Triage output should distinguish duplicate notifications from distributed attack spread and make suppression auditable, scoped, reversible, and time-bound.
Proposed improvement
Add a de-duplication and suppression safety phase that requires:
- duplicate grouping keys with rule, raw event, user, host, process, source/destination, cloud account or tenant;
- cardinality checks across users, hosts, IPs, tenants, geographies, and time buckets;
- prior-disposition freshness checks including date, analyst, rule version, and asset context;
- suppression owner, expiry, exact scope, rollback path, compensating detection, and ticket ID;
- kill-chain coverage checks before suppressing recurring activity.
Also add output fields and edge-case fixtures for duplicate tool notifications, password spraying mistaken for noise, and broad admin suppressions.
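As an added illustration (not code from the issue or from the alert-triage skill itself), the following Python sketch shows the checks such a phase would run: duplicate grouping on the proposed key, cardinality-based spread detection so a spray is not collapsed as noise, prior-disposition freshness, and a suppression-request gate. The field names, the 30-day freshness window and the user threshold are assumptions, and the alert fixtures are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

NOW = datetime(2024, 1, 15)  # constructed reference time for the fixtures below

# Constructed fixtures: two tool notifications (e.g. EDR and SIEM) for one raw event,
# plus the same rule firing for six distinct users from a single source IP.
SAMPLE_ALERTS = [
    {"id": "a1", "rule": "failed-logon", "event_id": "evt-100", "user": "alice", "host": "host-a", "src": "10.0.0.5"},
    {"id": "a2", "rule": "failed-logon", "event_id": "evt-100", "user": "alice", "host": "host-a", "src": "10.0.0.5"},
] + [
    {"id": f"s{i}", "rule": "failed-logon", "event_id": f"evt-{200 + i}", "user": f"user{i}", "host": "vpn-gw", "src": "203.0.113.9"}
    for i in range(6)
]
REQUIRED_SUPPRESSION_FIELDS = ("owner", "expiry", "scope", "rollback", "compensating_detection", "ticket")

def group_duplicates(alerts):
    """Collapse notifications sharing rule, raw event, user, host and source: one case, not several."""
    groups = defaultdict(list)
    for a in alerts:
        groups[(a["rule"], a["event_id"], a["user"], a["host"], a["src"])].append(a["id"])
    return dict(groups)

def cardinality(alerts, rule):
    """Distinct users, hosts and sources for a rule; the spread, not the raw count, separates noise from spread."""
    subset = [a for a in alerts if a["rule"] == rule]
    return {field: len({a[field] for a in subset}) for field in ("user", "host", "src")}

def is_distributed_spread(alerts, rule, user_threshold=5):
    """Many users from few sources must be escalated as possible spraying, never collapsed as duplicates."""
    c = cardinality(alerts, rule)
    return c["user"] >= user_threshold and c["src"] < c["user"]

def disposition_is_fresh(prior, rule_version, asset_tier, now=NOW, max_age_days=30):
    """A prior BTP/FP verdict is reusable only if recent and made under the same rule version and asset context."""
    return (now - prior["date"] <= timedelta(days=max_age_days)
            and prior["rule_version"] == rule_version
            and prior["asset_tier"] == asset_tier)

def suppression_gaps(request, now=NOW):
    """List what a suppression request still lacks; an empty list means the gate is satisfied."""
    gaps = [f for f in REQUIRED_SUPPRESSION_FIELDS if not request.get(f)]
    if request.get("expiry") and request["expiry"] <= now:
        gaps.append("expiry_in_past")
    if request.get("scope") in ("*", "all"):
        gaps.append("scope_too_broad")
    return gaps
```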
Bounty category
Review issue + moderate skill improvement.