Investigating an Alert
When EDR detects suspicious activity on an endpoint, it creates an alert. This guide walks you through how to review, triage, and investigate alerts effectively.
Viewing open alerts
- Log in to https://cyberprotect.bamboozle.me.
- Click Monitoring then Alerts in the left sidebar.
- Filter by Status: Open to see alerts that have not yet been reviewed.
- Sort by Severity to prioritize Critical and High alerts first.
[SCREENSHOT: Alerts list filtered to open alerts sorted by severity]
Opening an alert
Click any alert to open the alert detail view, which shows:
- Alert summary — what was detected, on which device, and at what time
- Severity and confidence — how serious the threat is and how certain the detection is
- Affected process — the application or process involved in the suspicious activity
- MITRE ATT&CK mapping — which attack technique this alert corresponds to
- Timeline — a chronological view of events leading up to and following the detection
[SCREENSHOT: Alert detail view with summary, severity and timeline]
Understanding the MITRE ATT&CK framework
Bamboozle EDR maps detections to the MITRE ATT&CK framework, a globally recognized knowledge base of adversary tactics and techniques. The framework is organized into stages:
| Stage | Description |
|---|---|
| Initial Access | How the attacker got into the system |
| Execution | How malicious code was run |
| Persistence | How the attacker maintained access |
| Privilege Escalation | How the attacker gained higher permissions |
| Defense Evasion | How the attacker avoided detection |
| Credential Access | How credentials were stolen or abused |
| Discovery | How the attacker learned about the environment |
| Lateral Movement | How the attacker moved to other systems |
| Collection | How data was gathered |
| Exfiltration | How data was removed from the environment |
| Impact | The damage caused |
Understanding which stage an alert falls into helps you assess how far along an attack may be.
[SCREENSHOT: MITRE ATT&CK technique mapping in the alert detail view]
Reviewing the process tree
The process tree shows the sequence of processes involved in the suspicious activity — which process started which, and what actions each took. This is key to understanding whether an alert represents a genuine threat or a false positive.
- In the alert detail view, click Process tree or Investigation view.
- Review the chain of processes. Legitimate software generally has predictable, clean process trees.
- Hover over any process to see additional details including the full file path, hash, and command line arguments used.
[SCREENSHOT: Process tree view showing suspicious process chain]
Signs of a genuine threat
- An unusual parent process launching cmd.exe or PowerShell
- Processes running from temporary folders such as %TEMP% or %APPDATA%
- Processes with randomly generated names
- Network connections to unusual IP addresses or domains
- Attempts to access credential stores or the Windows registry
Signs of a false positive
- A known and trusted application doing something slightly unusual
- Security or IT management software performing expected administrative tasks
- A scheduled task or script that runs regularly
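As an added example (not part of the Bamboozle documentation or product), the Python script below applies the "signs of a genuine threat" heuristics above to a constructed set of process-tree entries with the fields the process tree view exposes (parent, image path, command line). The expected-parent baseline, the sample paths and the random-name rule are assumptions to tune for your own estate.

```python
import re
from pathlib import PureWindowsPath

# Assumed baseline: parents that routinely launch a shell on a workstation.
EXPECTED_SHELL_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "services.exe", "wininit.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Path segments that correspond to the %TEMP% and %APPDATA% locations named in the guide.
TEMP_OR_APPDATA = re.compile(r"\\(AppData|Temp)\\", re.IGNORECASE)

# Constructed sample process tree (hypothetical host, user and paths), not real telemetry.
SAMPLE_TREE = [
    {"parent": "explorer.exe", "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "WINWORD.EXE /n report.docx"},
    {"parent": "WINWORD.EXE", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc <base64 omitted>"},
    {"parent": "powershell.exe", "image": r"C:\Users\jdoe\AppData\Local\Temp\xk3j9q2p.exe",
     "cmdline": "xk3j9q2p.exe"},
    {"parent": "services.exe", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]

def looks_random(stem: str) -> bool:
    """Crude 'randomly generated name' check: long, and either vowel-free or digit-heavy."""
    s = stem.lower()
    return len(s) >= 6 and (not re.search(r"[aeiou]", s) or sum(c.isdigit() for c in s) >= 3)

def triage_process(proc: dict) -> list[str]:
    """Return the threat indicators from the guide that this process entry exhibits."""
    image = PureWindowsPath(proc["image"])
    name = image.name.lower()
    reasons = []
    if name in SHELLS and proc["parent"].lower() not in EXPECTED_SHELL_PARENTS:
        reasons.append(f"shell {name} launched by unusual parent {proc['parent']}")
    if TEMP_OR_APPDATA.search(str(image)):
        reasons.append("running from a temporary/AppData folder")
    if looks_random(image.stem):
        reasons.append(f"randomly generated name '{image.name}'")
    return reasons

def triage_tree(tree: list[dict]) -> list[tuple[str, list[str]]]:
    """Walk the tree top-down; only entries with at least one indicator are returned."""
    return [(p["image"], r) for p in tree if (r := triage_process(p))]

if __name__ == "__main__":
    for image, reasons in triage_tree(SAMPLE_TREE):
        print(image)
        for reason in reasons:
            print("  -", reason)
```

A clean result for every entry is not proof of a false positive; it only means none of the guide's listed signs were hit, so the hash and command line still need a look.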
Acknowledging an alert
If you are actively investigating an alert, acknowledge it so your team knows it is being handled:
- In the alert detail view, click Acknowledge.
- Optionally add a comment explaining who is investigating and what has been found so far.
[SCREENSHOT: Acknowledge button and comment field in alert detail view]
Next steps after investigation
Once you have reviewed an alert, you have three options:
- Resolve — if the activity was benign or has been remediated, mark the alert as resolved.
- Escalate — if you need help, contact Bamboozle Support with the alert details.
- Take action — if the threat is confirmed, proceed to Responding to an Incident.