
Your First Alert

Congratulations on connecting your SIEM! This guide explains what happens when your first alert arrives and how to interpret the AI triage results.

What Happens When an Alert Arrives

When Parapet Security receives an alert from your SIEM, it goes through a multi-stage AI pipeline:

graph TD
    A[Raw Alert Received] --> B[Secret Scrubbing]
    B --> C[AI Normalization]
    C --> D[Triage & Scoring]
    D --> E[Store in Dashboard]
    D --> F{Above Threshold?}
    F -->|Yes| G[Send Notification]
    F -->|No| H[Dashboard Only]

Stage 1: Secret Scrubbing

Before any AI processing, Parapet Security automatically removes sensitive data:

  • API keys and tokens
  • Passwords and credentials
  • Credit card numbers
  • Social Security Numbers
  • Private keys

This ensures your sensitive data never reaches our AI models.
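The following is an added, self-contained illustration of what a scrubbing stage like this does (example code written for this page, not Parapet Security's implementation). It walks the parsed alert, redacts values stored under credential-like field names, and pattern-matches inline secrets in free-text fields, Luhn-checking card-number candidates so that timestamps and numeric IDs are not redacted by accident. The patterns, the field-name list and the `SAMPLE_ALERT` input are all constructed assumptions for the example.

```python
import re
from typing import Any, Dict, Tuple

# Illustrative secret patterns (assumed for this example, not the vendor's rule set).
AWS_KEY = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
SSN = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digit runs with optional spaces/dashes; confirmed with a Luhn check below
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
PEM_PRIVATE_KEY = re.compile(
    r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S
)
# "password=..." / "token: ..." pairs inside free-text log lines
INLINE_CREDENTIAL = re.compile(
    r'(?i)\b(api[_-]?key|token|passw(?:or)?d|secret)(\s*[:=]\s*["\']?)([^\s"\',]+)'
)
# Field names whose whole value is treated as a credential (assumed list)
SENSITIVE_KEY = re.compile(r"(?i)(api[_-]?key|token|passw(?:or)?d|secret|authorization)")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scrub_text(text: str, counts: Dict[str, int]) -> str:
    """Redact secrets inside a free-text string, tallying each kind in counts."""

    def tag(kind: str) -> str:
        counts[kind] = counts.get(kind, 0) + 1
        return f"[REDACTED:{kind}]"

    text = PEM_PRIVATE_KEY.sub(lambda m: tag("private_key"), text)
    text = AWS_KEY.sub(lambda m: tag("aws_key"), text)
    text = SSN.sub(lambda m: tag("ssn"), text)
    # Only digit runs that pass Luhn are treated as card numbers
    text = CARD_CANDIDATE.sub(
        lambda m: tag("card") if luhn_ok(re.sub(r"\D", "", m.group(0))) else m.group(0),
        text,
    )
    # Keep the field name and separator, replace only the secret value
    text = INLINE_CREDENTIAL.sub(lambda m: m.group(1) + m.group(2) + tag("credential"), text)
    return text


def scrub(obj: Any, counts: Dict[str, int]) -> Any:
    """Walk a parsed alert (dicts, lists, scalars) and return a redacted copy."""
    if isinstance(obj, dict):
        out = {}
        for key, value in obj.items():
            if isinstance(key, str) and SENSITIVE_KEY.search(key) and isinstance(value, str):
                counts["credential"] = counts.get("credential", 0) + 1
                out[key] = "[REDACTED:credential]"
            else:
                out[key] = scrub(value, counts)
        return out
    if isinstance(obj, list):
        return [scrub(item, counts) for item in obj]
    if isinstance(obj, str):
        return scrub_text(obj, counts)
    return obj  # numbers, booleans and None pass through untouched


def scrub_alert(alert: Dict[str, Any]) -> Tuple[Dict[str, Any], Dict[str, int]]:
    """Scrub an alert before it reaches any external model; returns (copy, tallies)."""
    counts: Dict[str, int] = {}
    return scrub(alert, counts), counts


# Constructed sample: a Wazuh-shaped alert whose log line carries several secret types.
SAMPLE_ALERT = {
    "rule": {"level": 12, "description": "Possible SSH brute force attack", "id": "5712"},
    "agent": {"name": "web-server-01", "ip": "192.168.1.100"},
    "data": {
        "srcip": "45.227.253.98",
        "api_key": "sk_live_EXAMPLE_0000000000",
        "full_log": (
            "Jan 1 00:00:00 web-server-01 app: user=alice password=hunter2 "
            "ssn=123-45-6789 card=4111 1111 1111 1111 aws=AKIAIOSFODNN7EXAMPLE"
        ),
    },
    "extra": "-----BEGIN RSA PRIVATE KEY-----\nMIIEexample\n-----END RSA PRIVATE KEY-----",
}

if __name__ == "__main__":
    scrubbed, tallies = scrub_alert(SAMPLE_ALERT)
    print(scrubbed["data"]["full_log"])
    print(tallies)
```

The tally dictionary lets a pipeline log how much was redacted without logging what was redacted. A pattern-based scrubber only catches secret formats it has a pattern for, so the redacted raw payload should still be handled as potentially sensitive rather than assumed clean.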

Stage 2: AI Normalization

Our AI converts any alert format to a standard schema. For example, this raw SIEM alert (in Wazuh's format):

{
  "rule": {
    "level": 12,
    "description": "Possible SSH brute force attack",
    "id": "5712"
  },
  "agent": {
    "name": "web-server-01",
    "ip": "192.168.1.100"
  },
  "data": {
    "srcip": "45.227.253.98"
  }
}

is normalized to:

{
  "severity": "high",
  "category": "authentication",
  "title": "SSH Brute Force Attack Detected",
  "affected_entities": {
    "hosts": ["web-server-01"],
    "source_ips": ["45.227.253.98"]
  },
  "mitre_tactics": ["TA0006"],
  "mitre_techniques": ["T1110.001"]
}
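As an added illustration of Stage 2 (example code written for this page, not Parapet Security's normalizer, which uses a model), the following deterministic stand-in maps the Wazuh-shaped input above onto the output schema shown, and applies the "Above Threshold?" decision from the pipeline diagram. The level-to-severity bands, the keyword table, the `notify_threshold` parameter and the `route` function are assumptions; the MITRE ATT&CK IDs for the brute-force case are the ones the page shows.

```python
from typing import Any, Dict, List, Tuple

SEVERITY_ORDER = ["low", "medium", "high", "critical"]


def severity_from_level(level: int) -> str:
    """Assumed bands from a Wazuh rule level (0-15) to dashboard severity."""
    if level >= 15:
        return "critical"
    if level >= 12:
        return "high"
    if level >= 7:
        return "medium"
    return "low"


# Assumed keyword table; the first matching row wins. Only the brute-force row
# carries MITRE ATT&CK IDs, taken from the page's example output.
CATEGORY_RULES: List[Tuple[Tuple[str, ...], str, List[str], List[str]]] = [
    (("brute force",), "authentication", ["TA0006"], ["T1110.001"]),
    (("ssh", "authentication", "login", "password"), "authentication", [], []),
    (("malware", "virus", "trojan", "rootkit"), "malware", [], []),
    (("scan", "firewall", "connection"), "network", [], []),
]


def classify(description: str) -> Tuple[str, List[str], List[str]]:
    """Return (category, tactics, techniques) for a rule description."""
    text = description.lower()
    for keywords, category, tactics, techniques in CATEGORY_RULES:
        if any(k in text for k in keywords):
            return category, list(tactics), list(techniques)
    return "other", [], []


def normalize(raw: Dict[str, Any]) -> Dict[str, Any]:
    """Map a Wazuh-shaped alert onto the standard schema; missing fields become empty lists."""
    rule = raw.get("rule") or {}
    agent = raw.get("agent") or {}
    data = raw.get("data") or {}
    category, tactics, techniques = classify(str(rule.get("description", "")))
    return {
        "severity": severity_from_level(int(rule.get("level", 0))),
        "category": category,
        "title": rule.get("description") or "Unclassified alert",
        "affected_entities": {
            "hosts": [agent["name"]] if agent.get("name") else [],
            "source_ips": [data["srcip"]] if data.get("srcip") else [],
        },
        "mitre_tactics": tactics,
        "mitre_techniques": techniques,
    }


def should_notify(normalized: Dict[str, Any], notify_threshold: str = "high") -> bool:
    """The 'Above Threshold?' decision: notify when severity is at or above the threshold."""
    return SEVERITY_ORDER.index(normalized["severity"]) >= SEVERITY_ORDER.index(notify_threshold)


def route(raw: Dict[str, Any], notify_threshold: str = "high") -> Tuple[str, Dict[str, Any]]:
    """Normalize and decide between a notification and a dashboard-only entry."""
    normalized = normalize(raw)
    decision = "notify" if should_notify(normalized, notify_threshold) else "dashboard_only"
    return decision, normalized


# The page's own input example, reused as sample data
SAMPLE_WAZUH_ALERT = {
    "rule": {"level": 12, "description": "Possible SSH brute force attack", "id": "5712"},
    "agent": {"name": "web-server-01", "ip": "192.168.1.100"},
    "data": {"srcip": "45.227.253.98"},
}

if __name__ == "__main__":
    print(route(SAMPLE_WAZUH_ALERT))
```

The rewritten title ("SSH Brute Force Attack Detected"), the confidence score and the false-positive likelihood are model outputs that this stand-in does not reproduce; it keeps the rule description as the title.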

Stage 3: Triage & Scoring

The AI analyzes the normalized alert and provides:

  • Severity Assessment - Critical, High, Medium, or Low
  • Confidence Score - How certain the AI is (0-100%)
  • Recommendations - Suggested response actions
  • MITRE ATT&CK Mapping - Tactics and techniques
  • False Positive Likelihood - Based on context and patterns

Viewing Your Alert

In the Dashboard

  1. Navigate to Alerts in the left sidebar
  2. Your most recent alert appears at the top
  3. Click on it to view full details

Alert List View

The alert list shows key information at a glance:

| Column | Description |
|---|---|
| Severity | Color-coded badge (Critical=Red, High=Orange, Medium=Yellow, Low=Blue) |
| Title | AI-generated summary of the alert |
| Source | Your SIEM platform (Wazuh, Elastic, etc.) |
| Category | Type of threat (Malware, Authentication, Network, etc.) |
| Time | When the alert was received |
| Status | Processing status (Pending, Triaged) |

Alert Detail View

Click any alert to see the full analysis:

AI Triage Panel

┌─────────────────────────────────────────────────┐
│  Severity: HIGH          Confidence: 87%        │
├─────────────────────────────────────────────────┤
│  Category: Authentication                       │
│  False Positive Likelihood: Low (15%)           │
├─────────────────────────────────────────────────┤
│  MITRE ATT&CK:                                  │
│  • Tactic: Credential Access (TA0006)           │
│  • Technique: Brute Force - SSH (T1110.001)     │
└─────────────────────────────────────────────────┘

Recommendations

The AI provides actionable next steps:

Sample Recommendations

  1. Immediate: Block source IP 45.227.253.98 at firewall
  2. Investigation: Check auth logs for successful logins from this IP
  3. Remediation: Enable SSH key-only authentication
  4. Long-term: Consider implementing fail2ban

Affected Entities

See which assets are impacted:

  • Hosts: Servers, workstations, or devices
  • Users: User accounts mentioned in the alert
  • IPs: Source and destination IP addresses
  • Files: File paths or hashes (for malware alerts)

Raw Payload

View the original alert from your SIEM (with secrets redacted).

Understanding Severity Levels

| Level | Color | Meaning | Response Time |
|---|---|---|---|
| Critical | Red | Active breach or immediate threat | Immediate |
| High | Orange | Serious threat requiring quick action | Within 1 hour |
| Medium | Yellow | Potential threat to investigate | Within 24 hours |
| Low | Blue | Informational or minor concern | When time permits |

Understanding Confidence Scores

The confidence score indicates how certain the AI is about its triage:

| Score | Meaning |
|---|---|
| 90-100% | Very high confidence - clear threat indicators |
| 70-89% | High confidence - strong signals present |
| 50-69% | Moderate confidence - some ambiguity exists |
| Below 50% | Low confidence - manual review recommended |

Low Confidence Alerts

Alerts with confidence below 50% aren't necessarily false positives. They may involve novel attack patterns the AI hasn't seen before. Always review low-confidence alerts manually.

What's Next?

Now that you understand how alerts work:

  1. Set up notifications - Configure Slack or Email alerts
  2. Customize thresholds - Adjust which alerts trigger notifications
  3. Explore the dashboard - Learn filtering and search

Common Questions

Why is my alert showing as "Low" when my SIEM said "Critical"?

Parapet Security re-evaluates severity using AI analysis. Sometimes alerts that appear critical are actually false positives or less severe than the original SIEM rule suggests.

How long until my alert appears?

Most alerts appear within 10-30 seconds. High volumes may take up to 60 seconds.

Can I see the original SIEM alert?

Yes! The "Raw Payload" section in alert details shows the original alert (with secrets redacted).

What if I disagree with the AI triage?

You can mark alerts as false positives or update their status. Over time, this feedback helps improve the AI's accuracy.