Writing Alert Runbooks That Analysts Actually Use During Incidents

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Most alert runbooks are written once, filed in a wiki, and never read again. Detection engineers write them from memory of how they would investigate the alert themselves -- which means the runbooks are written for someone with deep knowledge of the detection logic, the data sources, and the environment. The analysts who receive the alerts during a busy shift have none of that context and cannot afford to read through four pages of background before starting to investigate.
Runbooks fail for predictable reasons: they describe the alert mechanics instead of the triage decision, they list evidence sources without explaining how to interpret what those sources show, they do not specify what a benign finding looks like, and they provide escalation criteria that require judgment the analyst does not have.
The runbooks that analysts actually use during incidents share a specific structure: they answer the question "is this real?" in the first section, they show what evidence to collect and what to look for in each piece of evidence, they define a yes/no decision tree with explicit criteria, and they tell the analyst exactly what to do next in each case. Analysts use these runbooks not because they are required to but because following the runbook is faster than figuring out the investigation from scratch.
This guide covers what belongs in every runbook, what format makes runbooks usable under pressure, how to test whether a runbook works before an incident, and how to maintain runbooks as detections evolve.
Why Most Alert Runbooks Fail
Alert runbooks fail when they are written as documentation rather than decision support. The distinction matters because documentation answers "what is this?" while decision support answers "what should I do right now?"
Too much background, not enough decision. A runbook that opens with three paragraphs explaining what PowerShell is, why encoded commands are suspicious, and how the detection was built is not useful to an analyst who needs to determine in the next 10 minutes whether to escalate or close the alert. Put the triage decision tree at the top, not background information.
Evidence sources listed without interpretation. "Check the process tree in the EDR" is not useful. "Check the process tree in the EDR -- if the parent process is Word.exe or Excel.exe, the user opened a malicious document; if the parent is cmd.exe spawned by a scheduled task, look for scheduled task persistence" is useful. Evidence sources without interpretation guidance require the analyst to have the same mental model as the detection engineer.
Escalation criteria that require judgment. "Escalate if suspicious" or "escalate if it looks real" puts the decision-making burden on the analyst without providing the criteria. The analyst who is unsure escalates everything to be safe (alert fatigue for the escalation path) or escalates nothing (missed incidents). Escalation criteria should be explicit: "Escalate if the parent process is a productivity application AND the encoded command contains a download from an external URL."
No false positive disposal procedure. A runbook that tells analysts how to investigate a real alert but does not tell them how to close a false positive creates inconsistency. Different analysts close false positives differently, and without a documented disposal procedure, the SIEM accumulates unclosed alerts.
Seven Required Fields for an Actionable Runbook
Every alert runbook should contain seven fields in this order, optimized for reading under time pressure.
1. Alert name and trigger condition. One sentence: what the detection rule fires on and what SIEM/EDR/platform generates it. Analysts who work across multiple tools need to know where to start. Example: "This alert fires in Microsoft Sentinel when Windows Event ID 4104 logs a PowerShell script block with base64-encoded content exceeding 500 characters."
2. What benign looks like. Before anything else, tell the analyst what a false positive looks like for this specific alert. Example: "Common false positives include Microsoft Intune management scripts, ConfigMgr deployment commands, and scheduled tasks from endpoint management tools. Check the parent process first -- if it is MEM.exe or ccm.exe, this is likely a false positive."
3. What malicious looks like. One to three specific indicators that distinguish a real finding. Example: "Malicious indicators include encoded commands downloading from external URLs (confirm by decoding the base64 payload), network connections from PowerShell.exe to external IPs after execution, and child processes (cmd.exe, mshta.exe, wscript.exe) spawned by the PowerShell process."
4. Required evidence to collect. List exactly what to collect and from where, in the order the analyst should collect it. "1. Process tree from EDR for the powershell.exe process. 2. Network connections from the same host in the 10 minutes surrounding the event. 3. Decoded base64 payload (use CyberChef From Base64 recipe). 4. User authentication activity from Entra ID for the logged-in user in the past 24 hours."
5. Triage decision tree. A branching yes/no structure with explicit criteria at each branch point. Written as conditions, not judgments. See the sample runbook section for the format.
6. Escalation criteria and procedure. The specific conditions that require escalation, who to escalate to, and what information to include in the escalation. "Escalate to Tier 2 if: (a) the decoded payload contains an external download URL, OR (b) the PowerShell process spawned network connections within 60 seconds of execution. Include: host name, user name, decoded payload, and process tree screenshot."
7. False positive disposal procedure. Exactly how to close a confirmed false positive. Which fields to fill in the ticket, what comment to add, and whether to add any exception to prevent the same alert from firing again for the same source. Consistent disposal prevents alert backlog and enables accurate FP rate tracking.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Sample Runbook: PowerShell Encoded Command Alert
This sample demonstrates the seven-field format applied to a common detection.
Alert: PowerShell Encoded Command Execution Platform: Microsoft Sentinel | Rule: PSEncodedCommand-001
What benign looks like:
- Parent process is MEM.exe, ccm.exe, or a known IT management tool
- Endpoint management scripts from Intune (check for
OMA-DMorIntunestrings in user data) - Scheduled maintenance tasks (verify in Task Scheduler on the host)
What malicious looks like:
- Decoded payload downloads from an external URL (
IEX,Invoke-Expression,DownloadString,WebClient) - Child processes (cmd.exe, mshta.exe, wscript.exe, csc.exe) spawned after execution
- Network connections from powershell.exe to external IPs within 60 seconds
Required evidence (collect in order):
- From EDR: Process tree for the powershell.exe PID
- From EDR: Network connections for the same host, 5 minutes before and after the event
- Decode the payload: copy the base64 string from the alert, go to CyberChef, use "From Base64" recipe
- From Entra ID: Sign-in logs for the user name in the alert, past 24 hours
Triage decision tree:
Is the parent process a known IT management tool (MEM.exe, ccm.exe)?
- YES: Check if the decoded payload matches known management scripts. If yes, close as FP. If no, continue.
- NO: Continue.
Does the decoded payload contain IEX, Invoke-Expression, DownloadString, or an external URL?
- YES: ESCALATE immediately. Do not wait for network connection confirmation.
- NO: Continue.
Did powershell.exe spawn any child processes (cmd.exe, mshta.exe, wscript.exe, csc.exe)?
- YES: ESCALATE.
- NO: Continue.
Did powershell.exe make network connections to external IPs?
- YES: ESCALATE.
- NO: MONITOR. Add to watchlist for 24 hours. If no additional activity, close as low confidence.
Escalation procedure: Escalate to Tier 2 on-call via Slack #soc-escalation. Include: host name, user name, decoded payload text, and process tree screenshot. Ticket must include all four items before paging.
False positive disposal: If confirmed FP: Set ticket status to Resolved, Resolution = False Positive, add comment with the specific reason (e.g., "Intune management script -- parent process MEM.exe confirmed"). No exception needed unless this fires more than twice per week for the same host.
Triage Decision Tree Format
The triage decision tree is the most important part of the runbook because it is what the analyst uses under time pressure. The format must be unambiguous -- no "maybe" branches, no judgment calls without explicit criteria.
Use yes/no branches only. Every branch point should be answerable with yes or no based on observable data. "Is the parent process cmd.exe?" is answerable. "Does this look like lateral movement?" is not.
Lead with the most discriminating check. Order branches so the most reliable false positive indicator comes first. This lets analysts quickly dispose of the majority of benign alerts before doing deeper investigation for the minority that look real.
Provide the specific lookup for each branch. Every branch point should tell the analyst exactly where to find the answer: which tool, which field, which time range. "Check the parent process" is not actionable. "In the EDR alert detail, look at the Parent Process Name field" is actionable.
Terminate every branch. Every path through the decision tree must end with a clear action: escalate, monitor, close. Branches that end with "investigate further" or "use your judgment" are incomplete.
Timebox each step. At the top of the decision tree, state the total time budget for triage. "Complete triage in under 15 minutes. If any evidence step takes longer than 5 minutes, escalate and continue investigation." This prevents analysts from spending 45 minutes on a single alert while the queue grows.
Runbook Quality Testing
The only reliable test for a runbook is giving it to someone who has never seen it before and timing how long it takes them to reach a triage decision.
Cold-read test procedure. Select an analyst who did not write the runbook. Give them the runbook and a sample alert (use a historical alert from your SIEM or create a synthetic one). Measure: (1) How long until they start investigating (time to understand the runbook). (2) How long to reach a triage decision. (3) Whether they reached the correct decision based on the sample alert. (4) How many questions they asked. A runbook that produces correct decisions in under 15 minutes without questions passes the cold-read test.
Friction points reveal runbook failures. When the test analyst asks a question, the answer to that question should become part of the runbook. When they spend extra time looking something up, that lookup process should be documented. Questions and hesitations are debugging data for the runbook, not failures by the analyst.
Test with real false positives, not just true positives. Most alerts are false positives. A runbook that guides analysts to correct escalation decisions on true positives but sends them in circles on false positives is not complete. Test the runbook against confirmed false positive examples and verify that the disposal procedure is reached cleanly.
Measure runbook effectiveness with ongoing metrics. After deployment, track per-alert: mean time to triage (from alert creation to analyst decision), escalation rate (what percentage of alerts are escalated vs. closed), false positive escalation rate (what percentage of escalated alerts turn out to be FP), and analyst disagreement rate (do different analysts reach different conclusions from the same alert). Significant disagreement between analysts on the same alert type indicates the runbook's criteria are ambiguous.
Maintenance Workflow Triggered by Alert Metrics
Runbooks are not static documents. They require maintenance as detections change, new false positive patterns emerge, and the environment evolves.
Trigger: false positive rate above 40%. When more than 40% of an alert type is false positive, the runbook's disposal procedure needs to be faster and the detection may need tuning. Review the false positive patterns and update the "What benign looks like" section with the specific new FP patterns. If the same FP pattern is generating alerts repeatedly, add an exclusion to the detection rule rather than requiring analysts to repeatedly execute the same disposal procedure.
Trigger: false negative confirmed. When an incident postmortem reveals that an alert fired but was incorrectly closed as a false positive, the runbook's decision tree failed. Review the triage path the analyst took, identify which branch point led to the wrong conclusion, and add discriminating criteria or additional evidence steps at that branch point.
Trigger: escalation path changes. When the team structure, on-call rotation, or tooling changes, the escalation section becomes stale. Assign one team member ownership of each runbook and require them to verify escalation path accuracy quarterly.
Trigger: detection rule changes. When the detection logic is modified (new threshold, new exclusions, new data sources), the runbook must be updated to reflect the new trigger condition and any changed false positive patterns.
Quarterly audit. Even without a specific trigger, review all runbooks quarterly: confirm that the evidence sources listed still exist and are accessible, verify that the escalation contacts are current, and check whether new false positive patterns should be documented based on recent tickets.
The bottom line
Alert runbooks that analysts use under incident pressure share a specific structure: the triage decision tree comes first, the benign indicator identification comes before the malicious indicator investigation, every branch point specifies exactly where to look and what to look for, and the false positive disposal procedure is as detailed as the escalation procedure. The cold-read test -- giving an unfamiliar analyst the runbook and a sample alert, then measuring time to correct decision -- is the only reliable quality gate. Maintain runbooks when the false positive rate exceeds 40%, when a false negative is confirmed in an incident postmortem, or when escalation paths or detection logic changes. A runbook that cannot pass the cold-read test in under 15 minutes is not a runbook -- it is background reading.
Frequently asked questions
What is the difference between an alert runbook and an incident response playbook?
An alert runbook is specific to a single detection alert type and covers the first 15 minutes of investigation: triage, evidence collection, and the escalate-or-close decision. An incident response playbook covers a broader incident category (ransomware, account compromise, data exfiltration) and guides the full response lifecycle from detection through containment, eradication, recovery, and lessons learned. Runbooks feed into playbooks: a suspicious PowerShell alert runbook might escalate to an endpoint compromise playbook if the triage confirms real activity.
How long should an alert runbook be?
One to two pages for most alerts. A runbook that is longer than two pages will not be read during triage under time pressure. If the investigation is complex enough to require more than two pages of guidance, the runbook should cover triage only (the first 15 minutes) and reference a separate investigation guide for the deeper analysis phase. The goal of the runbook is to reach the escalate-or-close decision quickly, not to document the full investigation.
Who should write alert runbooks?
Detection engineers should draft runbooks as part of the detection creation process, but the draft should be reviewed and edited by a Tier 1 analyst before publication. Detection engineers know how the detection works and what distinguishes real from benign. Analysts know what information is actually accessible during triage, where time is lost in the investigation workflow, and what questions arise during real investigations. The combination produces a runbook that is technically accurate and operationally usable.
How do you handle alerts where the triage cannot be completed in 15 minutes?
For complex detections where full triage requires more than 15 minutes, split the runbook into two phases. Phase 1 (under 15 minutes): the minimum investigation to determine whether to escalate or continue investigating. Phase 2 (Tier 2 investigation): the deeper analysis that confirms or rules out the finding. The Phase 1 decision is escalate vs. monitor -- not escalate vs. close. Analysts with complex alerts default to escalation with the evidence collected so far, rather than spending extended time trying to reach a definitive conclusion before escalating.
Should runbooks be stored in the SIEM or in a separate wiki?
Runbooks should be linked directly from the SIEM alert interface where possible -- analysts should not have to open a separate browser tab and search a wiki to find the relevant runbook during triage. Many SIEM platforms support adding runbook links to alert rules. If the SIEM does not support inline runbook links, create a bookmark or shortcut that analysts can access from the SIEM alert UI within one click. The more friction between an analyst and the runbook, the less likely the runbook will be used.
What metrics indicate a runbook needs updating?
Four metrics indicate runbook maintenance is needed: false positive rate above 40% (runbook disposal procedure too slow or detection needs tuning), false positive escalation rate above 20% (escalation criteria too broad), analyst disagreement rate above 15% (decision tree criteria are ambiguous), and mean triage time above 20 minutes (runbook too complex or evidence sources poorly documented). Track these per-alert-type in your ticketing system and trigger a runbook review when any metric exceeds its threshold.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
