Your EDR Fired an Alert. Here Is What to Do in the Next 60 Minutes.

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
An EDR alert is information. It is not yet a confirmed incident. The 60-minute window immediately after an alert fires determines whether you identify and contain an active threat, or spend four hours investigating a misconfigured backup agent.
The triage sequence below is designed for a single analyst working a single alert. It applies regardless of which EDR platform you use: CrowdStrike, Microsoft Defender for Endpoint, SentinelOne, or any other: because the questions are the same even when the interface differs.
Step 1: Classify the Alert Type Before Reading the Details (Minutes 0-5)
The first thing to look at is not the alert details: it is the alert category. EDR platforms classify detections into technique categories that tell you immediately how serious the situation is before you read a single process name.
Highest urgency (respond immediately, assume active threat):
- Credential access or credential dumping (T1003)
- Defense evasion via process injection or tampering (T1055, T1562)
- Lateral movement via remote services (T1021)
- Command and control with active outbound connection (T1071)
- Ransomware behavior or mass file modification
High urgency (investigate within 15 minutes):
- Persistence mechanism installed (T1053 scheduled task, T1547 registry run key)
- PowerShell or scripting host executing encoded or obfuscated commands (T1059)
- Living-off-the-land binary (LOLBIN) used suspiciously (certutil, mshta, regsvr32)
- Suspicious parent-child process relationship
Medium urgency (investigate within 60 minutes, false positive more likely):
- Network scan activity from a workstation
- Reconnaissance commands (whoami, net user, ipconfig with suspicious context)
- Generic malware detection with no active behavior observed
Classify the alert into one of these tiers in the first five minutes. This determines your investigation tempo for everything that follows.
Step 2: Pull Process Tree and Network Context (Minutes 5-20)
Every major EDR platform provides a process tree view for the alerted event. Pull it immediately. This is the single most important data source for determining true positive vs. false positive.
What to read in the process tree:
Start from the top of the tree: the parent process: and work down.
- Parent process: What launched the process that triggered the alert? A Word document launching PowerShell is a red flag. A scheduled task launching PowerShell at 2 AM with a known script hash is likely legitimate. The parent context resolves most ambiguity.
- Command line: What was the full command line for the alerted process? An encoded base64 PowerShell command is suspicious.
powershell.exe -File C:\Scripts\backup.ps1with a known hash is probably your backup agent. - Child processes: Did the suspicious process spawn children? A process that spawned
cmd.exe,wscript.exe, ornet.exeis behaving like malware. A process that spawned nothing after execution is lower risk. - File writes: Did the process write any files? Where? An executable writing a new executable to
%APPDATA%or%TEMP%is a stage-two dropper pattern.
What to check for network context:
Pull the network connections for the alerted endpoint over the past 30 minutes. Look for:
- Connections to IP addresses in unusual geographies for this endpoint
- Connections to known-bad infrastructure (your threat intel feed or your EDR's built-in enrichment)
- Long-duration connections (minutes or hours) to unfamiliar IPs: indicators of C2 beaconing
- DNS queries to dynamically generated domain names (high entropy, random-looking TLDs)
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Step 3: True Positive or False Positive? (Minutes 20-35)
You now have the process tree, command line, parent process, and network connections. Answer these four questions to determine whether this is a true positive:
Question 1: Is the behavior expected from this host? A developer workstation running obfuscated PowerShell is expected. A receptionist's workstation doing the same thing at 11 PM is not. Endpoint role matters. Check what type of machine this is and who uses it.
Question 2: Does the hash match a known-good file? Most EDR platforms enrich alerts with file hash reputation data. If the alerted process has a hash that appears in VirusTotal with 0/70 detections and has been seen on millions of machines, it is almost certainly a legitimate application that triggered a noisy rule. If the hash is unique or has high detection rates, it is suspicious.
Question 3: Has this alert fired before on this host? A recurring alert that has been closed as a false positive 15 times is probably still a false positive. An alert that has never fired before on this host for this process is more likely genuine. Check alert history before concluding.
Question 4: Is there a corresponding suspicious event in another log source? An EDR alert corroborated by a firewall block for the same endpoint at the same timestamp is much more likely to be a true positive than an isolated EDR alert. Check your SIEM for events from the same host in the same time window.
If you cannot answer all four confidently by minute 35: Treat it as a true positive and contain. The cost of a false containment is a brief user disruption. The cost of missing a true positive is an uncontained breach.
Step 4: Contain or Close (Minutes 35-60)
If true positive:
Contain the endpoint immediately using your EDR's network isolation feature. This severs the endpoint's network connections while maintaining your EDR connectivity so you can continue investigating remotely. Do not have the user reboot or shut down.
Document the containment time, the reason for containment, and who authorized it. This timestamp starts your incident timeline.
Escalate according to your incident response runbook. If you do not have one, follow the escalation path: your manager, your IR firm or insurer, and the system owner in that order.
While escalation is in progress, continue pulling artifacts from the isolated endpoint: additional process tree nodes, any files the malicious process created, scheduled tasks modified, registry keys changed, and network connections it attempted.
If false positive:
Document what the process was, why it triggered the alert, and why it is legitimate. This documentation is your justification for creating a suppression rule.
Create a targeted suppression: suppress by file hash plus parent process plus command line pattern: never suppress by process name alone. A suppression for powershell.exe blocks all PowerShell detections. A suppression for powershell.exe with hash abc123 launched by Task Scheduler with command line backup.ps1 suppresses exactly one legitimate behavior.
Check whether this false positive is likely affecting other endpoints: if the same legitimate software runs across your fleet, the alert is firing everywhere. Address the suppression fleet-wide.
If uncertain after 60 minutes:
Contain and escalate. Uncertainty at the 60-minute mark means the alert is sufficiently ambiguous that you need more investigation time than a single analyst's triage window provides. Contain now, investigate at the right tempo with the right resources.
The bottom line
EDR triage is a four-step sequence: classify the technique category first to set your urgency level, pull the process tree and network context, answer the four true-positive questions, then either contain and escalate or document and close. If you cannot definitively determine false positive within 60 minutes, default to containment. The cost of containing a false positive is a brief service disruption. The cost of releasing a true positive is an active breach.
Frequently asked questions
What is the first thing to do when an EDR alert fires?
Look at the alert category before reading the details. Credential dumping, process injection, and lateral movement alerts require immediate response. PowerShell execution and reconnaissance alerts give you more time. The category determines your investigation tempo before you read a single process name.
How do I tell if an EDR alert is a true positive or false positive?
Answer four questions using the process tree: Is this behavior expected from this host? Does the file hash appear in threat intel as malicious? Has this alert fired and been closed as FP before? Is there a corroborating event in another log source? If you cannot answer all four confidently within 60 minutes, treat it as a true positive and contain.
When should I escalate an EDR alert to the IR team?
Escalate immediately if the alert indicates any of the following: credential dumping (LSASS access, SAM hive reads), lateral movement (network connections to internal hosts from an alerted endpoint), ransomware indicators (mass file modifications, shadow copy deletion), or persistence mechanisms (scheduled task creation, registry run key modification by a non-software-installer process). Any alert where the true-positive determination cannot be made within 60 minutes should also escalate. Default to escalating too early rather than too late.
What should I document when closing an EDR alert as a false positive?
Document five things: the alert rule or signature name, the process and command line that triggered it, the specific reason you determined it was a false positive (file hash reputation, known-good software, endpoint role), whether a tuning action is needed to prevent recurrence, and who made the determination. Undocumented false-positive closures are invisible to future analysts who will investigate the same alert again without the benefit of your prior determination.
How do I contain an endpoint from within an EDR console?
Most EDR platforms have a network isolation capability (CrowdStrike calls it 'Contain Host,' Defender for Endpoint calls it 'Isolate device,' SentinelOne calls it 'Disconnect from Network'). This blocks all network communication on the endpoint except to the EDR cloud infrastructure, so the agent remains reachable for forensic investigation while the endpoint cannot communicate with C2 or lateral movement targets. Isolation does not replace a forensic disk image: collect memory and disk evidence before or immediately after isolation, as some attackers trigger data destruction when network connectivity is lost.
How do I build an EDR alert suppression rule that does not create a detection blind spot?
Suppression rules are necessary for managing false positive volume, but poorly constructed suppressions silently disable detection for entire attack categories. The safest suppression approach combines multiple specific conditions rather than suppressing on a single broad attribute. The most dangerous suppression pattern is suppressing by process name alone: suppressing all alerts for powershell.exe, for example, eliminates coverage for every PowerShell-based attack technique. The correct approach is suppressing the specific combination of attributes that characterizes the known-good behavior: process name plus file hash plus parent process plus command line pattern, with all conditions required simultaneously. Before creating any suppression, document the alert rule name, the specific false positive scenario that triggered it, the suppression logic applied, and the date it was added. Review your full suppression list quarterly to identify suppressions that are no longer relevant because the triggering software was removed or upgraded. For any suppression that covers a high-severity technique category, require a second analyst to review and approve before enabling it. If your EDR platform supports it, set an expiration date on suppressions so they require active renewal rather than persisting indefinitely. A suppression that nobody remembers adding and nobody has reviewed in two years is a detection gap that looks like a configuration decision.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
