Humorously, this is why we cannot have great names: I suck at naming things. The Context Triage Framework (CTF) is an attempt to bring automation holistically to SOC analyst triage, and at the same time to compile a library of triage tasks drawn from expert knowledge.
From attempting to bring it to several projects, I have a few observations.
Pros
- It doesn’t require expert knowledge across everything.
- Simple, easy-to-follow instructions work best.
- The more people use it, the better the feedback becomes.
Cons
- This is another source of tech debt: API calls, log schemas, and of course log sources that rotate in and out.
- Shadow tech: builders and engineers need to be kept on track; they introduce shadow tech when they abandon the assigned task for another, especially when that isn't reported.
- Sometimes that expert knowledge doesn't translate well into automated steps.
- Tasks need to be crafted as yes/no actionable steps.
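To make the last two points concrete, here is an added example of what a library of yes/no triage steps can look like when it is wired into a small automated runner. This is illustration code written for this page, not the CTF project's own code; the task names, the `TriageTask`/`triage` helpers, the corporate IP ranges and the alert contexts are all constructed for the example. Each step is a single question an analyst could answer yes or no, the library says where each answer leads, and a step that cannot be answered because a field is missing from the alert context (the log-schema tech debt above) drops the alert to manual review instead of guessing.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Context = Dict[str, object]

# Hypothetical corporate ranges, constructed for this example.
CORP_RANGES = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


@dataclass
class TriageTask:
    name: str
    question: str                                  # the yes/no an analyst would answer
    check: Callable[[Context], Optional[bool]]     # True / False / None (cannot answer)
    on_yes: str                                    # next task name, or "VERDICT:<label>"
    on_no: str


@dataclass
class TriageResult:
    verdict: str
    trail: List[str] = field(default_factory=list)  # answered steps, for the analyst's audit


def needs(*keys):
    """Wrap a predicate so it answers None instead of raising when the alert
    context lacks a field (what a silent log-schema change looks like at runtime)."""
    def deco(fn):
        def wrapped(ctx):
            if any(k not in ctx for k in keys):
                return None
            return fn(ctx)
        return wrapped
    return deco


@needs("src_ip")
def src_ip_is_corporate(ctx):
    ip = ipaddress.ip_address(str(ctx["src_ip"]))
    return any(ip in net for net in CORP_RANGES)


@needs("mfa_passed")
def mfa_passed(ctx):
    return bool(ctx["mfa_passed"])


@needs("login_country", "prev_login_country", "minutes_since_prev_login")
def impossible_travel(ctx):
    return (ctx["login_country"] != ctx["prev_login_country"]
            and int(ctx["minutes_since_prev_login"]) < 60)


# The expert-knowledge library: one yes/no step per entry, plus where each answer leads.
LIBRARY = {t.name: t for t in [
    TriageTask("corp_source", "Did the login come from a corporate IP range?",
               src_ip_is_corporate, on_yes="mfa", on_no="travel"),
    TriageTask("travel", "Is this impossible travel versus the previous login?",
               impossible_travel, on_yes="VERDICT:escalate_tier2", on_no="mfa"),
    TriageTask("mfa", "Did the session satisfy MFA?",
               mfa_passed, on_yes="VERDICT:close_benign", on_no="VERDICT:escalate_tier2"),
]}


def triage(ctx: Context, start: str = "corp_source", library=LIBRARY) -> TriageResult:
    result = TriageResult(verdict="")
    node = start
    for _ in range(len(library) + 1):   # bounded so a mis-wired library cannot loop forever
        if node.startswith("VERDICT:"):
            result.verdict = node.split(":", 1)[1]
            return result
        task = library[node]
        answer = task.check(ctx)
        if answer is None:              # data missing: do not guess, hand it to a human
            result.trail.append(f"{task.name}: cannot answer ({task.question})")
            result.verdict = "manual_review"
            return result
        result.trail.append(f"{task.name}: {'yes' if answer else 'no'}")
        node = task.on_yes if answer else task.on_no
    result.verdict = "manual_review"
    result.trail.append("library exhausted without a verdict")
    return result


# Constructed alert contexts, not real telemetry.
ALERTS = {
    "corp_mfa": {"src_ip": "10.1.2.3", "mfa_passed": True},
    "travel": {"src_ip": "203.0.113.7", "login_country": "DE",
               "prev_login_country": "US", "minutes_since_prev_login": 12, "mfa_passed": True},
    "schema_drift": {"src_ip": "203.0.113.7", "mfa_passed": True},  # travel fields missing
}

if __name__ == "__main__":
    for name, ctx in ALERTS.items():
        r = triage(ctx)
        print(f"{name} -> {r.verdict} | " + "; ".join(r.trail))
```

The trail is the part analysts tend to care about most: it records which yes/no questions were asked and how they were answered, so a verdict can be checked in seconds and a bad step in the library shows up as a pattern across many alerts rather than as a mystery.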