Complete operational procedures for running SentinelMCP MDR operations.
This directory contains day-to-day operational guidance for security analysts, investigators, and forensic analysts across all tiers.
Tier 1 (security analysts):
- Tier 1 Operations - Alert triage and routing procedures
- Escalation Checklist - When and how to escalate
- Quick Reference - 2-minute answers
- Best Practices - Operational best practices

Tier 2 (investigators):
- Investigation Workflow - Step-by-step procedures
- Tier Integration - Escalating to Tier 3
- Data Sources Guide - Available evidence
- Best Practices - Operational best practices

Tier 3 (forensic analysts):
- Forensic Procedures - Evidence collection standards
- Case Management - Case documentation
- Chain of Custody - Legal requirements
- Best Practices - Operational best practices
| File | Purpose | Audience |
|---|---|---|
| BEST_PRACTICES.md | Best practices guide | All tiers |
| TIER_INTEGRATION.md | Automatic escalation framework | All tiers |
| TIER1_OPERATIONS.md | Alert handling procedures | Tier 1 analysts |
| INVESTIGATION_WORKFLOW.md | Investigation procedures | Tier 2 investigators |
| FORENSIC_PROCEDURES.md | Evidence collection | Tier 3 analysts |
| DATA_SOURCES.md | Available data sources | All investigators |
| ESCALATION_CHECKLIST.md | Quick escalation guide | All tiers |
| CASE_MANAGEMENT.md | Case documentation | Tier 2 & 3 |
| CHAIN_OF_CUSTODY.md | Legal evidence handling | Tier 3 |
Response SLA by severity and tier:

| Severity | Tier 1 | Tier 2 | Tier 3 |
|---|---|---|---|
| 🔴 Critical | 30 sec | 5 min | 1 hour |
| 🟠 High | 2 min | 15 min | 4 hours |
| 🟡 Medium | 5 min | 30 min | 8 hours |
| 🟢 Low | 15 min | 4 hours | 24 hours |
Tier 1 workflow (alert triage):
- Receive → Alert ingestion from data sources
- Normalize → Standardize alert format
- Enrich → Add context and threat intelligence
- Route → Determine appropriate destination
- Decide → Route to Tier 2 or close as false positive

SLA: 5-15 minutes depending on severity

Tier 2 workflow (investigation):
- Analyze → Collect evidence and determine scope
- Assess → Evaluate threat and impact
- Escalate? → Determine if Tier 3 investigation needed
- Report → Document findings
- Close → Archive or escalate

SLA: 30-60 minutes depending on severity

Tier 3 workflow (forensics):
- Collect → Gather all evidence
- Preserve → Maintain chain of custody
- Analyze → Deep technical investigation
- Document → Complete forensic report
- Close → Case closure with remediation plan

SLA: 8-24 hours depending on severity
See TIER_INTEGRATION.md for:
- Automatic escalation triggers
- Manual escalation procedures
- Conditional escalation criteria
- SLA requirements
- Authority and approval flows
- Questions? Check FAQ
- Need definitions? See Glossary
- Having issues? See Troubleshooting
Last Updated: February 14, 2026 | Version: 1.0.2