From alert to closure, end-to-end.

Ingest

Goal: get every alert worth looking at into a single queue.

Your SIEM, EDR, email gateway, custom scripts — anything that can POST JSON — sends alerts to /api/v1/alerts. Each request is authenticated with a per-source API key. Optional HMAC signing rejects tampered payloads. Idempotency keys prevent re-ingestion when your upstream retries.

On ingest, ir.mlab.sh:

• Normalizes the payload into a canonical alert schema.
• Deduplicates against the last N hours (configurable) by content hash.
• Extracts observables (IPs, domains, hashes, URLs, emails) from the raw payload.
• Applies enrichment rules: asset tagging, owner lookup, severity nudges.
• Drops everything matching an active suppression rule.

Output: a clean, deduplicated alert in the triage queue.

Triage

Goal: decide, fast, what's real and what's noise.

The triage queue is the analyst's main workspace. Saved filters scope by severity, source, asset criticality, age. Bulk actions handle the long tail of repeat false-positives. Every dismissal carries a reason code — you build a corpus of "what doesn't matter and why" over time.

Three outcomes per alert:

• Dismiss with a reason. Closes the alert.
• Link to an existing case. Same incident, more evidence.
• Escalate to a new case. Carries observables, severity, source.

Output: an alert that's either gone or attached to a case.

Investigate

Goal: build the picture — what happened, when, what was touched, who did it.

Cases are the unit of investigation. Each one has:

• A timeline with every action: status changes, comments, evidence, observables added, ATT&CK techniques tagged.
• An observables panel with cross-case correlation surfaced automatically.
• An evidence drawer for screenshots, PCAPs, logs, exports. Files live on your volume.
• A comments thread with @-mentions and markdown.

SLA timers count down by severity. Status transitions (open → investigating → contained → eradicated) are explicit, not implicit.

Output: a case with enough evidence to decide on resolution.

Resolve

Goal: close the case cleanly and feed the lessons back upstream.

Resolution requires a verdict (true positive, false positive, benign, duplicate) and a root cause when applicable. The case generates a Markdown / PDF report with the timeline, observables, evidence list, ATT&CK mapping and resolution narrative.

Post-resolution actions:

• Confirmed-bad observables can be marked for export to your TI platform (STIX/MISP).
• Confirmed-good observables can be added to suppression rules.
• Webhooks fire on resolution — hook into ticketing or incident commander workflows.
• Metrics roll into the dashboards: MTTA, MTTR, queue depth, top noisy sources.

Output: a closed case, a report, and a smarter triage queue for next time.