
AI Triage

POST /api/v1/ai/triage

Automatically triage security alerts using AI. Classifies severity, extracts indicators, maps to MITRE ATT&CK techniques, and provides actionable recommendations for SOC analysts.

Permission

ai:read

Credits

10 per request

Plans

Starter, Professional, Enterprise

Timeout

Up to 30 seconds

Request Body

{
  "alert": {
    "title": "Multiple Failed Login Attempts Detected",
    "description": "50 failed SSH login attempts from 185.220.101.42...",
    "timestamp": "2026-04-03T14:22:00Z",
    "source_ip": "185.220.101.42",
    "dest_ip": "10.0.1.15",
    "dest_port": 22,
    "event_count": 50
  },
  "source": "splunk",
  "format": "json"
}
Field     Type     Description
alert     object   The alert object containing title, description, timestamps, and any relevant fields from your SIEM (required)
source    string   SIEM source: "splunk", "sentinel", "elastic", "qradar", or "generic" (optional; default: generic)
format    string   Alert format: "cef", "leef", "json", or "syslog" (optional; default: json)

Response

{
  "data": {
    "severity": "high",
    "confidence": 92,
    "classification": "brute_force",
    "summary": "Brute-force SSH attack detected from known Tor exit node 185.220.101.42 targeting production server srv-prod-01. 50 failed authentication attempts in a 5-minute window indicate an active credential stuffing or password spraying campaign.",
    "indicators": [
      { "type": "ip", "value": "185.220.101.42", "role": "attacker" },
      { "type": "ip", "value": "10.0.1.15", "role": "target" },
      { "type": "port", "value": "22", "role": "target_service" }
    ],
    "attack_mapping": [
      {
        "technique_id": "T1110.001",
        "name": "Brute Force: Password Guessing",
        "tactic": "Credential Access",
        "confidence": 95
      },
      {
        "technique_id": "T1110.003",
        "name": "Brute Force: Password Spraying",
        "tactic": "Credential Access",
        "confidence": 78
      }
    ],
    "recommendations": [
      "Block source IP 185.220.101.42 at the perimeter firewall immediately",
      "Review authentication logs on srv-prod-01 for any successful logins from this IP",
      "Enable account lockout policies if not already configured",
      "Consider implementing SSH key-based authentication and disabling password auth",
      "Check if the target account credentials have appeared in recent breach databases"
    ]
  },
  "meta": {
    "request_id": "req_t1r2i3a4-...",
    "credits_used": 10,
    "credits_remaining": 490,
    "processing_time_ms": 3420
  }
}
Field                     Type     Description
data.severity             string   "info", "low", "medium", "high", or "critical"
data.confidence           number   Confidence score from 0 to 100 indicating how certain the triage assessment is
data.classification       string   Alert classification label (e.g. brute_force, phishing, malware, data_exfiltration, lateral_movement)
data.summary              string   Human-readable summary of the triage analysis explaining what happened and why it matters
data.indicators           array    Extracted indicators of compromise with type, value, and role (attacker, target, target_service)
data.attack_mapping       array    MITRE ATT&CK technique mappings with technique_id, name, tactic, and confidence
data.recommendations      array    Ordered list of actionable recommendations for responding to the alert
meta.request_id           string   Unique request identifier for support and debugging
meta.credits_used         number   Credits consumed (10 per triage request)
meta.credits_remaining    number   Remaining credit balance after this request
meta.processing_time_ms   number   Server-side processing time in milliseconds
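The response above is model output, so a SOC integration should check it against the documented schema before anything acts on it. The following is an added example, not code from the API documentation or the vendor's SDK. It validates the severity, confidence and ATT&CK fields, filters the "attacker" indicators down to addresses that are actually safe to propose for a perimeter block (a model that labels an RFC 1918 address as the attacker must not take down the LAN), and routes the alert by a simple severity/confidence policy. The sample response is a constructed copy of the documented one, and the routing thresholds and function names are assumptions for illustration.

```python
"""Validate and act on an /ai/triage response.

Added example, not part of the API documentation or the vendor's SDK.
SAMPLE_RESPONSE is a constructed copy of the documented sample; the
routing policy, thresholds and helper names are assumptions.
"""
import ipaddress
import re
from typing import Any

SEVERITIES = ("info", "low", "medium", "high", "critical")  # documented enum
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")  # e.g. T1110 or T1110.001
# ATT&CK Enterprise tactic names, used to reject a mapping whose tactic is made up.
ENTERPRISE_TACTICS = frozenset({
    "Reconnaissance", "Resource Development", "Initial Access", "Execution",
    "Persistence", "Privilege Escalation", "Defense Evasion", "Credential Access",
    "Discovery", "Lateral Movement", "Collection", "Command and Control",
    "Exfiltration", "Impact",
})

# Constructed sample response following the documented schema.
SAMPLE_RESPONSE = {
    "data": {
        "severity": "high",
        "confidence": 92,
        "classification": "brute_force",
        "summary": "Brute-force SSH attack from 185.220.101.42 against srv-prod-01.",
        "indicators": [
            {"type": "ip", "value": "185.220.101.42", "role": "attacker"},
            {"type": "ip", "value": "10.0.1.15", "role": "target"},
            {"type": "port", "value": "22", "role": "target_service"},
        ],
        "attack_mapping": [
            {"technique_id": "T1110.001", "name": "Brute Force: Password Guessing",
             "tactic": "Credential Access", "confidence": 95},
            {"technique_id": "T1110.003", "name": "Brute Force: Password Spraying",
             "tactic": "Credential Access", "confidence": 78},
        ],
        "recommendations": [
            "Block source IP 185.220.101.42 at the perimeter firewall immediately",
        ],
    },
    "meta": {"request_id": "req_example", "credits_used": 10,
             "credits_remaining": 490, "processing_time_ms": 3420},
}


def validate_triage(payload: dict[str, Any]) -> dict[str, Any]:
    """Return payload["data"] after checking it against the documented schema.

    Raises ValueError on anything out of range, so malformed or unexpected
    model output cannot silently drive downstream automation.
    """
    data = payload["data"]
    if data["severity"] not in SEVERITIES:
        raise ValueError(f"unknown severity {data['severity']!r}")
    if not 0 <= data["confidence"] <= 100:
        raise ValueError(f"confidence out of range: {data['confidence']}")
    for m in data["attack_mapping"]:
        if not TECHNIQUE_ID.match(m["technique_id"]):
            raise ValueError(f"malformed technique id {m['technique_id']!r}")
        if m["tactic"] not in ENTERPRISE_TACTICS:
            raise ValueError(f"unknown ATT&CK tactic {m['tactic']!r}")
        if not 0 <= m["confidence"] <= 100:
            raise ValueError("mapping confidence out of range")
    return data


def blockable_attacker_ips(data: dict[str, Any]) -> list[str]:
    """Attacker IPs that are safe to propose for a perimeter block.

    Private, loopback, link-local and other reserved addresses are skipped,
    as is anything that does not parse as an IP address.
    """
    out = []
    for ind in data["indicators"]:
        if ind["type"] != "ip" or ind["role"] != "attacker":
            continue
        try:
            addr = ipaddress.ip_address(ind["value"])
        except ValueError:
            continue  # not a parseable address; never block on it
        if addr.is_global:
            out.append(str(addr))
    return out


def route(data: dict[str, Any], min_confidence: int = 80) -> str:
    """Decide the SOC action from severity and confidence (assumed policy).

    Anything below min_confidence is only logged, whatever its severity.
    high/critical pages the on-call; low/medium opens a ticket; info is logged.
    """
    if data["confidence"] < min_confidence:
        return "log"
    sev = SEVERITIES.index(data["severity"])
    if sev >= SEVERITIES.index("high"):
        return "page_oncall"
    if sev >= SEVERITIES.index("low"):
        return "ticket"
    return "log"


if __name__ == "__main__":
    triage = validate_triage(SAMPLE_RESPONSE)
    print("action:", route(triage))                          # page_oncall
    print("propose block:", blockable_attacker_ips(triage))  # ['185.220.101.42']
```

The block list is only proposed, not applied: the "block immediately" recommendation still goes through whatever approval step the SOC uses for perimeter changes.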

Code Examples

cURL
curl -X POST https://api.dfir-lab.ch/v1/ai/triage \
  -H "Authorization: Bearer sk-dfir-your-key-here" \
  -H "Content-Type: application/json" \
  -d '{
    "alert": {
      "title": "Multiple Failed Login Attempts Detected",
      "description": "50 failed SSH login attempts from 185.220.101.42 against host srv-prod-01 within 5 minutes",
      "timestamp": "2026-04-03T14:22:00Z",
      "source_ip": "185.220.101.42",
      "dest_ip": "10.0.1.15",
      "dest_port": 22,
      "event_count": 50
    },
    "source": "splunk",
    "format": "json"
  }'
Python
import requests

response = requests.post(
    "https://api.dfir-lab.ch/v1/ai/triage",
    headers={
        "Authorization": "Bearer sk-dfir-your-key-here",
        "Content-Type": "application/json",
    },
    json={
        "alert": {
            "title": "Multiple Failed Login Attempts Detected",
            "description": "50 failed SSH login attempts from 185.220.101.42 against host srv-prod-01 within 5 minutes",
            "timestamp": "2026-04-03T14:22:00Z",
            "source_ip": "185.220.101.42",
            "dest_ip": "10.0.1.15",
            "dest_port": 22,
            "event_count": 50,
        },
        "source": "splunk",
        "format": "json",
    },
    timeout=35,  # triage can take up to 30 seconds; never post without a timeout
)
response.raise_for_status()  # fail loudly on auth, credit, or validation errors

data = response.json()
triage = data["data"]
print(f"Severity: {triage['severity']} (confidence: {triage['confidence']})")
print(f"Classification: {triage['classification']}")
print(f"Summary: {triage['summary']}")

for mapping in triage["attack_mapping"]:
    print(f"  ATT&CK: {mapping['technique_id']} - {mapping['name']}")

Important Notes

  • The alert object is flexible: pass any fields your SIEM provides. The model extracts context from all available fields, and more context yields better triage results. Fields are forwarded as-is, so strip secrets that SIEMs sometimes echo into alerts (passwords from failed-auth logs, session tokens, API keys) before submitting.
  • Setting the correct source helps the model understand SIEM-specific field names and alert structures, giving more accurate classification.
  • AI triage is not cached: each request consumes 10 credits, and results are generated fresh for every alert submitted. Deduplicate repeated alerts on your side before calling the endpoint.
  • The severity, ATT&CK mappings, and recommendations are model output with a confidence score, not verified findings. Treat them as analyst input, and do not wire recommendations such as "block source IP" directly into enforcement without a review step.