SOC alert triage

One alert per line: type indicator (type = ip / url / hash)