In the context of increasing frequency and complexity of cyberattacks, effective incident investigation has become a priority task in ensuring organizational information security. One of the key challenges in using SIEM systems for investigating computer incidents is the lack of formalized algorithmic approaches to the processing and analysis of security events. To address this issue, an algorithm has been developed to optimize the actions of specialists when analyzing suspicious activity in information systems. The algorithm covers the key stages of investigation – from event verification to the analysis of potential intruder actions. The results of the study demonstrate that formalizing investigation processes contributes to more effective incident response and reduces the time required for their resolution.