Chapter 5: Triage & Investigation¶
Learning Objectives¶
By the end of this chapter, you will be able to:
- Apply a systematic triage workflow to prioritize alerts efficiently
- Conduct timeline analysis and root cause investigation
- Use pivot techniques to expand investigation scope
- Document findings in a structured incident report
- Leverage LLM copilots to accelerate investigation tasks
Prerequisites¶
- Chapter 3: SIEM querying fundamentals
- Chapter 4: Understanding of detection rules and ATT&CK mapping
- Familiarity with common attack patterns
Key Concepts¶
Alert Triage • Pivot Analysis • Timeline Reconstruction • Indicator of Compromise (IOC) • Root Cause Analysis • Incident Severity
Curiosity Hook: The Five-Minute Decision¶
3:42 AM. Alert: "Unusual PowerShell Execution" on SALES-WKS-042.
Tier 1 Analyst Decision Points:
- Is this malicious or benign?
- Should I escalate or close?
- What additional data do I need?
Challenge: Make the right call in <5 minutes with incomplete information.
This chapter teaches: The systematic triage process that experienced analysts use to make fast, accurate decisions—and how AI copilots can accelerate every step.
5.1 The Triage Process¶
What is Triage?¶
Triage is the initial assessment of an alert to determine:
1. Validity: True positive or false positive?
2. Severity: Low, medium, high, critical?
3. Action: Close, escalate, or investigate further?
Triage Workflow (Tier 1)¶
```
[Alert Fired] → [Enrich Context] → [Assess Severity] → [Decision]
                      ↓                   ↓                ↓
                 Threat Intel        Asset/User        Close FP
                 Similar Alerts      Criticality       Escalate T2
                 User Baseline       Scope             Self-Investigate
```
Time Target: 3-6 minutes per alert for Tier 1 triage
Step 1: Gather Context (Enrichment)¶
Automated Enrichment (SIEM/SOAR):
- Threat Intelligence: Is the IP/domain/hash known malicious?
- Asset Data: What system is affected? (Criticality, owner, location)
- User Data: Who is the user? (Department, recent activity, risk score)
- Historical Data: Has this alert fired before for this user/system?
Example:
Alert: Brute Force Attempt
Target: admin_backup (service account)
Source IP: 45.33.32.156
Enrichment:
✅ IP on threat intel feed: "Mirai botnet scanner"
✅ Account criticality: HIGH (domain admin privileges)
✅ Historical: Zero failed logins in past 90 days
✅ Asset: Domain controller (critical infrastructure)
Assessment: HIGH SEVERITY → Escalate to Tier 2
Step 2: Assess Severity¶
Severity Matrix:
| Factor | Low | Medium | High | Critical |
|---|---|---|---|---|
| Asset Criticality | Workstation | Server | Database | Domain Controller |
| Data Sensitivity | Public | Internal | Confidential | Restricted/PII |
| Threat Intel Match | None | Generic IOC | Known APT | Active campaign |
| Scope | Single user | Department | Multiple departments | Enterprise-wide |
| Confirmation | Suspected | Likely | Confirmed | Active compromise |
Example Calculation:
- Asset: Domain Controller (Critical)
- Threat Intel: Known botnet scanner (Medium: a generic IOC, not a targeted actor)
- Scope: Single system (Low)
- Overall Severity: HIGH → Escalate
The overall rating is a judgment weighted toward the most critical factor, not an average: a domain controller under attack from known-bad infrastructure is HIGH even when the scope is a single system.
Step 3: Decision Tree¶
```
Is the activity malicious?
├─ NO → Close as False Positive (document reason)
├─ UNKNOWN → Gather more data or escalate
└─ YES → Is it contained?
         ├─ YES (single system, low impact) → Tier 1 remediation (isolate, reset password)
         └─ NO (widespread, high impact) → Escalate to Tier 2
```
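The enrichment step, the severity matrix and the decision tree above, run end to end as an added example (this is not code from the chapter). The factor names, the scoring rule (mean of the matrix levels, floored at HIGH whenever any single factor is CRITICAL, which reproduces the chapter's domain-controller example) and the two constructed enrichment records are assumptions; in a real SOAR the `Enrichment` record would be filled from the threat-intel, CMDB and identity lookups.

```python
"""Tier 1 triage: enrichment -> severity matrix -> decision tree.

Added example, not code from the original chapter. The field names,
the scoring rule and the two constructed alerts are assumptions.
"""
from dataclasses import dataclass

LEVELS = ["low", "medium", "high", "critical"]

# Severity matrix from section 5.1, encoded as factor -> value -> level.
SEVERITY_MATRIX = {
    "asset_type": {"workstation": "low", "server": "medium",
                   "database": "high", "domain_controller": "critical"},
    "data_sensitivity": {"public": "low", "internal": "medium",
                         "confidential": "high", "restricted": "critical"},
    "threat_intel": {"none": "low", "generic_ioc": "medium",
                     "known_apt": "high", "active_campaign": "critical"},
    "scope": {"single_user": "low", "department": "medium",
              "multi_department": "high", "enterprise": "critical"},
    "confirmation": {"suspected": "low", "likely": "medium",
                     "confirmed": "high", "active_compromise": "critical"},
}


@dataclass
class Enrichment:
    """What the SIEM/SOAR enrichment step hands back to the analyst."""
    asset_type: str
    data_sensitivity: str
    threat_intel: str
    scope: str
    confirmation: str
    prior_occurrences_90d: int = 0      # same alert, same user/host, last 90 days
    source_is_authorized: bool = False  # e.g. an IT-approved scanner appliance


def severity(enr: Enrichment) -> str:
    """Average the matrix levels; one critical factor floors the result at high.

    The floor keeps a domain controller from being averaged away by a
    single-user scope, which is how the chapter's worked example lands on HIGH.
    """
    idx = [LEVELS.index(SEVERITY_MATRIX[f][getattr(enr, f)]) for f in SEVERITY_MATRIX]
    score = sum(idx) / len(idx)
    if max(idx) == LEVELS.index("critical"):
        score = max(score, LEVELS.index("high"))
    return LEVELS[round(score)]


def verdict(enr: Enrichment) -> str:
    """Decision tree step 1: is the activity malicious? -> 'no' / 'unknown' / 'yes'."""
    if enr.source_is_authorized and enr.threat_intel == "none" and enr.prior_occurrences_90d > 0:
        return "no"        # known source behaving exactly as its baseline says it does
    if enr.threat_intel != "none" or enr.confirmation in ("confirmed", "active_compromise"):
        return "yes"
    return "unknown"


def triage(alert_name: str, enr: Enrichment) -> dict:
    """Full Tier 1 decision: close, gather more data, Tier 1 remediation, or escalate."""
    sev = severity(enr)
    v = verdict(enr)
    if v == "no":
        decision = "close_fp"
    elif v == "unknown":
        # Unknown: ask for more data unless the blast radius is already large.
        decision = "escalate_t2" if sev in ("high", "critical") else "gather_more_data"
    elif enr.scope == "single_user" and sev in ("low", "medium"):
        decision = "tier1_remediate"   # contained: isolate the host, reset the password
    else:
        decision = "escalate_t2"
    return {"alert": alert_name, "severity": sev, "malicious": v, "decision": decision}


# Constructed enrichment for the chapter's two alerts (the values are assumptions).
BRUTE_FORCE_DC = Enrichment("domain_controller", "restricted", "generic_ioc",
                            "single_user", "likely", prior_occurrences_90d=0)
SCANNER_FAILED_LOGIN = Enrichment("server", "internal", "none", "single_user",
                                  "suspected", prior_occurrences_90d=12,
                                  source_is_authorized=True)

if __name__ == "__main__":
    print(triage("Brute Force Attempt", BRUTE_FORCE_DC))
    print(triage("Failed Login Attempt", SCANNER_FAILED_LOGIN))
```

The two records reproduce the brute-force example above (HIGH, escalate) and Practice Task 1 (authorized scanner with a baseline, close as FP). Encoding the matrix this way also makes the triage rule reviewable: when the SOC disagrees with a decision, the argument is about a table row, not about one analyst's memory.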
5.2 Investigation Workflow (Tier 2)¶
Goal¶
Determine:
- What happened? (Timeline of events)
- How did it happen? (Attack vector)
- What is the impact? (Scope, data accessed)
- Is it still happening? (Active threat)
The 5 W's Framework¶
- Who: Which user/account/system was involved?
- What: What actions were taken? (Process execution, file access, network connections)
- When: Timeline of events (initial access to current state)
- Where: Which systems/locations? (lateral movement, exfiltration destinations)
- Why: Attacker objective (ransomware, espionage, credential theft)
Investigation Phases¶
Phase 1: Scoping
- Identify affected systems and users
- Determine timeframe of compromise
Phase 2: Timeline Reconstruction
- Build chronological sequence of events
- Identify initial access vector
- Map attacker actions to ATT&CK techniques
Phase 3: Impact Assessment
- What data was accessed or exfiltrated?
- Were credentials compromised?
- Is the threat still active?
Phase 4: Root Cause Analysis
- How did the attacker gain initial access?
- What vulnerabilities or misconfigurations enabled the attack?
5.3 Pivot Techniques¶
What is Pivoting?¶
Pivoting is the process of using one piece of evidence to discover related evidence, expanding the investigation scope.
Common Pivot Patterns¶
1. User → Other Systems
   Use case: User account compromised. Where else did they log in?
2. IP Address → Other Connections
   Use case: Suspicious IP detected. What else did it connect to?
3. Process → Child Processes
   Use case: Malicious PowerShell detected. What did it spawn?
4. File Hash → Other Systems
   Use case: Malware hash identified. Where else does it exist?
5. Time Window → Related Events
```
index=* host="WEB-SRV-01" earliest="02/15/2026:14:00:00" latest="02/15/2026:15:00:00"
| stats count by sourcetype, event_type
```
(Absolute `earliest`/`latest` values in SPL use the `%m/%d/%Y:%H:%M:%S` form; an ISO 8601 string is not accepted without a `time_format` argument.)
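The five pivot patterns above as one bounded graph walk, serving both this section and Practice Task 3 later in the chapter. This is an added example, not code from the chapter: the event records and field names are constructed, `since` plays the role of `earliest=<time_of_infection>` in the SPL templates, and `stop_types` goes slightly beyond the text by showing why a user node is recorded but not expanded (expanding it drags every host that account ever logged into into scope).

```python
"""Pivot analysis as a bounded walk over entity relationships mined from logs.

Added example, not code from the original chapter. The event records are
constructed, and the field names assume events already normalized by the
SIEM; adapt the extractors in build_graph() to your own schema.
"""
from collections import deque

# Constructed events, one per parsed log line (assumption: already normalized).
EVENTS = [
    # pre-incident, routine: jsmith reads mail from his laptop two weeks earlier
    {"src": "auth", "ts": "2026-02-01T09:00:00Z", "user": "jsmith",
     "host": "LAPTOP-JS", "dest_host": "MAIL-SRV-01", "logon_type": 3},
    {"src": "edr", "ts": "2026-02-15T14:06:01Z", "host": "WKS-001", "user": "jsmith",
     "file_hash": "abc123def456", "process": "invoice.exe", "parent": "outlook.exe"},
    {"src": "firewall", "ts": "2026-02-15T14:06:15Z", "host": "WKS-001",
     "dest_ip": "45.33.32.156", "dest_port": 443},
    {"src": "edr", "ts": "2026-02-15T14:12:34Z", "host": "WKS-001", "user": "jsmith",
     "file_hash": None, "process": "powershell.exe", "parent": "invoice.exe"},
    {"src": "auth", "ts": "2026-02-15T14:18:45Z", "user": "jsmith",
     "host": "WKS-001", "dest_host": "FILE-SRV-01", "logon_type": 10},
    {"src": "edr", "ts": "2026-02-15T14:25:02Z", "host": "FILE-SRV-01", "user": "jsmith",
     "file_hash": "abc123def456", "process": "invoice.exe", "parent": "explorer.exe"},
    # a second victim that never touched WKS-001; only reachable through the C2 address
    {"src": "firewall", "ts": "2026-02-15T15:40:10Z", "host": "HR-WKS-007",
     "dest_ip": "45.33.32.156", "dest_port": 443},
    # unrelated user; must never enter the scope
    {"src": "auth", "ts": "2026-02-15T14:30:00Z", "user": "bob",
     "host": "ENG-WKS-003", "dest_host": "GIT-SRV-01", "logon_type": 3},
]


def build_graph(events, since=None):
    """Turn each section 5.3 pivot pattern into an undirected, labelled edge.

    `since` is the infection time (ISO 8601 UTC); events before it are dropped,
    which is the earliest=<time_of_infection> bound from the SPL templates.
    """
    adj = {}

    def link(a, b, label):
        adj.setdefault(a, set()).add((b, label))
        adj.setdefault(b, set()).add((a, label))

    for e in events:
        if since and e["ts"] < since:     # same ISO format, so string comparison is safe
            continue
        host = f"host:{e['host']}"
        if e["src"] == "edr":
            proc = f"proc:{e['host']}/{e['process']}"
            link(host, f"user:{e['user']}", "host->user")
            link(host, proc, "host->process")
            link(f"proc:{e['host']}/{e['parent']}", proc, "parent->child")
            if e.get("file_hash"):
                link(f"hash:{e['file_hash']}", host, "hash->host")
        elif e["src"] == "firewall":
            link(host, f"ip:{e['dest_ip']}", "host->ip")
        elif e["src"] == "auth":
            link(f"user:{e['user']}", host, "user->host")
            link(f"user:{e['user']}", f"host:{e['dest_host']}", "user->host")
            link(host, f"host:{e['dest_host']}", "logon-src->dest")
    return adj


def pivot(adj, seed, max_depth=3, stop_types=("user",)):
    """Breadth-first pivot from a seed indicator; returns {entity: (depth, path)}.

    max_depth bounds the walk. Entities whose type is in stop_types are recorded
    but not expanded, so a shared account does not inflate the scope with
    legitimate activity from before or outside the incident.
    """
    seen = {seed: (0, [seed])}
    queue = deque([seed])
    while queue:
        cur = queue.popleft()
        depth, path = seen[cur]
        if depth >= max_depth or (cur != seed and cur.split(":")[0] in stop_types):
            continue
        for nxt, label in sorted(adj.get(cur, ())):
            if nxt not in seen:
                seen[nxt] = (depth + 1, path + [f"-{label}->", nxt])
                queue.append(nxt)
    return seen


def affected_hosts(found):
    """Sorted host names discovered by the pivot."""
    return sorted(n.split(":", 1)[1] for n in found if n.startswith("host:"))


if __name__ == "__main__":
    graph = build_graph(EVENTS, since="2026-02-15T14:00:00Z")
    found = pivot(graph, "hash:abc123def456")
    for node, (depth, path) in sorted(found.items(), key=lambda kv: kv[1][0]):
        print(depth, " ".join(path))
    print("scope:", affected_hosts(found))
```

Each discovered entity carries the path that led to it, which is exactly the evidence chain a Tier 2 handoff needs ("HR-WKS-007 is in scope because it talked to the same C2 address as WKS-001"). Raising `max_depth` or clearing `stop_types` widens the scope quickly; the pre-incident mail login shows how stale or shared-account edges pull in hosts that have nothing to do with the breach.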
5.4 Timeline Analysis¶
Building a Timeline¶
Tools:
- SIEM: Query events in chronological order
- Plaso/Log2Timeline: Automated timeline generation from forensic artifacts
- Spreadsheet: Manual timeline for complex incidents
Example Timeline:
| Time (UTC) | Host | Event | Details | ATT&CK |
|---|---|---|---|---|
| 14:05:23 | WKS-042 | Email received | Phishing attachment opened | T1566.001 |
| 14:06:01 | WKS-042 | Process created | invoice.exe executed | T1204.002 |
| 14:06:15 | WKS-042 | Network connection | Outbound to 45.33.32.156:443 | T1071.001 |
| 14:12:34 | WKS-042 | Process created | powershell.exe -enc <base64> | T1059.001 |
| 14:13:02 | WKS-042 | File created | C:\temp\creds.txt | T1005 |
| 14:18:45 | FILE-SRV-01 | Authentication | User jsmith RDP login | T1021.001 |
| 14:22:10 | FILE-SRV-01 | File access | Mass file share enumeration | T1083 |
Analysis: Phishing → execution → C2 → credential theft → lateral movement → reconnaissance. Likely ransomware or data exfiltration preparation.
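Timeline reconstruction as code, as an added example rather than chapter material. The point it makes that the table above cannot: the sources feeding a timeline stamp time differently (UTC ISO 8601, naive local time with a known offset, epoch seconds, ISO with an explicit offset), and sorting before normalizing to UTC silently reorders the attack. The raw records, the -5 hour mail-gateway offset and the small ATT&CK rule table are constructed assumptions.

```python
"""Timeline reconstruction from mixed-source events with inconsistent timestamps.

Added example, not code from the original chapter. The raw records, their
time formats, the mail gateway's local offset and the ATT&CK mapping rules
are constructed assumptions for illustration.
"""
from datetime import datetime, timedelta, timezone

# Constructed raw events, deliberately out of order and in four time formats.
RAW = [
    {"source": "edr", "time": "2026-02-15T14:06:01Z", "host": "WKS-042",
     "event": "process_create", "process": "invoice.exe", "parent": "outlook.exe"},
    {"source": "edr", "time": "2026-02-15T14:12:34Z", "host": "WKS-042",
     "event": "process_create", "process": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    # mail gateway logs local time (US Eastern, UTC-5 in February) with no zone marker
    {"source": "mailgw", "time": "02/15/2026 09:05:23", "tz_offset_hours": -5,
     "host": "WKS-042", "event": "attachment_opened", "file": "invoice.zip"},
    # firewall logs epoch seconds
    {"source": "firewall", "time": 1771164375, "host": "WKS-042",
     "event": "net_connect", "dest": "45.33.32.156:443"},
    # domain controller logs ISO 8601 with an explicit offset
    {"source": "dc", "time": "2026-02-15T14:18:45+00:00", "host": "FILE-SRV-01",
     "event": "logon", "logon_type": 10, "user": "jsmith"},
]

# Mapping rules: (predicate, technique id, label). First match wins.
RULES = [
    (lambda e: e["event"] == "attachment_opened", "T1566.001", "Spearphishing Attachment"),
    (lambda e: e["event"] == "process_create" and e.get("parent") == "outlook.exe",
     "T1204.002", "User Execution: Malicious File"),
    (lambda e: e["event"] == "process_create" and "-enc" in e.get("cmdline", ""),
     "T1059.001", "PowerShell (encoded command)"),
    (lambda e: e["event"] == "net_connect" and e["dest"].endswith(":443"),
     "T1071.001", "Web Protocols (possible C2)"),
    (lambda e: e["event"] == "logon" and e.get("logon_type") == 10,   # 10 = RemoteInteractive
     "T1021.001", "Remote Desktop Protocol"),
]


def to_utc(raw):
    """Normalize any of the four timestamp styles to an aware UTC datetime."""
    t = raw["time"]
    if isinstance(t, (int, float)):
        return datetime.fromtimestamp(t, tz=timezone.utc)
    if "tz_offset_hours" in raw:                          # naive local time + known offset
        naive = datetime.strptime(t, "%m/%d/%Y %H:%M:%S")
        local = naive.replace(tzinfo=timezone(timedelta(hours=raw["tz_offset_hours"])))
        return local.astimezone(timezone.utc)
    return datetime.fromisoformat(t.replace("Z", "+00:00")).astimezone(timezone.utc)


def map_attack(raw):
    for pred, tid, label in RULES:
        if pred(raw):
            return tid, label
    return "unmapped", raw["event"]


def build_timeline(raw_events):
    """Normalize, annotate, then sort; sorting only after normalization."""
    rows = []
    for r in raw_events:
        tid, label = map_attack(r)
        rows.append({"utc": to_utc(r), "host": r["host"], "source": r["source"],
                     "event": r["event"], "technique": tid, "label": label})
    rows.sort(key=lambda row: row["utc"])
    return rows


def summarize(rows):
    """Initial access technique, elapsed time, hosts in order of first sight."""
    hosts = []
    for row in rows:
        if row["host"] not in hosts:
            hosts.append(row["host"])
    return {"initial_access": rows[0]["technique"],
            "span_seconds": int((rows[-1]["utc"] - rows[0]["utc"]).total_seconds()),
            "hosts": hosts,
            "techniques": [row["technique"] for row in rows]}


if __name__ == "__main__":
    tl = build_timeline(RAW)
    for row in tl:
        print(f"| {row['utc']:%H:%M:%S} | {row['host']} | {row['event']} | {row['technique']} |")
    print(summarize(tl))
```

Run as-is the output reproduces the table above in the right order, with the phishing attachment first even though the gateway record sits third in the raw list and reads "09:05". Plaso does this normalization for forensic artifacts; for SIEM exports you usually have to do it yourself, and the first question to ask of any hand-built timeline is which sources were logged in local time.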
Timeline Visualization¶
Techniques:
- Swimlane diagrams: Separate timelines per system/user
- Heatmaps: Visualize event density over time
- Graph analysis: Map relationships (user → system → file → network)
5.5 Root Cause Analysis¶
The "5 Whys" Technique¶
Example:
1. Why did ransomware encrypt files? → User executed malicious attachment
2. Why did the user execute the attachment? → Email appeared legitimate (spoofed sender)
3. Why did the email bypass filters? → Email gateway lacked attachment sandboxing
4. Why was sandboxing not enabled? → Budget constraints, configuration oversight
5. Why was there no compensating control? → User training was outdated, no phishing simulations
Root Cause: Combination of technical gap (no sandboxing) and human factor (training gap).
Remediation:
- Enable email sandboxing
- Deploy phishing-resistant MFA
- Conduct quarterly phishing simulations
- Implement EDR behavioral detection for malicious attachments
5.6 LLM Copilots in Investigation¶
Use Case 1: Query Generation¶
Analyst Input:
"Show me all PowerShell executions on this host in the last 24 hours"
LLM Copilot Output:
```
index=endpoint host="WKS-042" process_name="powershell.exe" earliest=-24h
| table _time, user, command_line, parent_process
| sort _time
```
Benefit: Reduces query syntax errors, speeds up data retrieval.
Caveat: Read the generated scope before running it. This query matches only `powershell.exe`, so `pwsh.exe` and renamed copies of the binary are missed (match on the binary's original file name or on command-line content as well), and a copilot can just as easily substitute the wrong host, index or time window without saying so.
Use Case 2: ATT&CK Mapping¶
Analyst Input:
"User executed certutil.exe with -urlcache flag. What ATT&CK technique is this?"
LLM Copilot Output:
Technique: T1105 - Ingress Tool Transfer
Tactic: Command and Control
Description: Certutil can download files from remote URLs, commonly abused by attackers to retrieve payloads.
Recommended Actions:
1. Check downloaded file hash against threat intel
2. Investigate parent process that invoked certutil
3. Search for subsequent executions of the downloaded file
Benefit: Instant context without manual ATT&CK lookup.
Use Case 3: Runbook Suggestions¶
Analyst Input:
"Detected possible lateral movement via PsExec. What should I check next?"
LLM Copilot Output:
Recommended Investigation Steps:
1. Identify source and destination systems
2. Verify account credentials used (check for privilege escalation)
3. Search for PsExec on source system (staged attack tool?)
4. Review authentication logs for unusual account usage patterns
5. Check destination system for:
   - New services created
   - New scheduled tasks
   - Files dropped in temp directories
6. Correlate with EDR alerts for malware execution
SIEM Query Templates (PsExec installs a service named PSEXESVC on the destination, and Windows logon events carry no PsExec process name, so search the service-install events and the network logons separately and then correlate on host and time):
```
index=windows EventCode=7045 Service_Name="PSEXESVC" earliest=-1h
| stats count by host, Service_File_Name
```
```
index=windows_auth EventCode=4624 Logon_Type=3 earliest=-1h
| stats count by Account_Name, Source_Network_Address, host
```
Benefit: Structured guidance for junior analysts, reduces decision paralysis. The generated query is still the analyst's responsibility: check that its fields exist in your data model before trusting an empty result as "nothing found".
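A guardrail that checks a copilot-generated SPL query before it is sent to the SIEM, tying the three use cases above to the "always validate" rule. This is an added example, not chapter or vendor code: the blocked-command list, the seven-day window limit and the sample queries (the chapter's own PowerShell query plus a constructed bad one) are assumptions, and the regexes cover only the simple `field=value` forms a copilot typically emits.

```python
"""Guardrails for copilot-generated SPL before it reaches the SIEM.

Added example, not code from the original chapter or from any vendor copilot.
The command blocklist, the window limit and the sample queries are assumptions;
extend them to match your own search-head policy.
"""
import re

# Splunk commands that write, delete or send data; never run one unreviewed.
DANGEROUS_COMMANDS = {"delete", "outputlookup", "outputcsv", "sendemail",
                      "collect", "rest", "script"}
UNIT_HOURS = {"s": 1 / 3600, "m": 1 / 60, "h": 1, "d": 24, "w": 168}


def split_pipes(query):
    """Split on '|' but not inside double quotes (a regex argument may contain one)."""
    segments, current, in_quotes = [], [], False
    for ch in query:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "|" and not in_quotes:
            segments.append("".join(current))
            current = []
        else:
            current.append(ch)
    segments.append("".join(current))
    return [s.strip() for s in segments]


def lint_spl(query, expected_host=None, max_window_hours=168):
    """Return {'ok', 'errors', 'warnings'} for one generated query."""
    errors, warnings = [], []
    q = " ".join(query.split())
    if q.count('"') % 2:
        errors.append("unbalanced double quotes")
    for seg in split_pipes(q)[1:]:                  # first segment is the base search
        cmd = seg.split()[0].lower() if seg else ""
        if cmd in DANGEROUS_COMMANDS:
            errors.append(f"command '{cmd}' is not allowed in a generated query")
    m = re.search(r'\bindex\s*=\s*"?([^\s"]+)"?', q)
    if not m:
        errors.append("no index= scoping")
    elif m.group(1) == "*":
        errors.append("index=* is unbounded")
    rel = re.search(r'\bearliest\s*=\s*"?(-?\d+)([smhdw])\b', q)
    if not re.search(r"\bearliest\s*=", q):
        errors.append("no earliest= time bound")
    elif rel and -int(rel.group(1)) * UNIT_HOURS[rel.group(2)] > max_window_hours:
        warnings.append(f"window {rel.group(0)} exceeds {max_window_hours}h")
    if expected_host:                               # copilots do swap hosts silently
        hosts = re.findall(r'\bhost\s*=\s*"?([^\s"]+)"?', q)
        if not hosts:
            errors.append(f"query is not scoped to alert host {expected_host}")
        elif expected_host not in hosts:
            errors.append(f"host scope {hosts} does not match alert host {expected_host}")
    if re.search(r'process_name\s*=\s*"?powershell\.exe"?', q, re.I):
        warnings.append("matches powershell.exe only; pwsh.exe and renamed binaries are missed")
    return {"ok": not errors, "errors": errors, "warnings": warnings}


# The chapter's copilot query (good) and a constructed bad one.
GOOD = '''index=endpoint host="WKS-042" process_name="powershell.exe" earliest=-24h
| table _time, user, command_line, parent_process
| sort _time'''
BAD = 'index=* host="WKS-041" process_name="powershell.exe" | delete'

if __name__ == "__main__":
    print(lint_spl(GOOD, expected_host="WKS-042"))
    print(lint_spl(BAD, expected_host="WKS-042"))
```

Errors block execution; warnings are shown to the analyst next to the query. Keeping the check outside the copilot matters: a prompt asking the model to "only generate safe queries" is advice to the thing being validated, not a control.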
Exam Prep & Certifications¶
!!! tip "Relevant Certifications"
    The topics in this chapter align with the following certifications:
    - **[CompTIA Security+](../certifications/index.md)** — Domains: Security Operations, Threats and Vulnerabilities
    - **[CompTIA CySA+](../certifications/index.md)** — Domains: Security Operations, Threat Management
    - **[GIAC GCIH](../certifications/index.md)** — Domains: Detection, Hacker Tools and Techniques
    - **[CISSP](../certifications/index.md)** — Domains: Security Operations, Security Assessment and Testing
    [View full Certifications Roadmap →](../certifications/index.md)
5.7 Incident Documentation¶
Why Document?¶
- Handoff: Tier 1 → Tier 2 → Incident Response Team
- Compliance: Legal/regulatory requirements
- Lessons Learned: Improve detections and processes
- Metrics: Track MTTR, incident trends
Incident Report Template¶
# Incident Report: INC-2026-0234
---
## Summary
- **Severity:** HIGH
- **Status:** Contained
- **Detected:** 2026-02-15 14:30 UTC
- **Analyst:** Alice Chen (Tier 2)
## Description
Ransomware infection detected on WKS-042 following a phishing email. The attacker pivoted to FILE-SRV-01 over RDP with jsmith's credentials and enumerated file shares; EDR blocked payload execution on FILE-SRV-01 before any encryption.
## Timeline
| Time | Event | System | Details |
|------|-------|--------|---------|
| 14:05 | Initial access | WKS-042 | Phishing email opened |
| 14:06 | Execution | WKS-042 | Malware executed |
| 14:18 | Lateral movement | FILE-SRV-01 | RDP login as jsmith; share enumeration; payload execution blocked by EDR |
## Indicators of Compromise (IOCs)
- File hash: `5d41402abc4b2a76b9719d911017c592`
- C2 IP: `45.33.32.156`
- Domain: `malicious-update.xyz`
## Impact Assessment
- **Systems affected:** 1 workstation (WKS-042); FILE-SRV-01 accessed but not encrypted
- **Data compromised:** None (blocked before encryption)
- **User accounts:** jsmith (credentials reset)
## Root Cause
Phishing email bypassed email gateway due to lack of attachment sandboxing.
## Remediation Actions
- ✅ Isolated WKS-042 from network
- ✅ Reimaged WKS-042
- ✅ Reset jsmith credentials
- ✅ Blocked C2 IP on firewall
- ✅ Added file hash to EDR blocklist
- 🔄 Pending: Enable email sandboxing (IT ticket #5678)
## Lessons Learned
- Detection: Phishing email not detected by gateway → deploy advanced email security
- Response: EDR blocked lateral movement → effective defense in depth
- Training: User opened malicious attachment → schedule phishing simulation
Interactive Element¶
MicroSim 5: Investigation & Pivot Practice
Practice pivoting through logs to uncover the full scope of a simulated breach.
Common Misconceptions¶
Misconception: Triage Is Just Closing False Positives
Reality: Effective triage identifies true threats quickly and ensures proper escalation. Closing FPs is part of it, but recognizing subtle true positives is the critical skill.
Misconception: More Context = Better Decisions
Reality: Context helps, but too much data causes paralysis. Focus on high-signal enrichment (threat intel, asset criticality, baseline behavior) over exhaustive data collection.
Misconception: LLM Copilots Replace Analyst Judgment
Reality: Copilots accelerate tasks (query writing, runbook lookup) but cannot replace human critical thinking, intuition, and contextual understanding. Always validate LLM suggestions.
Practice Tasks¶
Task 1: Triage Decision¶
Alert:
Type: Failed Login Attempt
User: finance_scanner
Source IP: 10.0.5.22
Failed Attempts: 3
Time: 2026-02-15 09:15 UTC
Enrichment:
- IP 10.0.5.22: Internal scanner appliance (IT-approved)
- Account: Service account for vulnerability scanning
- Historical: 2-5 failed logins weekly (normal due to password rotation lag)
Question: What is your triage decision?
Answer
Decision: Close as False Positive
Reasoning:
- Source IP is a known, authorized scanner
- Service account with expected behavior pattern (scanning tools often hit authentication failures)
- Failure count (3) is within normal range
- No threat intel match, no abnormal indicators
Action: Close alert, document as "Expected service account behavior - vulnerability scanner."
Task 2: Build a Timeline¶
Given Events:
Event 1: 10:00 - User jdoe RDP login to DB-SERVER-03
Event 2: 10:05 - Process created on DB-SERVER-03: sqlcmd.exe
Event 3: 10:07 - Large file created: C:\temp\customer_data.csv (2.1 GB)
Event 4: 10:12 - Outbound HTTPS connection to dropbox.com
Event 5: 10:15 - File upload detected: customer_data.csv
Question: Reconstruct the attack timeline and map to ATT&CK techniques.
Answer
| Time | Event | ATT&CK Technique | Analysis |
|---|---|---|---|
| 10:00 | RDP login | T1021.001 (Remote Desktop Protocol) | Lateral movement from inside; if the source is external it is initial access via T1133 (External Remote Services) |
| 10:05 | sqlcmd execution | T1213 (Data from Information Repositories) | Database queried to pull records; sqlcmd.exe in the process tree is the tell |
| 10:07 | CSV file created | T1074.001 (Data Staged: Local Data Staging) | Query output written to a local staging file before exfiltration |
| 10:12 | HTTPS to Dropbox | T1071.001 (Web Protocols) | C2 or exfiltration prep |
| 10:15 | File upload | T1567.002 (Exfiltration to Cloud Storage) | Data exfiltration |
Analysis: Likely data exfiltration incident. User (possibly compromised) logged into database server, queried data, staged it locally, and uploaded to cloud storage.
Next Steps:
- Verify jdoe account legitimacy (compromised or insider threat?)
- Check DB access logs for query content
- Attempt Dropbox account takedown/notification
- Review jdoe's recent activity for other anomalies
Task 3: Pivot Analysis¶
Scenario: You identified a malicious file hash abc123def456 on workstation WKS-001.
Question: What pivot queries would you run to determine if the threat spread?
Answer
Pivot 1: Search for file hash on all systems
Goal: Identify all systems with the malicious file.
Pivot 2: Search for network connections from WKS-001
```
index=firewall src_host="WKS-001" earliest=<time_of_infection>
| stats count by dest_ip, dest_port
| lookup threat_intel ip as dest_ip
```
Pivot 3: Search for user activity from compromised system
```
index=windows_auth src_host="WKS-001" earliest=<time_of_infection>
| stats values(dest_host) by user
```
Pivot 4: Search for similar file characteristics (if hash not found elsewhere)
Goal: Find variants by file path pattern and size.
Self-Assessment Quiz¶
Question 1: What is the primary goal of Tier 1 triage?
Options:
a) Conduct full forensic investigation
b) Quickly determine if an alert is a true positive and assess severity
c) Write incident reports for compliance
d) Develop new detection rules
Show Answer
Correct Answer: b) Quickly determine if an alert is a true positive and assess severity
Explanation: Tier 1 triage focuses on fast assessment (TP vs FP) and appropriate escalation. Full investigations are Tier 2, reports are post-incident, and detection engineering is a separate function.
Question 2: What is 'pivoting' in the context of investigation?
Options:
a) Changing the investigation to a different incident
b) Using one piece of evidence to discover related evidence
c) Escalating an incident to management
d) Rotating analysts to avoid fatigue
Show Answer
Correct Answer: b) Using one piece of evidence to discover related evidence
Explanation: Pivoting expands investigation scope by following leads (e.g., from a malicious IP, find all systems it contacted).
Question 3: In timeline analysis, what does the 'initial access' timestamp represent?
Options:
a) When the analyst first saw the alert
b) When the attacker first gained entry to the environment
c) When the incident was escalated
d) When the malware was created
Show Answer
Correct Answer: b) When the attacker first gained entry to the environment
Explanation: Initial access is the first point of compromise, the beginning of the attack timeline.
Question 4: Which of the following is a high-signal enrichment data point for triage?
Options:
a) The color scheme of the SIEM dashboard
b) Threat intelligence match on an IP address
c) The analyst's coffee preference
d) The length of the alert description
Show Answer
Correct Answer: b) Threat intelligence match on an IP address
Explanation: Threat intel matches provide direct evidence of known malicious infrastructure, a high-value signal for triage decisions.
Question 5: What is the '5 Whys' technique used for?
Options:
a) Generating SIEM queries
b) Root cause analysis to identify underlying issues
c) Calculating alert severity scores
d) Tuning detection rule thresholds
Show Answer
Correct Answer: b) Root cause analysis to identify underlying issues
Explanation: The 5 Whys iteratively asks "why" to drill down from symptoms to root causes, enabling effective remediation.
Question 6: How should analysts use LLM copilot suggestions during investigations?
Options:
a) Always implement suggestions without review
b) Ignore all suggestions as unreliable
c) Validate suggestions and use them to accelerate tasks
d) Only use suggestions after the investigation is complete
Show Answer
Correct Answer: c) Validate suggestions and use them to accelerate tasks
Explanation: LLMs are tools to speed up query writing, runbook lookup, and context gathering, but analysts must verify outputs for accuracy and relevance.
Summary¶
In this chapter, you learned:
- Triage workflow: Enrich context, assess severity, make escalation decisions in 3-6 minutes
- Investigation phases: Scoping, timeline reconstruction, impact assessment, root cause analysis
- Pivot techniques: Expand investigation scope by following evidence trails (user → systems, IP → connections, file hash → other hosts)
- Timeline analysis: Build chronological attack sequences mapped to ATT&CK
- Root cause analysis: Use "5 Whys" to identify underlying vulnerabilities
- LLM copilots: Accelerate query generation, ATT&CK mapping, and runbook guidance
- Documentation: Structured incident reports for handoff, compliance, and lessons learned
Next Steps¶
- Next Chapter: Chapter 6: Threat Intelligence - Learn to operationalize threat intel for detection and investigation
- Practice: Try the Investigation Pivot MicroSim to build pivoting skills
- Review: Analyze a recent incident in your environment using the 5 W's framework
- Template: Adopt the incident report template for your SOC
Chapter 5 Complete | Next: Chapter 6 →