Chapter 5: Triage & Investigation - Quiz¶
Instructions¶
Test your knowledge of systematic triage workflows, pivot techniques, timeline analysis, root cause analysis, and LLM-assisted investigation.
Question 1: What is the primary goal of Tier 1 alert triage?
A) Conduct full forensic investigation of all alerts B) Quickly determine if an alert is a true positive and assess severity for appropriate action C) Write detailed incident reports for compliance D) Develop new detection rules based on alerts
Answer
Correct Answer: B) Quickly determine if an alert is a true positive and assess severity
Explanation: Tier 1 triage is about fast, accurate assessment:
Triage Goals (3-6 minutes per alert): 1. Validity: True positive or false positive? 2. Severity: Low, medium, high, critical? 3. Action: Close, escalate to Tier 2, or self-investigate?
NOT Tier 1: - Full forensic analysis (Tier 2/3) - Incident reports (post-incident activity) - Detection engineering (specialized role)
Reference: Chapter 5, Section 5.1 - What is Triage?
Question 2: What is 'pivoting' in the context of SOC investigation?
A) Changing the investigation to a different incident B) Using one piece of evidence to discover related evidence and expand investigation scope C) Escalating an incident to management D) Rotating analysts to avoid fatigue
Answer
Correct Answer: B) Using one piece of evidence to discover related evidence
Explanation: Pivoting expands investigation by following evidence trails:
Pivot Examples: 1. User → Systems: Find all systems the user authenticated to 2. IP → Connections: Find all internal systems that contacted this IP 3. File Hash → Hosts: Find all systems with this malware 4. Process → Children: Find all processes spawned by malicious parent 5. Time Window → Events: Find all activity on a host during compromise window
Example Pivot Query:
# Found malicious file hash on one system, pivot to find spread
index=endpoint file_hash="abc123def456"
| stats count by host, file_path, first_seen
Reference: Chapter 5, Section 5.3 - Pivot Techniques
??? question "Question 3: An alert shows: Failed login to 'admin_backup' service account from IP 45.33.32.156. Enrichment reveals: IP is on threat intel feed (Mirai botnet), zero historical failures for this account, target is domain controller. What severity?**
**A)** Low - single failed login is normal
**B)** Medium - service account but no successful login
**C)** High - threat intel match + critical account + critical asset
**D)** Critical - requires immediate shutdown of entire network
??? success "Answer"
**Correct Answer: C) High - threat intel match + critical account + critical asset**
**Explanation:** Severity assessment uses multiple factors:
**Factors:**
- **Threat Intel:** Known botnet (HIGH risk)
- **Account Criticality:** Domain admin service account (CRITICAL)
- **Historical:** Zero failures in 90 days (UNUSUAL)
- **Asset:** Domain controller (CRITICAL infrastructure)
- **Confirmation:** Attempted but not successful (mitigates to HIGH vs CRITICAL)
**Severity Matrix:**
| Factor | Level |
|--------|-------|
| Threat Intel | High |
| Account | Critical |
| Asset | Critical |
| Scope | Single system |
| Confirmation | Attempted |
**Overall: HIGH** → Escalate to Tier 2 for investigation
**Not CRITICAL** because no successful compromise confirmed (yet).
**Reference:** [Chapter 5, Section 5.1 - Step 2: Assess Severity](../chapters/ch05-detection-engineering-at-scale.md)
Question 4: In timeline analysis, what does 'initial access' represent?
A) When the analyst first saw the alert B) When the attacker first gained entry to the environment C) When the incident was escalated to Tier 2 D) When the malware was compiled
Answer
Correct Answer: B) When the attacker first gained entry to the environment
Explanation: Timeline analysis reconstructs the attack sequence:
Example Timeline: | Time | Host | Event | ATT&CK | |------|------|-------|--------| | 14:05 | WKS-042 | Initial Access: Phishing email opened | T1566.001 | | 14:06 | WKS-042 | Execution: Malware run | T1204.002 | | 14:06 | WKS-042 | C2 Communication | T1071.001 | | 14:12 | WKS-042 | Credential Access | T1003.001 | | 14:18 | FILE-SRV | Lateral Movement | T1021.001 | | 14:22 | FILE-SRV | Impact: Encryption | T1486 |
Initial Access = First Compromise This is critical for determining: - Attack vector (how they got in) - Total dwell time - Scope of compromise
Reference: Chapter 5, Section 5.4 - Timeline Analysis
Question 5: Which is a high-signal enrichment data point for alert triage?
A) The color scheme of the SIEM dashboard B) Threat intelligence match on an IP address C) The analyst's coffee preference D) The length of the alert description
Answer
Correct Answer: B) Threat intelligence match on an IP address
Explanation: Enrichment adds context to aid decision-making:
High-Signal Enrichment: - Threat Intel: IP/domain/hash reputation - Asset Data: Criticality, owner, business function - User Context: Department, normal behavior baseline - Historical: Has this alert fired before?
Low/No Signal: - Dashboard aesthetics - Analyst preferences - Alert text formatting
Example Enriched Alert:
Question 6: What is the '5 Whys' technique used for?
A) Generating SIEM queries B) Root cause analysis to identify underlying issues beyond symptoms C) Calculating alert severity scores D) Tuning detection rule thresholds
Answer
Correct Answer: B) Root cause analysis to identify underlying issues
Explanation: The 5 Whys iteratively asks "why" to drill from symptoms to root causes:
Example: 1. Why did ransomware encrypt files? → User executed malicious attachment 2. Why did user execute? → Email appeared legitimate (spoofed sender) 3. Why did email bypass filters? → Gateway lacked attachment sandboxing 4. Why no sandboxing? → Budget constraints, config oversight 5. Why no compensating control? → User training outdated, no phishing simulations
Root Cause: Technical gap (no sandboxing) + human factor (training gap)
Remediation: - Enable email sandboxing (technical) - Deploy phishing-resistant MFA (technical) - Quarterly phishing simulations (training) - EDR behavioral detection (defense in depth)
Question 7: How should analysts use LLM copilot suggestions during investigations?
A) Always implement suggestions without review (trust blindly) B) Ignore all suggestions as unreliable C) Validate suggestions and use them to accelerate tasks D) Only use suggestions after investigation is complete
Answer
Correct Answer: C) Validate suggestions and use them to accelerate tasks
Explanation: LLM copilots are tools, not replacements for human judgment:
Appropriate LLM Use: - Query Generation: "Show PowerShell with encoded commands" → LLM generates SPL/KQL - ATT&CK Mapping: "What technique is certutil.exe -urlcache?" → T1105 - Runbook Lookup: "How do I investigate impossible travel?" → Step-by-step guidance
Analyst Responsibility: - Verify outputs: Check query syntax, validate ATT&CK IDs - Apply context: LLM doesn't know your specific environment - Make decisions: Analyst owns escalation/closure decisions
Example:
Analyst: "Generate query for lateral movement via RDP"
LLM: [provides KQL query]
Analyst: Reviews syntax, adjusts time range for this incident, executes
Risk of Over-Reliance: Blind trust in LLM hallucinations can lead to incorrect actions.
Reference: Chapter 5, Section 5.6 - LLM Copilots in Investigation
Question 8: Alert: Failed login to 'finance_scanner' service account from 10.0.5.22 (3 attempts). Enrichment: IP is internal vulnerability scanner (IT-approved), account is for automated scans, historical 2-5 failures weekly due to password rotation lag. What is your triage decision?
A) Escalate to Tier 2 as potential breach B) Close as false positive - expected service account behavior C) Immediately disable the account D) Shutdown the entire network segment
Answer
Correct Answer: B) Close as false positive - expected service account behavior
Explanation:
Context Analysis: - Source: Known, authorized internal scanner (not external threat) - Account: Service account for legitimate vulnerability scanning - Pattern: Historical 2-5 failures weekly (normal due to password rotation delays) - Count: 3 attempts (within normal range) - Threat Intel: No match (internal IP)
Decision: Close as FP
Documentation: "Expected service account behavior - vulnerability scanner authentication lag during password rotation. No action required."
Tuning Opportunity: Add allowlist for scanner IP to reduce future false positives.
Reference: Chapter 5, Practice Tasks - Task 1
Question 9: Given timeline: 10:00 RDP login to DB server, 10:05 sqlcmd.exe executes, 10:07 2.1GB CSV created, 10:12 HTTPS to dropbox.com, 10:15 file upload. What ATT&CK tactic is occurring at 10:15?
A) Initial Access B) Execution C) Exfiltration D) Persistence
Answer
Correct Answer: C) Exfiltration
Explanation:
Timeline Analysis: | Time | Event | ATT&CK | |------|-------|--------| | 10:00 | RDP login | T1021.001 (Lateral Movement or Initial Access) | | 10:05 | sqlcmd execution | T1059 (Execution) | | 10:07 | CSV created (2.1GB) | T1005 (Data from Local System - Collection) | | 10:12 | HTTPS to Dropbox | T1071.001 (Application Layer Protocol) | | 10:15 | File upload | T1567.002 (Exfiltration to Cloud Storage) |
At 10:15: Data is being uploaded to external cloud storage = Exfiltration
Full Attack Chain: Lateral movement → Database query → Data collection → Exfiltration prep → Exfiltration
Reference: Chapter 5, Practice Tasks - Task 2
Question 10: You identified malicious file hash 'abc123def456' on WKS-001. What pivot query finds if this malware spread to other systems?
A) index=firewall dest_ip="WKS-001" B) index=endpoint file_hash="abc123def456" | stats count by host C) index=email subject="malware" D) Delete all logs
Answer
Correct Answer: B) index=endpoint file_hash="abc123def456" | stats count by host
Explanation: This is a file hash pivot to determine spread:
Pivot Query:
Purpose: - Find all systems where this malware exists - Determine scope of infection - Identify patient zero (earliest infection)
Other Recommended Pivots: 1. Network connections from WKS-001 (find C2 or lateral movement targets) 2. User activity from compromised system (check for credential theft) 3. Similar file characteristics (find variants by file path pattern, size)
Reference: Chapter 5, Practice Tasks - Task 3
Question 11: In incident documentation, why is it important to maintain an audit trail of all analyst actions?
A) To blame analysts for mistakes B) For compliance, post-incident review, lessons learned, and legal requirements C) To slow down investigations D) Audit trails are not necessary
Answer
Correct Answer: B) For compliance, post-incident review, lessons learned, and legal
Explanation:
Audit Trail Purposes: 1. Handoff: Tier 1 → Tier 2 → IR team (maintain continuity) 2. Compliance: Legal/regulatory requirements (GDPR, HIPAA, PCI-DSS) 3. Lessons Learned: What worked? What didn't? Improve processes 4. Metrics: Track MTTR, incident trends, analyst performance 5. Legal: Chain of custody for potential litigation
What to Document: - Timeline of events - Analyst actions taken (queries run, systems isolated, accounts disabled) - Evidence collected - Decision rationale ("Escalated because...") - IOCs identified
Question 12: What is the primary benefit of LLM-generated SIEM queries?
A) Queries are always 100% accurate with no errors B) Reduces syntax errors and speeds up data retrieval, allowing analysts to focus on analysis C) LLM writes queries that hack back into attacker systems D) Queries automatically close all incidents
Answer
Correct Answer: B) Reduces syntax errors and speeds up data retrieval
Explanation:
LLM Query Generation Benefits: - Speed: Seconds vs. minutes searching documentation - Syntax Accuracy: Reduces trial-and-error - Learning Tool: Junior analysts learn query patterns - Complex Queries: LLM can generate multi-step correlation logic
Example:
Analyst: "Show PowerShell executions with encoded commands in last 24h"
LLM Output (SPL):
index=endpoint process_name="powershell.exe"
| where match(command_line, "(?i)-enc|-encodedcommand")
| table _time, host, user, command_line
| sort -_time
Analyst Still Needs To: - Verify query syntax is correct - Adjust time range if needed - Interpret results - Make escalation decision
LLMs Do NOT: Hack back, auto-close incidents, or replace analyst judgment.
Reference: Chapter 5, Section 5.6 - Use Case 1: Query Generation
Question 13: In the 5 W's investigation framework, what question does 'When' answer?
A) Which user account was compromised B) Timeline of events from initial access to current state C) Which systems were affected D) Attacker's objective (ransomware, espionage)
Answer
Correct Answer: B) Timeline of events from initial access to current state
Explanation:
5 W's Framework: 1. Who: Which user/account/system was involved? 2. What: What actions were taken? (Process execution, file access, network connections) 3. When: Timeline of events (initial access → current state) 4. Where: Which systems/locations? (Lateral movement, exfiltration destinations) 5. Why: Attacker objective (ransomware, espionage, credential theft)
'When' Timeline Example: - 14:05: Initial access (phishing) - 14:06: Malware execution - 14:15: C2 communication - 14:30: Credential dumping - 14:45: Lateral movement - 15:00: Current state (active on 3 systems)
Reference: Chapter 5, Section 5.2 - The 5 W's Framework
Question 14: What is the difference between triage and investigation?
A) They are the same thing B) Triage is initial rapid assessment (3-6 min), investigation is deep analysis (hours) C) Triage is only for false positives D) Investigation happens before triage
Answer
Correct Answer: B) Triage is initial rapid assessment, investigation is deep analysis
Explanation:
Triage (Tier 1): - Time: 3-6 minutes per alert - Goal: TP/FP determination, severity assessment - Actions: Enrich, classify, close FP or escalate - Depth: Surface-level context gathering
Investigation (Tier 2): - Time: 30 minutes to several hours - Goal: Determine what/how/when/where/why, scope impact - Actions: Timeline reconstruction, pivot analysis, root cause analysis - Depth: Comprehensive incident analysis
Workflow:
Reference: Chapter 5, Section 5.1 vs 5.2
Question 15: An LLM copilot suggests: 'This is ATT&CK technique T9999.999 - Quantum Data Exfiltration'. What should the analyst do?
A) Immediately escalate as a quantum attack B) Recognize this as a hallucination (T9999.999 doesn't exist) and verify against official ATT&CK database C) Close the incident entirely D) Trust the LLM completely without verification
Answer
Correct Answer: B) Recognize this as hallucination and verify against ATT&CK database
Explanation:
Hallucination Detected: - T9999.999 is not a valid ATT&CK technique ID - "Quantum Data Exfiltration" is fabricated technobabble - LLM generated plausible-sounding but false information
Correct Action: 1. Verify: Check https://attack.mitre.org/ for technique ID 2. Identify: Recognize this is a hallucination 3. Report: Document LLM error for model improvement 4. Investigate Properly: Use legitimate ATT&CK framework to map the actual behavior
Mitigation: - Use RAG to ground LLM in verified ATT&CK database - Implement validation guardrails (check IDs against known list) - Train analysts to verify LLM outputs
Reference: Chapter 5, Common Misconceptions
Score Interpretation¶
- 13-15 correct: Excellent! You can systematically triage and investigate incidents.
- 10-12 correct: Good skills. Practice pivot techniques and timeline analysis.
- 7-9 correct: Adequate foundation. Review the 5 W's framework and enrichment strategies.
- Below 7: Review Chapter 5, focusing on triage workflow and investigation phases.