First Response

For SOC Analysts, First Responders, and On-Call Engineers Who Must Classify, Preserve, and Contain Within 60 Minutes

Master Incident Triage and First Response

The Mission: From Alert to Containment Handoff Across Cloud, Windows, and Linux

Every IR course starts at "you have confirmed an incident, now investigate." Every SOC course ends at "triage the alert and escalate." The gap between those two points — the 15–60 minutes where the responder must classify severity, preserve volatile evidence, and execute initial containment — is taught nowhere as a dedicated skill. This course fills that gap across three environments simultaneously, because real incidents cross environment boundaries. A phishing email (cloud) leads to endpoint compromise (Windows) which pivots to a database server (Linux). The responder who triages all three hands off a complete scope assessment that the investigation team can act on immediately.

TRIAGE — FIRST 60 MINUTES

T+0:00 — Alert fires: AiTM credential phishing detected in Sentinel. Source: Defender for Office 365 → KQL triage query pack.

T+0:08 — Cloud triage: 5-query pack confirms active session hijack. Tools: KQL, Graph PowerShell, Defender portal.

T+0:15 — Windows triage: KAPE collection, EZ Tools parse, process tree. Tools: KAPE, PECmd, EvtxECmd, Sysinternals, PowerShell.

T+0:25 — Linux triage: auth.log, process analysis, LiME memory capture. Tools: ps, ss, lsof, LiME, Volatility3, Bash triage script.

T+0:35 — Cross-environment correlation: unified timeline, pivot points. Entity mapping: UPN ↔ SAM ↔ Linux user, IP correlation across logs.

T+0:45 — Synchronized containment: all 3 environments within 2 minutes. Session revoke + endpoint isolate + iptables block → verify → report.

The Triage Trinity

Every triage in this course follows the same three-step methodology — the same sequence used across cloud, Windows, and Linux:

1. Classify severity — the 8-question triage scorecard produces a defensible severity classification in under 15 minutes. Is this a true incident? How bad? What is at risk?

2. Preserve volatile evidence — memory, processes, network connections, session tokens — captured in the correct order before they disappear. Environment-specific tools: KQL exports for cloud, KAPE + EZ Tools for Windows, LiME + native commands for Linux.

3. Execute initial containment — stop the attacker without destroying evidence. Cloud session revocation, Defender for Endpoint isolation, Linux iptables blocking — synchronized across all affected environments within a 2-minute window.

Who this course is for

SOC analysts who triage alerts but lack confidence in the full sequence. You can investigate an alert in Sentinel. You can check SigninLogs. But when the alert is real — when it is a confirmed compromise crossing from cloud to endpoint to Linux — you need a structured methodology that covers evidence preservation, containment decisions, and investigation handoff. This course builds that methodology.

IT administrators who are first on scene. Your organization does not have a dedicated IR team. When something goes wrong, you are the person who receives the call. You need the skills to assess the situation, preserve evidence, and make the containment decision — even if you hand off to an external IR firm afterward.

Junior IR analysts who need structured first-response methodology. You have investigation skills but no systematic approach to the first 60 minutes. The gap between "alert received" and "investigation started" is where this course operates.

On-call engineers who receive after-hours security alerts. The alert fires at 02:00. You need to decide: wake the team or document for morning? This course gives you the on-call runbook and decision framework for that exact scenario.

Who this course is not for

Deep forensic investigators. This course does not teach full disk imaging, super timeline construction, or malware reverse engineering. If you need those skills, start with our Practical Incident Response course (Windows/M365) or Practical Linux IR course. This course teaches triage-level collection and rapid assessment — the first 30 minutes, not the full investigation.

Detection engineers. This course does not teach rule building, analytics rule architecture, or detection-as-code. Our Detection Engineering course covers that discipline. This course teaches you to triage the alerts that detection rules generate.

Complete beginners to security operations. This course assumes you can navigate the Sentinel portal, read a KQL query result, and understand basic networking concepts. If you are new to security operations, start with our SOC Operations course or M365 Security Operations course.

Built on a realistic organization — not abstract examples

Every triage scenario in this course is built for Northgate Engineering — an 810-person precision manufacturing company with hybrid infrastructure spanning M365 E5 (Entra ID, Exchange Online, SharePoint, Defender XDR, Sentinel), on-premises Active Directory (4 DCs across 3 sites, 865 Windows endpoints, 12 Windows servers), Linux servers (6 RHEL for manufacturing, 2 Ubuntu web servers), and Palo Alto Prisma Access SD-WAN across 6 sites with BlueVoyant as managed SOC partner. The incidents cross environment boundaries because real incidents cross environment boundaries — AiTM phishing (cloud) leads to VPN access (network) leads to endpoint compromise (Windows) leads to database pivot (Linux). Single-environment triage courses miss the attack chain. This course follows it across all three.

What you will be able to do

After completing this course, you will be able to:

1. Scope an incident across all three environments within 15 minutes using the triage scorecard and the environment-specific query packs — KQL for cloud, PowerShell for Windows, Bash for Linux. Determine whether the attack has crossed environment boundaries and identify the pivot points.

2. Collect the highest-value volatile and non-volatile artifacts in under 30 minutes per system using KAPE for Windows (automated artifact collection), LiME for Linux (memory acquisition), and KQL exports for cloud. Parse collected artifacts rapidly with Eric Zimmerman Tools — EvtxECmd for event logs, PECmd for prefetch, AmcacheParser for application execution history.

3. Execute safe, repeatable containment that stops the attacker without destroying evidence. Cloud session revocation, Defender for Endpoint device isolation, Linux iptables blocking — synchronized across all environments within a 2-minute window.

4. Correlate entities and timelines across environments — mapping the same user identity across Entra ID (UPN), Active Directory (SAM), and Linux (username), correlating IPs across NAT and VPN boundaries, and building the unified timeline that reveals the full attack chain.

5. Classify severity and make the escalation decision using the 4-tier model (Critical/High/Medium/Low), the confidence scale (Confirmed/Probable/Possible/Suspected), and the escalation matrix that maps severity to stakeholders, timelines, and communication channels.

6. Produce a complete triage report in 15 minutes — the structured handoff document with severity classification, evidence locations, containment actions, regulatory triggers, and prioritized investigation questions. The investigation team starts investigating from minute one.

7. Operate effectively at 02:00 using the on-call runbook, after-hours escalation thresholds, and the remote triage capability matrix. The structured decision framework works when your cognitive capacity is lowest.

Course at a glance

Modules: 16 (TR0–TR15) across 4 phases

Interactive labs: 10+ (alert simulators, terminal simulators, investigation engines)

Attack chain scenarios: 4 NE chains (CHAIN-HARVEST, CHAIN-PRIVILEGE, CHAIN-DRIFT, CHAIN-FACTORY)

Triage scenarios: 10 common scenarios with worked playbooks

Format: Written content — production KQL/PowerShell/Bash, SVG diagrams, interactive labs, worked artifacts, knowledge checks

Free content: TR0–TR1 (2 modules) — no account required

Paid content: TR2–TR15 (14 modules) — Premium or Team subscription

Environments: Cloud (M365/Entra/Azure), Windows (AD/endpoints), Linux (servers/containers), Network

Built by Ridgeline Cyber

Ridgeline Cyber Defence builds security operations training grounded in practical and operational experience. The team behind this course runs CSOC operations across on-prem, Splunk, and Microsoft 365 security stacks, Cisco and Palo Alto networks, and managed SOC partnerships.

Experience spans incident triage, detection engineering, incident response, and DFIR investigation across on-prem, M365, and Linux environments — including leading cyber incident response engagements and operating the triage methodologies taught in this course in production environments.

The triage procedures, tool workflows, and containment sequences in this course are drawn from that operational work — adapted for training but grounded in real incident response.

Technical requirements

Microsoft Sentinel workspace: Required for cloud triage queries. A free M365 E5 developer tenant with an Azure free subscription provides Sentinel with 5 GB/day free ingestion and all Defender XDR data connectors. TR0 provides complete lab setup guidance.

Windows endpoint access: Required for KAPE and EZ Tools exercises. A Windows 10/11 VM or physical machine is sufficient. KAPE and all Eric Zimmerman Tools are free downloads.

Linux server access: Required for Linux triage exercises. Any RHEL, Ubuntu, or Debian system — a free cloud VM (Azure, AWS free tier) or a local VM works. All tools are native commands or free open-source packages.

KQL proficiency: You need to be comfortable reading KQL query results and running basic queries — where, summarize, project, ago(). If you are new to KQL, complete our Mastering KQL course first.

Command-line familiarity: Basic PowerShell and Bash command-line skills. You do not need scripting expertise — the course provides pre-built scripts — but you should be comfortable running commands and reading output.

No third-party paid tools required. Every tool in this course is either native to the operating system, built into the Microsoft security stack, or free open-source software (KAPE, EZ Tools, LiME, Volatility3, Velociraptor, Sysinternals).

How to get the most from this course

Recommended pace: 1–2 modules per week. Each module takes 2–4 hours of focused study. The course is designed for 8–16 weeks of part-time learning alongside a full-time role.

Phase 1 (TR0–TR1) is sequential. TR0 introduces the triage methodology and scorecard. TR1 teaches evidence volatility. Complete both before moving to environment-specific modules.

Phase 2 (TR2–TR5) can be prioritized based on your environment. If your organization is cloud-first: start with TR2. If you handle Windows endpoints daily: start with TR3. If you manage Linux servers: start with TR4. The cross-environment modules in Phase 3 require all three.

Phase 3 (TR6–TR8) ties everything together. Cross-environment triage, severity classification, and containment decisions require the environment-specific skills from Phase 2.

Phase 4 (TR9–TR15) builds operational mastery. Automation, communication, scenarios, regulatory considerations, advanced techniques, and the capstone. TR15 (capstone) requires all previous modules.

Deploy the tools. Download KAPE, install EZ Tools, set up a Linux VM with LiME. Reading about triage is not the same as doing it. The muscle memory only develops through practice.

Support and community

Questions about course content: training@ridgelinecyber.com

Billing and account management: Self-service via your account page or training@ridgelinecyber.com

LinkedIn: Follow Ridgeline Cyber for operational security content, course updates, and new module announcements

X: @RidgelineCyber

Course Syllabus

Four phases. Sixteen modules. TR0–TR1 are free — no account required.

Phase 2 — Environment-Specific Triage

TR2: Cloud Triage — M365 and Entra ID — The 5-query cloud triage pack (KQL), identity alert triage (Entra ID Protection), email alert triage (Defender for Office 365), token theft and session hijacking detection, OAuth and application alert assessment, mailbox audit and message trace analysis, Teams/SharePoint/OneDrive exfiltration triage, hybrid identity (Entra Connect and PTA), cloud containment actions, and Sentinel incident triage workflow.

TR3: Windows Triage — Endpoints and Active Directory — The 10-command Windows triage toolkit, endpoint alert triage (Defender for Endpoint), Active Directory alert triage (Defender for Identity), process analysis with Sysinternals, Windows persistence mechanisms, high-fidelity forensic artifacts (Prefetch, Amcache, ShimCache with EZ Tools), Sysmon and PowerShell/AMSI triage, KAPE automated collection and EZ Tools parsing, volatile evidence collection (WinPMem, MemProcFS, Velociraptor), and Windows containment actions.

TR4: Linux Triage — Servers and Containers — The 10-command Linux triage toolkit, log-based alert triage (auth.log, journalctl, auditd), process and network analysis, container and Kubernetes triage (Docker CLI, kubectl), rootkit detection and filesystem forensics, Linux persistence mechanisms, evidence collection (LiME, Volatility3), Linux containment actions, cross-environment correlation (Linux to AD and M365), and triage automation scripting.

TR5: Network and Perimeter Triage — The 5-query network triage pack (KQL against CommonSecurityLog), firewall alert triage, DNS alert triage (DGA, tunnelling), web proxy and TLS certificate triage, VPN and remote access triage, C2 beaconing detection, network-based data exfiltration triage, network containment actions, lateral movement detection at the network layer, and network threat intelligence correlation.

Phase 4 — Operational Mastery

TR9: Triage Automation and Tooling — Automated triage enrichment, Sentinel triage playbooks, SOAR integration for first response, the complete PowerShell triage toolkit, the complete Bash triage toolkit, the KQL triage query pack, KAPE automation profiles, Velociraptor for triage collection, the triage go-bag, and building custom triage playbooks.

TR10: Communication During Triage — The first notification template, managing stakeholder expectations, technical vs executive communication, managed SOC coordination, legal and HR coordination, real-time documentation, cross-team coordination during multi-environment incidents, post-triage handoff communication, regulatory communication triggers, and the complete communication template pack.

TR11: Common Triage Scenarios — Ten worked scenarios: phishing with credential harvest, ransomware pre-encryption, suspicious SSH to production, business email compromise, insider threat indicators, cloud VM cryptomining, supply chain compromise, credential spray and brute force, living-off-the-land (LOLBin), and a cross-environment attack chain. Each scenario produces a deployable triage playbook.

TR12: Triage in Regulated Environments — Regulatory triage obligations (GDPR, NIS2, DORA, PCI DSS, HIPAA), evidence preservation for legal proceedings, individual framework assessment procedures, sector-specific requirements, insurance and legal hold considerations, and the regulatory trigger decision tree.

TR13: Triage Quality and Continuous Improvement — Measuring triage quality (metrics), triage retrospectives, the triage playbook library, common triage failures, triage metrics dashboard (Sentinel workbook), training and tabletop exercises, tool maintenance and go-bag updates, knowledge transfer and team capability building, integrating triage outputs into the IR program, and building a triage maturity model.

TR14: Advanced Triage Techniques — Memory triage with Volatility3, MemProcFS for live memory analysis, advanced KAPE workflows, Velociraptor at scale, advanced KQL for triage, advanced PowerShell for triage, advanced Bash for triage, threat intelligence integration during triage, cloud-native triage (Azure Activity and Resource Logs), and triage under adversarial conditions (anti-forensics detection).

TR15: Capstone — Full Triage Exercise — Saturday 01:45. On-call. Three simultaneous alerts: AiTM (cloud), suspicious process (Windows), SSH from unknown IP (Linux). 60 minutes. Cloud triage, Windows triage, Linux triage, network triage, cross-environment correlation, severity classification, containment execution, unified triage report, CISO notification, and investigation handoff. Self-scoring against the triage scorecard.

Prerequisites

Required:

Familiarity with the Microsoft security stack — you know what Sentinel, Defender XDR, and Entra ID do. Completion of our SOC Operations course or M365 Security Operations course, or equivalent operational experience.

Basic KQL proficiency — you can read query results and run simple queries. If SigninLogs | where TimeGenerated > ago(1h) | where ResultType != "0" | summarize count() by UserPrincipalName is comfortable, you are ready.

Recommended but not required:

Experience with Windows command-line tools (PowerShell, Event Viewer, Task Manager). The course teaches the specific triage commands, but familiarity accelerates TR3.

Experience with Linux command-line tools (ps, grep, find). The course teaches the specific triage commands, but familiarity accelerates TR4.

Usage rights and disclaimer

Course materials: Licensed for individual professional development. You may deploy triage scripts, query packs, and playbooks from this course in your organization's production environment. You may not redistribute course content, share account credentials, or republish course materials.

Triage tools and scripts: All PowerShell, Bash, and KQL artifacts are provided as-is for deployment in your environment. Test every script against your environment before using in production incidents. Containment actions have business impact — verify blast radius before execution. Ridgeline Cyber Defence is not responsible for operational impact from deployed scripts or containment actions.

Fictional environment: All scenarios use the fictional Northgate Engineering environment. Any resemblance to real organizations, incidents, or individuals is coincidental. IP addresses use RFC 5737 documentation ranges.

Version and changelog

Current version: 1.0  |  Last updated: 2026

2026 — v1.0: Course launch. 16 modules (TR0–TR15) across 4 phases. Cloud, Windows, Linux, and network triage with full tool coverage. 4 NE attack chain scenarios. 10 common triage scenarios. Interactive labs (alert simulators, terminal simulators, investigation engines). Full content standard compliance.

This course is actively maintained. Triage procedures are updated as the Microsoft security platform evolves, new tools are released, and new attack techniques emerge. Check this page for version updates.