References & Further Reading

Reference · Module 99 · Free
Operational Objective
This subsection covers references & further reading — building practical investigation and operational skills through scenarios from the Northgate Engineering environment.
Deliverable: Working proficiency with the techniques covered in this subsection.
Estimated completion: 25 minutes

The content in Practical Incident Response: Windows and Microsoft 365 is grounded in the tool documentation, forensic methodology, and technical references listed below. This page is updated as new modules are published.


Forensic Tool Documentation

Eric Zimmerman. "EZTools — KAPE, PECmd, MFTECmd, EvtxECmd, AmcacheParser, and more." https://ericzimmerman.github.io

Kroll. "KAPE — Kroll Artifact Parser and Extractor." https://www.kroll.com/en/services/cyber-risk/incident-response-litigation-support/kroll-artifact-parser-extractor-kape

Velocidex. "Velociraptor — Digging Deeper." https://docs.velociraptor.app

The Volatility Foundation. "Volatility 3 Framework." https://volatility3.readthedocs.io

Nextron Systems. "THOR and THOR Lite — Compromise Assessment Scanner." https://www.nextron-systems.com/thor/

Yamato Security. "Hayabusa — Windows Event Log Fast Forensics Timeline Generator." https://github.com/Yamato-Security/hayabusa

Harlan Carvey. "RegRipper — Registry Analysis Tool." https://github.com/keydet89/RegRipper3.0

Microsoft. "Sysinternals Suite." https://learn.microsoft.com/en-us/sysinternals/

Magnet Forensics. "Magnet AXIOM Cyber." https://www.magnetforensics.com/products/magnet-axiom-cyber/

Binalyze. "Binalyze AIR." https://www.binalyze.com/air

Exterro. "FTK Imager." https://www.exterro.com/ftk-imager

Arsenal Recon. "Arsenal Image Mounter." https://arsenalrecon.com/products/arsenal-image-mounter

---

Microsoft Cloud Investigation

Microsoft. "Microsoft Sentinel Documentation." Microsoft Learn. https://learn.microsoft.com/en-us/azure/sentinel/

Microsoft. "Microsoft Defender XDR — Advanced Hunting." Microsoft Learn. https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-overview

Microsoft. "Microsoft Purview Audit — Search the Audit Log." Microsoft Learn. https://learn.microsoft.com/en-us/purview/audit-search

Microsoft. "Microsoft Entra ID — Sign-in Logs." Microsoft Learn. https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-sign-ins

Microsoft. "Kusto Query Language (KQL) Overview." Microsoft Learn. https://learn.microsoft.com/en-us/kusto/query/

---

Incident Response Methodology

National Institute of Standards and Technology. "NIST SP 800-61 Rev. 3 — Incident Handling Guide." 2024.

SANS Institute. "SANS DFIR — Digital Forensics and Incident Response Curriculum." https://www.sans.org/cyber-security-courses/digital-forensics/

MITRE Corporation. "MITRE ATT&CK — Enterprise Matrix." https://attack.mitre.org

---

Legal and Regulatory References

Information Commissioner's Office. "Guide to the UK GDPR — Personal Data Breaches." https://ico.org.uk

UK Government. "Computer Misuse Act 1990." https://www.legislation.gov.uk/ukpga/1990/18

UK Government. "Regulation of Investigatory Powers Act 2000." https://www.legislation.gov.uk/ukpga/2000/23

---

How These Sources Were Used

Forensic tool documentation provided the authoritative references for tool capabilities, command syntax, and output formats used throughout the course. Microsoft cloud documentation provided the investigation procedures for M365 evidence sources. NIST and SANS methodologies informed the six-step investigation method and the IR lifecycle framework. MITRE ATT&CK provided the threat technique mappings used in every investigation scenario. Legal references informed the evidence handling and chain of custody guidance.

All course content — including the six-step investigation method, worked findings, investigation scenarios, and evidence handling procedures — was written by Ridgeline Cyber Defence based on operational incident response experience. No content was reproduced from any source.

Detection depth: NE-specific implementation

This detection rule addresses a technique that directly threatens NE's operational environment. The implementation accounts for NE's specific infrastructure characteristics:

Telemetry source: The primary data table for this detection ingests approximately 0.5-3.2 GB/day depending on the activity volume. At NE's scale (810 users, 865 devices, 42 servers), the event volume generates a stable baseline that statistical detection methods (percentile analysis from DE9.4) can reliably characterize. Deviations from this baseline represent either environmental changes (new applications, infrastructure modifications) or attacker activity.

Threshold calibration: The threshold was selected using the percentile method: P99 of 30-day historical data establishes the upper bound of normal activity. The production threshold is set at 1.5x P99 to provide margin above normal fluctuation while maintaining detection sensitivity for attack patterns that typically generate 5-50x normal volume.

False positive profile: The primary FP sources for this detection include: IT administrative activity (legitimate but anomalous-looking operations), automated tools and scripts (scheduled tasks, monitoring agents), and business events (quarterly reporting, annual audits, project deadlines). Each FP source is addressed through the watchlist architecture (DE9.6) — Corporate IPs (WL1), Service Accounts (WL2), IT Admin Accounts (WL3), and Known Applications (WL4) provide systematic exclusion without reducing the rule's detection scope below acceptable levels.

Attack chain integration: This detection maps to one or more of the 6 NE attack chains (CHAIN-HARVEST, CHAIN-MESH, CHAIN-ENDPOINT, CHAIN-FACTORY, CHAIN-PRIVILEGE, CHAIN-DRIFT). When this rule fires, the SOC analyst correlates with adjacent-phase alerts to determine whether the activity is isolated or part of a multi-phase attack. The correlation query from this module's cross-technique subsection provides the KQL pattern for this analysis.

Response procedure: On alert, the analyst: (1) checks the entity against the watchlists — is this a known benign source? (2) checks for correlated alerts from adjacent kill chain phases within 60 minutes, (3) classifies as TP/FP/BTP using the DE9.5 decision tree, and (4) escalates to Rachel if the alert correlates with other phases (potential active attack chain).

This investigation technique transfers directly to any Microsoft 365 environment — the table names, field structures, and query patterns are identical whether you investigate NE's environment or your own. The adaptation required is environmental context: your organization's IP ranges, user naming conventions, and baseline activity volumes differ from NE's. The investigation methodology and KQL patterns are universal.
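The threshold calibration and watchlist exclusion described above, as an added example that is not course material from Practical Incident Response or Ridgeline Cyber Defence: it computes P99 of a constructed 30-day baseline of daily event counts, sets the production threshold at 1.5x P99, and excludes watchlisted entities (WL1-WL3 style) before comparing a day's remaining volume against it. The nearest-rank percentile method, the entity names and all counts are assumptions.

```python
# Added example, not course material: percentile-based threshold calibration
# (P99 of a 30-day baseline, production threshold = 1.5 x P99) with watchlist
# exclusion of known-benign entities before the daily count is compared.
# Assumptions: nearest-rank percentile; every value below is constructed.
from __future__ import annotations
import math


def percentile(values: list[float], pct: float) -> float:
    """Nearest-rank percentile: smallest sample with at least pct% of samples at or below it."""
    if not values:
        raise ValueError("empty history")
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]


def production_threshold(history: list[float], margin: float = 1.5) -> float:
    """Upper bound of normal is P99; the deployed threshold adds a 1.5x margin."""
    return margin * percentile(history, 99)


# Constructed 30-day baseline of daily event counts for the detection's table.
BASELINE_30D = [410, 432, 398, 455, 470, 389, 402, 441, 467, 423,
                415, 437, 490, 428, 406, 419, 451, 444, 399, 412,
                430, 462, 409, 421, 438, 445, 417, 403, 480, 426]

# Constructed watchlists (entity -> list name); WL4 Known Applications omitted.
WATCHLISTS = {
    "10.20.0.5": "WL1 Corporate IPs",
    "svc-backup": "WL2 Service Accounts",
    "adm.jsmith": "WL3 IT Admin Accounts",
}


def evaluate_day(events: list[tuple[str, int]], history: list[float]) -> dict:
    """events: (entity, count) pairs for one day. Watchlisted entities are
    excluded first; the remaining count is compared against 1.5 x P99."""
    p99 = percentile(history, 99)
    threshold = production_threshold(history)
    excluded = {e: WATCHLISTS[e] for e, _ in events if e in WATCHLISTS}
    remaining = sum(c for e, c in events if e not in WATCHLISTS)
    return {"threshold": threshold, "excluded": excluded, "count": remaining,
            "multiple_of_p99": round(remaining / p99, 2), "alert": remaining > threshold}


if __name__ == "__main__":
    # A day dominated by an admin account and a backup service: no alert.
    print(evaluate_day([("adm.jsmith", 450), ("svc-backup", 300), ("user.a", 120)], BASELINE_30D))
    # A day where an unlisted account generates ~5x normal volume: alert.
    print(evaluate_day([("contractor-x", 2400), ("10.20.0.5", 90)], BASELINE_30D))
```

The "multiple_of_p99" field is what lets an analyst see at a glance whether a firing sits in the 5-50x range the calibration expects from attack patterns or just above the 1.5x margin.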

Compliance Myth: "Evidence collection can wait until the investigation is underway"

The myth: Evidence collection can wait until the investigation is underway

The reality: Volatile evidence disappears with every passing minute. Running processes, network connections, logged-in sessions, and memory contents are lost on reboot. The first responder's priority is evidence preservation — not investigation. Collecting a memory dump, capturing network state, and imaging volatile storage BEFORE beginning the investigation ensures evidence integrity. Investigate later with complete data rather than investigating now with incomplete data.