TH1.12 Escalation Protocols and IR Handoff

3-4 hours · Module 1 · Free
Operational Objective
A hunt finding that reaches the wrong person, reaches them too slowly, or reaches them without sufficient context wastes the dwell time compression hunting is designed to provide. The escalation is the moment hunting delivers its highest value — getting it wrong undermines everything the hunt produced. This subsection defines the escalation protocol: who to notify, what to include, how to maintain hunt continuity during IR, and the critical difference between warm and cold handoffs.
Deliverable: A documented escalation protocol for hunt findings that ensures findings reach the right person with sufficient context for immediate action.
⏱ Estimated completion: 20 minutes

Speed matters at escalation

When a hunt discovers a compromise, every hour between discovery and containment is an hour the attacker continues to operate. The analysis step (TH1.4) already established that high-confidence findings (3+ correlated enrichment dimensions) warrant immediate escalation. This subsection addresses the mechanics.

The escalation package

The IR analyst or SOC lead who receives the escalation needs enough information to take immediate action without re-running the hunt. The package:

1. Finding summary (2–3 sentences). What was found, for which entity, with what confidence level. “Hunt TH-2026-005 identified user j.morrison@northgateeng.com with high-confidence indicators of account compromise: sign-in from new IP (Romania) correlated with new MFA method registration and inbox rule creation, all within a 4-hour window. Phishing email delivered to the user 6 hours before the anomalous sign-in.”

2. Evidence table. Timestamps, entities, indicators, and data sources — in a format the IR analyst can immediately verify.

// Generate the evidence summary for the escalation package
// Adapt the entity, attacker IP and time window from your hunt finding
let compromisedUser = "j.morrison@northgateeng.com";
let attackerIP = "203.0.113.47";
let incidentWindow = 7d;
union
    (SigninLogs | where TimeGenerated > ago(incidentWindow)
    // =~ : UPN casing can differ between tables
    | where UserPrincipalName =~ compromisedUser
    | where IPAddress == attackerIP
    | project TimeGenerated, Source = "SigninLogs",
        Detail = strcat("Sign-in from ", IPAddress,
            " (", tostring(LocationDetails.countryOrRegion), ")")
    ),
    (AuditLogs | where TimeGenerated > ago(incidentWindow)
    // InitiatedBy is a dynamic column; cast before comparing to the UPN
    | where tostring(InitiatedBy.user.userPrincipalName) =~ compromisedUser
    | where OperationName has_any ("registered security",
        "InboxRule", "Consent to application")
    | project TimeGenerated, Source = "AuditLogs",
        Detail = OperationName),
    (EmailEvents | where TimeGenerated > ago(incidentWindow)
    | where RecipientEmailAddress =~ compromisedUser
    | where ThreatTypes has "Phish"
    | project TimeGenerated, Source = "EmailEvents",
        Detail = strcat("Phishing: ", Subject))
| sort by TimeGenerated asc
// This produces the chronological evidence timeline
// for the escalation package

3. Recommended containment. The immediate actions you recommend based on the technique. For AiTM: revoke all sessions, force a password change, review and remove inbox rules, review and revoke OAuth consents, and flag the user as compromised (user risk = High) in Entra ID Identity Protection. The IR analyst may modify these based on additional context, but providing the recommended actions saves decision time.

4. Hunt context. The hypothesis, the query chain that led to the finding, and any additional suspect results that have not been fully analyzed. The IR analyst needs to know whether this finding is isolated or part of a wider pattern the hunt has not finished investigating.

Warm handoff versus cold handoff

Warm handoff: The hunter walks through the finding with the IR analyst in real time — verbal briefing, screen share, or shoulder-tap. The hunter answers questions, explains the query logic, and provides environmental context (“this IP has been seen by 3 other users this week — possible shared attacker infrastructure”). The IR analyst starts investigation with full context.

Cold handoff: The hunter writes the escalation package and submits it through the ticketing system (Sentinel incident creation, email, Slack). The IR analyst reads it and investigates independently. The hunter is available for questions but not actively guiding the investigation.

Warm handoffs are faster and produce fewer misunderstandings. Use them for high-severity findings. Cold handoffs are acceptable for medium-confidence leads that warrant investigation but are not time-critical.

Maintaining hunt continuity

When you escalate, the hunt does not stop. Two scenarios:

Scenario 1: Escalate and continue. The finding involves one user. The hunt hypothesis covers the full tenant. Escalate the finding for the one user. Continue the hunt for the remaining population. The IR response and the hunt run in parallel.

Scenario 2: Escalate and merge. The finding indicates a wide-scope compromise — multiple users from the same attacker infrastructure, or an attacker technique that implies organizational-level access (Global Admin compromise, conditional access policy weakening). Escalate and merge the remaining hunt scope into the IR investigation. The hunt becomes the IR investigation’s scoping phase. The hunt queries become IR queries.

The decision between these scenarios depends on the finding’s scope implications. A single compromised user account suggests Scenario 1. Compromised admin credentials suggest Scenario 2.

[Figure] ESCALATION — TWO PATHS BASED ON SCOPE
High-confidence finding →
  Escalate and continue: single entity compromised. Escalate finding → IR responds. Hunt continues for remaining population.
  Escalate and merge: wide-scope compromise. Escalate finding → IR absorbs hunt. Hunt queries become IR scoping queries.

Figure TH1.12 — Two escalation scenarios. Single-entity findings allow the hunt to continue in parallel. Wide-scope findings merge the hunt into the IR investigation.
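The escalation decision described above (confidence from correlated dimensions, warm versus cold handoff, continue versus merge) as an added Python example, not part of the course material: it scores rows in the shape of the evidence-timeline query output and picks the path. The sample rows are constructed, the detail-to-dimension mapping is inferred from the query's filters, and the two-dimension cutoff for a medium-confidence lead is an assumption the page does not state.

```python
from collections import defaultdict

# (source, detail substring) -> dimension; substrings mirror the page's query filters (assumed mapping).
DIMENSIONS = (("SigninLogs", "Sign-in from", "anomalous_signin"),
              ("AuditLogs", "registered security", "mfa_registration"),
              ("AuditLogs", "InboxRule", "inbox_rule"),
              ("AuditLogs", "Consent to application", "oauth_consent"),
              ("EmailEvents", "Phishing:", "phish_delivery"))
HIGH = 3    # page's threshold: 3+ correlated dimensions -> immediate escalation
MEDIUM = 2  # assumption: 2 dimensions -> medium-confidence lead, cold handoff

# Constructed sample rows in the shape of the evidence-timeline output, with the
# affected user added: (TimeGenerated, Source, User, Detail).
EVIDENCE = [
    ("2026-03-02T03:10Z", "EmailEvents", "j.morrison@northgateeng.com", "Phishing: Invoice overdue"),
    ("2026-03-02T09:14Z", "SigninLogs", "j.morrison@northgateeng.com", "Sign-in from 203.0.113.47 (RO)"),
    ("2026-03-02T09:31Z", "AuditLogs", "j.morrison@northgateeng.com", "User registered security info"),
    ("2026-03-02T12:02Z", "AuditLogs", "j.morrison@northgateeng.com", "New-InboxRule"),
    ("2026-03-02T10:05Z", "SigninLogs", "a.patel@northgateeng.com", "Sign-in from 203.0.113.47 (RO)"),
]

def dimension_of(source, detail):
    """Enrichment dimension a timeline row contributes, or None if it adds none."""
    return next((d for s, needle, d in DIMENSIONS if s == source and needle in detail), None)

def dimensions_by_user(rows):
    """Distinct correlated dimensions per user (the page's confidence measure)."""
    dims = defaultdict(set)
    for _, source, user, detail in rows:
        if (d := dimension_of(source, detail)):
            dims[user].add(d)
    return dims

def decide(rows, user, attacker_ip, privileged_users=frozenset()):
    """Confidence, handoff type and hunt-continuity scenario for one entity."""
    n = len(dimensions_by_user(rows)[user])
    if n < MEDIUM:
        return {"dimensions": n, "confidence": "low", "escalate": False}
    # Wide scope: the attacker IP touches other users, or the account is privileged.
    shared = {u for _, s, u, d in rows if s == "SigninLogs" and attacker_ip in d}
    wide = len(shared) > 1 or user in privileged_users
    return {"dimensions": n, "escalate": True,
            "confidence": "high" if n >= HIGH else "medium",
            "handoff": "warm" if n >= HIGH else "cold",
            "scenario": "escalate_and_merge" if wide else "escalate_and_continue",
            "shared_ip_users": sorted(shared)}

if __name__ == "__main__":
    for u in sorted(dimensions_by_user(EVIDENCE)):
        print(u, decide(EVIDENCE, u, "203.0.113.47"))
```

With the constructed rows, j.morrison scores four dimensions (warm handoff) and the second user on the same IP tips the scenario to escalate-and-merge; with only j.morrison's rows the same finding is escalate-and-continue.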

Try it yourself

Exercise: Draft an escalation package

Using the finding from TH1.3–TH1.5 exercises (or a hypothetical finding if your hunt produced no true positives), draft the complete escalation package: finding summary, evidence table (run the evidence timeline query adapted for your finding), recommended containment actions, and hunt context.

Show the package to a colleague or your SOC lead. Ask: "If you received this at 2 AM, do you have enough information to start investigating?" If the answer is no, identify what is missing and add it.

⚠ Compliance Myth: "Hunt findings should be documented before escalation to avoid false alarms"

The myth: Take time to fully document the finding before escalating. False escalations damage credibility.

The reality: Documentation happens in parallel with — not before — escalation. A high-confidence finding (3+ correlated dimensions) has sufficient evidence for immediate escalation. Waiting to write a polished report while the attacker continues operating wastes the dwell time compression that justified the hunt in the first place. Escalate with the evidence you have. Document the full hunt record after containment is initiated. The escalation package (finding summary, evidence, containment recommendation) takes 10 minutes to assemble. The full hunt record takes 20 minutes after the hunt concludes. Do not confuse the two.

Extend this protocol

If your organization has a formal incident management process with defined severity levels and escalation matrices, integrate hunt escalations into that process. A high-confidence hunt finding should create a Sentinel incident (manually or through a dedicated automation rule for hunt escalations) with the appropriate severity and assignment. This ensures the finding enters the same workflow as detection-triggered incidents — with the same SLAs, the same triage process, and the same documentation requirements. TH14 covers the integration of hunting with SOC workflows in detail.


References Used in This Subsection

  • Course cross-references: TH1.4 (confidence model for escalation threshold), TH1.5 (conclusion — confirmed outcome), TH0.6 (hunting → IR handoff point 6)
