The Triage Problem
0.1 What is incident triage
Incident triage is the structured methodology for the first 60 minutes of every security incident. Not investigation — investigation answers "what happened?" over hours or days. Triage answers three questions in 15 minutes or less: Is this alert real? What is the scope? Is it urgent?
Every security incident has a first responder — the person who sees the alert, assesses it, and decides what happens next. In most organizations, that person has no structured methodology. They rely on intuition, experience, and whatever procedures they remember under pressure. Evidence is lost, containment happens too late or too aggressively, and the investigation team inherits a contaminated scene.
This course replaces intuition with structure. The 8-question triage scorecard classifies any alert within 15 minutes. The evidence preservation hierarchy captures volatile data before it decays. The containment decision framework prevents both under-response and over-response. The same methodology applies across M365, Windows endpoints, and Linux servers — but the commands, evidence locations, and containment actions differ by environment. You learn both the framework and the per-environment execution.
0.2 What you will learn
Section 0.1 — The 60-Minute Window. Why the first 60 minutes determine the outcome of every incident. The three categories of evidence loss that occur during delayed triage, the race between evidence decay and attacker progress, and the measurable impact of triage speed on containment outcomes.
Section 0.2 — The Triage Decision. The binary decision framework: escalate or close. What makes a triage decision defensible, the cost of false negatives versus false positives, and how to document the reasoning behind every classification.
Section 0.3 — Three Environments, One Methodology. How the same triage framework applies across M365/cloud, Windows endpoints, and Linux infrastructure. The evidence locations differ. The methodology doesn't. You'll see how a single alert can span all three environments and why single-environment triage produces incomplete assessments.
Section 0.4 — The NE Attack Timeline. A walked cross-environment attack against Northgate Engineering — from initial phishing email through lateral movement to data exfiltration. You'll trace the triage decision points where early detection would have changed the outcome, and where delayed triage allowed the attacker to advance.
Section 0.5 — Hybrid Environment Mapping and Asset Prioritization. Mapping the hybrid footprint before the incident: AD domains, Entra ID tenant, hybrid-joined devices, Azure Arc servers, M365 workloads. The 3-tier asset classification and blast radius assessment that determine triage priority. You'll run the environment snapshot commands that build your reference map.
Section 0.6 — Legal, Regulatory, and Chain-of-Custody. The regulatory clocks that can start running the moment you classify an alert as a probable incident: GDPR's 72-hour notification to the supervisory authority once you become aware of a personal data breach, NIS2's 24-hour early warning for significant incidents, and the SEC's four-business-day Form 8-K disclosure after a materiality determination. Chain-of-custody requirements for triage artifacts that may later be relied on as forensic evidence.
Section 0.7 — Triage vs Investigation. Where triage ends and investigation begins. The handoff criteria, the triage report structure, and why crossing the boundary during triage degrades both the triage and the investigation.
Section 0.8 — The Triage Scorecard. The 8-question framework that produces consistent, defensible triage classifications. Weighted scoring, action thresholds, and calibration across analyst teams. You'll apply the scorecard to NE alerts and see how it resolves the judgment calls that unstructured triage leaves to intuition.
Section 0.9 — The Triage Report Template. The structured handoff document that feeds the investigation team. What to include, what to exclude, and how the triage report's quality determines the investigation's starting position.
Section 0.10 — Your First Triage. Six mixed alerts from the NE environment. Three true positives, two false positives, one benign true positive. You'll apply the scorecard under time pressure, document your reasoning, and compare your classifications against the reference answers.
0.3 What makes the Microsoft stack ideal for learning triage
The Microsoft security stack provides the richest triage evidence set available in a single vendor ecosystem. Sentinel aggregates alerts from Defender XDR (which itself correlates Defender for Endpoint, Defender for Office 365, Defender for Identity, and Defender for Cloud Apps alerts) and Entra ID Protection into a single incident queue with entity mapping and alert correlation. The triage responder sees the alert, the affected entity's history, related alerts, and correlated evidence without switching tools.
KQL is the query language for triage evidence retrieval. A single KQL query against SigninLogs answers "has this user signed in from unusual locations in the past 30 days?" in seconds. A query against DeviceProcessEvents answers "what else ran on this machine in the 30 minutes surrounding the alert?" without touching the endpoint. A query against EmailEvents answers "did anyone else receive this email?" without involving the mail admin. The triage responder who knows KQL works faster than the one who navigates portal UIs — and the queries are documentable, repeatable, and auditable.
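The three questions above as KQL, added here as an example rather than taken from the course material. Each query is self-contained so it can be selected and run on its own in the Sentinel Logs blade or Defender advanced hunting; the user, device, sender, subject and alert time are constructed placeholders, and the column names are those of the standard SigninLogs, DeviceProcessEvents and EmailEvents schemas.

```kusto
// Added example, not the course's own queries. All identifiers below are assumed placeholders.

// 1. Has this user signed in from anywhere new?
//    Baseline = successful sign-ins in the 30 days before the alert, grouped by country.
//    Candidates = every sign-in in the hour around the alert. No baseline row => new location.
let alert_time = datetime(2025-03-04T14:23:00Z);        // assumed alert timestamp
let user = "j.carter@northgate.example";                 // assumed UPN from the alert
let baseline = SigninLogs
    | where TimeGenerated between ((alert_time - 30d) .. (alert_time - 1h))
    | where UserPrincipalName =~ user and ResultType == "0"   // ResultType is a string column
    | extend Country = tostring(LocationDetails.countryOrRegion)
    | summarize BaselineSignIns = count(), BaselineIPs = make_set(IPAddress, 50) by Country;
SigninLogs
| where TimeGenerated between ((alert_time - 1h) .. (alert_time + 1h))
| where UserPrincipalName =~ user
| extend Country = tostring(LocationDetails.countryOrRegion), City = tostring(LocationDetails.city)
| join kind=leftouter baseline on Country
| extend NewLocation = isnull(BaselineSignIns)           // no history for this country in 30 days
| project TimeGenerated, IPAddress, Country, City, AppDisplayName, ResultType, ResultDescription,
          ConditionalAccessStatus, RiskLevelDuringSignIn, NewLocation, BaselineSignIns, BaselineIPs
| order by TimeGenerated asc

// 2. What else ran on the machine in the 30 minutes either side of the alert?
//    DeviceName is normally the FQDN, so match on the hostname prefix (startswith is case-insensitive).
//    OfficeChild flags processes spawned by an Office application, the classic phishing-macro pattern.
let alert_time = datetime(2025-03-04T14:23:00Z);        // assumed alert timestamp
let device = "ne-ws-042";                                // assumed hostname from the alert
DeviceProcessEvents
| where Timestamp between ((alert_time - 30m) .. (alert_time + 30m))
| where DeviceName startswith device
| extend OfficeChild = InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
| project Timestamp, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine,
          FileName, FolderPath, ProcessCommandLine, SHA256, OfficeChild
| order by Timestamp asc

// 3. Who else received this email, and where did it land?
//    Pivot on the sender and subject in a two-day window rather than a single message id,
//    so sibling messages from the same campaign are counted. NetworkMessageIds feed the
//    follow-on joins against EmailUrlInfo and EmailAttachmentInfo.
let alert_time = datetime(2025-03-04T14:23:00Z);        // assumed alert timestamp
let sender  = "invoices@supplier-portal.example";        // assumed sender from the alerted email
let subject = "Overdue invoice 4471";                    // assumed subject from the alerted email
EmailEvents
| where Timestamp between ((alert_time - 1d) .. (alert_time + 1d))
| where SenderFromAddress =~ sender or SenderMailFromAddress =~ sender
| where Subject =~ subject
| summarize Recipients = dcount(RecipientEmailAddress),
            RecipientList = make_set(RecipientEmailAddress, 100),
            NetworkMessageIds = make_set(NetworkMessageId, 100),
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
            by DeliveryAction, DeliveryLocation, ThreatTypes
| order by Recipients desc
```

Run one numbered query at a time (select from its `let` lines to the end of the query), since a KQL script executes a single tabular expression. The first query keeps failed sign-ins in the candidate set deliberately: a burst of failures from a country with no baseline is itself triage evidence, so filter on ResultType only in the baseline.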
A Microsoft 365 developer tenant with E5 licensing provides most of the triage environment at no licence cost: Defender XDR, Entra ID Protection, and the M365 log tables the course queries against. Sentinel is the exception. It is an Azure service that runs on a Log Analytics workspace in your own subscription and bills on data ingested, so budget for a small Azure spend (a new workspace gets a free trial period, and lab data volumes are tiny). Check the Developer Program's current eligibility rules before you rely on it. The lab exercises in Phase 2 use this tenant to run real triage queries against real data structures — not screenshots of what the output would look like.
0.4 How to get the best from this module
Work through TR0 in order. The sections build on each other — the 60-minute window (Section 0.1) establishes why speed matters, the triage decision framework (Section 0.2) establishes how to decide, and the scorecard (Section 0.8) gives you the tool to execute both consistently.
The NE attack timeline in Section 0.4 is the worked example that anchors the module. Every subsequent section references specific moments in that timeline — "at 14:23, the triage responder checks the sign-in logs" — so the methodology is always grounded in a concrete scenario rather than abstract principles.
You can complete TR0 in a single session or spread it across two evenings. No lab setup is needed for TR0 — the module teaches methodology and framework. Lab setup happens when you reach Phase 2.
0.5 Module structure
- Section 0.1 — The 60-Minute Window
- Section 0.2 — The Triage Decision
- Section 0.3 — Three Environments, One Methodology
- Section 0.4 — The NE Attack Timeline
- Section 0.5 — Hybrid Environment Mapping and Asset Prioritization
- Section 0.6 — Legal, Regulatory, and Chain-of-Custody
- Section 0.7 — Triage vs Investigation
- Section 0.8 — The Triage Scorecard
- Section 0.9 — The Triage Report Template
- Section 0.10 — Your First Triage
Sections 0.1 through 0.3 provide the foundational understanding. Sections 0.4 through 0.7 apply the methodology to NE's environment and establish the boundaries. Sections 0.8 through 0.10 give you the operational tools and practice.
Go to Section 0.1 — The 60-Minute Window to begin.