TR0.7 Triage vs Investigation — Where This Course Ends
Figure TR0.7 — Triage produces the classification, evidence, and containment that the investigation team needs to begin. Investigation produces the root cause, full scope, and eradication plan. The handoff between phases is the triage report.
What triage answers
Triage answers five questions, and only five. Each question has a specific deliverable.
Is this a true incident? Deliverable: classification (TP, FP, BTP, or Indeterminate with confidence level). This is the triage scorecard output from TR0.6.
What is the severity? Deliverable: severity classification (Critical, High, Medium, Low) based on the framework from TR7. The severity determines the response urgency: Critical requires immediate IR mobilisation. Low requires documentation and scheduled follow-up.
What volatile evidence must be preserved? Deliverable: evidence preservation actions documented with timestamps. Memory dumps captured, log snapshots taken, process states recorded. The preservation hierarchy from TR1 governs priority.
What immediate containment is needed? Deliverable: containment actions executed and documented. Session revoked, endpoint isolated, account disabled. The containment decision from TR8 governs scope.
What does the investigation team need to know? Deliverable: the 15-minute triage report from TR7.3. Classification, evidence, containment, outstanding questions.
When these five questions are answered, triage is complete. The investigation team takes over.
What triage does NOT answer
Triage deliberately leaves several questions unanswered. These are investigation questions that require hours or days of deep analysis.
How did the attacker get initial access? Triage identifies that initial access occurred (the AiTM token replay at 08:14). Investigation determines the full initial access chain: which phishing email, which infrastructure, which evasion techniques. Triage does not reverse-engineer the phishing kit.
What is the complete scope of compromise? Triage identifies the known affected entities (j.morrison’s account, DESKTOP-NGE042, SRV-NGE-BRS-DB01). Investigation determines whether OTHER accounts, endpoints, or servers were compromised. Triage flags the scope question. Investigation answers it.
What data was accessed or exfiltrated? Triage identifies that data access or exfiltration is occurring or has occurred (the database export on SRV-NGE-BRS-DB01). Investigation determines exactly what data was accessed, what was exfiltrated, and what the business impact is. Triage does not perform a data loss assessment.
How does the organisation eradicate the attacker? Triage executes initial containment (session revocation, device isolation, account disable). Investigation determines full eradication: removing all persistence mechanisms, rotating all compromised credentials, validating that no backdoors remain. Triage stops the bleeding. Investigation cures the disease.
What is the root cause? Triage identifies the technical entry point (AiTM via phishing). Investigation determines the root cause: why the phishing email bypassed Defender for Office 365, why j.morrison’s workstation had local admin, why svc-dbadmin credentials were cached on a user workstation, why the RHEL server accepted SSH from workstation IPs. Root cause analysis feeds remediation. Triage feeds investigation.
The danger of triage creep
Triage creep occurs when the responder, having classified the alert as a true positive and begun evidence preservation, continues into investigation activities instead of handing off. The responder starts analysing the memory dump they just captured. They begin reconstructing the full attack timeline from SigninLogs. They start writing the incident report.
This is dangerous for three reasons. First, it delays the triage report — the investigation team cannot begin until they receive the handoff, and every minute the responder spends investigating is a minute the investigation team waits. Second, the responder is not the investigator — they may lack the forensic skills, tools, or time allocation for deep analysis. Third, the triage responder may still need to triage other alerts — spending 3 hours investigating one incident means 3 hours of other alerts accumulating without triage.
The operational discipline is clear: complete the Triage Trinity (classify, preserve, contain), produce the triage report, hand off, and return to the alert queue. If you are both the triage responder AND the investigator (common in small teams), explicitly switch roles: close the triage phase, produce the report, and then begin investigation as a separate activity with a separate timeline.
What a good handoff looks like
The investigation team receives the triage report and immediately understands: what was found, what was preserved, what was contained, and what they need to investigate. They do not need to re-run the triage queries. They do not need to re-collect volatile evidence (it was preserved during triage). They do not need to re-execute containment (it was done during triage). They begin deep analysis from the triage responder’s endpoint.
A bad handoff: “We got an alert for j.morrison, looks suspicious, I revoked the session.” The investigation team must re-triage: what was the alert? What IP? What evidence exists? Was anything else affected? What was the severity? What evidence was preserved? Every question the triage report should have answered must now be answered by the investigation team — using evidence that has continued degrading during the delay.
Try it: assess your last incident handoff
Think about the last security incident that required investigation. How was it handed from triage to investigation? Was there a structured triage report, or a verbal summary? Did the investigation team re-run triage queries, or did they build on the triage findings? Was volatile evidence preserved during triage, or did the investigation team attempt to collect it hours later (potentially after degradation)? If the handoff was informal, identify which of the 5 triage deliverables were missing. Those gaps are what this course fills.
The handoff format that works
The triage report format should be standardised across the team — every triage produces the same structure, regardless of who performs it. This consistency means the investigation team always knows where to find the classification (top of the report), the evidence list (middle), the containment actions (below evidence), and the outstanding questions (bottom). NE uses a one-page format: incident ID, timestamp range, classification with confidence, severity, affected entities (users, devices, IPs), evidence preserved with file locations, containment actions with timestamps, and a numbered list of scope questions the investigation must answer. The format fits on one screen. The investigation team reads it in 2 minutes and begins deep analysis immediately.
The worst handoff format is a chat message. “Hey, j.morrison got phished, I revoked the session, can someone investigate?” This conveys the classification (phishing) and one containment action (session revocation) but omits: severity, affected entities beyond j.morrison, evidence preserved, scope questions, and whether the attacker achieved any post-compromise objectives. The investigation team spends their first 30 minutes reconstructing what the triage responder already knew — and the volatile evidence that could have been preserved during those 30 minutes has degraded further.
The triage report template is the single most important artifact this course produces. Module TR7.3 teaches the full template with worked examples across all three environments. Every module between now and TR7.3 builds the skills that populate the template’s fields: the classification comes from the triage scorecard (TR0.6), the evidence comes from the environment-specific preservation toolkits (TR2-TR4), the containment comes from the containment framework (TR8), and the severity comes from the classification framework (TR7).
Case management as the handoff mechanism
The triage report should live in a case management system, not in a chat message or an email. Tools like DFIR-IRIS (open-source, self-hosted), TheHive, or Sentinel’s built-in incident comments provide structured case records where the triage classification, preserved evidence file paths, containment actions, and outstanding questions are documented in a single authoritative location. When the investigation team opens the case, they see the triage responder’s complete handoff without searching through Slack threads or email chains. The case record also provides the audit trail that regulatory frameworks (ISO 27035, NIST SP 800-61) require: who classified the alert, when, based on what evidence, and what actions were taken. Palo Alto’s 2024 Incident Response Report found that median time to data exfiltration dropped from 9 days in 2023 to just 2 days — meaning the window between triage and investigation is shrinking. A structured handoff that the investigation team can act on immediately is no longer a best practice. It is a requirement for catching attackers before they achieve their objective.
The myth: Triage and investigation are the same process. The analyst receives the alert and investigates it to completion. Separating them into distinct phases is unnecessary bureaucracy.
The reality: In teams of 1-2 analysts, the same person may perform both triage and investigation. But they are still distinct phases with distinct objectives and distinct timelines. The triage phase operates under time pressure (15-60 minutes) with the goal of classification, preservation, and containment. The investigation phase operates under quality pressure (hours to days) with the goal of root cause, scope, and eradication. Conflating them means the analyst spends 4 hours investigating while other alerts accumulate untriaged — or rushes the investigation to return to the triage queue, producing shallow findings. Separating the phases — even when one person performs both — ensures each phase gets the time and focus it requires.
Troubleshooting
“I am the only security person — I do triage AND investigation. How do I separate them?” Explicitly. Complete the Triage Trinity, produce the triage report (even if the audience is yourself), and document the transition: “Triage complete at 14:35. Beginning investigation phase.” This forces the mental shift from triage mode (fast, classification-focused, preservation-focused) to investigation mode (thorough, scope-focused, root-cause-focused). The triage report you write for yourself is still valuable — when you return to the investigation after a break or a new shift, the report tells you where triage ended and what investigation needs to address.
“Management wants the full investigation completed in 60 minutes.” Educate management on the triage/investigation distinction using the cost model from TR0.2. A 60-minute investigation produces shallow findings that miss scope, miss root cause, and miss persistence mechanisms. The attacker returns because eradication was incomplete. A 60-minute triage followed by a thorough investigation (hours to days) produces the classification, evidence, and containment in 60 minutes AND the complete findings in the investigation phase. The business gets immediate protection (containment) AND lasting resolution (eradication).
The triage report format
The handoff between triage and investigation is a document — the triage report. This report must contain everything the investigation team needs to begin their analysis without re-doing the triage work. The format:
Section 1: Classification summary (2 sentences). “Alert [ID] on [entity] classified as [TP/FP/BTP/Indeterminate] at [timestamp]. Scorecard score: [X]/20.”
Section 2: Triage findings (bullet points per query). For each query run: the query name, the key finding, and the relevance to the classification. Example: “Query 1 (Active Sessions): 1 anomalous session from 185.220.101.42 (Tor exit, Romania) at 08:14. DeviceDetail mismatch with registered devices. Conclusion: attacker session confirmed.”
Section 3: Containment actions taken (timestamped list). Every action with its timestamp, the specific command or portal action used, and the verification that the action succeeded. Example: “08:19 — Session revocation: Revoke-MgUserSignInSession. Verified: no new sign-ins from attacker IP after revocation.”
Section 4: Evidence preserved (file list with hashes). Every evidence file collected: filename, location (case folder path), SHA256 hash, and description. Example: “memdump.raw — 16,384 MB — SHA256: abc123… — Full physical memory dump of DESKTOP-NGE042.”
Section 5: Outstanding questions for investigation. What the triage DID NOT determine. Example: “Scope beyond j.morrison’s account not assessed. Recommend Query 1 expansion to check whether 185.220.101.42 authenticated as other users.” The outstanding questions guide the investigation team’s first actions — they start where the triage stopped rather than starting from scratch.
Section 6: Triage scorecard (completed). The 8-question scorecard with the responder’s scores and reasoning. The scorecard provides the classification audit trail — if the classification is later questioned (by the IR team, by management, or by a regulator), the scorecard shows exactly what evidence was assessed and how the classification was reached.
This report takes 3-5 minutes to write during the triage workflow (not after — during). The responder documents findings as they run each query, not from memory after completing all queries. At NE, Rachel uses a Sentinel incident comment template pre-populated with the section headers. The analyst fills in the findings as they go, producing a complete triage report as a natural byproduct of the triage workflow rather than a separate documentation task.
The handoff timing
The handoff occurs at different points depending on the classification:
FP: Handoff is a close action. The triage report is the incident’s closing comment. No IR team involvement. The analyst closes the incident in Sentinel with the classification “False Positive” and the documented reasoning.
BTP: Same as FP — close with documentation. If the BTP involves a recurring pattern (IT admin lateral movement, scheduled scan), note it for detection tuning.
Indeterminate: Partial handoff. The triage responder has preserved evidence and documented findings but cannot definitively classify. The IR team reviews the evidence and makes the final classification. The indeterminate report explicitly states: “Classification pending verification. Evidence preserved. Recommend [specific verification steps].” The IR team may close as FP after verification, or escalate as TP if the evidence warrants.
Confirmed TP: Full handoff. The triage report, preserved evidence, and containment documentation transfer to the IR team. The triage responder’s job is complete. The IR team begins the investigation phase: deep analysis of the preserved evidence, scope assessment, root cause analysis, and regulatory impact evaluation.
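To make the six-section report format, the five-deliverable gap check from "Try it: assess your last incident handoff", and the classification-dependent handoff timing concrete, here is an added Python example that is not part of the course material or of any tool it names. It builds the report as a structured record, renders the sections in the order the investigation lead reads them, lists which of the five deliverables are empty (the re-work list), and routes the handoff as close, partial, or full by classification. The field names, the incident ID, the case folder path, the scorecard score and the evidence bytes are constructed sample values, not data from the course's scenario.

```python
"""Structured triage report: build, render, validate, and route the handoff.

Added example, not part of the course. Section layout and deliverables mirror
the text; field names, INC-0001, the case path and sample values are assumed.
"""
import hashlib
from dataclasses import dataclass, field

# The five triage deliverables, mapped to the report field that carries each one.
DELIVERABLES = {
    "classification": "classification",
    "severity": "severity",
    "evidence preserved": "evidence",
    "containment executed": "containment",
    "scope questions for investigation": "open_questions",
}

# Handoff action per classification (FP/BTP close, Indeterminate partial, TP full).
HANDOFF = {"FP": "close", "BTP": "close", "Indeterminate": "partial", "TP": "full"}


@dataclass
class Evidence:
    name: str
    path: str
    size_bytes: int
    sha256: str
    description: str


@dataclass
class TriageReport:
    incident_id: str
    entity: str
    classification: str                                 # TP, FP, BTP or Indeterminate
    classified_at: str                                  # HH:MM from the alert timeline
    score: int                                          # scorecard score out of 20
    severity: str = ""                                  # Critical, High, Medium, Low
    findings: list = field(default_factory=list)        # (query, finding, conclusion)
    containment: list = field(default_factory=list)     # (time, action, verification)
    evidence: list = field(default_factory=list)        # Evidence records
    open_questions: list = field(default_factory=list)  # numbered in Section 5
    scorecard: dict = field(default_factory=dict)       # question -> (score, reasoning)

    def missing_deliverables(self):
        """Deliverables whose field is empty: what investigation would have to re-do."""
        return [name for name, f in DELIVERABLES.items() if not getattr(self, f)]

    def handoff_action(self):
        """Route the report by classification: close, partial (IR verifies) or full."""
        if self.classification not in HANDOFF:
            raise ValueError(f"unknown classification {self.classification!r}")
        return HANDOFF[self.classification]

    def render(self):
        """Emit the six sections in the order the investigation lead reads them."""
        lines = [f"Section 1: Alert {self.incident_id} on {self.entity} classified as "
                 f"{self.classification} at {self.classified_at}. "
                 f"Scorecard score: {self.score}/20. Severity: {self.severity or 'NOT SET'}",
                 "Section 2: Triage findings"]
        lines += [f"- {q}: {f}. Conclusion: {c}" for q, f, c in self.findings]
        lines.append("Section 3: Containment actions taken")
        lines += [f"- {t}: {a}. Verified: {v}" for t, a, v in self.containment]
        lines.append("Section 4: Evidence preserved")
        lines += [f"- {e.name} ({e.path}, {e.size_bytes} bytes, SHA256 {e.sha256}): "
                  f"{e.description}" for e in self.evidence]
        lines.append("Section 5: Outstanding questions for investigation")
        lines += [f"{i}. {q}" for i, q in enumerate(self.open_questions, 1)]
        if self.classification == "Indeterminate":
            lines.append("Classification pending verification. Evidence preserved.")
        lines.append("Section 6: Triage scorecard")
        lines += [f"- {q}: {s} ({why})" for q, (s, why) in self.scorecard.items()]
        return "\n".join(lines)


def hash_evidence(name, path, data, description):
    """Build an Evidence record from collected bytes, recording size and SHA256."""
    return Evidence(name, path, len(data), hashlib.sha256(data).hexdigest(), description)


def build_sample_report():
    """Construct the j.morrison case with assumed values (not the course's data)."""
    ev = hash_evidence("memdump.raw", "/cases/INC-0001/memdump.raw",
                       b"constructed placeholder bytes, not a real memory image",
                       "Full physical memory dump of DESKTOP-NGE042")
    return TriageReport(
        incident_id="INC-0001", entity="j.morrison", classification="TP",
        classified_at="08:22", score=17, severity="Critical",
        findings=[("Query 1 (Active Sessions)",
                   "1 anomalous session from 185.220.101.42 (Tor exit, Romania) at 08:14",
                   "attacker session confirmed")],
        containment=[("08:19", "Session revocation: Revoke-MgUserSignInSession",
                      "no new sign-ins from attacker IP after revocation")],
        evidence=[ev],
        open_questions=["Scope beyond j.morrison's account not assessed."],
        scorecard={"Anomalous sign-in source": (3, "Tor exit node, device mismatch")},
    )


if __name__ == "__main__":
    report = build_sample_report()
    print(report.render())
    print("missing:", report.missing_deliverables(), "handoff:", report.handoff_action())
```

Filling the record while each query runs, rather than after, is what keeps the 3-5 minute writing cost; `missing_deliverables()` is the check to run before handing off, and an empty list is the "zero re-work" target.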
What the investigation team expects from triage
Understanding what the investigation team needs — from their perspective — improves the triage handoff quality. The investigation team’s first 30 minutes after receiving a triage handoff follow a predictable pattern:
Minute 0-5: Read the triage report. The investigation lead reads the classification, scorecard, and findings. If the report is well-structured (following the 6-section format above), the lead understands the incident scope, the evidence available, and the outstanding questions within 5 minutes. If the report is a paragraph of unstructured text, the lead spends 15-20 minutes reconstructing the triage findings from the incident comments and alert data — time wasted on work the triage responder should have documented.
Minute 5-15: Verify containment. The investigation team’s FIRST action is not analysis — it is containment verification. They check: are all identified attacker sessions revoked? Are all persistence mechanisms removed? Is the compromised endpoint isolated? If any containment gap exists (the triage responder revoked sessions but did not check OAuth grants, or isolated the endpoint but did not disable the AD account), the investigation team closes the gap before beginning analysis. Every containment gap the triage responder leaves creates a re-entry path the attacker may use while the investigation is underway.
Minute 15-30: Begin scope assessment. Using the preserved evidence from the triage handoff, the investigation team determines: how many users are affected? How many systems? What data was accessed? What is the regulatory impact? The speed of this assessment depends entirely on the quality of the triage evidence. A memory dump + KAPE collection + cloud log snapshot enables immediate analysis. A triage report that says “endpoint appears compromised, please investigate” with no evidence preserved forces the investigation team to start from scratch — re-collecting evidence that may have degraded since the triage.
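The containment verification step in minute 5-15 is mechanical enough to script. The following added Python example is not from the course or from Sentinel: it checks the triage containment record against the set of actions the investigation team expects (sessions revoked, OAuth grants reviewed, endpoint isolated, account disabled) and then scans sign-in records for any successful sign-in from the attacker IP at or after the revocation time, which is the evidence behind the report line "no new sign-ins from attacker IP after revocation". The log records are constructed in the shape of a few SigninLogs-style columns; the column order, the date, the workstation IP and the failure result code are assumptions.

```python
"""Containment verification for the investigation team's first minutes.

Added example, not course material. Checks that every required containment
action is recorded and that no successful sign-in from the attacker IP
appears after revocation. Records are constructed; columns are assumed.
"""
from datetime import datetime

# Containment the investigation team expects complete before analysis begins.
REQUIRED_CONTAINMENT = {
    "sessions_revoked",
    "oauth_grants_reviewed",
    "endpoint_isolated",
    "account_disabled",
}

# Constructed sign-in records: (timestamp, user, source IP, result type).
# Result type 0 is a success; any non-zero value is a failure. The date and
# the 10.10.5.23 workstation address are placeholders.
SAMPLE_SIGNINS = [
    ("2024-01-01T08:14:00", "j.morrison", "185.220.101.42", 0),
    ("2024-01-01T08:16:30", "j.morrison", "185.220.101.42", 0),
    ("2024-01-01T08:21:10", "j.morrison", "185.220.101.42", 50074),  # failed after revoke
    ("2024-01-01T08:25:00", "j.morrison", "10.10.5.23", 0),          # user's own workstation
]


def containment_gaps(actions_taken):
    """Required actions absent from the triage containment record, sorted by name."""
    return sorted(REQUIRED_CONTAINMENT - set(actions_taken))


def signins_after_revocation(records, attacker_ip, revoked_at):
    """Successful sign-ins from attacker_ip at or after revoked_at.

    An empty list is the verification the triage report should state; a
    non-empty list means the revocation did not hold or was not complete.
    """
    cutoff = datetime.fromisoformat(revoked_at)
    return [r for r in records
            if r[2] == attacker_ip and r[3] == 0
            and datetime.fromisoformat(r[0]) >= cutoff]


def verify_containment(actions_taken, records, attacker_ip, revoked_at):
    """Both checks together: every entry returned is a gap to close before analysis."""
    gaps = containment_gaps(actions_taken)
    if signins_after_revocation(records, attacker_ip, revoked_at):
        gaps.append("attacker_reentry_after_revocation")
    return gaps


if __name__ == "__main__":
    # The triage responder revoked sessions and isolated the endpoint at 08:19,
    # but did not record an OAuth grant review or an account disable.
    print(verify_containment(["sessions_revoked", "endpoint_isolated"],
                             SAMPLE_SIGNINS, "185.220.101.42", "2024-01-01T08:19:00"))
```

The two named gaps in the sample run are exactly the re-entry paths the text warns about; the investigation team closes them first and only then begins scope assessment.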
The triage quality metric: At NE, Rachel measures triage quality by tracking how many investigation cases require the investigation team to RE-DO triage work. If the investigation team must re-collect evidence that should have been captured during triage, re-run queries that should have been documented, or re-verify containment that should have been complete, the triage quality is poor. The target: zero re-work. The investigation team should never need to repeat a step that the triage responder was responsible for.