TR0.10 Your First Triage

Figure TR0.10 — Six NE alerts spanning cloud identity, endpoint, email, Linux, and cross-environment scenarios. Apply the scorecard, classify each, and compare against the reference answers.

How to work this lab

For each alert, apply the 8-question scorecard. Score each question, calculate the total, determine the classification (FP, probable TP, confirmed TP, or BTP), and decide the immediate action. Write your reasoning before expanding the reference answer. The reasoning matters more than the classification — two analysts can reach the same classification through different reasoning, and the reasoning reveals gaps in the triage process.

Time yourself. FP alerts should take 3–5 minutes each. Probable and confirmed TP alerts should take 8–10 minutes. Target: all 6 alerts in 30–45 minutes.

Alert 1: Impossible travel — s.patel

Alert: Entra ID Protection — Impossible travel. s.patel@northgateeng.com authenticated from London (09:02) and from Singapore (09:08). s.patel is a software developer based in Edinburgh. No VPN documented. No travel request. The Singapore sign-in used a different device fingerprint than s.patel's known laptop.

Triage query result: SigninLogs shows 0 previous sign-ins from this Singapore IP for any NE user. The IP resolves to a residential ISP in Singapore.

Reference answer — Alert 1

Score: Q1: YES (+3) — different device fingerprint + residential Singapore IP with no tenant history. Q2: NO (0) — single user. Q3: ACTIVE (+3) — Singapore session is current. Q4: PROBABLE (+1) — s.patel has access to source code repositories. Q5: IMMEDIATE (+2) — active session from unknown device. Q6: MEDIUM (+1) — developer access to code. Q7: UNCERTAIN (+1) — source code may contain customer data. Q8: HIGH confidence.

Total: 11 — Probable TP. Two simultaneous sessions from two continents with different devices, 6 minutes apart, from a residential IP with no history. VPN is excluded by the residential ISP classification and lack of documentation.

Action: Revoke s.patel's sessions immediately. Preserve sign-in logs (last 48h). Check for post-authentication activity from the Singapore IP — mailbox access, file downloads, OAuth grants. Escalate to IR team.

Alert 2: Inbox rule creation — d.wright

Alert: Custom Sentinel rule — Suspicious inbox rule. d.wright@northgateeng.com created an inbox rule redirecting emails containing "bank details" and "payment confirmation" to Deleted Items. Rule created at 11:45 from 198.51.100.10 (Bristol office egress IP).

Triage query result: SigninLogs shows d.wright authenticated from Bristol office IP at 08:30. Normal browser user-agent. MFA completed via Authenticator push. No anomalous sign-ins in last 30 days. d.wright works in accounts payable.

Reference answer — Alert 2

Score: Q1: NO (0) — no anomalous sign-in, rule created from a legitimate session. Q2: NO (0) — single user. Q3: ACTIVE (+3) — rule is currently filtering emails. Q4: YES (+2) — accounts payable + financial keyword filtering. Q5: SOON (+1) — rule is filtering but not exfiltrating. Q6: HIGH (+2) — financial process disruption risk. Q7: NO (0) — no personal data exposure yet. Q8: MEDIUM confidence — the rule could be legitimate (user filtering spam) but the Deleted Items destination is suspicious.

Total: 8 — Borderline probable TP. Authentication looks clean (no AiTM indicators), but the inbox rule matches the BEC persistence pattern from CHAIN-HARVEST exactly. The critical question: did d.wright create this rule themselves (BTP), or did an attacker with d.wright's session create it (TP)?

Action: Do NOT delete the rule (preserve evidence). Check OfficeActivity for the exact rule creation timestamp and compare the session ID with d.wright's authenticated session. Contact d.wright directly: "Did you create an inbox rule at 11:45?" If d.wright confirms — BTP, document and close. If d.wright denies — TP, begin full cloud triage.

Alert 3: Credential access — SRV-NGE-BRS005

Alert: Defender for Endpoint — Suspicious credential access. Process rundll32.exe loaded comsvcs.dll on SRV-NGE-BRS005 (Bristol file server) at 02:22. Command line includes MiniDump. Running as SYSTEM.

Triage query result: DeviceProcessEvents shows parent process is cmd.exe, parent of cmd.exe is svchost.exe (PID 876, service: Schedule). No remote logon events in last 60 minutes. Scheduled task "SystemHealthCheck" was created 3 days ago.

Reference answer — Alert 3

Score: Q1: YES (+3) — LSASS dump via comsvcs.dll MiniDump is a textbook credential theft technique. Q2: UNKNOWN (+2) — server compromise may enable lateral movement. Q3: ACTIVE (+3) — dump just executed. Q4: YES (+2) — credential dump captures all cached credentials including domain admin if present. Q5: IMMEDIATE (+2) — stolen credentials enable immediate lateral movement. Q6: HIGH (+2) — file server with potential domain admin creds. Q7: PROBABLE (+1). Q8: HIGH confidence — comsvcs.dll MiniDump is not a legitimate Windows operation.

Total: 15 — Confirmed TP. Active LSASS credential dump via a scheduled task planted 3 days ago (persistence). The attacker has been in the environment for at least 3 days and is now harvesting credentials for lateral movement.

Action: Network-isolate SRV-NGE-BRS005 via Defender for Endpoint IMMEDIATELY. Capture memory dump before isolation. Escalate as CRITICAL. The 3-day-old scheduled task indicates persistence elsewhere — scope the investigation beyond this single server.

Alert 4: Failed sign-ins — t.chen

Alert: Custom Sentinel rule — Brute force detected. 12 failed sign-in attempts for t.chen@northgateeng.com from IP 203.0.113.99 between 14:00 and 14:05. All failures: incorrect password.

Triage query result: SigninLogs shows 0 successful authentications from 203.0.113.99. The IP resolves to a hosting provider (OVH). t.chen has not authenticated since 13:30 (legitimate session from Manchester office). No MFA registration changes.

Reference answer — Alert 4

Score: Q1: NO (0) — only failed attempts, no successful compromise. Q2: NO (0) — only t.chen targeted (but check if same IP targeted others). Q3: HISTORICAL (0) — attack failed, no active session. Q4: NO (0) — no data access occurred. Q5: STANDARD (0) — no urgency, attack failed. Q6: LOW (0) — no compromise occurred. Q7: NO (0). Q8: HIGH confidence — 12 failures from a hosting provider IP with 0 successes is a failed brute force.

Total: 0 — False positive (more precisely, a detected-and-failed attack). The attack was real but unsuccessful. No compromise occurred.

Action: Close with documentation. Note IP 203.0.113.99 for threat intelligence — check if this IP targeted other NE accounts (spray pattern). If the same IP shows up targeting multiple accounts, escalate the pattern even though individual attacks failed. Feed the IP to the detection engineering team for watchlist consideration.

Alert 5: Kerberoasting — a.patel

Alert: Defender for Identity — Suspected Kerberoasting. a.patel@northgateeng.com requested Kerberos TGS tickets for 15 service accounts in 2 minutes at 10:30 from DESKTOP-NGE-IT03.

Triage query result: IdentityLogonEvents confirms the Kerberoasting pattern. a.patel is a senior IT administrator. Change ticket CHG-2026-0415 authorizes penetration testing by a.patel from 10:00–12:00 today on DESKTOP-NGE-IT03.

Reference answer — Alert 5

Score: Q1: YES (+3) — Kerberoasting pattern is clear. Q2: YES (+3) — 15 service accounts targeted. Q3: ACTIVE (+3). Q4: YES (+2) — service account credentials at risk. Q5: STANDARD (0) — authorized test. Q6: LOW (0) — authorized test. Q7: NO (0). Q8: HIGH confidence.

Total: 11 — but classification: BENIGN TRUE POSITIVE. The detection is correct (Kerberoasting occurred), the activity is real (not a false positive), but it is authorized. Change ticket CHG-2026-0415 explicitly covers this activity.

Action: Close as BTP. Reference CHG-2026-0415 in closure documentation. Verify the testing window (10:00–12:00) matches the alert timestamp (10:30 — within window). If the activity occurred OUTSIDE the authorized window, reclassify as TP and escalate.

Alert 6: C2 beaconing — DESKTOP-NGE042

Alert: Custom Sentinel rule — Beaconing pattern detected. DESKTOP-NGE042 (j.morrison's workstation) makes HTTP connections to 45.155.205.99 every 60 seconds (±3 seconds). Started at 14:30. Consistent packet size (312 bytes).

Triage query result: DeviceNetworkEvents confirms 45 connections in 45 minutes. The destination IP has no DNS record. The process is rundll32.exe loading msedge_update.dll from C:\Users\j.morrison\AppData\Local\Temp\.

Reference answer — Alert 6

Score: Q1: YES (+3) — 60-second beaconing with consistent jitter and size is a C2 communication pattern. Q2: UNKNOWN (+2) — check for other devices connecting to same IP. Q3: ACTIVE (+3) — beaconing is ongoing. Q4: PROBABLE (+1) — j.morrison's workstation may cache credentials. Q5: IMMEDIATE (+2) — active C2 means the attacker has remote access. Q6: HIGH (+2) — C2 on an engineering workstation. Q7: UNCERTAIN (+1). Q8: HIGH confidence — rundll32.exe loading msedge_update.dll from Temp with 60-second beaconing is textbook C2.

Total: 14 — Probable/Confirmed TP. Active C2 beacon. The attacker has persistent remote access via DLL sideloading masquerading as a Microsoft Edge update.

Action: Network-isolate DESKTOP-NGE042 via Defender for Endpoint immediately. Capture memory dump (beacon configuration including C2 infrastructure is in memory). Do NOT delete the DLL — it is evidence. Escalate as CRITICAL. Check DeviceNetworkEvents for any other device connecting to 45.155.205.99.

Scoring your performance

After completing all 6 alerts, assess across four dimensions.

Classification accuracy. How many matched the reference? Target: 5/6 correct. If you scored 4/6 or below, identify which alert type you misclassified — review Section 0.2 for classification definitions or Section 0.8 for scorecard application.

Scorecard consistency. Compare your scores against the reference. Discrepancies of 1–2 points per question are normal. Discrepancies of 3+ on any question indicate a gap in how that evidence category is interpreted. Focus on Q1 (evidence of compromise) and Q3 (active vs historical) — these two questions have the highest impact on the final classification.

Speed. Target: 30–45 minutes total. If any individual alert took longer than 12 minutes, identify the bottleneck. Was it reading the alert context, running the scorecard, or deciding on containment? Each bottleneck maps to a specific section in the course for further practice.

Documentation quality. Review your triage notes. Could another analyst read them and understand what you checked, what you found, why you classified the way you did, and what actions you took? If your notes are sparse — "Checked, looks fine, closed" — they fail the documentation standard from Section 0.9.

The self-assessment isn't a pass/fail exercise. It's a diagnostic. If you consistently over-classify (calling FPs probable TPs), you'll generate unnecessary escalations that exhaust the investigation team. If you consistently under-classify (calling probable TPs as FPs), you'll miss real incidents. Neither pattern is visible from a single alert — it emerges across the queue. After this lab, you should know which direction your triage instinct leans and how the scorecard corrects for it.

Run this lab again in a week without looking at the reference answers beforehand. Your second run will be faster and your classifications will be more consistent. The improvement between run one and run two is where the scorecard methodology transitions from something you follow consciously to something that shapes how you read alerts automatically.

Common mistakes on this lab

Alert 4 — classifying a failed attack as a TP. The brute force was real but it failed. No compromise occurred. The correct response is documentation, threat intelligence (watchlist the IP), and monitoring. Full IR mobilization for a failed attack wastes resources and trains the team to over-escalate. The distinction between "the attacker tried and failed" versus "the attacker tried and succeeded" is one of the most important triage skills.

Alert 5 — dismissing a service account alert without verifying the schedule. Service accounts operating on schedule are BTPs — but only if you verify the schedule. An unverified dismissal risks closing a genuine compromise of a service account, which is among the most dangerous compromise types because service accounts have broad access and lower monitoring visibility than interactive users.

Alert 6 — not recognizing the C2 indicators. The combination of regular interval (60 seconds), consistent jitter (±3 seconds), consistent packet size (312 bytes), and a DLL loaded from Temp by rundll32.exe is a classic C2 pattern. Analysts who focus on the process name (rundll32 is legitimate) without examining the loaded DLL name and network behavior will miss the beacon.