Module Summary
What you built in this module
Module 0 established the triage methodology that every subsequent module builds on. Here's what each section delivered.
Section 0.1 — The 60-Minute Window. The business case for triage speed. Evidence decays on a predictable timeline — volatile memory in minutes, authentication tokens in hours, log data in days. The attacker advances through persistence, lateral movement, and data staging during the same window. The KQL session snapshot query gave you a production tool that captures the current state of a compromised identity within seconds of alert firing.
Section 0.2 — The Triage Decision. Four classification outcomes: true positive (escalate), false positive (close with documentation), benign true positive (close with authorization reference), and indeterminate (treat as probable TP). The cost asymmetry between a missed TP and a false escalation makes the "when uncertain, escalate" principle the rational default. You saw the KQL classification distribution query that measures your SOC's actual TP/FP/BTP ratio.
Section 0.3 — Three Environments, One Methodology. The Triage Trinity — classify, preserve, contain — applies identically across Entra ID, Windows endpoints, and Linux servers. The tools differ per environment. The decision framework does not. The cross-environment correlation query demonstrated how a single identity event links cloud, endpoint, and infrastructure telemetry within one triage window.
Section 0.4 — The NE Attack Timeline. CHAIN-HARVEST extended: AiTM phishing in Entra ID, endpoint compromise via OneDrive sync, database exfiltration via stolen SSH credentials. Five intervention points where triage could have interrupted the chain. Each boundary crossing — cloud to endpoint, endpoint to Linux — represents a point where single-environment triage fails and cross-environment capability matters.
Section 0.5 — Hybrid Environment Mapping and Asset Prioritization. The 5-question KQL snapshot that maps an organization's hybrid environment in under 10 minutes: identity provider, endpoint management, cloud workloads, network boundaries, and critical asset inventory. The 3-tier classification system (Tier 1 crown jewels, Tier 2 business operations, Tier 3 general) that determines containment priority when multiple systems are compromised simultaneously.
Section 0.6 — Legal, Regulatory, and Chain-of-Custody. GDPR's 72-hour supervisory-authority notification window, NIS2's 24-hour early warning, the SEC's four-business-day disclosure deadline that runs from the materiality determination, and DORA's 4-hour initial notification deadline, which runs from the moment an incident is classified as major. The chain-of-custody Bash script that creates tamper-evident evidence packages with SHA-256 hashing. Triage decisions carry legal weight — the classification determines which regulatory clock starts.
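Section 0.6's script is not reproduced on this summary page. The following is an added example, not the course's own script, of the technique it describes: a per-file SHA-256 manifest, an archive of the evidence tree, a top-level hash file covering both, and an append-only custody log, plus a verifier that re-checks all of it. The function names, file layout, case ID format and log fields are assumptions made for this example; it assumes GNU coreutils (sha256sum, sort -z) and tar with gzip support.

```bash
#!/usr/bin/env bash
# Added example (not the course's own script): tamper-evident evidence packaging
# with SHA-256 hashing and a simple custody log. Assumes GNU coreutils and tar.
set -eu

# package_evidence <source_dir> <package_dir> <case_id> <collector>
# Produces, under <package_dir> (layout is an assumption of this example):
#   <case_id>.tar.gz    archive of the evidence tree
#   <case_id>.manifest  SHA-256 of every file inside the archive (relative paths)
#   <case_id>.sha256    SHA-256 of the archive and of the manifest
#   <case_id>.custody   append-only log: when, action, who, archive hash, source
package_evidence() {
  local src="$1" out="$2" case_id="$3" collector="$4"
  local archive manifest archive_hash
  mkdir -p "$out"
  archive="$out/$case_id.tar.gz"
  manifest="$out/$case_id.manifest"

  # Per-file hashes first, computed inside the tree so the manifest holds
  # relative paths that match what tar stores.
  ( cd "$src" && find . -type f -print0 | sort -z | xargs -0 sha256sum ) > "$manifest"
  tar -czf "$archive" -C "$src" .

  # Top-level hashes cover both the archive and the manifest, so neither can be
  # swapped without the mismatch showing up at verification time.
  ( cd "$out" && sha256sum "$case_id.tar.gz" "$case_id.manifest" ) > "$out/$case_id.sha256"

  archive_hash=$(sha256sum "$archive" | cut -d' ' -f1)
  printf '%s\tCOLLECTED\t%s\t%s\t%s\n' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$collector" "$archive_hash" "$src" \
    >> "$out/$case_id.custody"
}

# verify_package <package_dir> <case_id>
# Returns 0 only if the archive and manifest still match the recorded top-level
# hashes AND every file inside the archive matches the per-file manifest.
verify_package() {
  local out case_id manifest tmp
  out=$(cd "$1" && pwd)            # absolute path; we cd elsewhere below
  case_id="$2"
  manifest="$out/$case_id.manifest"

  ( cd "$out" && sha256sum --check --status "$case_id.sha256" ) || return 1

  tmp=$(mktemp -d)
  if tar -xzf "$out/$case_id.tar.gz" -C "$tmp" \
     && ( cd "$tmp" && sha256sum --check --status "$manifest" ); then
    rm -rf "$tmp"
    printf '%s\tVERIFIED\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(id -un)" \
      >> "$out/$case_id.custody"
    return 0
  fi
  rm -rf "$tmp"
  return 1
}

# Stand-alone demo on constructed files:  bash evidence.sh demo
if [ "${1:-}" = "demo" ]; then
  work=$(mktemp -d)
  mkdir -p "$work/evidence/logs"
  printf 'constructed sign-in log line\n' > "$work/evidence/logs/signin.log"
  package_evidence "$work/evidence" "$work/pkg" INC-0001 analyst1
  verify_package "$work/pkg" INC-0001 && echo "package verified"
  cat "$work/pkg/INC-0001.custody"
fi
```

The check a practitioner should add on top of this: the .sha256 file and the custody log sit next to the archive, so anyone with write access to the package directory can regenerate all of them consistently. Tamper evidence comes from recording the archive hash out of band at collection time (in the ticket, or in a signed custody record), and comparing against that copy when the package is handed to investigation.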
Section 0.7 — Triage vs Investigation. The boundary between triage ("is this real?") and investigation ("what exactly happened?"). Triage creep — continuing into investigation activities instead of completing the handoff — blocks the investigation team and stalls the alert queue. The structured handoff artifact with six sections that transfers context without requiring a verbal briefing.
Section 0.8 — The Triage Scorecard. Eight questions that classify any alert within 15 minutes. Scoring thresholds: 0–7 likely FP, 8–14 probable TP (preserve and escalate), 15–20 confirmed TP (full Triage Trinity). The Q8 confidence override prevents closing uncertain alerts. You scored CHAIN-HARVEST through the scorecard (16/20) and calibrated against reference classifications.
Section 0.9 — The Triage Report Template. Five sections: executive summary, triage findings, containment actions, evidence inventory, and outstanding questions. The worked CHAIN-HARVEST report demonstrated dual-audience writing — technical detail for the investigation team, business impact for leadership. The KQL report header automation query pre-populates incident metadata so the analyst writes analysis, not boilerplate.
Section 0.10 — Your First Triage. Six NE alerts scored against the scorecard: impossible travel, inbox rule creation, credential access on a domain controller, failed brute force, Kerberoasting during a testing window, and C2 beaconing. The lab tested consistent methodology across different alert types — the classification matters, but the documented reasoning matters more.
The methodology you now own
Three operational artifacts came out of this module that you will use in every triage from this point forward. The 8-question scorecard standardises the classification decision across analysts, shifts, and alert types. The 5-section report template standardises the handoff from triage to investigation. The Triage Trinity sequence — classify, preserve, contain — governs the order of operations regardless of environment or alert severity.
The scorecard is not a checklist to follow mechanically. It is a decision support tool that ensures you check specific evidence dimensions before classifying. The override mechanism preserves your professional judgment when the score does not match what the evidence is telling you. The discipline is in the process, not in blind adherence to a number.
What comes next
TR1 — Evidence Volatility and the Preservation Hierarchy. With the triage methodology established, the next module teaches what evidence exists in each environment, how quickly it disappears, and the exact sequence for preserving it. The Triage Trinity's "preserve" phase requires knowing which evidence sources matter and which ones vanish first. TR1 provides that knowledge — volatile memory, authentication state, log retention windows, and the collection scripts that capture each category before it decays.