Check My Knowledge

3-4 hours · Module 0 · Free

Scenario 1. An alert fires at 09:14 for a suspicious sign-in from a Tor exit node for j.morrison. You check SigninLogs and find j.morrison also has an active legitimate session from the Bristol office at the same time. MFA was satisfied via a push notification. Using the triage scorecard, how does the dual-session finding affect your classification?

(a) It reduces the score because the active Bristol session proves the account is still under the user's control, suggesting the Tor session may be a VPN misconfiguration.
Two concurrent sessions from two locations — one being a Tor exit node — disproves the VPN explanation. A VPN replaces the user's IP; it does not create a parallel session. The dual session is evidence of compromise, not evidence against it.

(b) It scores Q1 (evidence of compromise beyond the alert) as YES because two simultaneous sessions from incompatible locations — one a Tor exit node — is a corroborating indicator of token replay or session hijacking.
Correct. The dual session answers Q1 definitively. The legitimate Bristol session disproves VPN or travel explanations because the user cannot physically be in both locations. Combined with the Tor exit node, this is a strong indicator of AiTM token theft or session hijacking. The MFA push confirmation does not rule out compromise — the attacker may have replayed a captured token rather than authenticating interactively.

(c) It scores Q3 (active or historical) as ACTIVE but does not affect Q1 because the dual session is already explained by the alert itself, not by additional evidence.
The dual session is additional evidence beyond the alert. The alert reported a suspicious sign-in from Tor. The analyst discovered the concurrent Bristol session through enrichment. That enrichment finding changes the classification — it is exactly the kind of corroborating indicator Q1 is designed to capture.
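The enrichment step behind Scenario 1, written out as an added example (not the course's own code): given sign-in records, find concurrent sessions for the alerted user from a different location than the alert sign-in, and answer Q1 from that. The record layout, the sample rows and the Tor-exit flag are constructed placeholders standing in for a SigninLogs query; note that MFA status is deliberately not used to clear the finding, for the reason the answer gives.

```python
"""Q1 enrichment check: does the alerted user have a concurrent sign-in from a
second, incompatible location? Added example with constructed data; the SignIn
layout and sample rows are assumptions, not real SigninLogs output."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SignIn:
    user: str
    time: datetime
    location: str       # resolved geo or office label from enrichment
    ip: str
    tor_exit: bool      # enrichment flag: source IP was a known Tor exit
    mfa_satisfied: bool


def t(hh, mm):
    """Timestamp helper; the date is arbitrary, only the times matter."""
    return datetime(2024, 1, 1, hh, mm)


# Constructed sample rows. 203.0.113.7 is a documentation address used here
# as a placeholder Tor exit, not a real exit node.
SAMPLE = [
    SignIn("j.morrison", t(8, 52), "Bristol office", "198.51.100.20", False, True),
    SignIn("j.morrison", t(9, 14), "Unknown", "203.0.113.7", True, True),
    SignIn("a.patel", t(9, 10), "Bristol office", "198.51.100.21", False, True),
    SignIn("a.patel", t(9, 40), "Bristol office", "198.51.100.21", False, True),
    SignIn("k.lee", t(9, 5), "Home broadband", "192.0.2.33", False, True),
]


def concurrent_sessions(events, user, alert_time, window=timedelta(minutes=60)):
    """Sign-ins for `user` within `window` of the alert whose location differs
    from the alert sign-in's location. A VPN changes the user's IP; it does not
    add a parallel session, so a second in-window location is a corroborating hit."""
    mine = [e for e in events if e.user == user and abs(e.time - alert_time) <= window]
    alert = [e for e in mine if e.time == alert_time]
    if not alert:
        return []
    return [e for e in mine if e.location != alert[0].location]


def score_q1(events, user, alert_time):
    """Return (q1_yes, reason) for the scorecard's Q1 (evidence beyond the alert).
    mfa_satisfied is intentionally ignored: a replayed token also shows MFA
    satisfied, so it cannot exonerate the session."""
    others = concurrent_sessions(events, user, alert_time)
    if not others:
        return False, "no concurrent session from another location"
    alert = next(e for e in events if e.user == user and e.time == alert_time)
    where = others[0].location
    if alert.tor_exit:
        return True, f"concurrent session from {where} while alert source is a Tor exit"
    return True, f"concurrent session from {where}"


if __name__ == "__main__":
    print(score_q1(SAMPLE, "j.morrison", t(9, 14)))  # Q1 YES, Tor corroboration
    print(score_q1(SAMPLE, "a.patel", t(9, 40)))     # Q1 NO, same office twice
```

Two same-office sign-ins (a.patel) do not count as a dual session; only a second location inside the window does, and the Tor flag on the alert sign-in is reported alongside it so the triage report carries both facts.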

Scenario 2. Your scorecard produces a total of 11 (probable TP) for a credential access alert. Your confidence is low because the user is on annual leave and unreachable for verification. What is the correct action per the scorecard methodology?

(a) Close the alert as indeterminate and schedule re-triage when the user returns from leave.
Waiting for user verification delays the response while the attacker — if this is real — continues operating. The scorecard already scored 11 based on available evidence. The user's absence is a reason for lower confidence, not a reason to defer classification. Evidence decays during the wait.

(b) Reduce the score by 3 points to account for the uncertainty, producing a score of 8, and monitor without containment.
The score reflects the evidence you have. Low confidence reflects evidence you do not have. These are separate dimensions — you do not adjust one to compensate for the other. Artificially reducing the score masks the actual risk level in the incident record.

(c) Escalate immediately. Q8 (confidence override) requires that low confidence on a score of 8 or above triggers escalation. Begin evidence preservation while documenting the uncertainty.
Correct. Q8 is the confidence override — low confidence plus a score in the probable TP range means escalate, not wait. The triage report documents the specific uncertainty ("user unreachable — classification pending verification") so the investigation team knows what remains unconfirmed. Preservation begins immediately because volatile evidence does not wait for the user's return.

Scenario 3. An attack at NE crosses from Entra ID (AiTM phishing) to a Windows endpoint (malicious DLL via OneDrive sync) to Linux (SSH to a database server using stolen credentials). The identity team triages the cloud alert and revokes the user's session tokens. Is the incident contained?

(a) Yes — revoking cloud session tokens removes the attacker's access, which stops the attack chain at its origin.
Cloud containment stops cloud access only. The endpoint DLL executes independently of the cloud session — it was downloaded via OneDrive sync and runs locally. The SSH session to Linux uses stolen credentials, not the cloud token. Two of three attack surfaces remain active after cloud-only containment.

(b) No — the endpoint compromise and Linux access operate independently of the cloud session. Containment must be executed in all three environments: cloud (session revocation), Windows (device isolation), and Linux (network block plus account disable).
Correct. Each boundary crossing created an independent access path. The malicious DLL on the endpoint executes regardless of cloud session status. The SSH session uses stolen credentials, not the revoked cloud token. This is why cross-environment triage matters — the identity team correctly triaged their environment, but the attacker retained access through two other paths that require separate containment actions.

(c) Partially — cloud containment stops new activity, but the existing endpoint and Linux compromises only need investigation, not additional containment.
Active compromises require containment, not just investigation. The DLL is executing on the endpoint now. The SSH session to the database server is open now. Waiting for investigation to complete before containing means the attacker continues operating in both environments during the investigation window.

Scenario 4. Your L1 analyst has been working on an alert for 14 minutes. The scorecard scores 6 (likely FP range) but the analyst has a nagging feeling about one anomaly — the user's device compliance status changed from compliant to non-compliant 20 minutes before the alert fired. The analyst wants to investigate the compliance change. What should the analyst do?

(a) Document the compliance anomaly in the triage report, classify as indeterminate (treating as probable TP), and escalate. The compliance change is exactly the kind of contextual signal that Q8's confidence override captures — the score says FP but the evidence pattern does not feel right.
Correct. The Q8 override exists for this situation. The scorecard scored 6 based on the questions asked, but the compliance timing anomaly is a contextual signal the scorecard does not directly measure. Escalating with documented reasoning ("scorecard 6 but compliance state change at T-20 is unexplained") is the correct use of professional judgment within the structured methodology.

(b) Close as FP per the scorecard — the score is 6, which falls in the likely FP range. Gut feelings are not evidence.
The compliance state change is not a gut feeling — it is observable evidence that the analyst discovered through enrichment. The scorecard provides structure, but it does not capture every possible indicator. Q8's override mechanism exists precisely because the eight scored questions cannot cover every scenario. Ignoring evidence because it does not fit a scored question defeats the purpose of analyst judgment.

(c) Investigate the compliance change before classifying — spend another 10 minutes querying IntuneDeviceComplianceOrg and DeviceEvents to determine what caused the change.
This is investigation work on triage time. The analyst is at 14 minutes against a 15-minute triage boundary. Deep-diving into the compliance change delays every alert behind this one in the queue. The correct action is to document the anomaly and escalate — the investigation team has the time and tools to determine whether the compliance change is related.

Scenario 5. A penetration tester (a.patel) runs an authorised Kerberoasting attack during an approved testing window. Defender for Identity fires a credential access alert. The scorecard produces a score of 14. What is the correct classification?

(a) False positive — the detection rule incorrectly fired on legitimate testing activity. Document as FP and request a rule exclusion for a.patel during testing windows.
The rule fired correctly — it detected real Kerberoasting activity. The detection is accurate. An FP classification means the rule identified something that did not actually happen. In this case, the Kerberoasting did happen. Classifying as FP corrupts the FP rate metric and may lead to inappropriate rule tuning.

(b) True positive — the scorecard produced 14, which is in the probable TP range. Follow the standard escalation path regardless of the testing context.
The score reflects the technical indicators, which are real. But the context — authorised testing during an approved window — means this activity does not require incident response. Escalating a known authorised test wastes the investigation team's time and teaches analysts that escalation is sometimes pointless, which undermines escalation compliance for real incidents.

(c) Benign true positive — the detection is accurate (real Kerberoasting occurred), the activity is authorised (approved testing window), and the alert should be closed with documentation referencing the testing authorisation.
Correct. BTP classification means the detection rule worked correctly and the activity is real but authorised. The documentation must reference the specific authorisation — testing window approval, tester identity, scope. This classification preserves the rule's TP rate accuracy, documents the authorisation for audit, and does not generate an unnecessary escalation.
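The decision rules exercised by Scenarios 2, 4 and 5, collected into one added example (not the course's own scorecard): score bands, the Q8 confidence override in both directions (low confidence on a probable TP escalates rather than waits; an unexplained contextual anomaly on a likely-FP score is treated as indeterminate and escalated), and the benign true positive path for authorised activity. The band boundaries are taken from the scenarios (probable TP 8–14, confirmed TP 15+); the function and field names are assumptions.

```python
"""Triage scorecard decision logic. Added example; thresholds come from the
scenarios on this page, the Triage/Decision fields are assumed names."""
from dataclasses import dataclass, field

PROBABLE_TP_MIN = 8    # probable TP range is 8-14
CONFIRMED_TP_MIN = 15  # confirmed TP is 15+


@dataclass
class Triage:
    score: int
    confidence: str                 # "high" or "low"
    unexplained_anomaly: str = ""   # contextual signal the eight questions do not score
    authorised_activity: str = ""   # reference to an approved testing window, if any


@dataclass
class Decision:
    classification: str
    actions: list = field(default_factory=list)
    notes: list = field(default_factory=list)


def decide(t: Triage) -> Decision:
    """Map a completed scorecard to a classification and the actions to take.
    Low confidence never lowers the score and never defers classification."""
    # Rule fired correctly on real but authorised activity: benign true positive.
    # Close with the authorisation cited; no escalation, no FP metric pollution.
    if t.authorised_activity:
        return Decision("benign true positive",
                        ["close with documentation"],
                        [f"authorisation: {t.authorised_activity}"])

    if t.score >= CONFIRMED_TP_MIN:
        cls = "confirmed TP"
    elif t.score >= PROBABLE_TP_MIN:
        cls = "probable TP"
    else:
        cls = "likely FP"

    if cls == "likely FP":
        if t.unexplained_anomaly:
            # Q8 override, upward: the score says FP but an observed, unexplained
            # signal is evidence. Document it, treat as probable TP, escalate.
            return Decision("indeterminate (treat as probable TP)",
                            ["preserve evidence", "escalate"],
                            [f"scorecard {t.score} but {t.unexplained_anomaly} is unexplained"])
        return Decision(cls, ["close as FP with tuning notes"])

    # Probable or confirmed TP: preserve, contain per threshold, escalate.
    d = Decision(cls, ["preserve evidence", "contain", "escalate"])
    if t.confidence == "low":
        # Q8 override: low confidence on a score of 8+ is documented and
        # escalated, not used as a reason to wait or to reduce the score.
        d.notes.append("low confidence: classification pending verification")
    return d


if __name__ == "__main__":
    print(decide(Triage(11, "low")))                                      # Scenario 2
    print(decide(Triage(6, "high", "device compliance change at T-20")))  # Scenario 4
    print(decide(Triage(14, "high", authorised_activity="approved pentest window")))  # Scenario 5
```

The two things the wrong answers get wrong are encoded as non-behaviour: there is no branch that subtracts points for low confidence, and no branch that closes a likely-FP score while an unexplained anomaly is on record.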

Scenario 6. NE's SOC processes 50 alerts per day with a 58% false positive rate. Each FP takes 8 minutes to triage. The SOC lead proposes hiring an additional L1 analyst to handle the volume. What is the more effective action?

(a) Hire the analyst — the alert volume requires additional capacity regardless of the FP rate.
Adding an analyst scales the waste. At 58% FP, 29 of the 50 daily alerts are false positives consuming 232 minutes of analyst time. A new hire processes the same FPs faster but does not reduce the FP count. The underlying problem — noisy detection rules — persists and grows as new rules are added.

(b) Tune the top 3 noisiest detection rules first. Identify the rules generating the most FPs from triage documentation and submit tuning requests with the specific FP conditions. Reducing the FP rate from 58% to 30% eliminates 14 daily FPs and recovers 112 minutes of analyst time — equivalent to adding capacity without adding headcount.
Correct. Detection tuning addresses the root cause. The triage documentation from each FP closure identifies which rules fire on what conditions — this is the data the detection engineering team needs to write exclusions or adjust thresholds. Tuning the top 3 rules typically produces disproportionate improvement because FP volume follows a power-law distribution — a small number of rules generate most of the noise.

(c) Auto-close all low-severity alerts to reduce the queue and focus analyst time on medium and high severity.
Low-severity alerts can indicate real threats. Attackers frequently trigger low-severity detections during reconnaissance and credential probing. Auto-closing by severity hides threats instead of reducing noise. The correct approach is to reduce the FP count through tuning, not to stop looking at categories of alerts.

Scenario 7. A triage responder classifies an alert as probable TP (scorecard 13) and executes containment — session revocation and device isolation. The investigation team later determines the alert was a false positive. The affected user was locked out for 45 minutes. Was the containment decision wrong?

(a) No. The containment was correct based on the information available at triage time. Containment actions are reversible — the investigation team re-enabled the account and released isolation once the FP was confirmed. The 45-minute disruption is the designed cost of the contain-on-probable-TP policy, which is cheaper than the alternative of not containing a real breach.
Correct. The triage system is designed to produce some unnecessary containment. A scorecard of 13 falls in the probable TP range where containment is the expected action. The cost asymmetry is clear: 45 minutes of user disruption versus potentially unlimited damage from an uncontained breach. Reversible containment is a safety net, and safety nets sometimes catch things that did not need catching.

(b) Yes — containment should only be executed on confirmed TPs (scorecard 15+) to avoid business disruption.
Restricting containment to confirmed TPs means waiting for more evidence while the attacker operates. The probable TP range (8–14) exists because the evidence strongly suggests compromise but is not conclusive. Waiting for conclusive evidence before containing is the equivalent of waiting for the fire to be confirmed before pulling the alarm — the delay is the damage.

(c) It depends on the user's role — containment for a standard user may have been disproportionate.
The user's role affects the impact of containment but not the containment decision. A scorecard of 13 triggers containment regardless of role. The triage responder's job is to classify and contain based on the evidence. Business impact assessment happens during investigation, not during the 15-minute triage window.

Scenario 8. You are triaging an alert at 02:30 on a Saturday. The scorecard produces a score of 12 (probable TP). Your on-call IR analyst is reachable but was called out for a separate incident 3 hours ago. What is the correct approach?

(a) Handle the triage and initial investigation yourself to avoid overloading the on-call analyst. Escalate only if you confirm the TP.
Extending triage into investigation delays the handoff and stalls the alert queue — this is triage creep. The scorecard scored 12, which is in the probable TP range. The correct action is to complete the Triage Trinity and escalate. The on-call analyst's current workload is their problem to manage, not a reason to change the triage methodology.

(b) Begin evidence preservation immediately — volatile evidence degrades regardless of the day or time. Execute containment per the scorecard threshold. Produce the triage report and escalate to the on-call IR contact with full documentation. A score of 12 triggers the same response at 02:30 Saturday as it does at 10:00 Monday.
Correct. Evidence does not wait for convenient hours and the triage methodology does not adjust for weekends. The on-call analyst receives a complete triage report with classification, preserved evidence, containment actions, and outstanding questions — the same handoff format used during business hours. If the on-call analyst is saturated, that is an escalation to the IR manager, not a reason for the triage responder to change their process.

(c) Document and monitor until business hours — a probable TP with a score of 12 is not urgent enough to justify a weekend escalation.
A probable TP is a probable TP regardless of when it fires. Waiting until Monday morning means 30+ hours of potential attacker activity, 30+ hours of evidence decay, and 30+ hours of uncontained risk. The 60-minute window from Section 0.1 does not pause for weekends.