TR0.12 Module Summary
Module Summary — The Triage Problem
This module established the foundation for structured incident triage across cloud, Windows, and Linux environments.
The 60-minute window (TR0.1). The first hour determines the incident outcome. Evidence decays across three categories — volatile system evidence (minutes to hours), log evidence (hours to days), and environmental state (minutes). Simultaneously, the attacker progresses from initial access through persistence to lateral movement and impact. Triage speed directly determines the quality of evidence available to the investigation team and the scope of damage the attacker achieves.
The triage decision (TR0.2). Every alert resolves to one of four classifications: true positive (escalate), false positive (close with documentation), benign true positive (close with authorisation reference), or indeterminate (treat as probable TP). The cost of missing a true positive vastly exceeds the cost of a false escalation. When uncertain, escalate.
Three environments, one methodology (TR0.3). The Triage Trinity — classify, preserve, contain — applies identically across cloud, Windows, and Linux. The tools and evidence sources differ per environment. The decision framework is the same. Cross-environment triage capability is the skill that catches attacks that traverse boundaries.
The NE attack timeline (TR0.4). CHAIN-HARVEST extended demonstrates a realistic cross-environment attack: AiTM phishing (cloud) → endpoint compromise via OneDrive sync (Windows) → database exfiltration via stolen credentials (Linux). Each boundary crossing is a triage intervention point. Single-environment triage misses boundary crossings.
Triage vs investigation (TR0.5). Triage determines IF an incident exists. Investigation determines WHO, HOW, and WHAT. The handoff between phases is the triage report — classification, preserved evidence, containment actions, and outstanding scope questions.
The triage scorecard (TR0.6). Eight questions that classify any alert within 15 minutes. Score 0-7: likely FP. Score 8-14: probable TP (preserve and escalate). Score 15-20: confirmed TP (full Triage Trinity). Q8 confidence override prevents closing uncertain alerts.
Your first triage (TR0.7). Six alerts scored against the scorecard. The classification is important; the reasoning is more important. Consistent methodology produces defensible decisions under pressure.
Key artifacts produced
- The 60-minute triage framework (classify → preserve → contain → report)
- The Triage Trinity methodology per environment
- The 8-question triage scorecard with scoring thresholds
- The cross-environment triage report template
Check My Knowledge (TR0.9). Ten questions covering:
- the 15-minute triage target and its relationship to the 60-minute evidence window
- the 4 classification types with worked examples
- the Triage Trinity sequence (classify, preserve, contain)
- the NE Training Universe attack chain with intervention points
- the triage-investigation boundary and handoff format
- the 8-question triage scorecard with scoring methodology
- common lab mistakes (MFA fatigue misclassification, service account verification, atypical travel context)
- FP cost calculation and detection tuning ROI
- the containment-on-probable-TP principle (reversible containment is always correct even when later classified as FP)
Interactive lab (TR0.7). Six alerts from the NE environment with mixed classifications:
- AiTM credential theft (confirmed TP with scorecard 16)
- impossible travel from a residential ISP (probable TP with scorecard 11)
- service account nightly activity (BTP — verify schedule before closing)
- MFA fatigue attack with all prompts denied (failed attack — password reset, not IR)
- admin role assignment (BTP — verify with Global Admin)
- atypical travel to a known NE office (FP — calendar confirms travel)
The lab tests the analyst’s ability to apply the scorecard consistently across different alert types and to differentiate between technical compromise (requiring IR escalation) and operational events (requiring documentation but not escalation).
The triage mindset
This module establishes the foundational mindset for triage — distinct from the investigation mindset:
Triage asks: “Is this real, and how urgent is it?” Investigation asks: “What exactly happened, and how do we fix it?” The triage responder makes a classification decision under time pressure with incomplete information. The investigation team performs a comprehensive analysis on preserved evidence, without the 15-minute clock. Attempting to investigate during triage (deep-diving into every anomaly, reverse-engineering every binary, tracing every connection) exceeds the 15-minute window and delays containment. Attempting to triage during investigation (making classification decisions without thorough evidence analysis) produces inaccurate conclusions.
The scorecard is a decision support tool, not a replacement for judgment. The scorecard provides structure for the classification decision — ensuring the analyst considers all 8 evidence dimensions. But the final classification is the analyst’s professional judgment. The scorecard prevents the analyst from making impulsive decisions (closing based on gut feeling) while the override mechanism (Q8) preserves the analyst’s ability to incorporate context the scorecard does not capture.
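The decision logic that the scorecard (TR0.6) and the four classifications (TR0.2) describe, as an added worked example. This is illustrative code written for this summary, not an artifact from the course. The 8 questions themselves are not reproduced on this page, so the function takes the completed total (0-20) rather than per-question answers; the parameter names q8_confident, benign_claimed and authorisation_ref, the treatment of an unverified BTP claim as indeterminate, and the change ticket reference used in the usage block are assumptions made here.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Threshold boundaries exactly as this summary states them for the TR0.6 scorecard.
FP_MAX = 7            # 0-7:   likely false positive
PROBABLE_TP_MAX = 14  # 8-14:  probable true positive (preserve and escalate)
SCORE_MAX = 20        # 15-20: confirmed true positive (full Triage Trinity)


class Classification(Enum):
    TP = "true positive"
    PROBABLE_TP = "probable true positive"
    FP = "false positive"
    BTP = "benign true positive"
    INDETERMINATE = "indeterminate"


@dataclass(frozen=True)
class TriageDecision:
    classification: Classification
    escalate: bool   # True: the alert leaves the triage queue for the investigation team
    action: str      # the analyst's next step
    reason: str      # one line suitable for the incident comment


def classify(score: int,
             q8_confident: bool = True,
             benign_claimed: bool = False,
             authorisation_ref: Optional[str] = None) -> TriageDecision:
    """Map a completed scorecard to a classification and next action.

    score              total across the 8 questions (0-20)
    q8_confident       the analyst's Q8 answer; False triggers the override (assumed parameter)
    benign_claimed     analyst believes the activity was authorised (assumed parameter)
    authorisation_ref  ticket/change/schedule reference proving that (assumed parameter)
    """
    if not 0 <= score <= SCORE_MAX:
        raise ValueError(f"scorecard total must be 0-{SCORE_MAX}, got {score}")

    # Q8 override: an alert the analyst is not confident about is never closed.
    # Indeterminate is handled as probable TP: preserve and escalate.
    if not q8_confident:
        return TriageDecision(Classification.INDETERMINATE, True,
                              "preserve evidence and escalate (treat as probable TP)",
                              f"Q8 override: score {score} but analyst not confident")

    if score > PROBABLE_TP_MAX:
        return TriageDecision(Classification.TP, True,
                              "full Triage Trinity: classify, preserve, contain, then hand off the triage report",
                              f"score {score} is in {PROBABLE_TP_MAX + 1}-{SCORE_MAX}")

    if score > FP_MAX:
        return TriageDecision(Classification.PROBABLE_TP, True,
                              "preserve evidence and escalate; reversible containment is acceptable",
                              f"score {score} is in {FP_MAX + 1}-{PROBABLE_TP_MAX}")

    # Low score. A benign true positive is real activity that someone authorised,
    # so it is only closed against the reference that proves the authorisation.
    if benign_claimed:
        if authorisation_ref:
            return TriageDecision(Classification.BTP, False,
                                  f"close with authorisation reference {authorisation_ref}",
                                  f"score {score}; activity verified as authorised")
        # Benign claimed but unverified: the lab's "verify schedule before closing" case.
        # Assumption made here: an unverified claim is indeterminate, not BTP.
        return TriageDecision(Classification.INDETERMINATE, True,
                              "do not close; verify the authorisation, otherwise preserve and escalate",
                              f"score {score}; benign claimed without an authorisation reference")

    return TriageDecision(Classification.FP, False,
                          "close with documentation of why the alert fired",
                          f"score {score} is in 0-{FP_MAX}")


if __name__ == "__main__":
    # Constructed inputs modelled on the lab alerts summarised on this page.
    samples = [
        ("AiTM credential theft", classify(16)),
        ("impossible travel, residential ISP", classify(11)),
        ("service account nightly job, schedule verified", classify(3, benign_claimed=True, authorisation_ref="CHG-0001")),
        ("service account nightly job, schedule NOT verified", classify(3, benign_claimed=True)),
        ("atypical travel, calendar confirms", classify(2)),
        ("low score, analyst not confident", classify(4, q8_confident=False)),
    ]
    for name, d in samples:
        print(f"{name}: {d.classification.value}; escalate={d.escalate}; {d.action} ({d.reason})")
```

The two low-score branches are the ones worth reading: a BTP closes only against the reference that proves the authorisation, and a low score with Q8 unanswered or unconfident never closes at all, which is the override the summary credits with preventing closed-but-wrong alerts.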
Speed is a feature, not a compromise. Fast triage is not sloppy triage. The structured workflows (5-query cloud triage, 10-command Windows triage, 3-query email triage) are DESIGNED for speed — pre-built queries, saved in Sentinel, with one parameter to change per triage. The analyst’s time is spent on result interpretation and judgment, not on query construction and data gathering. The speed comes from preparation (pre-built queries, pre-staged tools, pre-approved containment actions), not from skipping steps.
Key operational artifacts from this module
Every subsection produces at least one operational artifact — a tool, template, checklist, or reference card that the triage responder uses during production incidents. The complete artifact set from TR0:
The 60-minute evidence window framework (TR0.1) — the evidence decay timeline showing which evidence categories disappear at what rate, from CPU registers (seconds) to archival media (years). Post this on the SOC wall as a reminder of why triage speed matters.
The 4 classification definitions with worked examples (TR0.2) — TP, FP, BTP, and Indeterminate with specific NE scenarios for each. Use as the reference when the scorecard produces a borderline score and the classification is ambiguous.
The Triage Trinity sequence (TR0.3) — classify, preserve, contain. The three-step process that governs every triage regardless of environment. The sequence is fixed: never contain before classifying (you may contain the wrong thing), never skip preservation (the investigation team needs evidence).
The NE Training Universe reference (TR0.4) — the 6 attack chains (CHAIN-HARVEST, CHAIN-MESH, CHAIN-ENDPOINT, CHAIN-FACTORY, CHAIN-PRIVILEGE, CHAIN-DRIFT) that provide realistic scenarios throughout the course. Refer back to TR0.4 whenever a later module references a specific attack chain.
The triage report template (TR0.5) — the 6-section format (classification summary, findings per query, containment actions, evidence preserved, outstanding questions, scorecard) that standardises the handoff from triage to investigation. Create this as a Sentinel incident comment template for your SOC.
The 8-question triage scorecard (TR0.6) — the decision support tool with scoring methodology, threshold boundaries, the Q8 override mechanism, calibration exercises, and deployment guidance. The scorecard is the single most important process artifact in the course — it standardises the classification decision across all analysts, shifts, and alert types.
The module’s position in the course. TR0 establishes the methodology that every subsequent module builds on. The 4 classifications (TR0.2) are used in every lab and every triage procedure in TR2-TR4. The Triage Trinity (TR0.3) governs every containment decision. The triage scorecard (TR0.6) is scored in every lab scenario. The triage report format (TR0.5) is the handoff document produced at the end of every confirmed TP triage. Mastering TR0’s concepts is a prerequisite for effective performance in the environment-specific modules.
The preparation investment from this module. Three actions to complete before starting TR2: (1) create the triage scorecard as a Sentinel incident comment template — 15 minutes of setup that saves 2 minutes on every future triage. (2) Build the triage report template with the 6-section format — 10 minutes of setup that standardises every handoff. (3) Memorise the 8 scorecard questions so you can score without consulting the reference card — practice with 5 historical incidents from your Sentinel queue. These three preparations transform TR0’s concepts from theoretical knowledge into operational muscle memory.
The scorecard reference card (TR0.6). The 8 questions with their scoring methodology, the threshold boundaries (0-7 FP, 8-14 probable TP, 15-20 confirmed TP) and the Q8 override mechanism on a single page. Print one for each analyst’s desk until the scorecard is memorised.
What comes next
TR1 — Evidence Volatility and the Preservation Hierarchy. With the triage methodology established, the next module teaches what evidence exists in each environment, how quickly it disappears, and the exact sequence for preserving it. TR1 provides the evidence collection knowledge that the Triage Trinity’s “preserve” phase requires.