| Action | Tool/Data | Finding | |--------|-----------|---------| | IP reputation | VirusTotal, MISP | Known Emotet C2 (first seen 4 days ago) | | Host context | CMDB | Endpoint is a finance department laptop – high value | | User context | AD logs | User logged in from home VPN 1 hour earlier, then office 5 min later – impossible (geographic anomaly) |
| Principle | Description | |-----------|-------------| | | Start with “What must be true for this alert to be malicious?” | | Minimize dwell time | Time from alert to decision should be <5 minutes for low severity, <30 min for high. | | Preserve evidence | Collect logs, artifacts, and timeline before any containment. | | Chain of custody | Especially if incident may lead to legal action or IR handoff. | | Bias awareness | Avoid confirmation bias (assuming malicious) or alert fatigue bias (assuming benign). | effective threat investigation for soc analysts pdf