Effective Threat Investigation for SOC Analysts
| Principle | Description |
|-----------|-------------|
| | Start with "What must be true for this alert to be malicious?" and investigate to confirm or refute that. |
| Minimize dwell time | Keep alert-to-decision time under 5 minutes for low-severity alerts and under 30 minutes for high-severity ones. |
| Preserve evidence | Collect logs, artifacts, and a timeline before any containment action changes the host. |
| Chain of custody | Record who collected each artifact, when, and every handoff, especially if the incident may lead to legal action or an IR handoff. |
| Bias awareness | Avoid confirmation bias (assuming malicious) and alert-fatigue bias (assuming benign). |