Goal: confirm if this is Noise / Exposure / Incident.
Steps:
- Validate the alert / log:
  - correct host? correct time? correct user?
- Look for pattern:
  - repetition? multiple accounts? same source?
- Identify scope quickly:
  - single endpoint vs multiple
  - standard user vs admin/service
- Decide classification:
  - Noise / Exposure / Incident

Goal: gather context without overreacting.
Collect:
- source IP / workstation
- account name + privilege
- target host/service
- time window start/end
- event IDs in sequence (timeline)

Exposure:
- document, monitor, recommend containment if needed
Incident:
- escalate immediately with a clean note
- recommend containment actions (block source, isolate host) based on org policy

A Tier-1 note must include:
- summary (1–2 lines)
- classification
- evidence (event IDs + key fields)
- timeline (simple)
- scope/impact guess (admin? DC? spread?)
- recommendation / escalation reason
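Added example (not part of these notes): a small Python helper that walks the steps above over a batch of logon events, validates them, checks pattern and scope, picks Noise / Exposure / Incident and emits the Tier-1 note fields. The sample events, host and user names, and the thresholds (five events counts as repetition; spread across accounts or hosts, or repeated privileged activity, escalates) are assumptions.

```python
from datetime import datetime

REQUIRED = ("time", "host", "user", "src", "event_id", "privileged")
# Constructed sample (names/addresses made up): four failed logons (Windows 4625)
# for a standard user, then a failed and a successful (4624) logon for a service account.
SAMPLE_EVENTS = [
    {"time": f"2024-05-01T09:00:{s:02d}", "host": "WS-17", "user": "alice",
     "src": "10.0.0.5", "event_id": 4625, "privileged": False} for s in (1, 4, 7, 10)
] + [
    {"time": "2024-05-01T09:00:13", "host": "WS-17", "user": "svc_backup",
     "src": "10.0.0.5", "event_id": 4625, "privileged": True},
    {"time": "2024-05-01T09:00:20", "host": "WS-17", "user": "svc_backup",
     "src": "10.0.0.5", "event_id": 4624, "privileged": True},
]

def validate(events):
    """Step 1: keep events that carry every key field and a parsable timestamp."""
    def ok(e):
        try:
            return all(k in e for k in REQUIRED) and datetime.fromisoformat(e["time"]) is not None
        except (TypeError, ValueError):
            return False
    return sorted(filter(ok, events), key=lambda e: e["time"])

def classify(events):
    """Steps 2-4: pattern, scope, label. Thresholds are assumptions, not from the notes."""
    ev = validate(events)
    users, hosts, srcs = (len({e[k] for e in ev}) for k in ("user", "host", "src"))
    pattern = {"repetition": len(ev) >= 5, "multiple_accounts": users > 1, "same_source": srcs == 1}
    scope = {"endpoints": hosts, "privileged": any(e["privileged"] for e in ev)}
    if pattern["multiple_accounts"] or hosts > 1 or (scope["privileged"] and pattern["repetition"]):
        label = "Incident"   # spread across accounts/hosts, or repeated privileged activity
    elif pattern["repetition"]:
        label = "Exposure"   # repeated but contained to one account and one host
    else:
        label = "Noise"
    return label, pattern, scope, ev

def tier1_note(events):
    """Tier-1 note fields: summary, classification, evidence, timeline, scope, recommendation."""
    label, pattern, scope, ev = classify(events)
    action = {"Noise": "close, no escalation",
              "Exposure": "document and monitor; containment if it recurs",
              "Incident": "escalate now; recommend blocking source / isolating host per policy"}[label]
    return {"summary": f"{len(ev)} events, {scope['endpoints']} host(s), pattern={pattern}",
            "classification": label,
            "evidence": sorted({(e["event_id"], e["user"], e["src"]) for e in ev}),
            "timeline": [f"{e['time']} {e['event_id']} {e['user']}@{e['host']}" for e in ev],
            "scope_impact": scope, "recommendation": action}
```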