DIY Guide — Volume 3

So You Want to Investigate an Incident

A field guide to incident investigation in the post-Exabot era. Required materials: Excel, sticky notes, coffee, and a working theory. Strongly recommended: Exabot Investigate.

01

Open a new Excel spreadsheet.

Name it "investigation_v1.xlsx." You will also create investigation_v2.xlsx, investigation_final.xlsx, investigation_final_FINAL.xlsx, and investigation_for_real_this_time.xlsx before the day is over. This is normal. This is process.

02

Pull the relevant logs. All of them.

From your SIEM, your EDR, your cloud provider, your firewall, and your Active Directory. Paste them into the spreadsheet. The spreadsheet will not load. Excel will freeze. You will lose columns B through AQ. Start again.

03

Correlate the logs "by eye."

Look for timestamps that match across sources. You're trying to reconstruct a timeline — the same timeline Exabot Investigate would have produced in 8 minutes using 2.3 million log lines. You are working with about 400 rows and a gut feeling.

04

Write key findings on a sticky note.

Something like "weird login @ 2am — same IP as last week?" Attach it to your monitor. You will have 11 sticky notes by end of day — two of them will be on the keyboard, and one will say "ask IT." IT does not know.

05

Open a second spreadsheet for the timeline.

A pivot table would be ideal here. You do not know how to do a pivot table. You create a table manually with columns labeled "Time," "Event," "Source," and "Vibes." The Vibes column gets the most use.

06

Identify the attacker.

You've narrowed it to a range of 4,000 IPs, two threat actor groups, and "maybe someone internal." Exabot Investigate would have named the actor, mapped the TTPs, and produced an attribution report by now. You have a sticky note and a strong suspicion.

07

Write the incident report.

It is now 7pm. The incident report is three paragraphs — two of them are "we are still investigating," and the third says "no evidence of data exfiltration." That is true in the sense that no one has found the evidence yet.

Alternatively, Exabot Investigate correlates 2.3 million log lines and names the attacker before your coffee is ready.