by Mostafa Yahia is a primary resource that covers examining attacker techniques through email, firewall, and proxy logs. A free sample chapter on email threats is available online.

Strategic Frameworks

11 Strategies of a World-Class SOC (MITRE)

Once an alert is confirmed as worthy of investigation, the analyst enters the core investigative phase. This involves collecting evidence, analyzing logs, enriching indicators with threat intelligence, and forming hypotheses about attacker behavior. A hypothesis is a testable assumption about adversary activity in your environment; it focuses on tactics, techniques, and procedures (TTPs) rather than on indicators of compromise (IOCs) alone, because a behavior pattern still fires when the specific domain or hash is new.