Transition to Subject
What the transition is for
The handoff between phases is where investigations either gather momentum or stall. A clean Alert-to-Subject transition does three things:
- Hands forward structured alert data: parsed metadata, validated signal, detection mechanism context.
- Identifies the entities: primary, secondary, and high-value targets that need Subject-phase analysis.
- Frames investigative parameters: analysis depth, time window, escalation thresholds.
Three deliverables from Alert
By the time you leave the Alert phase, you should have:
Technical foundation
- Detection mechanism analysis, what fired, by what logic, with what confidence.
- Structured alert data, normalized fields: processes, commands, hashes, identifiers.
- Validation results, the four-dimensional check on signal fidelity.
- Telemetry correlation, cross-platform context tying the alert to its environment.
Contextual intelligence
- Baseline analysis, how this activity compares to the entity's history.
- Attack chain reconstruction, any multi-event correlation that emerged during validation.
- Threat intelligence fusion, campaign attribution, TTP mapping where applicable.
- Temporal context, the chronology of what happened, in what order.
Initial risk framing
- Asset criticality classification, business value of the systems involved.
- Regulatory mapping, applicable compliance regimes (SOX, HIPAA, GDPR, PCI DSS).
- Business impact framing, first-pass estimate of operational, financial, reputational consequence.
- Escalation criteria, thresholds defined; Subject and later phases test them.
Preparing for Subject analysis
Alert told you what fired. Subject asks who acted. To make that question answerable, organize three things before you start.
Entity identification
From the parsed Alert data, list every entity (a person, system, or organization that interacts with or affects a security incident) that touched the activity:
- Primary entities: users, systems, services directly named in the detection.
- Secondary entities: related accounts, connected systems, dependent services that may have been affected.
- High-value targets: critical assets or privileged accounts that could become targets for lateral movement. Lateral movement, the adversary's traversal from the initial-access host to other hosts inside the environment, often piggybacks on legitimate authentication, which is what makes it hard to detect; each hop expands the blast radius and adds new entities for Subject analysis.
Context requirements
The Subject phase needs organizational context the Alert phase didn't have to assemble:
- User role information: job functions, department, business responsibilities.
- System classifications: criticality ratings, data sensitivity, operational importance.
- Relationship mappings: network connectivity, access dependencies, trust relationships.
Investigation parameters
Set the shape of the Subject-phase work before you start:
- Analysis depth: how much behavioral, authorization, authentication, and relationship analysis is the alert worth?
- Time boundaries: historical window for baseline comparison and pattern detection.
- Escalation thresholds: what would the Subject phase need to find for you to skip ahead and escalate?
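As an added example, not code from the original chapter, the three preparation steps above expressed as a handoff builder: it takes a constructed normalized alert plus constructed asset and identity context, sorts the entities into the primary, secondary and high-value tiers, and derives the analysis depth, baseline window and escalation test. Every name, field and threshold here is an assumption for illustration.

```python
from dataclasses import dataclass

# Constructed sample: a normalized alert as the Alert phase hands it forward (assumed fields).
ALERT = {
    "rule": "Suspicious remote service creation",
    "confidence": 0.8,                 # signal fidelity from the Alert-phase validation
    "host": "ws-finance-07",
    "user": "jdoe",
    "process": "sc.exe",
    "related_hosts": ["srv-db-01"],    # systems the activity reached or depended on
    "related_users": ["svc_backup"],   # accounts seen alongside the primary user
}

# Constructed organizational context the Subject phase needs (criticality, privilege).
ASSETS = {"ws-finance-07": {"criticality": "medium"}, "srv-db-01": {"criticality": "high"}}
IDENTITIES = {"jdoe": {"role": "analyst", "privileged": False},
              "svc_backup": {"role": "service", "privileged": True}}


@dataclass
class SubjectHandoff:
    primary: list          # entities directly named in the detection
    secondary: list        # related accounts / systems that may have been affected
    high_value: list       # critical assets or privileged accounts among all entities touched
    analysis_depth: str    # how much behavioral / authorization / relationship analysis to do
    baseline_days: int     # historical window for baseline comparison
    escalate_now: bool     # escalation threshold already met before Subject work starts


def build_handoff(alert, assets, identities, high_conf=0.7, baseline_days=30):
    """Assemble the Alert-to-Subject handoff from alert data and org context (assumed logic)."""
    primary = [alert["host"], alert["user"]]
    secondary = list(alert.get("related_hosts", [])) + list(alert.get("related_users", []))
    # High-value targets: any touched entity that is a critical asset or a privileged account.
    high_value = [e for e in primary + secondary
                  if assets.get(e, {}).get("criticality") == "high"
                  or identities.get(e, {}).get("privileged")]
    # Analysis depth scales with signal confidence and whether a high-value target is in scope.
    depth = "deep" if high_value or alert["confidence"] >= high_conf else "standard"
    # Escalation threshold (assumed): a confident signal touching a high-value target escalates.
    escalate = bool(high_value) and alert["confidence"] >= high_conf
    return SubjectHandoff(primary, secondary, high_value, depth, baseline_days, escalate)


if __name__ == "__main__":
    print(build_handoff(ALERT, ASSETS, IDENTITIES))
```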
Ready to check your understanding?
The Alert chapter ends with a five-question quiz that tests how you would apply what you have learned to fresh scenarios.