Uncover: Pulling the evidence
Phase 2 · piece 4 of 7
What does the evidence say?
Uncover is where the investigation does its work. With Alert, Subject, and Scope established, this phase pulls telemetry (the collection and transmission of security-relevant data from remote sources for monitoring and analysis), correlates it, identifies anomalies, and surfaces root cause. The output is a coherent narrative supported by evidence.
What you will get from this chapter
Pull from the right data sources for the investigation: endpoint, network, identity, cloud, vulnerability, FIM, email, DLP, deception, and more.
Use threat intelligence appropriately: matching, attribution, TTP-driven hunting, and validating intel before acting on it.
Map findings to MITRE ATT&CK so the chain has a shared vocabulary the rest of the team can use.
Choose the right tools at the right step: SIEM, EDR, network analysis, deception, forensics, vulnerability scanners, SOAR, CSPM, data lakes.
The four pillars
Data sources
15+ telemetry sources an investigation may pull from. Knowing what each one captures (and does not) is the foundation.
Threat intelligence
Indicator matching, attribution, TTP-driven hunting, tiers and validation. How to use intel without being used by it.
MITRE ATT&CK
Tactics, techniques, procedures. The shared vocabulary for describing what an adversary did and how the chain progressed.
Tool integration
SIEM, EDR, network analysis, deception, forensics, SOAR, CSPM. The tools that make Uncover possible at scale.
Why Uncover deserves its own phase
Evidence is plural
Endpoint telemetry alone is rarely enough (an endpoint being any device that initiates network connections and runs user-facing software: laptop, desktop, server, phone, tablet; endpoints are where most adversary tradecraft eventually shows up, which is why EDR exists). Network logs alone are rarely enough. Uncover is the phase that brings sources together so the analyst can answer a question the way only correlated data can.
ATT&CK is the vocabulary
Mapping findings to MITRE ATT&CK (a globally accessible knowledge base of adversary tactics and techniques based on real-world observations, used for threat modeling and security operations) turns "the attacker did this and then this" into "T1566 → T1059.001 → T1071." That precision matters at handoff, in trend analysis, and when describing the incident to a non-technical audience.
Intel is a hypothesis source
Threat intelligence (evidence-based knowledge about existing or emerging threats, including context, mechanisms, indicators, implications, and actionable advice) is most useful as a hypothesis generator, not as ground truth. Uncover uses intel to guide what to look for, then validates with the evidence in the environment.
Tools serve the question
A common Uncover failure mode is starting with a tool ("let me run a SIEM query") instead of starting with a question. The methodology asks what the analyst needs to know, then chooses the tool that can answer it.
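The first two points above (evidence is plural; ATT&CK is the vocabulary) in working form, as an added example that is not part of the course material: a small Python correlator over constructed email, endpoint and network records that admits each ATT&CK step only when it lines up with an earlier finding on the same user or host, then renders the result as the T1566 → T1059.001 → T1071 chain. The rules, field names and sample records are assumptions made for this illustration.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry from three sources (not real incident data).
EMAIL = [{"ts": "2024-03-04T09:01:00", "user": "jdoe", "attachment": "invoice.docm"}]
ENDPOINT = [{"ts": "2024-03-04T09:03:10", "host": "WS-17", "user": "jdoe",
             "parent": "WINWORD.EXE", "image": "powershell.exe"}]
NETWORK = [{"ts": "2024-03-04T09:03:25", "host": "WS-17", "proto": "https",
            "dst": "203.0.113.9"},   # follows the PowerShell spawn on the same host
           {"ts": "2024-03-04T09:04:00", "host": "WS-22", "proto": "https",
            "dst": "203.0.113.9"}]   # same destination, but no endpoint context

def ts(s):
    return datetime.fromisoformat(s)

def within(later, earlier, window):
    """True when the later timestamp falls inside `window` after `earlier`."""
    delta = ts(later) - earlier
    return timedelta(0) <= delta <= window

def build_chain(email, endpoint, network, window=timedelta(minutes=10)):
    """Return the ordered chain as (technique_id, name, source) tuples.

    Each later step is admitted only when it correlates with an earlier
    finding (same user or host, inside the window), so no single source
    decides on its own. Technique IDs are the ones quoted in the chapter."""
    found = []  # (time, technique_id, name, source, record)
    for e in email:
        if e["attachment"].lower().endswith((".docm", ".xlsm")):
            found.append((ts(e["ts"]), "T1566", "Phishing", "email", e))
    for p in endpoint:
        from_office = p["parent"].upper() in {"WINWORD.EXE", "EXCEL.EXE"}
        delivered = any(f[1] == "T1566" and f[4]["user"] == p["user"]
                        and within(p["ts"], f[0], window) for f in found)
        if from_office and p["image"].lower() == "powershell.exe" and delivered:
            found.append((ts(p["ts"]), "T1059.001", "PowerShell", "endpoint", p))
    for n in network:
        spawned = any(f[1] == "T1059.001" and f[4]["host"] == n["host"]
                      and within(n["ts"], f[0], window) for f in found)
        if n["proto"] == "https" and spawned:
            found.append((ts(n["ts"]), "T1071", "Application Layer Protocol",
                          "network", n))
    found.sort(key=lambda f: f[0])
    return [(f[1], f[2], f[3]) for f in found]

def chain_label(chain):
    """Render the chain in the T1566 -> T1059.001 -> T1071 form."""
    return " -> ".join(tid for tid, _, _ in chain)

if __name__ == "__main__":
    print(chain_label(build_chain(EMAIL, ENDPOINT, NETWORK)))
```

The WS-22 connection is dropped because nothing on that host supports it, which is the "network logs alone are rarely enough" point in code.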
Next up
Data sources
The 15+ telemetry sources an Uncover investigation pulls from, and what each one is good for.