Incident response investigations are complex efforts, shifting between chaos and order, as the incident lead maintains investigation Incident Pruning Thumbnailalignment with incident response policies, while the team chases down every possible clue, leaving no stone unturned. Without incident pruning, investigations can spin out of control within a few minutes simply due to the number of possibilities — associated indicators, adversary aliases, MITRE ATT&CK tactics or techniques, victims, attributes, sightings, etc.

In this paper, learn some of the strategies to effectively prune and investigation and maintain security operations efficiency and focus.