How do you identify and document adversarial TTPs from an intrusion artifact, and how would you translate that into a detection strategy?