Too Long; Didn't Read
The first step is to become familiar with attacker TTPs (tactics, techniques and procedures), the things real attackers actually do. If your organization has an application that runs on several servers, you need to get familiar with the behavior of the admins of these servers and the operation of the servers. When you feel you understand the technology, you're probably done. When you know what technology or security solutions you have in your environment I will try to stay general and give broad advice here. The advice that you find online isn’t pragmatic. It’s hard to find advice that can directly apply to your environment or systems.