What to include in your incident reports

When creating incident reports after it’s resolved, what information do you typically include outside of when the alert occurred, the steps to revolve it and what systems were affected? Did I miss anything?

hi @SecNinja, nice avatar!
Welcome to the community!

@SwedishMike any recommendations?


There are several different formats that one can follow, and a lot of different techniques for gathering the required information. Several organizations utilize a variant of https://www.sans.org/score/incident-forms but at a minimum, I would at least start with:
-Executive Summary
-Host Details (Attacker/Victim)
-Indicators of Compromise
-Traffic Captures (pcaps)
-Kill Chain Analysis
-Courses of Actions
-General Analysis
-Communications Log

1 Like

Thanks for sharing. This will help me too

Also once you decide on a template that you want to use for your different types of Incidents, even creating the Incident report can be done in an automated fashion. This is produce reports that are consistent and uniform that upper management will love. You can view more info about automating Incident Reports in this blog Creating Cybersecurity Incident Reports

1 Like

I’d add an incident timeline to the report.

1 Like


Would a timeline report just include what happened and when? Should I include any other components?