When creating incident reports after it’s resolved, what information do you typically include outside of when the alert occurred, the steps to revolve it and what systems were affected? Did I miss anything?
There are several different formats that one can follow, and a lot of different techniques for gathering the required information. Several organizations utilize a variant of https://www.sans.org/score/incident-forms but at a minimum, I would at least start with:
-Executive Summary
-Host Details (Attacker/Victim)
-Indicators of Compromise
-Traffic Captures (pcaps)
-Kill Chain Analysis
-Courses of Actions
-General Analysis
-References
-Communications Log
1 Like
Thanks for sharing. This will help me too
Also once you decide on a template that you want to use for your different types of Incidents, even creating the Incident report can be done in an automated fashion. This is produce reports that are consistent and uniform that upper management will love. You can view more info about automating Incident Reports in this blog Creating Cybersecurity Incident Reports
1 Like
I’d add an incident timeline to the report.
1 Like
Would a timeline report just include what happened and when? Should I include any other components?
Thanks