Report Templates

Comprehensive Incident Report Template

Creating a structured and detailed incident report is essential for effective communication and decision-making. Below is a standardized template to ensure clarity, thoroughness, and professionalism.

1. Table of Contents

Provide a structured overview of the report’s sections along with corresponding page numbers.

Example:

  1. Incident Background .............................. 1

  2. Findings ............................................. 2

  3. Recommendations ............................. 3

  4. Timeline ............................................. 4

  5. Appendices ......................................... 5

2. Incident Background

Purpose: Summarize the incident and initial detection steps.

Key Points to Include:

  • Detection Method: Describe how the incident was first identified (e.g., SIEM alert, user report).

  • Initial Actions: Briefly outline immediate response steps.

  • Time Information: Use consistent time formatting (e.g., UTC or GMT).

Example: On June 12, 2023, at 14:32 UTC, a suspicious login attempt was flagged by the SIEM system originating from an external IP address. The SOC team immediately isolated the affected workstation for further analysis.

3. Findings

Purpose: Present investigation results clearly and concisely.

Key Points to Include:

  • Malware or Tools Identified: Names, hashes, and file paths.

  • Compromised Hosts: List all affected systems.

  • Attack Vectors: Describe entry points and methods used.

  • Indicators of Compromise (IOCs): Include relevant IPs, file hashes, and domains.

Example:

  • File Identified: mimikatz.exe

  • SHA256: 3f786850e387550fdab836ed7e6dc881de23001b

  • Path: C:\Windows\Temp\mimikatz.exe

  • Compromised Hosts:

    • Hostname: AppServer01 (192.168.1.20)

    • Hostname: DBServer02 (192.168.1.25)

4. Recommendations

Purpose: Provide actionable steps to mitigate and prevent similar incidents.

Key Points to Include:

  • Short-Term Recommendations: Immediate actions such as patching, isolating affected systems, or disabling compromised accounts.

  • Long-Term Recommendations: Strategic improvements like implementing new security tools or conducting employee training.

Example:

  • Short-Term:

    • Apply MS17-010 patch to all vulnerable systems.

    • Reset passwords for compromised accounts.

  • Long-Term:

    • Deploy Endpoint Detection and Response (EDR) solutions for better endpoint visibility.

    • Conduct regular phishing simulation training for employees.

5. Timeline

Purpose: Present a chronological sequence of events to provide clear context.

Format: Include timestamps with concise descriptions.

Example:

Time (UTC)

Event

14:32

Suspicious login detected from IP 203.0.113.5.

14:40

SOC alerted and investigation initiated.

14:50

Malicious file (mimikatz.exe) identified.

15:10

Affected systems isolated.

16:00

Forensic analysis initiated on compromised hosts.

6. Appendices

Purpose: Include detailed lists or additional data that could clutter the main report.

Examples of Content:

  • Full list of Indicators of Compromise (IOCs).

  • Relevant logs, large datasets, or screenshots.

  • Network diagrams or other visual aids.

Example Appendix - IP Addresses:

IP Address

Description

203.0.113.5

Attacker’s IP (external)

192.168.1.20

Compromised App Server

192.168.1.25

Compromised Database Server

Benefits of Using This Template

  • Thorough Documentation: Covers all critical aspects of an incident for both technical and non-technical audiences.

  • Organized Layout: Enhances readability and ensures information is easy to navigate.

  • Actionable Insights: Provides clear recommendations for mitigating risks and preventing future incidents.

By following this template, SOC teams can produce professional, standardized reports that effectively communicate incident details and foster informed decision-making.

PreviousReport FormattingNextHow to Prepare a Cyber Crisis Management Pla

Last updated