Reporting Style
Best Practices for Writing Clear and Professional Technical Reports
Technical reports are critical for documenting incidents and ensuring stakeholders understand what occurred and how it was managed. Below are essential guidelines to enhance clarity, professionalism, and utility in your reports.
1. Use Past Tense
Reports document events that have already occurred, so they should consistently use the past tense.
Example:
Before: "The attacker tries to log in to the system using brute force."
After: "The attacker attempted to log in to the system using brute force."
2. Write Short and Concise Sentences
Avoid unnecessary complexity. Focus on delivering clear, direct information.
Example:
Before: "The highly sophisticated hacker used several techniques in an attempt to compromise our secure server, but our robust security measures stopped the attack."
After: "The attacker attempted to compromise the server using multiple techniques but failed due to existing security measures."
3. Provide Specific Details
Vague statements lack actionable insights. Always include specific information to add clarity and context.
Example:
Before: "Various malware was found on our servers."
After: "We detected Mimikatz.exe on the web servers with IP addresses 192.168.10.15 and 192.168.10.16."
4. Focus on Actions Performed
Highlight the actions taken rather than emphasizing what was not done, unless relevant to the context.
Example:
Before: "No memory analysis was conducted."
After: "Memory analysis could not be conducted because the attacker restarted the operating system, resulting in the loss of volatile data."
5. Clarify Abbreviations
Introduce abbreviations with their full form upon first use, then use the abbreviation for the remainder of the report.
Example:
First Use: "An Indicator of Compromise (IOC) was identified."
Subsequent Uses: "The IOC was further analyzed."
6. Maintain Consistency in Terminology
Stick to a single term for specific entities or systems throughout the report to prevent confusion.
Example:
If you refer to a system as "host" in one section, continue to use "host." Avoid switching between terms like "endpoint," "node," or "system."
Sample Report Section Applying Best Practices
Incident Summary: On November 10, 2024, at 3:45 PM, an attacker attempted to exploit a SQL injection vulnerability on the web server (IP: 192.168.1.10). The Web Application Firewall (WAF) blocked the attempt.
Details of the Attack:
Target: Web server (192.168.1.10)
Method: SQL Injection
Detected By: WAF
Time: 3:45 PM, November 10, 2024
Analysis and Actions Taken:
The SOC team identified Mimikatz.exe on the application server (192.168.10.15).
Indicator of Compromise (IOC): The hash of Mimikatz.exe was identified and the file was isolated.
Immediate containment and cleanup were performed, and the compromised server was taken offline for forensic analysis.
Benefits of Adopting These Practices
Improved Readability: Reports become easier to understand for both technical and non-technical audiences.
Actionable Insights: Stakeholders can quickly grasp key details and next steps.
Professionalism: Ensures consistent, high-quality documentation across all reports.
Efficient Decision-Making: Facilitates rapid decision-making by providing clear and relevant information.
By adhering to these guidelines, SOC analysts can produce reports that effectively communicate critical incident details and support organizational learning and response optimization.