Post-Incident Review | Priority P3 | ~120 min

Conduct Lessons Learned Review Session

Compile a comprehensive incident timeline (all timestamps normalized to UTC), document evidence and telemetry gaps, and prepare technical findings for the lessons learned review.

Actions

  1. Compile the complete incident timeline from first attacker activity through detection, containment, and recovery, with every key event, decision, and timestamp converted to a single time zone (UTC) so that dwell time, time-to-detect, and time-to-contain can be measured rather than estimated.

  2. Document all evidence gaps encountered (missing logs, retention expiry, unsynchronized clocks, sources that were never onboarded) and how each was addressed, or why it could not be.

  3. Identify detection gaps: which alerts should have fired but did not, and what telemetry would have enabled faster detection? Tie each gap to a specific point on the timeline.

  4. Prepare technical recommendations: specific detection rules, logging improvements, hardening measures, and tooling needs, each traceable to a gap identified in steps 2 and 3.

  5. Document attacker TTPs mapped to MITRE ATT&CK technique IDs (with the evidence source that observed each) for threat intelligence sharing.
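The five steps above are one procedure: normalize the notes, order them, then read gaps and metrics off the ordered timeline. The script below is an added example, not part of the original playbook, and works from a constructed set of investigation notes for a hypothetical incident. The source names (edr, proxy, auth, siem, ir), host names, technique mappings and the 24-hour gap threshold are all assumptions chosen for illustration; replace them with the real evidence log.

```python
"""Compile an incident timeline from investigation notes and flag evidence,
telemetry and detection gaps for the lessons learned review.

Added example, not part of the original playbook. The notes below are
constructed for a hypothetical incident; host names, sources, technique
mappings and the gap threshold are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Event:
    ts: datetime         # tz-aware, always UTC after parsing
    source: str          # telemetry source the evidence came from
    phase: str           # attack or response phase label
    description: str
    technique: str = ""  # MITRE ATT&CK technique ID; empty for response actions


# Constructed notes in the mixed timestamp formats analysts paste from
# different consoles (ISO with Z, local offset, epoch). Deliberately out of order.
RAW_NOTES = [
    ("2024-03-04 09:40:00 +0100", "proxy", "c2",
     "periodic HTTPS beacons from WS-1142 to newly registered domain", "T1071.001"),
    ("2024-03-04T08:12:00Z", "edr", "initial_access",
     "macro in phishing attachment spawned powershell on WS-1142", "T1566.001"),
    (1709546400, "auth", "lateral_movement",
     "RDP logon from WS-1142 to FS-07 using domain admin account", "T1021.001"),
    ("2024-03-05T14:30:00+00:00", "siem", "detection",
     "analyst triaged notable: suspicious LSASS access on FS-07", "T1003.001"),
    ("2024-03-05T15:05:00Z", "ir", "containment",
     "WS-1142 and FS-07 network-isolated through EDR", ""),
    ("2024-03-06T11:00:00Z", "ir", "recovery",
     "FS-07 rebuilt from known-good image, admin credentials rotated", ""),
]

_FORMATS = ("%Y-%m-%dT%H:%M:%S%z", "%Y-%m-%d %H:%M:%S %z", "%Y-%m-%d %H:%M:%S")


def parse_ts(value) -> datetime:
    """Normalise an epoch or ISO-style string to a tz-aware UTC datetime."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    text = value.strip()
    for fmt in _FORMATS:
        try:
            dt = datetime.strptime(text, fmt)
        except ValueError:
            continue
        if dt.tzinfo is None:  # naive stamp: assumed UTC (assumption; verify the source clock)
            dt = dt.replace(tzinfo=timezone.utc)
        return dt.astimezone(timezone.utc)
    raise ValueError(f"unrecognised timestamp: {value!r}")


def build_timeline(raw_notes) -> list:
    """Parse every note and sort chronologically; ordering is what makes it a timeline."""
    events = [Event(parse_ts(ts), src, phase, desc, tech)
              for ts, src, phase, desc, tech in raw_notes]
    return sorted(events, key=lambda e: e.ts)


def evidence_gaps(timeline, max_gap=timedelta(hours=24)):
    """(start, end, hours) for every stretch with no recorded evidence longer than max_gap."""
    gaps = []
    for prev, cur in zip(timeline, timeline[1:]):
        delta = cur.ts - prev.ts
        if delta > max_gap:
            gaps.append((prev.ts, cur.ts, round(delta.total_seconds() / 3600, 2)))
    return gaps


def missing_sources(timeline, expected):
    """Telemetry sources the review expected to have but that no evidence entry cites."""
    seen = {e.source for e in timeline}
    return [s for s in expected if s not in seen]


def _first(timeline, phase):
    return next((e.ts for e in timeline if e.phase == phase), None)


def phase_metrics(timeline):
    """Time-to-detect/contain/recover as timedeltas; None when that phase is undocumented."""
    first_evidence = timeline[0].ts
    detect, contain, recover = (_first(timeline, p)
                                for p in ("detection", "containment", "recovery"))
    return {
        "time_to_detect": detect - first_evidence if detect else None,
        "time_to_contain": contain - detect if detect and contain else None,
        "time_to_recover": recover - contain if contain and recover else None,
    }


def attack_summary(timeline):
    """ATT&CK technique IDs in order of first observation, with the source that saw each."""
    seen = {}
    for e in timeline:
        if e.technique and e.technique not in seen:
            seen[e.technique] = (e.ts, e.source)
    return [(tech, ts.isoformat(), src) for tech, (ts, src) in seen.items()]


if __name__ == "__main__":
    tl = build_timeline(RAW_NOTES)
    for e in tl:
        print(f"{e.ts:%Y-%m-%d %H:%M:%S}Z {e.source:<6} {e.phase:<17} {e.description}")
    print("evidence gaps:", evidence_gaps(tl))
    print("missing sources:", missing_sources(tl, ["edr", "proxy", "auth", "dns", "siem"]))
    print("metrics:", phase_metrics(tl))
    print("ATT&CK:", attack_summary(tl))
```

With the constructed notes, the sort moves the EDR event ahead of the proxy beacon, the 28.5-hour silence between the lateral movement logon and the first triaged notable is reported as an evidence gap, DNS shows up as a telemetry source that contributed nothing, and time-to-detect comes out at 30 hours 18 minutes. Each of those numbers is the kind of concrete finding a recommendation in step 4 should cite.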

Queries

Review all investigation notes, evidence logs, and timeline entries compiled during the incident. The query below summarizes the notables raised during the incident window by rule, urgency, status and owner, and reports how many hours after the window start (T_START) the first and last notable for each group fired. The per-notable eval must run before stats, because stats drops _time; addinfo supplies info_min_time for the arithmetic, and urgency is ranked explicitly because a plain sort on the string field orders it alphabetically rather than by severity.
index=notable earliest=T_START latest=T_END
| addinfo
| eval hrs_from_start=round((_time-info_min_time)/3600,2)
| stats count, min(hrs_from_start) AS first_notable_hrs, max(hrs_from_start) AS last_notable_hrs BY rule_name, urgency, status, owner
| eval urgency_rank=case(urgency=="critical",4, urgency=="high",3, urgency=="medium",2, urgency=="low",1, true(),0)
| sort -urgency_rank -count
On Splunk Enterprise Security, prefer the `notable` macro over raw index=notable: current status and owner are maintained by Incident Review and are joined in by the macro, so the raw events alone may show them as empty.

Notes

The lessons learned session should occur within 2 weeks of incident closure while details are still fresh; the compiled timeline and gap list should be circulated before the session so participants arrive with the same set of facts.

Focus on process and systemic improvements, not individual blame.