IR Analyst

Compile a comprehensive incident timeline, document evidence gaps, and prepare technical findings for the lessons learned review.

Actions

  1. Compile the complete incident timeline from detection through recovery, including all key events, decisions, and timestamps.
  2. Document all evidence gaps encountered and how they were addressed (or why they could not be addressed).
  3. Identify detection gaps: which alerts should have fired but did not, and what telemetry would have enabled faster detection?
  4. Prepare technical recommendations: specific detection rules, logging improvements, hardening measures, and tooling needs.
  5. Document attacker TTPs mapped to the MITRE ATT&CK framework for threat intelligence sharing.
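An added example, not part of this playbook, showing steps 1, 2 and 5 in code: evidence from several sources (with different local time zones) is normalized to UTC and sorted into one timeline, intervals with no evidence longer than a threshold are flagged as gaps, and observed techniques are summarized by ATT&CK ID. All sources, hosts, timestamps and technique IDs below are constructed sample data.

```python
"""Build an incident timeline from mixed evidence and flag evidence gaps."""
from datetime import datetime, timedelta, timezone

# Constructed sample evidence: (source, local timestamp, UTC offset in hours,
# event description, ATT&CK technique ID or None). Nothing here is real.
EVIDENCE = [
    ("edr",      "2024-03-04T09:12:30", 0, "EDR alert: suspicious PowerShell on WS-042", "T1059.001"),
    ("firewall", "2024-03-04T11:05:10", 2, "Outbound connection to unknown host from WS-042", "T1071.001"),
    ("vpn",      "2024-03-04T07:40:00", 0, "VPN login for user jdoe from new geolocation", "T1078"),
    ("dc",       "2024-03-04T13:20:45", 1, "jdoe added to privileged AD group", "T1098"),
    ("ticket",   "2024-03-04T16:00:00", 0, "Containment: WS-042 isolated from network", None),
]


def to_utc(local_ts, offset_hours):
    """Interpret a naive local timestamp with its UTC offset and convert to UTC."""
    tz = timezone(timedelta(hours=offset_hours))
    return datetime.fromisoformat(local_ts).replace(tzinfo=tz).astimezone(timezone.utc)


def build_timeline(evidence):
    """Return (utc_time, source, event, technique) tuples sorted by UTC time.

    Sorting on normalized time matters: the firewall entry above reads later
    than the EDR alert in local time but is actually earlier in UTC.
    """
    rows = [(to_utc(ts, off), src, event, tech) for src, ts, off, event, tech in evidence]
    return sorted(rows, key=lambda r: r[0])


def find_gaps(timeline, max_gap=timedelta(hours=2)):
    """Return (start, end, duration) for each interval between consecutive
    events longer than max_gap; these are candidate evidence/telemetry gaps."""
    gaps = []
    for (t0, *_), (t1, *_) in zip(timeline, timeline[1:]):
        if t1 - t0 > max_gap:
            gaps.append((t0, t1, t1 - t0))
    return gaps


def attack_summary(timeline):
    """Map each observed technique to its first observation (time, source)."""
    summary = {}
    for t, src, _, tech in timeline:
        if tech and tech not in summary:
            summary[tech] = (t, src)
    return summary


if __name__ == "__main__":
    tl = build_timeline(EVIDENCE)
    for t, src, event, tech in tl:
        print(f"{t.isoformat()} [{src:8}] {event} ({tech or '-'})")
    for start, end, dur in find_gaps(tl):
        print(f"GAP {dur} between {start.time()}Z and {end.time()}Z")
    print(attack_summary(tl))
```

The gap threshold is a constructed value; in practice it should reflect the expected cadence of each telemetry source, so that a silent interval is distinguishable from a source that simply was not collecting.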

Queries

Review all investigation notes, evidence logs, and timeline entries compiled during the incident.

Notes

  • The lessons learned session should occur within 2 weeks of incident closure while details are still fresh.
  • Focus on process and systemic improvements, not individual blame.