Post-Incident Review
Priority: P2
Estimated time: ~180 min

Generate Comprehensive Incident Report

Compile all evidence, create a final timeline, document IOCs, and write the technical narrative for the comprehensive incident report.

Actions

  1. Write the technical narrative covering: initial detection, investigation scope, evidence collected, attacker TTPs, impact assessment, containment actions, eradication steps, and recovery.

  2. Create the final incident timeline with all key events in chronological order.

  3. Compile the IOC appendix: file hashes, IP addresses, domains, email addresses, user agents, and other indicators.

  4. Document the evidence inventory with chain of custody references.

  5. Prepare an executive summary (1-2 pages) and a detailed technical report (full length) as separate sections.
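The following is an added worked example (not part of the original playbook or any vendor tooling) that mechanises actions 2, 3 and 4: it normalises and deduplicates a constructed set of raw indicators into a grouped, defanged IOC appendix, orders a constructed event list into a UTC timeline while refusing timestamps that carry no timezone, and verifies an evidence item against the SHA-256 recorded on its chain-of-custody form. All indicator values, event lines and evidence IDs are constructed for illustration; the hashes are the well-known digests of the empty string and of b"abc".

```python
import hashlib
import re
from datetime import datetime, timezone

# Constructed sample data for this example (not from a real incident).
RAW_INDICATORS = [
    "d41d8cd98f00b204e9800998ecf8427e",                                  # MD5("")
    "da39a3ee5e6b4b0d3255bfef95601890afd80709",                          # SHA-1("")
    "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",  # SHA-256(""), upper case
    "203.0.113.10", "203.0.113.10",                                       # duplicate (TEST-NET-3 range)
    "payload.example.net",
    "attacker@example.org",
    "Mozilla/5.0 (compatible; ExampleBot/1.0)",                           # user agent
]
RAW_EVENTS = [  # (timestamp, source, description), in the order they were gathered
    ("2024-03-04T09:12:00Z", "EDR", "Macro-enabled document spawned powershell.exe"),
    ("2024-03-04T08:55:30Z", "Email gateway", "Phishing email delivered to user"),
    ("2024-03-04T11:40:00+01:00", "SOC", "Host isolated (containment)"),  # local time with offset
]
EVIDENCE = {  # evidence id -> SHA-256 recorded on the chain-of-custody form (constructed)
    "EV-001": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
}

_HEX = re.compile(r"^[0-9a-f]+$")
_IPV4 = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")
_DOMAIN = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")
_EMAIL = re.compile(r"^[^@\s]+@(?:[a-z0-9-]+\.)+[a-z]{2,}$")


def classify_ioc(value: str) -> str:
    """Assign an indicator type by shape; anything unrecognised becomes 'other'."""
    v = value.strip().lower()
    if _HEX.match(v):
        return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(v), "other")
    m = _IPV4.match(v)
    if m and all(int(octet) <= 255 for octet in m.groups()):
        return "ipv4"
    if _EMAIL.match(v):
        return "email"
    if _DOMAIN.match(v):
        return "domain"
    return "user_agent" if v.startswith("mozilla/") else "other"


def defang(value: str) -> str:
    """Defang network indicators so a reader cannot click the report into a live callback."""
    return value.replace("http", "hxxp").replace(".", "[.]")


def compile_ioc_appendix(values):
    """Normalise, dedupe and group indicators: hashes lower-cased, network IOCs defanged."""
    grouped = {}
    for raw in values:
        kind = classify_ioc(raw)
        v = raw.strip()
        if kind in ("md5", "sha1", "sha256"):
            v = v.lower()
        elif kind in ("ipv4", "domain", "email"):
            v = defang(v.lower())
        grouped.setdefault(kind, set()).add(v)
    return {kind: sorted(vals) for kind, vals in sorted(grouped.items())}


def build_timeline(events):
    """Order events by absolute time and emit them in UTC.

    Naive timestamps are rejected: sources in different zones cannot be
    ordered reliably without an offset, a common cause of wrong timelines.
    """
    parsed = []
    for ts, source, desc in events:
        dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        if dt.tzinfo is None:
            raise ValueError(f"timestamp without timezone: {ts!r} ({source})")
        parsed.append((dt, source, desc))
    parsed.sort(key=lambda e: e[0])
    return [(dt.astimezone(timezone.utc).isoformat(), s, d) for dt, s, d in parsed]


def verify_custody(data: bytes, recorded_sha256: str) -> bool:
    """Confirm an evidence item still matches the hash taken at acquisition."""
    return hashlib.sha256(data).hexdigest() == recorded_sha256.strip().lower()


if __name__ == "__main__":
    for kind, vals in compile_ioc_appendix(RAW_INDICATORS).items():
        print(kind, vals)
    for row in build_timeline(RAW_EVENTS):
        print(*row)
    print("EV-001 intact:", verify_custody(b"abc", EVIDENCE["EV-001"]))
```

Indicator classification is by shape only, so anything that does not match a known pattern lands in "other" for manual review rather than being silently dropped; the appendix lists the defanged form, and the verify step is the check to run before an evidence item is cited in the report.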

Queries

Compile all queries used during the investigation for the report appendix.
index=notable sourcetype=stash earliest=T_START latest=T_END
| eval urgency_rank=case(urgency=="critical",5, urgency=="high",4, urgency=="medium",3, urgency=="low",2, 1=1,1)
| stats count by rule_name, urgency, urgency_rank, src, dest, user
| eval incident_phase=case(urgency=="critical","Triage", urgency=="high","Containment", 1=1,"Investigation")
| sort -urgency_rank -count
| table rule_name, urgency, incident_phase, src, dest, user, count

Replace T_START and T_END with the incident window (epoch seconds or Splunk time modifiers). Sorting uses a numeric urgency rank rather than the urgency string itself, since a lexical sort would place "medium" and "low" ahead of "critical" and "high". The incident_phase column is only a coarse tag derived from urgency; reconcile it against the final timeline before including the table in the appendix.

Notes

The incident report should be factual and evidence-based. Avoid speculation and clearly label any assumptions or limitations.

Reports may be shared with legal counsel, regulators, insurance providers, and law enforcement. Write accordingly: every statement of fact should trace to an item in the evidence inventory, and attribution or intent should be stated only as far as the evidence supports.
