- Incident Title: [Descriptive Name of Incident]
- Incident ID: [Unique Identifier]
- Date of Detection: [YYYY-MM-DD]
- Incident Lead: [Name]
- Assigned Team: [Incident Response Team]
- Current Status: [Open | In Progress | Resolved]
- Summary:
  Provide a brief summary of the incident, including affected systems, potential impact, and high-level observations.
- Incident Severity: [Low | Medium | High | Critical]
- Business Impact: [Description of affected services, data, or users]
- Data Sensitivity: [Sensitive | Confidential | Public | Unknown]
- Regulatory Impact: [GDPR, HIPAA, PCI, etc.]
| Date/Time (UTC) | Event | Description/Details | Investigator/Source |
|---|---|---|---|
| [YYYY-MM-DD HH:MM] | Detection | Detected [Suspicious Activity/Event] | [Name] |
| [YYYY-MM-DD HH:MM] | Initial Response | [Actions taken during initial response] | [Name] |
| [YYYY-MM-DD HH:MM] | Containment | [Actions taken to contain the incident] | [Name] |
| [YYYY-MM-DD HH:MM] | Eradication | [Actions taken to eradicate the threat] | [Name] |
| [YYYY-MM-DD HH:MM] | Recovery | [Recovery efforts, systems restored] | [Name] |
| [YYYY-MM-DD HH:MM] | Post-Incident Review | [Details of post-incident review] | [Name] |
- IP Addresses:
  - [IP Address 1]
  - [IP Address 2]
- Domains:
  - [malicious-domain.com]
- File Hashes:
  - MD5: [hash]
  - SHA256: [hash]
- URLs:
  - [URL]
- Other:
  - [Any additional IoCs]
- Detection Method: [IDS, SIEM, Antivirus, Employee Report, etc.]
- Source of Alert: [Name of tool/system]
- Alert Signature/Rule ID: [If applicable]
- Alert Details: [Brief summary of what triggered the detection]
- Impacted Systems/Services: [List internal systems, apps, and services]
- Third-Party Vendors: [List any external dependencies involved]
- Cloud Services: [Identify cloud environments involved (e.g., AWS, Azure)]
| Date/Time (UTC) | Stakeholder | Summary of Communication | Medium (Email, Call, Meeting) | Notes |
|---|---|---|---|---|
| [YYYY-MM-DD HH:MM] | [Stakeholder Name] | [Summary] | [Email/Call] | [Notes] |
- Logs:
  - [Location/File Name] - [Brief Description]
- Malware Samples:
  - [Sample Name/Hash] - [Brief Description]
- Screenshots:
  - [Image file name] - [Context or Notes]
- System Images:
  - [Description of collected images, e.g., “Full system image of server XYZ”]
- Memory Dumps:
  - [Details of memory dump collected]
- Detailed Findings:
  - [Include any detailed notes and observations from the investigation]
- Key Observations:
  - [Any notable behaviors, correlations with other incidents, etc.]
- Triage Results:
  - [Findings from triage efforts, including severity and urgency]
- Immediate Actions Taken:
  - [Action 1]
  - [Action 2]
- Containment Strategy:
  - [Strategy used to isolate the threat, e.g., firewall rule changes, account lockouts]
- Mitigation Techniques Applied:
  - [Technique 1]
  - [Technique 2]
- Pending Questions:
  - [Example: "Has lateral movement occurred?"]
  - [Example: "Are backups of affected systems available?"]
- Outstanding Actions:
  - [Example: "Complete malware analysis of collected samples"]
  - [Example: "Verify the integrity of recovered systems"]
- Eradication Actions:
  - [Action 1]
  - [Action 2]
- Systems Recovered:
  - [System Name] - [Recovery Date]
- Post-Eradication Testing:
  - [Tests performed to ensure no residual threat remains]
- Vulnerability Scans Performed: [Yes/No]
- Penetration Testing: [Yes/No]
- Validation Results: [Details of post-recovery tests to ensure threats have been eliminated]
- Missed Indicators: [Any IoCs missed by detection tools]
- Detection Gaps: [Where the detection system could have performed better]
- Proposed Improvements: [Changes to detection rules, tools, or processes]
- Root Cause Analysis:
  - [Analysis of how the incident occurred, attack vector, and contributing factors]
- Lessons Learned:
  - [Important takeaways and improvements for future response]
- Recommendations:
  - [Security control improvements, patching, process changes, etc.]
- Prevention Steps:
  - [Measures to prevent similar incidents in the future, e.g., implement multi-factor authentication]
- Escalation Path: [Teams/individuals involved in escalating the incident]
- Date of Escalation: [YYYY-MM-DD HH:MM]
- Escalation Details: [Reason and summary of escalation]
- Public/Customer Notification Needed? [Yes/No]
- Drafted Public Statement: [Include if relevant]
- Media or Legal Involvement: [Yes/No, and details if necessary]
- Reportable Incident? [Yes/No]
- Deadline for Notification: [Date/Time]
- Regulatory Body Notified: [Body Name, e.g., the supervisory authority responsible for GDPR or CCPA enforcement]
- Reporting Details: [Date and summary of notification sent]
- Mean Time to Detection (MTTD): [Time from compromise to detection]
- Mean Time to Resolution (MTTR): [Time from detection to resolution]
- Affected Users: [Number of impacted users/systems]
- Downtime Duration: [Total downtime experienced]
- Final Resolution Date: [YYYY-MM-DD]
- Final Status: [Resolved | Mitigated | Ongoing]
- Notes:
  - [Any additional final thoughts or documentation, e.g., the incident is under continued monitoring]