Incident Report Template

Standard incident report format following industry best practices. Includes alert summary, investigation steps, findings, resolution, and ticket notes.

Incident Report Template

Incident Summary

Incident ID: [ID]
Title: [Brief Description]
Severity: [Low/Medium/High/Critical]
Status: [Open/In Progress/Resolved/Closed]
Date Reported: [Date/Time]
Date Resolved: [Date/Time]
Assigned Analyst: [Name]


Executive Summary

[2-3 sentence overview of the incident, impact, and resolution]


Initial Triage

Alert Details

  • Alert Type: [Type]
  • Source: [SIEM/EDR/Email Security/etc.]
  • Time Detected: [Timestamp]
  • Initial Severity: [Level]

Initial Assessment

[Brief assessment of the alert and why it was prioritized]

Priority: [Low/Medium/High/Critical]


Investigation

1. [Investigation Step 1]

Tools Used: [List tools]

Key Findings:

  • Finding 1
  • Finding 2
  • Finding 3

2. [Investigation Step 2]

Tools Used: [List tools]

Key Findings:

  • Finding 1
  • Finding 2

3. [Investigation Step 3]

Tools Used: [List tools]

Key Findings:

  • Finding 1
  • Finding 2

Findings

Verdict

[Benign/False Positive/Suspicious/Malicious/Confirmed Compromise]

Indicators of Compromise (IOCs)

  • IP Addresses: [List]
  • Domains/URLs: [List]
  • File Hashes: [List]
  • Email Addresses: [List]
  • Other: [List]

Attack Vector

[Description of how the attack occurred]

Impact Assessment

  • Risk Level: [Low/Medium/High/Critical]
  • Users Affected: [Number/Details]
  • Systems Affected: [List]
  • Data at Risk: [Description]
  • Potential Damage: [Description]

Resolution

Actions Taken

  1. ✅ [Action 1]
  2. ✅ [Action 2]
  3. ✅ [Action 3]

Recommendations

  • Immediate: [Actions]
  • Short-term: [Actions]
  • Long-term: [Actions]

Containment

[Description of containment measures and current status]


Ticket Notes

INCIDENT: [ID]
STATUS: [Status]
SEVERITY: [Severity]

SUMMARY:
[Brief summary]

INVESTIGATION:
[Key investigation findings]

IOCs:
[List IOCs]

ACTIONS:
[Actions taken]

RESOLUTION:
[Resolution summary]

Lessons Learned

  • Lesson 1
  • Lesson 2
  • Lesson 3

References

  • [Related casefiles/projects]
  • [External resources]