Lesson 5 of 5·15 min read·Includes quiz

Incident Reporting & Communication

Report templates, audience-appropriate communication, regulatory requirements, stakeholder updates

What You'll Learn

  • Write professional incident reports containing all seven essential sections: executive summary, technical details, timeline, IOC table, ATT&CK mapping, impact assessment, and recommendations
  • Adapt communication style for different audiences — technical teams, executive leadership, and legal/compliance stakeholders
  • Apply report templates for common incident types including ransomware, data breach, and phishing campaigns
  • Understand regulatory reporting requirements including GDPR 72-hour notification, PCI DSS, and HIPAA breach notification rules
  • Manage stakeholder communication during active incidents with appropriate status cadence and escalation protocols
  • Synthesize all course skills — SIEM analysis, threat intelligence, endpoint investigation, detection engineering, and incident response — into a complete analyst workflow demonstrated in Lab 13.5

Why Incident Reporting Matters

An incident response that is not documented did not happen — at least not in any way that benefits your organization, satisfies regulators, or protects you legally. The incident report is the permanent record that captures what happened, what you did about it, and what should change.

Incident reports serve multiple purposes:

Purpose | Audience | What They Need
Technical record | SOC team, detection engineering | Full technical details for future reference and detection improvement
Management awareness | CISO, VP of Security, CTO | Business impact, resource needs, strategic implications
Legal protection | Legal counsel, compliance | Evidence of due diligence, timeline of response actions
Regulatory compliance | Regulators, auditors | Proof of timely notification and appropriate response
Insurance claims | Cyber insurance provider | Detailed timeline, containment actions, impact assessment

A single incident may require multiple report versions, each tailored to its audience.

Anatomy of an Incident Report

The Seven Essential Sections

Every incident report, regardless of type, should contain these sections:

Section 1: Executive Summary

Two to four sentences. What happened, how severe it is, what was done, and what remains to be done. A busy executive should be able to read this section alone and understand the situation.

EXECUTIVE SUMMARY

On February 21, 2026, the SOC detected unauthorized access to the corporate
file server (FS-CORP-01) originating from a compromised VPN credential belonging
to the svc-backup service account. The attacker dwelled in the environment for
approximately 90 minutes before detection, during which they accessed the
Finance shared drive containing Q4 financial reports. The account was disabled,
VPN session terminated, and affected system isolated within 25 minutes of
detection. A full investigation is underway to determine the scope of data
accessed and whether exfiltration occurred.

Section 2: Technical Details

The detailed technical narrative. What the attacker did, how they did it, and what tools and techniques were used. This section is for the security team and should include specific log entries, command lines, and artifact details.

TECHNICAL DETAILS

Initial Access:
- Vector: Credential harvesting via phishing email (T1566.001)
- Phishing email delivered to user j.martinez@company.com at 09:00 UTC
- User clicked link to credential harvesting page hosted at
  login-portal[.]company-auth[.]com (185.220.101.42)
- Harvested credentials used for VPN login at 09:15 UTC from
  IP 45.33.32.156 (Tor exit node)

Lateral Movement:
- Attacker used svc-backup credentials to access FS-CORP-01 via SMB (T1021.002)
- Multiple Finance directory listings observed between 10:00-10:30 UTC
- Wazuh alert fired at 10:30 UTC: Rule 92105 (Suspicious SMB access pattern)

Persistence:
- No persistence mechanisms identified on FS-CORP-01
- Investigation ongoing for the VPN gateway and user workstation

Section 3: Timeline

Chronological record of every significant event from initial compromise through current status:

INCIDENT TIMELINE

2026-02-21 09:00 UTC  Phishing email delivered to j.martinez@company.com
2026-02-21 09:04 UTC  User clicks credential harvesting link
2026-02-21 09:15 UTC  Attacker authenticates to VPN from Tor exit node
2026-02-21 10:00 UTC  SMB access to FS-CORP-01 Finance share begins
2026-02-21 10:30 UTC  Wazuh alert fires: suspicious SMB access pattern
2026-02-21 10:45 UTC  L1 analyst triages alert, extracts context
2026-02-21 10:50 UTC  MISP search: 185.220.101.42 matches known C2 feed
2026-02-21 11:00 UTC  L2 escalation — confirms active compromise
2026-02-21 11:20 UTC  Containment: VPN session killed, svc-backup disabled
2026-02-21 11:25 UTC  FS-CORP-01 isolated from network
2026-02-21 11:45 UTC  Incident Commander notified, IR team mobilized
2026-02-21 12:00 UTC  Forensic evidence collection begins (Velociraptor)
2026-02-21 14:00 UTC  Initial scope assessment complete
2026-02-22 09:00 UTC  Full investigation report in progress

Section 4: IOC Table

Structured table of all indicators of compromise for blocking and hunting:

IOC Type | Value | Context | Action
IP Address | 185.220.101.42 | C2 / credential harvesting server | Blocked at firewall
IP Address | 45.33.32.156 | Tor exit node used for VPN login | Blocked at VPN gateway
Domain | login-portal[.]company-auth[.]com | Credential harvesting page | Blocked at DNS/proxy
Email | noreply@company-auth[.]com | Phishing sender | Blocked at email gateway
URL | hxxps://login-portal[.]company-auth[.]com/auth | Harvesting page | Blocked at proxy
Account | svc-backup | Compromised service account | Disabled, password reset

Defang IOCs in reports. Replace https:// with hxxps:// and . with [.] in domains/URLs to prevent accidental clicks or automated link processing. This is standard practice in all threat intelligence and incident reporting.
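
The defang rule above in code, as an added example that is not part of the lesson or its lab: defang and refang helpers plus a pre-distribution check that flags any indicator left in live form. The indicator values are the ones from the IOC table; the list itself and the two-line report excerpt are constructed.

```python
import re

# Constructed sample indicators in live form, mirroring the IOC table above: (type, live value)
SAMPLE_IOCS = [
    ("IP Address", "185.220.101.42"),
    ("IP Address", "45.33.32.156"),
    ("Domain", "login-portal.company-auth.com"),
    ("Email", "noreply@company-auth.com"),
    ("URL", "https://login-portal.company-auth.com/auth"),
]

def defang(value: str) -> str:
    """Neutralise one indicator for a report: http(s):// -> hxxp(s)://, '.' -> '[.]'.
    Every dot is bracketed (not only the host part), which matches common tool
    behaviour. Calling it on an already-defanged value leaves it unchanged."""
    value = re.sub(r"^http(s?)://", r"hxxp\1://", value, flags=re.IGNORECASE)
    return re.sub(r"(?<!\[)\.(?!\])", "[.]", value)

def refang(value: str) -> str:
    """Reverse of defang(), for loading report IOCs into a hunt or block list."""
    value = re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".")

def defang_ioc_rows(rows):
    """Apply defang() to the value column of (type, value) rows."""
    return [(ioc_type, defang(value)) for ioc_type, value in rows]

# Patterns that reveal a live (not defanged) indicator in report text
LIVE_PATTERNS = [
    re.compile(r"\bhttps?://\S+", re.IGNORECASE),       # clickable URL scheme
    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),          # dotted-quad IP address
    re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),     # routable e-mail address
]

def find_live_indicators(text: str) -> list[str]:
    """Pre-distribution check: every live URL, IP or e-mail address in the text.
    Internal addresses are reported too; deciding about them is a review step."""
    hits: list[str] = []
    for pattern in LIVE_PATTERNS:
        hits.extend(pattern.findall(text))
    return hits

# Constructed report excerpt: first indicator defanged correctly, second left live
SAMPLE_REPORT = (
    "Harvesting page: hxxps://login-portal[.]company-auth[.]com/auth\n"
    "C2 server 185.220.101.42 matched the MISP feed\n"
)

if __name__ == "__main__":
    for ioc_type, value in defang_ioc_rows(SAMPLE_IOCS):
        print(f"{ioc_type:<10} {value}")
    print("live indicators still in report:", find_live_indicators(SAMPLE_REPORT))
```

Run find_live_indicators() over the final report body before it leaves the SOC; an empty result is the expected state for a distributable report.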

Section 5: ATT&CK Mapping

Map all observed techniques to the MITRE ATT&CK framework:

Tactic | Technique ID | Technique Name | Evidence
Initial Access | T1566.001 | Spearphishing Link | Phishing email with credential harvesting URL
Credential Access | T1078 | Valid Accounts | Harvested VPN credentials used for authentication
Lateral Movement | T1021.002 | SMB/Windows Admin Shares | SMB access to FS-CORP-01 via svc-backup
Collection | T1039 | Data from Network Shared Drive | Finance directory listing and file access

Section 6: Impact Assessment

Quantify the business impact:

IMPACT ASSESSMENT

Confidentiality: MODERATE — Q4 financial reports potentially accessed.
  Exfiltration not confirmed but cannot be ruled out pending
  full network forensic analysis.
Integrity: LOW — No evidence of data modification on FS-CORP-01.
Availability: LOW — FS-CORP-01 isolated for investigation; users
  temporarily redirected to backup file server.
Business Impact: Finance team unable to access primary file share
  for estimated 48 hours during investigation.
Data Classification: Internal / Confidential (financial reports).
Affected Users: 1 confirmed compromised (j.martinez), svc-backup
  service account. Fleet sweep in progress for additional compromise.

Section 7: Recommendations

Prioritized list of immediate and long-term actions:

RECOMMENDATIONS

Immediate (0-48 hours):
1. Complete forensic analysis of FS-CORP-01 and j.martinez workstation
2. Sweep fleet for IOCs using Velociraptor hunt
3. Reset all credentials that svc-backup had access to
4. Notify Finance leadership of potential data exposure

Short-term (1-2 weeks):
5. Deploy MFA for all VPN connections (currently password-only)
6. Implement geo-impossible travel detection for VPN logins
7. Review and restrict svc-backup permissions (least privilege)
8. Conduct phishing awareness refresher for Finance department

Long-term (1-3 months):
9. Implement network segmentation for sensitive file shares
10. Deploy DLP monitoring on Finance share
11. Evaluate CASB for cloud storage migration

[Figure: Incident report template showing the seven sections in a professional format with company branding, classification markings, and distribution list]

Audience-Appropriate Communication

The same incident requires different communication depending on who is reading:

Technical Report (SOC Team)

Full details. Every log entry, command line, VQL query, and artifact path. The purpose is reproducibility and detection improvement. Use technical language freely — your audience speaks it.

Executive Summary (C-Suite)

Business impact in business language. No command lines, no log entries, no IP addresses. Focus on:

  • What happened (one sentence)
  • Business impact (data at risk, systems affected, operational disruption)
  • What was done (containment, investigation status)
  • What is needed (resources, decisions, budget)
  • Risk going forward

EXECUTIVE BRIEFING — Incident 2026-017

A service account with access to financial data was compromised through
a phishing attack targeting an employee. The attacker accessed the Finance
shared drive for approximately 30 minutes before the security team detected
and contained the intrusion. There is no confirmed data exfiltration, but
the possibility cannot be excluded until forensic analysis is complete.

Key risk: VPN access does not currently require multi-factor authentication.
This was the primary control gap that allowed the compromise. MFA deployment
is recommended within 2 weeks at an estimated cost of $15,000.

Current status: Investigation ongoing. Full report expected within 72 hours.

Legal/Compliance Brief

Focus on regulatory implications, evidence preservation, and notification obligations:

  • Was personal data involved? (GDPR, HIPAA, state breach notification)
  • What is the notification timeline? (72 hours for GDPR)
  • What evidence has been preserved and how? (chain of custody)
  • What steps demonstrate due diligence? (detection, containment, investigation)

Report Templates by Incident Type

Ransomware Incident

Additional sections beyond the standard seven:

Section | Content
Ransomware variant | Family name, version, known decryptor availability
Encryption scope | Which systems, shares, databases were encrypted
Ransom demand | Amount, cryptocurrency address, communication channel
Backup status | Which backups are intact, tested, and ready for restore
Recovery timeline | Estimated time to restore operations per system
Law enforcement | FBI IC3 report number, local law enforcement case number

Data Breach Incident

Additional sections:

Section | Content
Data classification | Types of data exposed (PII, PHI, PCI, financial, IP)
Record count | Number of individuals/records affected
Notification obligations | Which regulations apply, deadlines, notification method
Affected jurisdictions | Which states/countries have affected individuals
Credit monitoring | Whether to offer credit monitoring/identity protection

Phishing Campaign

Additional sections:

Section | Content
Campaign scope | Number of emails sent, recipients, delivery rate
Click/compromise rate | How many users clicked, how many entered credentials
Email indicators | Subject lines, sender addresses, payload URLs
User remediation | Password resets completed, awareness training scheduled

Regulatory Reporting Requirements

🚨 Regulatory deadlines are legally binding. Missing a notification deadline can result in significant fines — up to 4% of annual global revenue under GDPR. Know your obligations BEFORE an incident occurs, not during one.

Regulation | Trigger | Deadline | Who to Notify | Key Requirements
GDPR | Personal data breach affecting EU residents | 72 hours from awareness | Supervisory authority + affected individuals (if high risk) | Nature of breach, categories of data, approximate number of records, likely consequences, mitigation measures
PCI DSS | Compromise of cardholder data | Immediately | Acquiring bank + payment brands (Visa, MC) | Engage PCI Forensic Investigator (PFI), preserve all evidence
HIPAA | Breach of unsecured PHI | 60 days (individuals), annual (HHS if <500), 60 days (HHS if ≥500) | Affected individuals + HHS + media (if ≥500 in a state) | Description of breach, types of information involved, steps to protect, investigation findings
SEC (public companies) | Material cybersecurity incident | 4 business days | SEC Form 8-K filing | Material impact determination, nature and scope, remediation status
State breach notification | Personal information of state residents | Varies (30-90 days) | Affected individuals + state AG | Check each applicable state's specific requirements

The 72-Hour GDPR Clock

The GDPR 72-hour notification window starts when the organization becomes aware of a breach — not when the breach occurred. "Aware" means when the organization has a reasonable degree of certainty that a breach has occurred.

Timeline for GDPR compliance:

Hour 0:     L1 analyst confirms personal data breach
Hour 0-1:   Notify Privacy/DPO team immediately
Hour 1-24:  Assess scope — what data, how many records, which countries
Hour 24-48: Draft supervisory authority notification
Hour 48-72: Submit notification to lead supervisory authority
Hour 72+:   Continue investigation, update notification if scope changes
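
An added example, not from the lesson: the 72-hour milestones above and the other deadlines from the regulatory table turned into absolute timestamps, all counted from an assumed awareness time of 11:00 UTC on 2026-02-21 (the L2 confirmation in the sample timeline). Public holidays are ignored and the SEC clock is started at awareness rather than at a separate materiality determination; both are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# GDPR milestones from the lesson's 72-hour timeline: (label, hours after awareness)
GDPR_MILESTONES = [
    ("Notify Privacy/DPO team", 1),
    ("Scope assessment complete (data, record count, countries)", 24),
    ("Draft supervisory authority notification", 48),
    ("Submit notification to lead supervisory authority", 72),
]

def sample_awareness() -> datetime:
    """Constructed: awareness = the L2 'active compromise' confirmation in the timeline."""
    return datetime(2026, 2, 21, 11, 0, tzinfo=UTC)

def gdpr_schedule(awareness: datetime) -> list[tuple[str, datetime]]:
    """Absolute due time for each milestone. The clock starts at awareness,
    not at the time the breach actually occurred."""
    return [(label, awareness + timedelta(hours=h)) for label, h in GDPR_MILESTONES]

def add_business_days(start: datetime, days: int) -> datetime:
    """Advance `days` weekdays (Mon-Fri). Public holidays are ignored (assumption)."""
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            remaining -= 1
    return current

def regulatory_deadlines(awareness: datetime) -> dict[str, datetime]:
    """Deadlines from the lesson's regulatory table, all counted from awareness.
    HIPAA's 60 days are calendar days; the SEC's 4 business days are counted
    from awareness here (assumption); PCI DSS 'immediately' is due at awareness."""
    return {
        "GDPR (supervisory authority)": awareness + timedelta(hours=72),
        "SEC Form 8-K": add_business_days(awareness, 4),
        "HIPAA (individuals; HHS if >=500 records)": awareness + timedelta(days=60),
        "PCI DSS (acquiring bank + payment brands)": awareness,
    }

def hours_remaining(deadline: datetime, now: datetime) -> float:
    """Hours left on a clock; negative means the deadline has already passed."""
    return (deadline - now).total_seconds() / 3600

if __name__ == "__main__":
    aware = sample_awareness()
    for label, due in gdpr_schedule(aware):
        print(f"{due:%Y-%m-%d %H:%M} UTC  {label}")
    for regulation, due in regulatory_deadlines(aware).items():
        print(f"{due:%Y-%m-%d %H:%M} UTC  {regulation}  ({hours_remaining(due, aware):.0f} h left)")
```

Because 2026-02-21 is a Saturday, the SEC clock does not start counting until Monday, while the GDPR clock runs straight through the weekend.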

[Figure: Stakeholder communication matrix showing who receives what type of communication, at what cadence, and through which channel during an active incident]

Stakeholder Communication During Active Incidents

During an active incident, multiple stakeholders need updates at different cadences:

Stakeholder | Update Cadence | Channel | Content
IR team | Real-time | War room / dedicated Slack channel | Technical details, task assignments, findings
SOC management | Every 1-2 hours | Slack + email | Status summary, resource needs, escalation decisions
CISO | Every 2-4 hours | Email + phone for critical updates | Business impact, containment status, external notification needs
Legal/Compliance | At key milestones | Email with read receipts | Regulatory triggers, evidence preservation, notification timelines
Executive team | Daily (or as needed) | Email briefing | Business impact summary, recovery timeline, resource requests
Affected business units | At key milestones | Email from management | Operational impact, workarounds, estimated recovery
External (customers, public) | Only when required | Prepared statement via PR | Vetted language approved by legal and communications

Status Update Template

INCIDENT STATUS UPDATE — [Incident ID] — [Date/Time UTC]

Status: ACTIVE / CONTAINED / MONITORING / CLOSED
Severity: CRITICAL / HIGH / MEDIUM / LOW
Last update: [timestamp]

Summary of changes since last update:
- [Bullet point updates]

Current activities:
- [What the team is doing now]

Blockers/needs:
- [Any resource needs or decisions required]

Next update: [scheduled time]

— [Analyst name], [Role]

💡 Write status updates as if the reader missed all previous updates. Each update should be self-contained with enough context to understand the current situation. Stakeholders who missed the last three updates should be able to read the latest one and know exactly where things stand.

Evidence of Due Diligence

In the event of litigation, regulatory inquiry, or insurance claim, your incident reports serve as evidence that your organization responded appropriately. Key elements that demonstrate due diligence:

  • Timely detection: SIEM alerts that show when the incident was first detected
  • Immediate response: TheHive case log showing analyst actions within minutes of detection
  • Structured investigation: Evidence of following a documented playbook
  • Containment actions: Timestamped records of isolation, account disablement, block rules
  • Evidence preservation: Chain of custody documentation for forensic artifacts
  • Stakeholder notification: Records of who was notified and when
  • Remediation: Actions taken to prevent recurrence

Connecting All Course Skills

This lesson — and this entire course — has built toward one outcome: you can handle any SOC alert from first detection through final report. Here is the complete analyst workflow, using every skill from every module:

Module | Skill | Role in the Workflow
1. SOC Foundations | Understand tiers, roles, alert lifecycle | Know your role and when to escalate
2. SIEM Analysis | Read Wazuh alerts, build queries | Detect the incident, extract context
3. Network Detection | Suricata rules, protocol analysis | Identify network-based attacks and C2
4. Alert Triage | True/false positive determination | Make correct triage decisions quickly
5. Threat Intelligence | MISP, IOC enrichment, intel-driven triage | Enrich alerts with campaign context
6. Endpoint Investigation | Velociraptor, process/persistence analysis | Investigate compromised hosts
7. YARA | Malware detection rules | Detect malicious files on endpoints
8. Sigma/Detection Engineering | Write and deploy detection rules | Improve coverage after incidents
9-12. Case Management & IR | TheHive, playbooks, containment, forensics | Manage and execute the response
13. This Module | PIR, reporting, communication | Document, share, and improve

Every incident you handle in your career will use some combination of these skills. The strongest analysts are not the ones who know any single tool the best — they are the ones who can move fluidly between tools and stages, applying the right skill at the right moment.

Key Takeaways

  • Every incident report must contain seven sections: executive summary, technical details, timeline, IOC table, ATT&CK mapping, impact assessment, and recommendations
  • Adapt your communication to the audience: full technical detail for the SOC team, business impact for executives, regulatory implications for legal
  • Defang IOCs in reports (hxxps://, [.]) to prevent accidental activation
  • Know your regulatory obligations before incidents occur — GDPR requires 72-hour notification, HIPAA requires 60-day notification, PCI DSS requires immediate notification with a forensic investigator
  • During active incidents, provide self-contained status updates at appropriate cadence for each stakeholder group
  • Incident reports serve as evidence of due diligence in legal, regulatory, and insurance contexts — document everything with timestamps
  • The complete analyst workflow connects every course module: SIEM detection → intel enrichment → endpoint investigation → triage → containment → reporting → improvement

What's Next

You have completed Module 13 — Incident Response, the final domain-specific module. You can now manage incidents end-to-end: from initial detection through containment, eradication, recovery, post-incident review, and professional reporting.

In Module 14 — Security Automation & SOAR, you will learn to automate the repeatable parts of this workflow using Shuffle. The manual processes you have practiced throughout this course become automated playbooks — receiving alerts, enriching IOCs, creating cases, and notifying analysts without human intervention for routine tasks.

Knowledge Check: Incident Reporting

10 questions · 70% to pass

1. What are the seven essential sections of an incident report?

2. Why should IOCs be 'defanged' in incident reports (e.g., hxxps:// instead of https://)?

3. Under GDPR, how long does an organization have to notify the supervisory authority after becoming aware of a personal data breach?

4. When writing an executive summary for C-suite leadership, what should you focus on?

5. In Lab 13.5, you write a complete incident report for a simulated breach. Which section would contain the ATT&CK technique T1566.001 (Spearphishing Link)?

6. A data breach affects 600 patients at a healthcare organization. Under HIPAA, who must be notified?

7. What is the key principle for writing status updates during an active incident?

8. For a ransomware incident, which additional report section beyond the standard seven is critical?

9. In Lab 13.5, you produce a report that demonstrates 'evidence of due diligence.' Why is this important beyond the immediate incident?

10. The complete analyst workflow connects skills from all course modules. In the correct order, what is the flow from initial detection through final output?