After Action Report

Incident Reference: 123456

Created by: SOC Manager

Report Date: YYYYMMDD

Operational Entity: Local, Regional, Global

Incident Priority: P1, P2, P3, P4

Incident Duration: YYYYMMDD through YYYYMMDD

Incident Description: For example, Backdoor detected on end user laptop.

Identification Time: YYYYMMDD

Physical Location: [Location] City, State, Country

Source of Notification: For example, End user or Operational Entity, Email from end user, Threat detection tool, etc.

Stakeholders Outside the SOC: For example, Operational Entities, IT services, or Risk and Compliance

Incident Summary: A brief explanation of the incident describing what the initial lead was, who responded, and how they responded.

VERIS:Action: Malware, Hacking, Social, Misuse, Physical, Error, Environmental

VERIS:Actor: External, Internal, Partner

VERIS:Actor:Motive: Motive of external, internal, or partner actor

VERIS:Assets:Variety: Windows, Linux, macOS

VERIS:Assets:Ownership: Employee Owned, Company Owned, Third-Party Managed

VERIS:Attributes:Disclosure: Disclosure required yes/no

VERIS:Attributes:Availability: Business impact/loss of availability

Extracted Indicators (IOCs): sample.exe 84C0C5914FF0B825141BA2C6A9E3D6F4

Supporting Details:

Explain any supporting details, such as:

  • Tools, tactics, and procedures used to investigate the incident, or actions taken by the threat actor.
  • For example: during live response, acme.exe was found to have been modified to insert a backdoor that ran in the background.
  • For example: five unique SHA256 hashes were collected and matched known malware on VirusTotal associated with Zeusbot.

Summary of resolution: Insert resolution including outcome, containment, and recovery efforts.

Lessons Learned Summary:

  • Was the incident managed properly?
  • Were policies followed?
  • What improvements could be recommended?
  • Did any processes fail?
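As an added illustration that is not part of the original wiki page, the following Python script parses a report filled in using this template, checks the VERIS fields, priority and dates against the allowed values listed above, and classifies the extracted indicators by hash length so the record can be handed to a ticketing or case-management system as JSON. The sample report, the use of the field labels as keys, and the function names are my own assumptions built from the template; the sample incident is constructed.

```python
import json
import re
from datetime import datetime

# Allowed values copied from the template's own field descriptions.
VERIS_ENUMS = {
    "VERIS:Action": {"Malware", "Hacking", "Social", "Misuse", "Physical", "Error", "Environmental"},
    "VERIS:Actor": {"External", "Internal", "Partner"},
    "VERIS:Assets:Variety": {"Windows", "Linux", "macOS"},
    "VERIS:Assets:Ownership": {"Employee Owned", "Company Owned", "Third-Party Managed"},
}
PRIORITIES = {"P1", "P2", "P3", "P4"}
DATE_FIELDS = ("Report Date", "Identification Time")
IOC_FIELD = "Extracted Indicators (IOCs)"
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}   # classify hashes by hex length
HEX_RE = re.compile(r"[0-9a-fA-F]+")
BULLET = "•"

# Constructed sample report (hypothetical incident); the hash value is the template's own example.
SAMPLE_REPORT = """\
Incident Reference: 123456
Report Date: 20240305
Incident Priority: P2
Incident Duration: 20240301 through 20240303
Incident Description: Backdoor detected on end user laptop.
Identification Time: 20240301
VERIS:Action: Malware
VERIS:Actor: External
VERIS:Assets:Variety: Windows
VERIS:Assets:Ownership: Company Owned
Extracted Indicators (IOCs): sample.exe 84C0C5914FF0B825141BA2C6A9E3D6F4
Supporting Details:
  • acme.exe was modified to insert a backdoor that ran in the background.
  • Five unique SHA256 hashes matched known Zeusbot malware on VirusTotal.
Summary of resolution: Host reimaged and the user's credentials rotated.
"""

def parse_report(text):
    """'Key: value' lines become string fields; a line ending in ':' opens a
    section whose following bullet lines are collected into a list."""
    report, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(BULLET) and section is not None:
            report[section].append(line.lstrip(BULLET).strip())
        elif ": " in line:                      # first ': ' splits key from value, so VERIS:Actor:Motive works
            key, value = line.split(": ", 1)
            report[key.strip()] = value.strip()
            section = None
        elif line.endswith(":"):
            section = line[:-1].strip()
            report[section] = []
    return report

def is_yyyymmdd(value):
    try:
        datetime.strptime(value, "%Y%m%d")
        return True
    except ValueError:
        return False

def validate(report):
    """Return a list of problems; an empty list means the record passes the template's checks."""
    problems = []
    for key, allowed in VERIS_ENUMS.items():
        if report.get(key) not in allowed:
            problems.append(f"{key}: {report.get(key)!r} not in {sorted(allowed)}")
    if report.get("Incident Priority") not in PRIORITIES:
        problems.append("Incident Priority: must be one of P1, P2, P3, P4")
    for key in DATE_FIELDS:
        if not is_yyyymmdd(report.get(key, "")):
            problems.append(f"{key}: expected YYYYMMDD")
    span = report.get("Incident Duration", "").split(" through ")
    if len(span) != 2 or not all(map(is_yyyymmdd, span)) or span[0] > span[1]:
        problems.append("Incident Duration: expected 'YYYYMMDD through YYYYMMDD' with start <= end")
    if not report.get(IOC_FIELD):
        problems.append(f"{IOC_FIELD}: no indicators recorded")
    return problems

def extract_iocs(value):
    """Split the IOC field into hashes (typed by length, lower-cased) and other tokens such as file names."""
    hashes, other = [], []
    for token in value.split():
        if HEX_RE.fullmatch(token) and len(token) in HASH_TYPES:
            hashes.append({"type": HASH_TYPES[len(token)], "value": token.lower()})
        else:
            other.append(token)
    return hashes, other

def to_record(report):
    """Structured record with typed indicators and validation results for export."""
    hashes, other = extract_iocs(report.get(IOC_FIELD, ""))
    return dict(report, indicators={"hashes": hashes, "other": other}, validation_errors=validate(report))

if __name__ == "__main__":
    print(json.dumps(to_record(parse_report(SAMPLE_REPORT)), indent=2, ensure_ascii=False))
```

Running the script prints the sample as JSON with an empty `validation_errors` list; changing `VERIS:Actor` to a value outside the enumeration, or swapping the start and end of `Incident Duration`, makes the corresponding problem appear in that list, which is the check a reviewer would want before the report is filed.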