This report is produced either pre-emptively for an imminent attack or retrospectively for an attack that has already been executed. The template for the report follows; it defines the report's building blocks and gives contextual information for each element.
The title page defines the name of the Threat or the Attack.
Table of Contents
Standard Table of Contents to allow for easy navigation of the report.
Priority Information Requirements Covered
List the information requirements the report is going to cover. A few examples for an executed attack are below:
■ What was the date and time of the attack?
■ What was the attack vector (e.g. social engineering, zero-day, phishing, etc.)?
■ What users were being targeted?
■ What was the time to resolution?
For an imminent attack, the same requirements are phrased in terms of the likely scenario, as follows:
■ What is the likely time of the attack?
■ What is the likely attack vector (e.g. social engineering, zero-day, phishing, etc.)?
■ What users are likely to be targeted?
■ What assets/business units are subject to this threat?
■ What mitigation tactics/strategies apply?
Report/Job Control Number
Report Control #
Date of Report
YYYYMMDD format is used to avoid any ambiguity across regions.
Name (if applicable)
Name(s) of the report's authors, usually the GSOC Manager and the Threat Analyst.
<<On YYYYMMDD, X (X) employees were targeted with a socially engineered (SE) email from (Email Address). Ticket # contains information related to this email incident.
The email contained a subject line of (“enter subject”) and a malicious attachment named (“enter attachment name”).
Threat Analysts have confirmed that none of the targeted users opened the malicious attachment.
or: Threat Analysts have confirmed that X of the targeted users opened the malicious attachment. (Keep whichever of the two statements applies.)>>
<< Add a screenshot of the malicious email, for example. >>
<< Explain threat details, attack scenarios, targets, logic, indicators, etc. >>
Add the related mitigation strategies here, e.g. patches applied, C2s blocked, sender address blocked.
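The template above is easy to fill inconsistently by hand: a PIR gets dropped, the date is written in a regional format, or both versions of the "Threat Analysts have confirmed" sentence are left in. The following is an added example, not part of the original template or of any organisation's tooling, of a small Python builder that holds the report as structured fields, enforces the YYYYMMDD date, selects the PIR set for an executed or imminent attack, reports which PIRs are still unanswered, and generates the email-incident summary with the correct "none of / X of the targeted users" wording. All field names, the sample company, ticket number, sender address and attachment name are constructed for this example.

```python
"""Structured builder for the threat/attack report template (added example)."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List

# Priority Information Requirements from the template, keyed by report mode:
# "executed" = attack already took place, "imminent" = pre-emptive report.
PIR_SETS: Dict[str, List[str]] = {
    "executed": [
        "What was the date and time of the attack?",
        "What was the attack vector (e.g. social engineering, zero-day, phishing, etc.)?",
        "What users were being targeted?",
        "What was the time to resolution?",
    ],
    "imminent": [
        "What is the likely time of the attack?",
        "What is the likely attack vector (e.g. social engineering, zero-day, phishing, etc.)?",
        "What users are likely to be targeted?",
        "What assets/business units are subject to this threat?",
        "What mitigation tactics/strategies apply?",
    ],
}


def validate_report_date(value: str) -> str:
    """Enforce the unambiguous YYYYMMDD form; rejects '2024-01-15' and impossible dates."""
    if len(value) != 8 or not value.isdigit():
        raise ValueError(f"report date must be YYYYMMDD, got {value!r}")
    datetime.strptime(value, "%Y%m%d")  # raises ValueError for e.g. 20241345
    return value


def email_incident_summary(report_date: str, company: str, targeted_count: int,
                           sender: str, ticket: str, subject: str,
                           attachment: str, opened_count: int) -> str:
    """Render the template's summary paragraph, choosing the 'none of' or 'X of' wording."""
    validate_report_date(report_date)
    if not 0 <= opened_count <= targeted_count:
        raise ValueError("opened_count must be between 0 and targeted_count")
    opened = ("none of the targeted users" if opened_count == 0
              else f"{opened_count} of the targeted users")
    return (
        f"On {report_date}, {targeted_count} {company} employees were targeted with a "
        f"socially engineered (SE) email from {sender}. Ticket #{ticket} contains "
        f"information related to this email incident. The email contained a subject "
        f"line of \"{subject}\" and a malicious attachment named \"{attachment}\". "
        f"Threat Analysts have confirmed that {opened} opened the malicious attachment."
    )


@dataclass
class ThreatReport:
    """One report following the template; field names are this example's own."""
    title: str
    mode: str                  # "executed" or "imminent"
    control_number: str
    report_date: str
    authors: List[str]
    summary: str
    threat_details: str
    mitigations: List[str]
    points_of_contact: List[str]
    pir_answers: Dict[str, str] = field(default_factory=dict)

    def __post_init__(self) -> None:
        if self.mode not in PIR_SETS:
            raise ValueError(f"mode must be one of {sorted(PIR_SETS)}, got {self.mode!r}")
        validate_report_date(self.report_date)

    def unanswered_pirs(self) -> List[str]:
        """PIRs for this mode that have no answer yet; empty list means the report is complete."""
        return [q for q in PIR_SETS[self.mode] if not self.pir_answers.get(q)]

    def render(self) -> str:
        """Plain-text report in the template's section order."""
        lines = [self.title, "", "Priority Information Requirements Covered"]
        for q in PIR_SETS[self.mode]:
            lines += [f"- {q}", f"  {self.pir_answers.get(q) or 'UNANSWERED'}"]
        lines += ["", f"Report Control # {self.control_number}",
                  f"Date of Report: {self.report_date}",
                  "Prepared by: " + ", ".join(self.authors),
                  "", "Summary", self.summary, "", "Threat Details", self.threat_details,
                  "", "Mitigation"]
        lines += [f"- {m}" for m in self.mitigations]
        lines += ["", "Points of Contact"] + [f"- {p}" for p in self.points_of_contact]
        return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample data; every value here is made up for the example.
    summary = email_incident_summary("20240115", "ExampleCorp", 12, "sender@example.invalid",
                                     "INC-0001", "Invoice overdue", "invoice.zip", 0)
    report = ThreatReport(
        title="Phishing campaign targeting finance staff", mode="executed",
        control_number="RPT-0001", report_date="20240115",
        authors=["GSOC Manager", "Threat Analyst"], summary=summary,
        threat_details="(explain threat details, attack scenario, targets, indicators)",
        mitigations=["Sender address blocked", "Attachment hash added to email gateway blocklist"],
        points_of_contact=["analyst@example.invalid"],
        pir_answers={PIR_SETS["executed"][0]: "20240115 09:12 UTC"},
    )
    print(report.render())
    print("Unanswered PIRs:", report.unanswered_pirs())
```

Running the module prints the rendered report and lists the PIRs still marked UNANSWERED, which is the check to run before the report is released: an executed-attack report with an empty `unanswered_pirs()` list has covered every question the template asks.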
Points of Contact
Analyst contact information