Post-Incident Lessons Learned Report
Incident Information
| Field | Value |
|---|---|
| Incident ID | |
| Incident Type | |
| Severity | |
| Date Detected | |
| Date Resolved | |
| Review Date | |
| Facilitator | |
Incident Summary
[Brief factual description of the incident]
Response Metrics
| Metric | Value | Target | Met Target |
|---|---|---|---|
| Dwell Time | | < 24 hours | Yes/No |
| MTTD (Detection to Triage) | | < 15 min | Yes/No |
| MTTC (Detection to Containment) | | < 4 hours | Yes/No |
| Eradication Duration | | < 24 hours | Yes/No |
| MTTR (Eradication to Recovery) | | < 48 hours | Yes/No |
| Total Incident Duration | | < 7 days | Yes/No |
Timeline
| Date/Time (UTC) | Event | Actor |
|---|---|---|
| | Initial compromise (estimated) | Threat actor |
| | First alert generated | SIEM/EDR |
| | Triage completed | SOC analyst |
| | Incident declared | IR lead |
| | Containment achieved | IR team |
| | Eradication completed | IR team |
| | Recovery completed | IT ops |
| | Incident closed | IR lead |
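The Response Metrics table above is derived directly from the Timeline table: each metric is the interval between two timeline events, compared against the target. The following added example (not part of the original template) computes those intervals from a constructed sample timeline and fills in the Value and Met Target columns; it also flags a missing event or an end time recorded before its start as "Unknown" rather than reporting a negative duration. The pairing of start and end events for Dwell Time, Eradication Duration and Total Incident Duration is an assumption and should be adjusted to local definitions.

```python
from datetime import datetime, timedelta

# Constructed sample timeline (UTC, ISO 8601), keyed by the Timeline table's event names.
SAMPLE_TIMELINE = {
    "Initial compromise (estimated)": "2024-03-01T02:10:00",
    "First alert generated": "2024-03-01T16:40:00",
    "Triage completed": "2024-03-01T16:52:00",
    "Incident declared": "2024-03-01T17:05:00",
    "Containment achieved": "2024-03-01T21:30:00",
    "Eradication completed": "2024-03-02T15:00:00",
    "Recovery completed": "2024-03-04T09:00:00",
    "Incident closed": "2024-03-06T12:00:00",
}

# (metric, start event, end event, target). Targets come from the Response Metrics table;
# the start/end event pairing is an assumption, not a definition given by the template.
METRICS = [
    ("Dwell Time", "Initial compromise (estimated)", "First alert generated", timedelta(hours=24)),
    ("MTTD (Detection to Triage)", "First alert generated", "Triage completed", timedelta(minutes=15)),
    ("MTTC (Detection to Containment)", "First alert generated", "Containment achieved", timedelta(hours=4)),
    ("Eradication Duration", "Containment achieved", "Eradication completed", timedelta(hours=24)),
    ("MTTR (Eradication to Recovery)", "Eradication completed", "Recovery completed", timedelta(hours=48)),
    ("Total Incident Duration", "Initial compromise (estimated)", "Incident closed", timedelta(days=7)),
]


def compute_metrics(timeline):
    """Return {metric: (elapsed, target, met)}; met is None when an event is missing or out of order."""
    results = {}
    for name, start, end, target in METRICS:
        if start not in timeline or end not in timeline:
            results[name] = (None, target, None)  # timeline incomplete: cannot compute
            continue
        elapsed = datetime.fromisoformat(timeline[end]) - datetime.fromisoformat(timeline[start])
        if elapsed < timedelta(0):
            results[name] = (elapsed, target, None)  # end before start: data-entry error, flag it
            continue
        results[name] = (elapsed, target, elapsed < target)
    return results


def metrics_table(timeline):
    """Render the Response Metrics table with Value and Met Target filled in."""
    rows = ["| Metric | Value | Target | Met Target |", "|---|---|---|---|"]
    for name, (elapsed, target, met) in compute_metrics(timeline).items():
        value = "N/A" if elapsed is None else str(elapsed)
        flag = "Unknown" if met is None else ("Yes" if met else "No")
        rows.append(f"| {name} | {value} | < {target} | {flag} |")
    return "\n".join(rows)


if __name__ == "__main__":
    print(metrics_table(SAMPLE_TIMELINE))
```

With the sample data, MTTC (4 h 50 min) misses its 4-hour target while the other five metrics are met.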
What Worked Well
What Needs Improvement
Root Cause Analysis (5 Whys)
| Level | Question | Answer |
|---|---|---|
| Why 1 | | |
| Why 2 | | |
| Why 3 | | |
| Why 4 | | |
| Why 5 | | |
Root Cause: [Summary]
Action Items
| ID | Action | Owner | Priority | Deadline | Category | Status |
|---|---|---|---|---|---|---|
| 1 | | | High/Med/Low | | Process/Tech/People | Open |
| 2 | | | | | | |
| 3 | | | | | | |
Playbook Updates Required
| Playbook | Change Description | Owner | Deadline |
|---|---|---|---|
| | | | |
Detection Improvements
| Rule Name | Description | MITRE Technique | Priority |
|---|---|---|---|
| | | | |
Participants
| Name | Role | Present |
|---|---|---|
| | Incident Commander | Yes/No |
| | SOC Analyst | Yes/No |
| | IR Lead | Yes/No |
| | CISO | Yes/No |
Meeting Notes
[Key discussion points and decisions]
Approval
| Role | Name | Date |
|---|---|---|
| IR Lead | | |
| CISO | | |