mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-17 05:05:16 +03:00
93 lines
2.1 KiB
Markdown
93 lines
2.1 KiB
Markdown
# Post-Incident Lessons Learned Report
|
|
|
|
## Incident Information
|
|
| Field | Value |
|
|
|-------|-------|
|
|
| Incident ID | |
|
|
| Incident Type | |
|
|
| Severity | |
|
|
| Date Detected | |
|
|
| Date Resolved | |
|
|
| Review Date | |
|
|
| Facilitator | |
|
|
|
|
## Incident Summary
|
|
[Brief factual description of the incident]
|
|
|
|
## Response Metrics
|
|
| Metric | Value | Target | Met Target |
|
|
|--------|-------|--------|------------|
|
|
| Dwell Time | | < 24 hours | Yes/No |
|
|
| MTTD (Detection to Triage) | | < 15 min | Yes/No |
|
|
| MTTC (Detection to Containment) | | < 4 hours | Yes/No |
|
|
| Eradication Duration | | < 24 hours | Yes/No |
|
|
| MTTR (Eradication to Recovery) | | < 48 hours | Yes/No |
|
|
| Total Incident Duration | | < 7 days | Yes/No |
|
|
|
|
## Timeline
|
|
| Date/Time (UTC) | Event | Actor |
|
|
|-----------------|-------|-------|
|
|
| | Initial compromise (estimated) | Threat actor |
|
|
| | First alert generated | SIEM/EDR |
|
|
| | Triage completed | SOC analyst |
|
|
| | Incident declared | IR lead |
|
|
| | Containment achieved | IR team |
|
|
| | Eradication completed | IR team |
|
|
| | Recovery completed | IT ops |
|
|
| | Incident closed | IR lead |
|
|
|
|
## What Worked Well
|
|
-
|
|
-
|
|
-
|
|
|
|
## What Needs Improvement
|
|
-
|
|
-
|
|
-
|
|
|
|
## Root Cause Analysis (5 Whys)
|
|
| Level | Question | Answer |
|
|
|-------|----------|--------|
|
|
| Why 1 | | |
|
|
| Why 2 | | |
|
|
| Why 3 | | |
|
|
| Why 4 | | |
|
|
| Why 5 | | |
|
|
|
|
**Root Cause:** [Summary]
|
|
|
|
## Action Items
|
|
| ID | Action | Owner | Priority | Deadline | Category | Status |
|
|
|----|--------|-------|----------|----------|----------|--------|
|
|
| 1 | | | High/Med/Low | | Process/Tech/People | Open |
|
|
| 2 | | | | | | |
|
|
| 3 | | | | | | |
|
|
|
|
## Playbook Updates Required
|
|
| Playbook | Change Description | Owner | Deadline |
|
|
|----------|--------------------|-------|----------|
|
|
| | | | |
|
|
|
|
## Detection Improvements
|
|
| Rule Name | Description | MITRE Technique | Priority |
|
|
|-----------|-------------|-----------------|----------|
|
|
| | | | |
|
|
|
|
## Participants
|
|
| Name | Role | Present |
|
|
|------|------|---------|
|
|
| | Incident Commander | Yes/No |
|
|
| | SOC Analyst | Yes/No |
|
|
| | IR Lead | Yes/No |
|
|
| | CISO | Yes/No |
|
|
|
|
## Meeting Notes
|
|
[Key discussion points and decisions]
|
|
|
|
## Approval
|
|
| Role | Name | Date |
|
|
|------|------|------|
|
|
| IR Lead | | |
|
|
| CISO | | |
|