Documentation templates

Why standardized templates

Benefits

  • Reduce cognitive load during high-pressure investigations
  • Ensure comprehensive capture of required information
  • Enable consistent classification and categorization
  • Support automated data extraction for metrics and reporting
  • Facilitate knowledge transfer between team members
  • Accelerate review and approval processes
  • Maintain compliance with regulatory requirements

Implementation best practices

  • Integrate templates directly into case management systems
  • Include both required and optional fields with clear guidance
  • Provide dropdown menus for consistent categorization
  • Implement field validation to ensure data quality
  • Create specialized variants for different event types
  • Include examples of properly completed documentation
  • Design for both operational and compliance needs

The alert reporting template

A well-designed alert report template captures all essential details consistently to support rapid understanding, event correlation, and knowledge reuse. Each report includes the following core fields.

Event title and identifier
Concise yet descriptive. Pairs with a unique identifier (e.g., INC-YYYYMMDD-NNN) for chronological tracking and cross-referencing.
Detection timestamp and source
Standardized UTC timestamp with optional local time. Detection source specifies the tool or control (EDR, SIEM, CSPM) responsible for generating the alert.
Activity summary
Describes the observable behavior that triggered the alert. Balances technical clarity with readability, highlighting specific indicators and anomalies.
Initial triage outcome
Early classification: true positive, false positive, or inconclusive, with concise justification grounded in observable behaviors and detection logic.
Affected systems
Endpoints, accounts, infrastructure elements involved, with business context (function, criticality, ownership).
Actions taken
Investigative or containment steps with timestamps and outcomes. Telemetry reviews, process analysis, network validation, remediation.
Escalation decision and final disposition
Whether the alert warranted escalation, to whom, and why. Final disposition: benign, confirmed malicious, or merged with a broader incident.
Worked example: the Cursor IDE alert report

A completed alert report for the macOS / Cursor IDE false-positive case, in the standardized format:

Event title and ID
Empire-like behavior on developer workstation, INC-20241104-001
Detection date/time
2024-11-04T15:27:33Z
Detection source
CrowdStrike EDR
Activity summary
EDR flagged execution of the "Cursor Helper (Plugin)" binary due to behavioral traits associated with Empire post-exploitation frameworks.
Initial triage outcome
Behavioral heuristics triggered on execution via helper binaries with sandbox evasion flags, manipulated debugger ports, TLS-encrypted high-entropy traffic, and elevated Node.js subprocesses. Matches known Empire indicators but requires contextual validation.
Affected systems
Single developer workstation, source of the alert.
Actions taken
Reviewed CrowdStrike telemetry: execution patterns and network behavior aligned with expected developer activity. Traffic normal in volume / frequency, used standard ports / protocols, no signs of exfiltration, beaconing, or tunneling.
Escalation decision
Flagged behavior appears to be benign development activity triggering a heuristic rule. No escalation required.
Final disposition
False-positive. Activity deemed non-malicious and consistent with developer workflows.

The same template, filled differently for the finance-team phishing case, would have produced a P1 escalation record with confirmed malicious classification.
Timeline and action tracking

Maintaining an accurate, timestamped timeline is fundamental to effective documentation. The timeline provides a sequential record of activities, decisions, and communications, supporting retrospective analysis and accountability.

Each timeline entry should contain five components.

1. Timestamp
   The exact time the action occurred, using UTC for consistency across geographies. Both date and time for extended incidents.
2. Actor
   Entity performing the action: human (analyst, engineer with name and role) or automated system (SOAR, EDR, IAM platform).
3. Action taken
   Brief but descriptive: "isolated host via EDR," "blocked IP in firewall," "added hash to denylist." Concrete and specific.
4. Rationale
   Reasoning behind the action, especially for discretionary steps. Documents the decision-making process and justification.
5. Outcome / result
   Observed effect: successful containment, error encountered, lack of expected response. Captures actual vs. intended.
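As an added example (not part of the original course material), the following Python validator enforces the alert report template and the five-component timeline the way a case management system's field validation might: the INC-YYYYMMDD-NNN identifier agreeing with the detection date, explicit UTC timestamps, the controlled vocabularies behind the triage and disposition dropdowns, and timeline entries that are complete and chronological. The field names and vocabulary values are assumptions chosen for this example.

```python
import re
from datetime import datetime, timezone

# Template schema (constructed): required fields, timeline components, dropdown values.
REQUIRED = ("event_id", "title", "detected_at", "source", "summary",
            "triage", "affected", "actions", "escalation", "disposition")
TIMELINE_COMPONENTS = ("timestamp", "actor", "action", "rationale", "outcome")
TRIAGE_OUTCOMES = {"true positive", "false positive", "inconclusive"}
DISPOSITIONS = {"benign", "confirmed malicious", "merged with broader incident"}
ID_PATTERN = re.compile(r"^INC-(\d{8})-\d{3}$")  # INC-YYYYMMDD-NNN

def parse_utc(ts: str) -> datetime:
    """Accept only an explicit UTC timestamp ending in Z, as the template requires."""
    if not ts.endswith("Z"):
        raise ValueError(f"timestamp must be UTC with trailing Z: {ts}")
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate(report: dict) -> list:
    """Return field-level problems for one report; an empty list means it passes."""
    problems = [f"missing or empty field: {k}" for k in REQUIRED if not report.get(k)]
    detected = None
    m = ID_PATTERN.match(report.get("event_id", ""))
    if not m:
        problems.append("event_id must match INC-YYYYMMDD-NNN")
    try:
        detected = parse_utc(report.get("detected_at", ""))
        if m and m.group(1) != detected.strftime("%Y%m%d"):
            problems.append("event_id date disagrees with detection timestamp")
    except ValueError as exc:
        problems.append(str(exc))
    if report.get("triage") not in TRIAGE_OUTCOMES:
        problems.append("triage outcome not in controlled vocabulary")
    if report.get("disposition") not in DISPOSITIONS:
        problems.append("final disposition not in controlled vocabulary")
    prev = detected  # timeline entries must be complete and in chronological order
    for i, entry in enumerate(report.get("actions", [])):
        missing = [c for c in TIMELINE_COMPONENTS if not entry.get(c)]
        if missing:
            problems.append(f"actions[{i}] missing {missing}")
            continue
        try:
            t = parse_utc(entry["timestamp"])
        except ValueError as exc:
            problems.append(f"actions[{i}]: {exc}")
            continue
        if prev and t < prev:
            problems.append(f"actions[{i}] is out of chronological order")
        prev = t
    return problems
```

Running `validate` on a record exported from the case system before it is closed turns the template's guidance into a hard gate, which is what makes the later metrics extraction trustworthy.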
