# Reporting Templates & Guidelines
This file outlines standard formats and required elements for common reports generated during security operations.
## General Report Metadata Requirements
- **Runbook Reference:** All reports generated via runbook execution must clearly state which runbook was used at the beginning of the report. Example: `**Runbook Used:** Alert Investigation Summary Report Runbook`
- **Timestamp:** Include a generation timestamp in a consistent format (e.g., YYYY-MM-DD HH:MM Timezone).
- **Case ID:** Reference the relevant SOAR Case ID(s).
- **Workflow Diagram:** Include a Mermaid sequence diagram from the executed runbook, showing the actual MCP Servers and Tools used.
## Common Report Types
### Daily SOC Summary
**Purpose:** Provide a comprehensive overview of security operations for a 24-hour period to enable shift handover and management visibility.
**Required Sections:**
````markdown
# Daily SOC Summary Report
**Runbook Used:** Daily SOC Summary Report Runbook
**Date:** YYYY-MM-DD
**Shift:** [Day/Evening/Night]
**Generated:** YYYY-MM-DD HH:MM UTC
**Case ID:** N/A (Operational Report)
## Executive Summary
[2-3 sentence overview of the day's security posture and key events]
## Key Metrics
- **Total Alerts:** [number]
- **Alerts Investigated:** [number]
- **Cases Created:** [number]
- **Cases Closed:** [number]
- **Critical/High Severity Incidents:** [number]
- **False Positives:** [number]
- **Mean Time to Detection (MTTD):** [time]
- **Mean Time to Response (MTTR):** [time]
## Notable Events
### Critical/High Severity Incidents
- [Brief description of each critical incident with Case ID]
### Significant Security Events
- [Notable events that didn't rise to incident level but warrant attention]
## Alert Breakdown by Category
| Alert Type | Count | Investigated | False Positives | Notes |
|------------|-------|--------------|-----------------|-------|
| Malware Detection | X | Y | Z | |
| Network Anomaly | X | Y | Z | |
| User Behavior | X | Y | Z | |
| Failed Logins | X | Y | Z | |
## Ongoing Investigations
- **Case ID:** Brief description and current status
- **Case ID:** Brief description and current status
## Infrastructure Status
- **SIEM Health:** [Operational/Degraded/Down]
- **EDR Coverage:** [X% of endpoints reporting]
- **Network Monitoring:** [Status]
- **Threat Intelligence Feeds:** [Status]
## Shift Handover Notes
### Priority Items for Next Shift
1. [High priority item requiring follow-up]
2. [Second priority item]
### Pending Actions
- [Action item with assigned owner and deadline]
### Known Issues/Planned Maintenance
- [Any ongoing technical issues or planned maintenance]
## Workflow Diagram
```{mermaid}
sequenceDiagram
participant Analyst
participant SIEM as secops-mcp
participant SOAR as soar-mcp
participant TI as gti-mcp
Analyst->>SIEM: search_security_events("alert metrics last 24 hours", hours_back=24)
SIEM-->>Analyst: Alert counts and response times
Analyst->>SOAR: get_case_statistics(time_range="24h")
SOAR-->>Analyst: Case creation/closure data
Analyst->>TI: get_threat_landscape_summary(timeframe="daily")
TI-->>Analyst: Current threat trends
Analyst->>Analyst: Generate daily summary report
```
**Report Generated By:** [AI Agent/Analyst Name]
**Next Report Due:** [Timestamp]
````
---
### Post-Incident Report
**Purpose:** Document incident details, impact, response actions, and lessons learned for compliance, process improvement, and knowledge sharing.
**Required Sections:**
````markdown
# Post-Incident Report
**Runbook Used:** Post-Incident Analysis Report Runbook
**Incident ID:** [CASE-ID]
**Generated:** YYYY-MM-DD HH:MM UTC
**Report Version:** 1.0
## Executive Summary
[2-3 paragraph summary suitable for management, including incident type, impact, resolution, and key lessons]
## Incident Classification
- **Incident Type:** [Malware, Data Breach, DDoS, Insider Threat, etc.]
- **Severity:** [Critical/High/Medium/Low]
- **MITRE ATT&CK TTPs:** [T1234.001, T5678.002]
- **Affected Systems:** [Number and types of systems]
- **Data Involved:** [Yes/No, if yes specify type and estimated volume]
## Incident Timeline
| Time (UTC) | Event | Source | Actions Taken |
|------------|-------|--------|---------------|
| YYYY-MM-DD HH:MM | Initial detection | [Alert source] | Alert triaged |
| YYYY-MM-DD HH:MM | Incident declared | SOC Analyst | Escalated to IR team |
| YYYY-MM-DD HH:MM | Containment initiated | IR Team | Systems isolated |
| YYYY-MM-DD HH:MM | Threat eradicated | IR Team | Malware removed |
| YYYY-MM-DD HH:MM | Systems restored | IT Team | Services back online |
| YYYY-MM-DD HH:MM | Incident closed | IR Manager | Final validation |
## Technical Details
### Initial Vector
[How the attack began - phishing email, vulnerability exploitation, etc.]
### Attack Progression
[Step-by-step description of how the attack unfolded]
### Indicators of Compromise (IOCs)
- **IP Addresses:** [list]
- **Domain Names:** [list]
- **File Hashes:** [list]
- **File Paths:** [list]
- **Registry Keys:** [list]
### Affected Assets
| Asset | Type | Impact | Recovery Status |
|-------|------|--------|-----------------|
| [hostname] | [Server/Workstation] | [Description] | [Restored/In Progress] |
## Impact Assessment
### Business Impact
- **Downtime:** [Duration]
- **Affected Users:** [Number]
- **Lost Revenue:** [Estimate if applicable]
- **Data Compromised:** [Yes/No, details]
### Technical Impact
- **Systems Compromised:** [Count and details]
- **Data Integrity:** [Affected/Intact]
- **Service Availability:** [Impact level]
## Response Actions Taken
### Immediate Response (0-4 hours)
- [Action taken with timestamp]
- [Action taken with timestamp]
### Short-term Response (4-24 hours)
- [Action taken with timestamp]
- [Action taken with timestamp]
### Long-term Response (24+ hours)
- [Action taken with timestamp]
- [Action taken with timestamp]
## Root Cause Analysis
### Primary Cause
[Main factor that enabled the incident]
### Contributing Factors
1. [Factor 1 - e.g., missing patches]
2. [Factor 2 - e.g., insufficient monitoring]
3. [Factor 3 - e.g., user training gaps]
## Lessons Learned
### What Worked Well
- [Positive aspect of response]
- [Effective control or procedure]
### Areas for Improvement
- [Identified weakness]
- [Process gap or delay]
## Recommendations
### Immediate Actions (0-30 days)
1. [High-priority recommendation with owner and due date]
2. [Second immediate action]
### Short-term Actions (30-90 days)
1. [Medium-priority recommendation]
2. [Process improvement]
### Long-term Actions (90+ days)
1. [Strategic improvement]
2. [Technology investment]
## Compliance and Legal Considerations
- **Regulatory Requirements:** [GDPR, HIPAA, PCI-DSS notifications required]
- **Law Enforcement:** [Contacted/Not Required]
- **Customer Notification:** [Required/Completed/Not Required]
## Workflow Diagram
```{mermaid}
sequenceDiagram
participant SOC as SOC Analyst
participant SIEM as secops-mcp
participant TI as gti-mcp
participant SOAR as soar-mcp
participant IR as IR Team
participant IT as IT Team
SOC->>SIEM: search_security_events("incident IOCs", hours_back=168)
SIEM-->>SOC: Attack timeline data
SOC->>TI: lookup_ioc(hash="malware_hash")
TI-->>SOC: Threat intelligence context
SOC->>SOAR: create_case(title="Security Incident", severity="high")
SOAR-->>SOC: Case ID created
SOC->>IR: Incident escalation
IR->>SIEM: search_security_events("lateral movement indicators")
SIEM-->>IR: Scope assessment data
IR->>IT: Containment coordination
IT-->>IR: Systems isolated
IR->>SOAR: update_case(case_id, status="contained")
IR->>IR: Post-incident analysis
```
**Report Prepared By:** [Name]
**Reviewed By:** [IR Manager]
**Approved By:** [CISO/Security Manager]
**Distribution:** [List of recipients]
````
---
### Threat Hunt Summary Report
**Purpose:** Document proactive threat hunting activities, methodologies, findings, and recommendations for ongoing security improvement.
**Required Sections:**
````markdown
# Threat Hunt Summary Report
**Runbook Used:** Proactive Threat Hunt Report Runbook
**Hunt ID:** [HUNT-YYYY-MM-DD-###]
**Generated:** YYYY-MM-DD HH:MM UTC
**Hunt Duration:** [Start Date] to [End Date]
## Executive Summary
[Brief overview of hunt objectives, key findings, and strategic impact]
## Hunt Details
### Hunt Hypothesis
**Primary Hypothesis:** [Clear statement of what you were hunting for]
**Secondary Hypotheses:** [Additional areas explored]
### Hunt Trigger
- [x] Threat Intelligence Report
- [ ] Incident Response Follow-up
- [ ] Behavioral Analytics Alert
- [ ] Scheduled Recurring Hunt
- [ ] Other: [Specify]
### Scope and Timeframe
- **Data Sources:** [SIEM, EDR, Network Logs, etc.]
- **Time Range:** [YYYY-MM-DD to YYYY-MM-DD]
- **Assets in Scope:** [Network segments, user groups, systems]
- **Data Volume:** [Approximate GB/TB of data analyzed]
## Methodology
### Hunting Techniques Used
- [x] Indicator-based hunting (IOCs)
- [x] Behavioral analytics
- [ ] Machine learning anomaly detection
- [x] Threat intelligence correlation
- [ ] Other: [Specify]
### Tools and Queries
| Tool | Query/Technique | Purpose |
|------|-----------------|---------|
| secops-mcp | search_security_events("powershell encodedcommand", hours_back=168) | Detect obfuscated PowerShell |
| secops-mcp | search_security_events("outbound connections unusual ports", hours_back=72) | Unusual external connections |
| gti-mcp | lookup_ioc(hash="suspicious_hash") | Threat intelligence correlation |
## Findings
### Positive Findings (Confirmed Threats)
#### Finding 1: [Threat Type]
- **Severity:** [Critical/High/Medium/Low]
- **Description:** [Detailed description]
- **Affected Assets:** [List of compromised systems]
- **IOCs Identified:**
  - IP Addresses: [list]
  - Domains: [list]
  - File Hashes: [list]
- **MITRE ATT&CK TTPs:** [T1234.001, T5678.002]
- **Actions Taken:** [Immediate response actions]
#### Finding 2: [If applicable]
[Same format as Finding 1]
### Suspicious Activity (Requires Further Investigation)
- **Description:** [Activity that warrants follow-up]
- **Risk Level:** [Assessment of potential threat]
- **Recommended Actions:** [Next steps for investigation]
### Negative Findings (No Threats Detected)
- **Hypothesis Tested:** [What was searched for]
- **Confidence Level:** [High/Medium/Low confidence in negative result]
- **Coverage Assessment:** [How thoroughly the environment was searched]
## Enrichment and Context
### Threat Intelligence Correlation
- **Relevant CTI:** [Threat actor groups, campaigns, or TTPs matched]
- **IOC Overlap:** [Percentage of hunt IOCs found in environment]
- **Timeline Correlation:** [Relationship to known threat activity]
### Environmental Context
- **Baseline Behavior:** [How findings compare to normal operations]
- **Asset Criticality:** [Business impact of affected systems]
- **Historical Activity:** [Similar activity observed previously]
## Statistical Summary
| Metric | Value |
|--------|-------|
| Total Events Analyzed | [number] |
| Alerts Generated | [number] |
| False Positives | [number] |
| Confirmed Threats | [number] |
| Mean Time to Hunt (MTTH) | [hours] |
| Data Sources Queried | [number] |
## Recommendations
### Immediate Actions (0-7 days)
1. [Urgent recommendation with owner]
2. [Second immediate action]
### Short-term Improvements (7-30 days)
1. [Process or detection improvement]
2. [Tool enhancement]
### Long-term Strategic Actions (30+ days)
1. [Capability development]
2. [Architecture improvement]
### Detection Engineering
- **New Detection Rules:** [Recommendations for permanent monitoring]
- **Hunt Automation:** [Opportunities to automate this hunt]
- **Data Source Gaps:** [Additional visibility needed]
## Hunt Effectiveness Assessment
### Strengths
- [Effective techniques or tools]
- [Successful methodologies]
### Areas for Improvement
- [Gaps in coverage or technique]
- [Tool limitations encountered]
### Lessons Learned
- [Key insights for future hunts]
- [Process improvements identified]
## Workflow Diagram
```{mermaid}
sequenceDiagram
participant Hunter as Threat Hunter
participant TI as gti-mcp
participant SIEM as secops-mcp
participant EDR as edr-mcp
participant SOAR as soar-mcp
Hunter->>TI: get_campaign_iocs(campaign_id="apt29_recent")
TI-->>Hunter: IOCs and TTPs for hunting
Hunter->>SIEM: search_security_events("campaign IOCs", hours_back=168)
SIEM-->>Hunter: Matching security events
Hunter->>EDR: query_endpoint_data(hostname="suspicious_host")
EDR-->>Hunter: Process and file execution details
Hunter->>TI: lookup_ioc(hash="discovered_hash")
TI-->>Hunter: Threat intelligence context
Hunter->>SOAR: create_case(title="Threat Hunt Finding", severity="medium")
SOAR-->>Hunter: Case created for tracking
```
**Hunt Lead:** [Name]
**Contributors:** [Team members]
**Review Status:** [Peer Reviewed/Manager Approved]
**Next Scheduled Hunt:** [Date/Recurring Schedule]
````
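The Findings, IOC Overlap and Statistical Summary fields above are produced by matching the hunt's IOC set against the events the SIEM returns. The following is an added example of that matching step, written for this page and not code from the templates or from the MCP servers they name. The IOC values, hostnames and log lines are constructed; the key=value event format is an assumption, as is the rule that only well-formed indicators (valid IPv4, domain, SHA-256) are compared, so a mangled field can never count as a hit.

```python
import re
from collections import defaultdict

HASH_A, HASH_B, HASH_C = "a" * 64, "b" * 64, "c" * 64

# Constructed campaign IOC set, keyed by indicator type (what a campaign lookup might return).
HUNT_IOCS = {
    "ip": {"198.51.100.23", "203.0.113.77"},
    "domain": {"update-cdn.example.net", "telemetry.example.org"},
    "sha256": {HASH_A, HASH_B, HASH_C},
}

# Constructed SIEM events, one per line: an ISO timestamp followed by key=value pairs.
SAMPLE_LOG = "\n".join([
    f"2024-05-01T09:12:03Z host=ws-0142 proc=powershell.exe dst=198.51.100.23 sha256={HASH_A}",
    "2024-05-01T09:12:41Z host=ws-0142 dns=update-cdn.example.net",
    f"2024-05-01T10:02:10Z host=srv-db-01 proc=sqlservr.exe dst=10.0.4.15 sha256={HASH_B}",
    "2024-05-01T11:45:09Z host=ws-0210 dns=intranet.corp.example",
    "2024-05-02T08:30:00Z host=ws-0142 dst=203.0.113.77",
])

# Format checks so that a malformed field never produces a spurious match.
IPV4_RE = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.I)
SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.I)

# Which event field carries which indicator type, and the validator for it.
FIELD_TYPES = {"dst": ("ip", IPV4_RE), "dns": ("domain", DOMAIN_RE), "sha256": ("sha256", SHA256_RE)}


def parse_event(line):
    """Split 'TIMESTAMP k=v k=v ...' into a dict; the timestamp is stored under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = {"ts": ts}
    for token in rest.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def event_indicators(event):
    """Yield (type, value) for every well-formed indicator field in the event."""
    for field, (ioc_type, pattern) in FIELD_TYPES.items():
        value = event.get(field)
        if value and pattern.match(value):
            yield ioc_type, value.lower()


def run_hunt(iocs, log_text):
    """Match the IOC set against every event and return the hunt's summary figures."""
    matches = []                    # (ts, host, ioc_type, value)
    hosts = defaultdict(set)        # host -> IOC values seen on it
    seen_iocs = set()               # distinct (type, value) pairs that produced a hit
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    for ev in events:
        host = ev.get("host", "?")
        for ioc_type, value in event_indicators(ev):
            if value in iocs.get(ioc_type, ()):
                matches.append((ev["ts"], host, ioc_type, value))
                hosts[host].add(value)
                seen_iocs.add((ioc_type, value))
    total_iocs = sum(len(v) for v in iocs.values())
    return {
        "events_analyzed": len(events),
        "events_with_hits": len({(m[0], m[1]) for m in matches}),
        "matches": matches,
        "affected_assets": sorted(hosts),
        "iocs_per_asset": {h: sorted(v) for h, v in hosts.items()},
        # The template's "IOC Overlap": share of hunt IOCs observed in the environment.
        "ioc_overlap_pct": round(100 * len(seen_iocs) / total_iocs, 1) if total_iocs else 0.0,
    }


if __name__ == "__main__":
    r = run_hunt(HUNT_IOCS, SAMPLE_LOG)
    print(f"Total Events Analyzed: {r['events_analyzed']}")
    print(f"Events with IOC hits: {r['events_with_hits']}")
    print(f"IOC Overlap: {r['ioc_overlap_pct']}%")
    for host, found in r["iocs_per_asset"].items():
        print(f"Affected Asset {host}: {', '.join(found)}")
```

The host with a hash hit but no network IOC (srv-db-01 in the constructed data) is exactly the kind of result that belongs under "Suspicious Activity (Requires Further Investigation)" rather than "Confirmed Threats" until the endpoint data is reviewed; the overlap percentage on its own does not decide that.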
---
### Vulnerability Triage Report
**Purpose:** Provide comprehensive analysis of vulnerabilities to support prioritization and remediation decisions.
**Required Sections:**
````markdown
# Vulnerability Triage Report
**Runbook Used:** Vulnerability Assessment and Triage Runbook
**Vulnerability ID:** [VULN-YYYY-MM-DD-###]
**Generated:** YYYY-MM-DD HH:MM UTC
**Case ID:** [Associated SOAR case if applicable]
## Executive Summary
[Brief overview of vulnerability, risk level, and recommended actions]
## Vulnerability Details
### Basic Information
- **CVE ID:** [CVE-YYYY-#####]
- **CVSS Score:** [Score] ([Vector String])
- **Severity:** [Critical/High/Medium/Low]
- **Discovery Date:** [YYYY-MM-DD]
- **Disclosure Date:** [YYYY-MM-DD]
- **Patch Available:** [Yes/No - Date Available]
### Vulnerability Description
[Detailed technical description of the vulnerability]
### Affected Technology
- **Vendor:** [Software/Hardware vendor]
- **Product:** [Specific product name]
- **Versions Affected:** [Version ranges]
- **Component:** [Specific component if applicable]
## Environmental Impact Assessment
### Asset Inventory
| Asset ID | Hostname | IP Address | Version | Exposure | Business Criticality |
|----------|----------|------------|---------|----------|---------------------|
| [ID] | [name] | [IP] | [version] | [Internal/DMZ/External] | [Critical/High/Medium/Low] |
### Exposure Analysis
- **Total Assets Affected:** [number]
- **Internet-Facing Assets:** [number]
- **Critical Business Systems:** [number]
- **Network Segmentation:** [Impact on spread]
### Attack Vector Assessment
- **Network Access Required:** [Local/Adjacent/Network/Internet]
- **Authentication Required:** [None/Single/Multiple]
- **User Interaction:** [Required/Not Required]
- **Attack Complexity:** [Low/High]
## Threat Intelligence Context
### GTI Analysis
- **Active Exploitation:** [Yes/No - Evidence]
- **Exploit Availability:** [Public/Private/PoC Available]
- **Threat Actor Interest:** [High/Medium/Low]
- **Campaign Association:** [Known threat campaigns using this CVE]
### SIEM Correlation
- **Query Used:** [SIEM query to check for exploitation attempts]
- **Results:** [Summary of findings]
- **Indicators Detected:** [List any IOCs found]
### Threat Actor Mapping
- **Known Actors:** [Threat groups known to exploit this vulnerability]
- **TTPs:** [MITRE ATT&CK techniques associated]
- **Timeline:** [Historical exploitation patterns]
## Risk Assessment
### Exploitability Factors
- **Exploit Maturity:** [Functional/PoC/Unproven]
- **Required Privileges:** [High/Low]
- **Attack Vector:** [Network/Physical/Local]
- **Complexity:** [Low/High]
### Business Impact Analysis
- **Confidentiality Impact:** [High/Medium/Low/None]
- **Integrity Impact:** [High/Medium/Low/None]
- **Availability Impact:** [High/Medium/Low/None]
- **Financial Impact:** [Estimated cost of exploitation]
### Environmental Risk Score
- **Calculated Risk:** [Score methodology]
- **Base CVSS:** [score]
- **Environmental multiplier:** [factor]
- **Final Risk Score:** [calculated score]
## Remediation Analysis
### Available Mitigations
#### Primary Remediation
- **Action:** [Patch/Upgrade/Configuration change]
- **Vendor Solution:** [Link to vendor advisory]
- **Implementation Complexity:** [Low/Medium/High]
- **Estimated Downtime:** [Duration]
#### Temporary Mitigations
- **Workaround:** [Description]
- **Effectiveness:** [High/Medium/Low]
- **Impact on Operations:** [Description]
- **Compensating Controls:** [Description]
- **Implementation Time:** [Duration]
- **Coverage:** [Partial/Full]
### Remediation Timeline
| Phase | Action | Owner | Target Date | Dependencies |
|-------|--------|-------|-------------|--------------|
| 1 | [Immediate action] | [Team] | [Date] | [Requirements] |
| 2 | [Short-term fix] | [Team] | [Date] | [Requirements] |
| 3 | [Long-term solution] | [Team] | [Date] | [Requirements] |
## Prioritization Recommendation
### Priority Level: [Critical/High/Medium/Low]
### Justification
- **Business Risk:** [High impact on critical systems]
- **Threat Landscape:** [Active exploitation observed]
- **Remediation Feasibility:** [Patch available and tested]
- **Compensating Controls:** [Insufficient current protections]
### Recommended Timeline
- **Emergency Patching:** [Within 24-72 hours for critical]
- **Standard Patching:** [Within 30 days for high]
- **Next Patch Cycle:** [Within 90 days for medium/low]
## Detection and Monitoring
### Current Detection Coverage
- **Existing Rules:** [SIEM rules that might detect exploitation]
- **Coverage Assessment:** [Adequate/Insufficient]
- **Blind Spots:** [Areas not monitored]
### Recommended Detection Enhancements
- **New SIEM Rule:** [Description and query]
- **Network Monitoring:** [Specific indicators to watch]
- **Endpoint Detection:** [Behavioral indicators]
## Communication Plan
### Internal Notifications
- **IT Operations:** [Notification sent/required]
- **Business Units:** [Affected departments notified]
- **Executive Leadership:** [Briefing required for critical issues]
### External Communications
- **Vendor Contact:** [Support case opened]
- **Regulatory Reporting:** [Required/Not Required]
- **Customer Notification:** [If applicable]
## Workflow Diagram
```{mermaid}
sequenceDiagram
participant Analyst as Vuln Analyst
participant Asset as asset-mcp
participant TI as gti-mcp
participant SIEM as secops-mcp
participant SOAR as soar-mcp
participant IT as IT Team
Analyst->>Asset: query_assets(vulnerability="CVE-2024-1234")
Asset-->>Analyst: Affected systems inventory
Analyst->>TI: lookup_vulnerability(cve="CVE-2024-1234")
TI-->>Analyst: Exploitation intelligence
Analyst->>SIEM: search_security_events("CVE-2024-1234 exploitation indicators")
SIEM-->>Analyst: Attack evidence analysis
Analyst->>SOAR: create_case(title="Vulnerability Remediation", priority="high")
SOAR-->>Analyst: Tracking case created
Analyst->>IT: Remediation coordination
IT-->>Analyst: Implementation timeline
```
**Analysis Performed By:** [Name]
**Technical Review:** [Senior Analyst/Engineer]
**Business Review:** [IT Manager/Business Owner]
**Final Approval:** [Security Manager]
**Next Review Date:** [Follow-up timeline]
````
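The template's Environmental Risk Score section only fixes the shape of the calculation (Base CVSS scaled by an environmental multiplier, clamped to a final score) and the Recommended Timeline fixes the patching window per priority level. The block below is an added example that fills those fields for an asset inventory; it is not code from the page or its runbooks. The weights for exposure, business criticality and active exploitation, and the score-to-priority bands, are assumptions made for this example, as are the hostnames and the placeholder CVE id.

```python
from dataclasses import dataclass

# Assumed weights (not from the page): how exposure, business criticality and active
# exploitation scale the base score for one asset. Tune these to local risk appetite.
EXPOSURE_WEIGHT = {"External": 1.25, "DMZ": 1.10, "Internal": 1.00}
CRITICALITY_WEIGHT = {"Critical": 1.15, "High": 1.05, "Medium": 1.00, "Low": 0.90}
ACTIVE_EXPLOITATION_WEIGHT = 1.10

# Assumed score-to-priority bands, mirroring the CVSS qualitative ratings.
PRIORITY_BANDS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.0, "Low")]
PRIORITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}

# Patching windows as the template's "Recommended Timeline" states them.
REMEDIATION_WINDOW = {
    "Critical": "Emergency patching within 24-72 hours",
    "High": "Standard patching within 30 days",
    "Medium": "Next patch cycle, within 90 days",
    "Low": "Next patch cycle, within 90 days",
}


@dataclass
class Asset:
    hostname: str
    exposure: str      # Internal / DMZ / External, as in the Asset Inventory table
    criticality: str   # Critical / High / Medium / Low


def environmental_multiplier(exposure, criticality, actively_exploited):
    """Combine the per-asset factors into the single 'Environmental multiplier' field."""
    try:
        factor = EXPOSURE_WEIGHT[exposure] * CRITICALITY_WEIGHT[criticality]
    except KeyError as exc:
        raise ValueError(f"unknown exposure or criticality value: {exc}") from None
    return factor * (ACTIVE_EXPLOITATION_WEIGHT if actively_exploited else 1.0)


def final_risk_score(base_cvss, multiplier):
    """Scale the base score and clamp it to the CVSS range so results stay comparable."""
    if not 0.0 <= base_cvss <= 10.0:
        raise ValueError("base CVSS must be between 0.0 and 10.0")
    return round(min(10.0, base_cvss * multiplier), 1)


def priority_level(score):
    for floor, level in PRIORITY_BANDS:
        if score >= floor:
            return level
    return "Low"


def remediation_window(priority):
    return REMEDIATION_WINDOW[priority]


def triage(cve_id, base_cvss, assets, actively_exploited):
    """Produce the Environmental Risk Score, Exposure Analysis and Prioritization fields."""
    rows = []
    for asset in assets:
        mult = environmental_multiplier(asset.exposure, asset.criticality, actively_exploited)
        score = final_risk_score(base_cvss, mult)
        rows.append({"hostname": asset.hostname, "exposure": asset.exposure,
                     "criticality": asset.criticality, "multiplier": round(mult, 3),
                     "final_score": score, "priority": priority_level(score)})
    # The report carries one priority level: the highest any affected asset reaches.
    overall = max((r["priority"] for r in rows), key=PRIORITY_RANK.get, default="Low")
    return {
        "cve_id": cve_id,
        "base_cvss": base_cvss,
        "total_assets": len(rows),
        "internet_facing": sum(r["exposure"] == "External" for r in rows),
        "critical_business_systems": sum(r["criticality"] == "Critical" for r in rows),
        "assets": rows,
        "overall_priority": overall,
        "recommended_window": remediation_window(overall),
    }


# Constructed asset inventory; hostnames and the CVE id are placeholders, not real identifiers.
SAMPLE_ASSETS = [
    Asset("web-01", "External", "Critical"),
    Asset("app-02", "DMZ", "High"),
    Asset("dev-03", "Internal", "Low"),
]

if __name__ == "__main__":
    result = triage("CVE-YYYY-NNNNN", 6.5, SAMPLE_ASSETS, actively_exploited=True)
    for row in result["assets"]:
        print(f"{row['hostname']:8} x{row['multiplier']:<6} -> {row['final_score']:4} {row['priority']}")
    print("Priority Level:", result["overall_priority"], "|", result["recommended_window"])
```

Clamping to 10.0 matters: a medium base score on an internet-facing, actively exploited, business-critical host should rank alongside a critical one, not above the scale, and the per-asset rows preserve the difference that the single report-level priority hides.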
---
## Report Quality Standards
### Content Requirements
- **Accuracy:** All technical details must be verified
- **Completeness:** All required sections must be populated
- **Clarity:** Language appropriate for target audience
- **Actionability:** Clear next steps and ownership
### Technical Standards
- **Data Sources:** All data sources must be cited with MCP tool calls
- **Timestamps:** All times in UTC with timezone specified
- **IOCs:** All indicators properly formatted and validated
- **References:** Links to supporting documentation
### Review Process
1. **Technical Review:** Peer validation of findings
2. **Management Review:** Business impact assessment
3. **Quality Assurance:** Template compliance check
4. **Final Approval:** Authorized release
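The Quality Assurance step above is a template compliance check, and the General Report Metadata Requirements at the top of this file (runbook reference at the beginning, a consistently formatted UTC timestamp, a case reference, a Mermaid sequence diagram naming the MCP servers used) are what it checks. The following is an added example of such a checker, written for this page and not part of the page's runbooks; the two sample reports are constructed, the required headings are taken from the Daily SOC Summary template, and the rule that placeholders are the template's `[...]` brackets (excluding `[ ]`/`[x]` checkboxes) is an assumption.

```python
import re
from datetime import datetime

FENCE = "`" * 3   # built this way so the example can itself sit inside a fenced block
TIMESTAMP_FMT = "%Y-%m-%d %H:%M UTC"
# [Something] placeholders, but not the [ ] / [x] checkboxes the Threat Hunt template uses.
PLACEHOLDER_RE = re.compile(r"\[(?![ x]\])[^\]]*\]")
DIAGRAM_RE = re.compile(re.escape(FENCE) + r"\{?mermaid\}?\n(.*?)" + re.escape(FENCE), re.S)
MCP_PARTICIPANT_RE = re.compile(r"^\s*participant\s+\w+\s+as\s+\S+-mcp\b", re.M)

# Section headings the Daily SOC Summary template requires.
DAILY_SOC_SECTIONS = [
    "## Executive Summary", "## Key Metrics", "## Notable Events",
    "## Alert Breakdown by Category", "## Ongoing Investigations",
    "## Infrastructure Status", "## Shift Handover Notes", "## Workflow Diagram",
]


def metadata_value(lines, label):
    """Return the value of the first '**Label:** value' line, or None if absent."""
    prefix = f"**{label}:**"
    for line in lines:
        if line.startswith(prefix):
            return line[len(prefix):].strip()
    return None


def validate_report(text, required_sections):
    """Check one report against the metadata and quality rules; an empty list means compliant."""
    lines = text.splitlines()
    problems = []
    # The runbook reference must be at the beginning: only the title may precede it.
    if not any(l.startswith("**Runbook Used:**") for l in lines[:2]):
        problems.append("'Runbook Used' line is not at the beginning of the report")
    generated = metadata_value(lines, "Generated")
    if generated is None:
        problems.append("missing 'Generated' timestamp")
    else:
        try:
            datetime.strptime(generated, TIMESTAMP_FMT)
        except ValueError:
            problems.append(f"'Generated' value {generated!r} is not in YYYY-MM-DD HH:MM UTC form")
    if metadata_value(lines, "Case ID") is None and metadata_value(lines, "Incident ID") is None:
        problems.append("missing 'Case ID' (or 'Incident ID') reference")
    headings = {l.strip() for l in lines if l.startswith("#")}
    for section in required_sections:
        if section not in headings:
            problems.append(f"missing required section {section!r}")
    diagram = DIAGRAM_RE.search(text)
    if diagram is None or "sequenceDiagram" not in diagram.group(1):
        problems.append("no Mermaid sequenceDiagram under Workflow Diagram")
    elif not MCP_PARTICIPANT_RE.search(diagram.group(1)):
        problems.append("workflow diagram names no MCP server participant")
    for number, line in enumerate(lines, 1):
        for placeholder in PLACEHOLDER_RE.findall(line):
            problems.append(f"line {number}: unfilled placeholder {placeholder}")
    return problems


# Constructed report that satisfies every rule (values are made up for the example).
GOOD_REPORT = f"""# Daily SOC Summary Report
**Runbook Used:** Daily SOC Summary Report Runbook
**Date:** 2024-05-01
**Shift:** Night
**Generated:** 2024-05-01 06:00 UTC
**Case ID:** N/A (Operational Report)
## Executive Summary
Quiet shift; one high-severity phishing case was opened and contained.
## Key Metrics
- **Total Alerts:** 42
## Notable Events
- CASE-1042: credential phishing, contained
## Alert Breakdown by Category
| Alert Type | Count |
|------------|-------|
| Phishing | 3 |
## Ongoing Investigations
- CASE-1042: awaiting mailbox review
## Infrastructure Status
- **SIEM Health:** Operational
## Shift Handover Notes
- [x] Follow up on the CASE-1042 mailbox review
## Workflow Diagram
{FENCE}{{mermaid}}
sequenceDiagram
participant Analyst
participant SIEM as secops-mcp
Analyst->>SIEM: search_security_events("alert metrics last 24 hours", hours_back=24)
SIEM-->>Analyst: Alert counts and response times
{FENCE}
"""

# Constructed report with the runbook line buried, a timezone-less timestamp, no case
# reference, most sections missing, a diagram without an MCP server and a leftover placeholder.
BAD_REPORT = f"""# Daily SOC Summary Report
**Date:** 2024-05-01
**Shift:** Night
**Generated:** 2024-05-01 06:00
**Runbook Used:** Daily SOC Summary Report Runbook
## Executive Summary
[2-3 sentence overview of the day's security posture and key events]
## Workflow Diagram
{FENCE}{{mermaid}}
sequenceDiagram
participant Analyst
participant SIEM as Chronicle
Analyst->>SIEM: search_security_events("alert metrics last 24 hours")
{FENCE}
"""

if __name__ == "__main__":
    for name, report in (("good", GOOD_REPORT), ("bad", BAD_REPORT)):
        found = validate_report(report, DAILY_SOC_SECTIONS)
        print(f"{name}: {'compliant' if not found else str(len(found)) + ' problem(s)'}")
        for problem in found:
            print("  -", problem)
```

Running the checker before the Quality Assurance review, with the section list swapped for the report type in hand, turns "all required sections must be populated" into a repeatable gate instead of a reading exercise.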
### Distribution Guidelines
- **Internal Reports:** Appropriate classification and handling
- **External Sharing:** Legal and compliance review required
- **Retention:** Comply with organizational retention policies
- **Access Control:** Role-based access to sensitive reports