1. Indicate the action taken. Select a relevant action from the list: it will serve as the name of the step. Other should only be selected if you are confident that the action does not fit any of the options. In this case, you need to add a description of the step. Detailed descriptions of the critical event triggering steps can be found in the guide to filling out attacker reports.
2. Enter the time of the attack or time interval.
The report creation time is set as the attack time by default.
Be sure to change the value to the actual attack time. Do not specify a 24-hour period. A precise time interval will tell the jury that you have examined all the details of the attack. The jury will spend less time finding the incident record in the security tool and verifying the report, and you will get the results faster.
3. Enter a description of the attack and the vulnerability used.
Examples: "Using the utility regsvr32.exe, a memory dump of the lsass.exe process was obtained on the host dwilkerson.energy.stf" or "By connecting via a support bot to the SCRM system, the attackers grabbed the file scrm_db.sql, which contained personal data." Explain why you consider the identified events illegitimate.
It is not enough to just copy the text from the security tools: you must thoroughly analyze the attackers' actions and describe the essence of the attack. This will show the jury that you have correctly understood the attackers' actions. Messages from the security tools can be attached to the step in the form of screenshots.
4. Specify the attack source and target, and the access credentials or account used. Consider the sequence of steps: the attack source is the attack target from the previous step.
5. Enter the file path. Example:
6. Attach screenshots confirming the attackers' actions. These can be screenshots of security tool UIs. Screenshots are mandatory for the final step of a critical event triggering: without these, the report will be returned for revision.
You can submit the report for review immediately or save it and return to fill out the fields later. Saved reports are located on the Draft tab.