AuditRubric
rs-an-1 high Respond / Incident Analysis

Investigate contributing factors to confirmed incidents

Understanding how an incident happened is just as important as stopping it. Investigations that surface the root cause and contributing factors enable the organization to fix the underlying weakness, not just the immediate symptom. Without structured investigation, the same attack vector often reappears in future incidents. This control ensures that confirmed incidents are met with disciplined inquiry, not just reactive remediation.

Estimated effort: 8h
Tags: investigation, root-cause, forensics, timeline
Complete first: rs-ma-2

Implementation steps

  1. Establish an investigation scope and timeline

     Define the time window and the systems, accounts and data stores in scope. Build an initial attack timeline from available log data, alerts, and endpoint telemetry, normalizing timestamps to a single time zone so that events from different sources sort correctly. Identify the earliest indicator of compromise: the interval from that point to detection is the attacker's dwell time, and it sets how far back log retention and evidence collection must reach.

     Tools: splunk, elastic, microsoft-sentinel, crowdstrike

  2. Collect and preserve relevant evidence

     Gather logs, memory captures, disk images, network packet captures, and authentication records from affected systems. Hash each original (for example with SHA-256) at acquisition, analyze only verified copies, and record who collected each artifact, from which system, and when, so that chain of custody can be demonstrated later. Tag every artifact with its timestamp and source. Acquire volatile evidence such as memory and live network state before a system is powered off, since a reboot destroys it.

     Tools: crowdstrike, velociraptor, aws-cloudtrail, azure-monitor

  3. Identify contributing factors and attack path

     Analyze the collected evidence to reconstruct the attack path end to end. Identify the initial access method, lateral movement techniques, and any misconfigurations, credential weaknesses, or unpatched vulnerabilities that enabled the incident, and map the observed behavior to MITRE ATT&CK techniques so that findings are stated in a shared vocabulary. Distinguish the root cause from contributing factors: the weakness that allowed initial access is rarely the only control that had to fail.

     Tools: splunk, elastic, mitre-att-ck, confluence
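The three steps above form one procedure, and the pieces an analyst ends up scripting are the same every time: a hashed evidence register for step 2, a timeline that merges differently formatted timestamps from several sources for step 1, and a dwell-time and attack-path summary for step 3. The Python below is an added example written for this page; it is not code from AuditRubric or from any of the tools listed. Every host name, account, IP address, timestamp and ATT&CK technique ID in it is constructed, and the technique IDs represent an analyst's manual mapping rather than anything the logs themselves contain.

```python
"""Evidence register with hash verification, a UTC-normalized attack timeline,
and dwell-time / attack-path summaries for an incident investigation.

All records below are constructed for illustration. ATT&CK IDs are the
analyst's own mapping; None marks defender activity rather than attacker activity.
"""
import hashlib
import tempfile
from dataclasses import dataclass, asdict
from datetime import datetime, timezone, timedelta
from pathlib import Path


# ---- Step 2: collect and preserve evidence ---------------------------------

@dataclass(frozen=True)
class EvidenceItem:
    item_id: str
    path: str
    source: str         # system or service the artifact was acquired from
    collected_by: str
    collected_at: str   # ISO-8601 UTC, recorded at acquisition time
    sha256: str         # hash of the original, taken before any analysis


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def register_evidence(register: list, path: Path, source: str, collected_by: str) -> EvidenceItem:
    """Append an artifact to the evidence log, hashing it at acquisition."""
    item = EvidenceItem(
        item_id=f"EV-{len(register) + 1:03d}", path=str(path), source=source,
        collected_by=collected_by,
        collected_at=datetime.now(timezone.utc).isoformat(timespec="seconds"),
        sha256=sha256_file(path),
    )
    register.append(item)
    return item


def verify_evidence(item: EvidenceItem) -> bool:
    """Re-hash the stored artifact; a mismatch means it changed after acquisition."""
    return sha256_file(Path(item.path)) == item.sha256


def demo_chain_of_custody() -> dict:
    """Acquire two constructed artifacts, then alter one to show the check failing."""
    register = []
    with tempfile.TemporaryDirectory() as tmp:
        auth_log = Path(tmp, "auth.log")
        auth_log.write_bytes(b"01/Mar/2024:22:57:48 +0100 SMTP AUTH ok user=ci-deploy src=203.0.113.7\n")
        ct_export = Path(tmp, "cloudtrail-2024-03-02.json")
        ct_export.write_bytes(b'{"eventName":"ConsoleLogin","userName":"ci-deploy"}\n')
        a = register_evidence(register, auth_log, "mail-gw-01", "analyst.kim")
        c = register_evidence(register, ct_export, "aws-cloudtrail", "analyst.kim")
        intact = verify_evidence(a) and verify_evidence(c)
        ct_export.write_bytes(b'{"eventName":"ConsoleLogin","userName":"someone-else"}\n')  # tamper
        tamper_detected = not verify_evidence(c)
    return {"intact_before": intact, "tamper_detected": tamper_detected,
            "entries": [asdict(i) for i in register]}


# ---- Steps 1 and 3: scope, timeline, attack path ---------------------------

TS_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d %H:%M:%S%z", "%d/%b/%Y:%H:%M:%S %z")


def parse_ts(raw: str) -> datetime:
    """Normalize the timestamp styles seen across sources to aware UTC."""
    for fmt in TS_FORMATS:
        try:
            dt = datetime.strptime(raw, fmt)
        except ValueError:
            continue
        return dt.replace(tzinfo=timezone.utc) if dt.tzinfo is None else dt.astimezone(timezone.utc)
    raise ValueError(f"unrecognized timestamp: {raw!r}")


# Constructed records from four sources, deliberately in mixed formats and zones.
RAW_EVENTS = [
    {"source": "aws-cloudtrail", "ts": "2024-03-02T03:14:07Z",
     "event": "ConsoleLogin by ci-deploy from unfamiliar ASN", "technique": "T1078.004"},
    {"source": "crowdstrike", "ts": "2024-03-02 05:41:22+0000",
     "event": "encoded powershell.exe spawned by outlook.exe on WS-1042", "technique": "T1059.001"},
    {"source": "crowdstrike", "ts": "2024-03-04 11:02:09+0000",
     "event": "rundll32.exe read lsass.exe memory on WS-1042", "technique": "T1003.001"},
    {"source": "mail-gw-01", "ts": "01/Mar/2024:22:57:48 +0100",
     "event": "SMTP AUTH success for ci-deploy from 203.0.113.7", "technique": "T1078"},
    {"source": "siem", "ts": "2024-03-05T09:30:00Z",
     "event": "analyst confirmed incident", "technique": None},
]


def build_timeline(raw_events):
    """Sort heterogeneous records into one UTC-ordered attack timeline."""
    return sorted(({**e, "utc": parse_ts(e["ts"])} for e in raw_events), key=lambda e: e["utc"])


def dwell_time(timeline) -> timedelta:
    """Earliest attacker indicator to the moment the incident was confirmed."""
    first_ioc = next(e["utc"] for e in timeline if e["technique"])
    confirmed = next(e["utc"] for e in timeline if e["technique"] is None)
    return confirmed - first_ioc


def attack_path(timeline) -> list:
    """Ordered, de-duplicated ATT&CK IDs: the skeleton of the attack-path write-up."""
    seen = []
    for e in timeline:
        if e["technique"] and e["technique"] not in seen:
            seen.append(e["technique"])
    return seen


if __name__ == "__main__":
    tl = build_timeline(RAW_EVENTS)
    for e in tl:
        print(f"{e['utc']:%Y-%m-%d %H:%M:%SZ} {e['source']:<15} {e['technique'] or '-':<10} {e['event']}")
    print("dwell time:", dwell_time(tl))
    print("attack path:", " -> ".join(attack_path(tl)))
    print("chain of custody:", demo_chain_of_custody())
```

The point the timeline makes is why normalization comes first: the mail-gateway record carries a +0100 offset and, read naively, looks like the second event of the incident, but once converted to UTC it is the earliest indicator and moves the dwell-time start back by several hours. The evidence register hashes originals at acquisition and re-hashes them on demand; a failed verification after the analyst's own tampering step shows what a chain-of-custody break looks like in practice.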

Evidence required

Investigation report or case notes

Documented findings from the investigation including the attack timeline, techniques used, and identified contributing factors.

  • Incident investigation report in Confluence or SharePoint
  • SIEM timeline export showing attacker activity sequence
  • CrowdStrike or endpoint detection report with attack path visualization

Evidence collection log

A record of what evidence was collected, from where, and when, with chain-of-custody information.

  • Evidence inventory spreadsheet or ticket attachment
  • Log export records with hash verification
  • Disk image acquisition log with timestamps

Related controls