On [date], [team] received an [tool] alert of type [cat]. [tool] [action] the file(s) listed below. [Additional high-level details about what occurred and what actions took place, e.g. whether the file was quarantined, blocked, or allowed to execute.]
Source IP/Host: [ip]/[host]
MAC: [mac]
Threat: [Threat]
Signature: [sig]
FilePath: [path]
User: [user]
Action: [action]
[Detailed findings of interest from the investigation: where the file came from, how it reached the host, whether it executed, and what it did.]
- Unauthorized file/program could have an undesired impact on the enterprise.
- Verified the user behavior that caused the alert
- Validated the program and its business case
- Verified no other suspicious activity on the host or user account in the time-frame
<No further action | False positive | Ticket created>
- [Links or resources that validate your findings, e.g. hash reputation lookup, vendor signature description, change ticket, or user confirmation]