Cybersecurity giant CrowdStrike has released a free incident response tracker to help IT and security teams document indicators of compromise, compromised systems and a timeline of important events during its forensic analysis of an attack.
The company calls the tool the CrowdStrike Incident Response Tracker, which is essentially an organized spreadsheet to help teams document attacks and form the basis of the incident narrative. The company says it released the free resource after meeting with a client that did not have a methodology for tracking indicators and building an incident timeline.
“The CrowdStrike Services team wanted to provide more information to our client on how incidents can and should be tracked, but nothing was available in the public domain,” the company says.
The tracker spreadsheet is organized into a number of tabs to record various classes of incident-related events in a structured and repeatable manner, according to CrowdStrike’s blog on the announcement.
The CrowdStrike IR Tracker, the company says, provides a single place for synthesizing key incident details, including:
- A consolidated incident timeline that forms the basis of the incident narrative
- Incident indicators, including IP addresses, domain names, malware names/hashes, registry entities and more.
- Compromised account details and systems of interest
- Incident metadata including key contacts, meeting details, collected evidence items and incident-related request and asks.
While the IR Tracker includes tabs for a variety of incident response functions, CrowdStrike highlights three: timeline, host indicators and network indicators.
CrowdStrike says the timeline tab is “arguably the biggest benefit” of the IR Tracker, with a consolidated incident timeline giving respondents a place to track the start and stop times of all relevant incident information including suspect account login data, file creation and modification, process creation, registry key creation, network connections, firewall events and EDR events.
The company says the host indicators tab is used to record the suspected and confirmed host indicators of compromise for the incident. These include things like file names and paths, file hashes, file sizes, service names and registry keys.
The network indicators tab helps security workers keep a consolidated list of network-related indicators to make searching additional data sets for the same indicators easier.
“With this consolidated and organized information, we can focus on helping the organization identify the impact to business assets, and in conjunction with legal counsel, identify any regulatory reporting requirements,” the company says.
