Lab 14 Intermediate

AI-Assisted IR Report Generation

Duration: 60-90 minutes | Modules: Module 4

Objective

Use AI to transform raw investigation notes into a structured IR report. You will provide investigation data and prompt the AI to produce each section of the report, then review and refine the output.

Required: Access to Claude. Use the scenario data provided below.


Scenario: AiTM Incident Investigation Notes

You have completed the investigation of an AiTM credential phishing incident. Your raw notes:

Incident: INC-2026-04-015
Reported: 2026-04-12 14:30 UTC by DET-SOC-002 (MFA fatigue)

Timeline:
- 14:22 - User k.patel received phishing email from "it-security@northgateeng-update.com"
- 14:25 - User clicked link in email (Safe Links detonated, classified clean at time of click — adversary delayed payload activation)
- 14:26 - User entered credentials on AiTM proxy page
- 14:27-14:30 - 6 MFA push denials, then approval at 14:31
- 14:32 - Adversary accessed Outlook Web using stolen session token from IP 198.51.100.77 (DigitalOcean, NL)
- 14:35 - Inbox forwarding rule created: forward "payment|invoice|wire" to ext-collect@protonmail.com
- 14:36 - Evasion rule created: delete emails from ext-collect@protonmail.com
- 14:37-15:10 - 412 emails accessed via MailItemsAccessed
- 15:02 - OAuth consent granted to "OneDrive Backup Service" with Mail.ReadWrite
- No outbound BEC email sent (contained before execution)

Containment:
- 15:15 - Tokens revoked for k.patel
- 15:16 - Password reset forced
- 15:18 - Inbox rules deleted (forwarding + evasion)
- 15:20 - OAuth application "OneDrive Backup Service" deleted
- 15:25 - Phishing URL blocked at proxy
- 15:30 - Email purged from all recipients (12 users received it, only k.patel clicked)

Impact:
- 412 emails read by adversary (procurement, contains vendor payment details)
- No data exfiltrated via forwarding (contained before any forwarded emails were sent)
- No outbound BEC attempted
- OAuth app authenticated 3 times before deletion (Mail.Read access confirmed)

Step 1: Generate the executive summary

Role: You are writing an executive incident summary for the CISO.

Context: [Paste the investigation notes above]

Task: Write a one-page executive summary with:
1. Incident overview (2-3 sentences — what happened)
2. Business impact assessment (what was exposed, what was prevented)
3. Response effectiveness (how fast, what worked)
4. Risk assessment (residual risk after containment)
5. 3 recommended improvements (specific, actionable)

Constraints: No technical jargon. No KQL. No log table names. The CISO needs to understand this in 2 minutes and decide whether to escalate to the board.

Evaluate: Does the summary accurately reflect the incident? Is the language CISO-appropriate? Are the recommendations specific and actionable?


Step 2: Generate the technical timeline

Role: You are writing the technical timeline for the full IR report.

Context: [Same investigation notes]

Task: Produce a chronological timeline table with columns:
Timestamp | Source | Event | Adversary action | SOC action

Include every event from the investigation notes. Flag the gap between adversary access (14:32) and SOC containment (15:15) as the dwell time.

Step 3: Generate improvement recommendations

Role: You are conducting the post-incident review.

Context: [Same investigation notes]

Task: Identify:
1. What detection worked (what caught this incident)
2. What detection failed (what should have caught it earlier)
3. What hardening would have prevented the initial compromise
4. What hardening would have prevented the persistence (forwarding, OAuth)
5. Specific action items with owners, deadlines, and success criteria

Step 4: Compile and review

Combine the AI-generated sections into a complete IR report. Review each section:

Make corrections and save the final report as a reference for future AI-assisted IR documentation.
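An added example (not part of the lab) in Python: it parses scenario notes in the lab's bullet format into timed events, computes the 14:32-to-15:15 dwell time that the Step 2 prompt asks the AI to flag, and assembles that prompt with the parsed event count and dwell time included, so the Step 4 review has ground truth to check the AI-generated timeline against. The NOTES string is a constructed, condensed copy of the scenario above; the date 2026-04-12 is taken from the report time.

```python
import re
from datetime import datetime
# Constructed, condensed copy of the lab's scenario notes (timeline + containment only).
NOTES = """Timeline:
- 14:22 - User k.patel received phishing email from "it-security@northgateeng-update.com"
- 14:25 - User clicked link in email (Safe Links classified clean at time of click)
- 14:26 - User entered credentials on AiTM proxy page
- 14:27-14:30 - 6 MFA push denials, then approval at 14:31
- 14:32 - Adversary accessed Outlook Web using stolen session token from IP 198.51.100.77
- 14:35 - Inbox forwarding rule created: forward "payment|invoice|wire" to ext-collect@protonmail.com
- 14:36 - Evasion rule created: delete emails from ext-collect@protonmail.com
- 14:37-15:10 - 412 emails accessed via MailItemsAccessed
- 15:02 - OAuth consent granted to "OneDrive Backup Service" with Mail.ReadWrite
- No outbound BEC email sent (contained before execution)
Containment:
- 15:15 - Tokens revoked for k.patel
- 15:16 - Password reset forced
- 15:18 - Inbox rules deleted (forwarding + evasion)
- 15:20 - OAuth application "OneDrive Backup Service" deleted
"""
# Matches "- HH:MM - text" or "- HH:MM-HH:MM - text"; bullets without a timestamp are skipped.
LINE = re.compile(r"^- (\d{2}:\d{2})(?:-(\d{2}:\d{2}))? - (.+)$")

def parse_notes(text, day="2026-04-12"):
    """Return (section, start, end, description) tuples sorted by start time."""
    to_dt = lambda hhmm: datetime.strptime(f"{day} {hhmm}", "%Y-%m-%d %H:%M")
    events, section = [], None
    for raw in text.splitlines():
        if raw.endswith(":"):            # "Timeline:" / "Containment:" section headers
            section = raw[:-1]
        elif m := LINE.match(raw.strip()):
            events.append((section, to_dt(m[1]), to_dt(m[2] or m[1]), m[3]))
    return sorted(events, key=lambda e: e[1])

def dwell_minutes(events):
    """Dwell time as the lab defines it: first adversary access to first containment action."""
    access = next(e for e in events if e[0] == "Timeline" and e[3].startswith("Adversary"))
    contain = next(e for e in events if e[0] == "Containment")
    return int((contain[1] - access[1]).total_seconds() // 60)

def build_step2_prompt(text):
    """Step 2 prompt in the lab's Role/Context/Task layout, plus ground truth for the review."""
    events = parse_notes(text)
    return ("Role: You are writing the technical timeline for the full IR report.\n\n"
            f"Context:\n{text}\n"
            "Task: Produce a chronological timeline table with columns:\n"
            "Timestamp | Source | Event | Adversary action | SOC action\n\n"
            f"Include every event from the investigation notes ({len(events)} timed events). "
            f"Flag the {dwell_minutes(events)}-minute gap between adversary access (14:32) "
            "and SOC containment (15:15) as the dwell time.")
```

When reviewing the AI's table, compare its row count and dwell-time figure against the values this script embeds in the prompt; a mismatch means an event was dropped or a timestamp was misread.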


Verification checklist