4.52 Finalize Eradication Documentation and Reporting
Task Document All Eradication Activities and Validate Final Reporting for Handoff and Retention
Conditions
After eradication and recovery monitoring have been completed and validated, the operator and IR team will finalize all eradication-related documentation. This serves as the official record of eradication actions, validates clean state of systems, and provides inputs for post-incident reporting and lessons learned.
Operator Note: Eradication documentation ensures traceability, enables post-incident analysis, and supports audits and regulatory compliance. Every step taken during eradication should be captured clearly and accurately.
Standards
- Team member collects and consolidates all eradication action logs, records, and outputs.
- Team member completes eradication summary documentation for each impacted system.
- Team member records all findings, residual risks, and validations performed.
- Team member prepares and submits eradication completion report to Incident Response Lead.
- Team member ensures records are stored securely and made available for after-action review.
End State
A complete eradication report package is created, reviewed, and submitted for retention. This package includes records of all actions, validation outcomes, and supporting evidence.
Notes
- Eradication documentation should link to original source records (e.g., AV scan results, system inventories, validation logs).
- Reports may be reviewed months later → clear, detailed language should be used.
- Coordination with recovery and enterprise teams ensures completeness.
Manual Steps
Step 1: Gather Eradication Records and Evidence
Records to collect:
- Task, script, and action logs (e.g., scheduled task removals, user account deletions)
- Scan results (AV, persistence checks, EDR scans)
- Network logs (confirmation of no beaconing or malicious activity)
- System validation results (recovery readiness validation)
- Operator notes and IR coordination records
Operator Note: Use incident ticketing systems, centralized IR drives, and SIEM exports to collect source records.
Step 2: Prepare Eradication Summary Report
Report Sections
- Incident Overview
- Timeline
- Affected systems
- Root cause summary (if determined)
- Eradication Actions
- Steps taken to remove attacker access and artifacts
- Tools and commands/scripts used
- Operator responsible for actions
- Validation Summary
- How clean state was confirmed
- Any residual risks or deferred remediation actions
- Transition to Recovery
- Recovery approval
- Recovery activities started
- Supporting Evidence
- Links to or attachments of key artifacts
Operator Note: Use standardized templates if available for consistency.
Step 3: Review and Approve Documentation
- Review eradication report internally (IR lead + operators)
- Validate completeness and clarity
- Approve for submission and archiving
Operator Note: IR Lead is responsible for final approval of eradication documentation.
Step 4: Submit and Archive Documentation
- Submit final eradication report to:
- Incident Manager / Crisis Management Team
- Cybersecurity leadership
- Compliance (if regulatory incident)
- Archive eradication records securely:
- Incident Response SharePoint or Document Management System
- Long-term retention repository
Operator Note: Follow organization policy for document retention (typically 1-3 years minimum for security incidents).
Step 5: Prepare for Lessons Learned Phase
- Tag documentation for handoff to Lessons Learned team (if separate)
- Include open items or recommendations for future improvements
Operator Note: All eradication gaps or challenges should be flagged for discussion in After Action Review.
Running Script (Example - Record Cleanup Validation to File)
Get-Date | Out-File EradicationCompletion.txt
Write-Output "Eradication activities completed and validated. No remaining attacker artifacts found." | Out-File -Append EradicationCompletion.txt
Dependencies
- Completed eradication and recovery monitoring phases
- Full set of logs and records from eradication phase
- IR lead available for review and approval
| Tool |
Platform |
Installation |
Usage |
| ITSM / Incident Tracking (ServiceNow, Jira) |
Cross-platform |
Enterprise tool |
Link and record eradication actions |
| SharePoint / Confluence |
Cross-platform |
Enterprise tool |
Archive eradication report |
| SIEM (Splunk, Sentinel, ELK) |
Cross-platform |
Enterprise tool |
Export supporting log evidence |
| Word / PDF Templates |
Cross-platform |
Standard Office tools |
Generate eradication report documents |
Operator Note: Use enterprise-standard formats for reporting (Word, PDF) for ease of distribution and review.
Operator Checklist
Best Practices
- Provide concise but detailed narrative in eradication summary.
- Include evidence to support each eradication claim.
- Clearly document any residual risks or deferred actions.
- Retain eradication report and supporting records for audit and future incidents.
References
NIST SP 800-61 - Incident Handling Reporting
SANS Post-Incident Reporting
Revision History
| Date |
Version |
Description |
Author |
| 2025-05-02 |
1.0 |
Fully generated operator guide for eradication documentation and reporting |
Leo |