While drafting a post-incident report for a ransomware outbreak, a security analyst inserts a detailed chronological table that starts with the initial alert and ends with full restoration of services. According to CompTIA's incident-response reporting elements, which report section should contain this information?
The timeline section documents events in chronological order so investigators can reconstruct exactly what happened, evaluate response speed, and correlate evidence. "When" is one of the 5 Ws and records specific timestamps but is not meant to show the complete sequence. "Executive summary" provides a high-level narrative for leadership, and "Evidence" lists artifacts collected; neither presents the full chronology.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
Why is creating a timeline important during the incident response reporting phase?
Open an interactive chat with Bash
What tools can be used to create and manage an incident timeline?
Open an interactive chat with Bash
How does 'When' differ from 'Who', 'Where', and 'Why' in incident analysis?