Lesson 5.2

Writing a Report That Helps

12 minutes

A bad report is “I got a phishing email, pls help.” A good report tells the SOC everything they need to know in 30 seconds of reading. The difference between the two isn’t length or polish — it’s structure. A SOC analyst triaging a queue of reports is pattern-matching fast; anything that isn’t in a predictable location gets skipped. This lesson gives you the structure.

What a SOC Actually Wants

In order of importance:

  1. The forwarded-as-attachment message — so the headers are intact and the analyst can pull IOCs directly from the source.
  2. One or two screenshots — the surface the attacker wanted the victim to see, for context.
  3. A timeline — “Received at 2:14pm, hovered link at 2:17pm, captured the URL at 2:18pm.” This tells the analyst what happened and when.
  4. What you did before reporting — did you click anything, enter any info, forward to anyone else, open an attachment? Honesty here changes the response plan.
  5. Any IOCs from your investigation — the real sender domain from the headers, the URL you captured by hovering, the urlscan.io result link. If you did the work in the earlier modules, this is where you deliver it.

Report Template

Use or adapt this template. Fill in every field you can; omit the ones that don’t apply.

Subject: Phishing report — [spoofed brand or subject line]

Summary
- Received at: [date/time]
- Arrived in: [work/personal] inbox
- Appears to impersonate: [brand/person]
- Likely attack type: [spoof / compromised account / link-based / attachment]

What I did
- [e.g., Hovered link, did not click. Forwarded-as-attachment to this address.]
- I did NOT: click links, open attachments, reply, enter credentials.

Evidence
- Attached: forwarded-as-attachment copy (preserves headers)
- Attached: screenshots (1 = inbox view, 2 = hover preview showing real URL)
- IOCs from urlscan: [paste the urlscan.io result URL]
- Real sender domain (from Return-Path): [e.g., mail-194-22-33-5.bulk-sender.tk]

Suggested priority: [low/medium/high — high if credential harvester or financial]

Every section of this template exists for a reason. The Summary tells the analyst what they’re looking at. The What I did section dictates the response — if you clicked and entered credentials, the SOC needs to reset accounts and walk through breach containment; if you only hovered, that’s a triage-and-file. The Evidence section is where the IOCs go so the analyst can feed them straight into the systems that do the heavy lifting. The Suggested priority gives the queue a hint.
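The template is easy to fill in by hand, but the Evidence section is also the part a script can pre-populate from the forwarded-as-attachment copy itself, which is exactly why the lesson asks for that copy first. The following is an added example, not part of this lesson or any tool it references: it parses a saved .eml (what “forward as attachment” produces), pulls the Return-Path domain, the From header and every URL in the body, flags when the envelope sender and the displayed From domain disagree, and renders the lesson’s template with the reporter’s own “What I did” answers. The sample message, the address `mx.example.com`, the priority heuristic in `suggest_priority`, and all function names are constructed for the example.

```python
"""Pre-fill the lesson's phishing-report template from a saved .eml.

Added example, not code from the lesson. Assumes the reporter has the
suspicious message saved as an .eml (forward-as-attachment output) and
answers the "What I did" questions honestly. All sample data is constructed.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample: a "Chase" lure whose Return-Path exposes the real
# sending domain and whose link goes somewhere unrelated to the brand.
SAMPLE_EML = """\
Return-Path: <bounce@mail-194-22-33-5.bulk-sender.tk>
Received: from mail-194-22-33-5.bulk-sender.tk (194.22.33.5) by mx.example.com; Tue, 04 Jun 2024 14:14:02 -0400
From: "Chase Alerts" <alerts@chase.com>
To: victim@example.com
Subject: Action required: unusual sign-in on your account
Date: Tue, 04 Jun 2024 14:13:55 -0400
Content-Type: text/html; charset=utf-8

<html><body>
<p>We noticed a sign-in from a new device.</p>
<a href="http://chase-secure-login.verify-now.tk/session">Review activity</a>
</body></html>
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def _domain(addr: str) -> str:
    """Domain part of an address, lowercased; empty if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def extract_iocs(raw_eml: str) -> dict:
    """Pull the header and link IOCs straight from the source message."""
    msg = message_from_string(raw_eml, policy=policy.default)
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    return {
        "subject": str(msg.get("Subject", "")),
        "received_at": str(msg.get("Date", "")),
        "impersonates": from_name or from_addr,
        "from_domain": _domain(from_addr),
        "return_path_domain": _domain(return_path),
        "urls": sorted(set(URL_RE.findall(text))),
        # Envelope sender and header From disagree: a classic spoofing signal.
        "sender_mismatch": _domain(from_addr) != _domain(return_path),
    }


def suggest_priority(iocs: dict, actions: dict) -> str:
    """Assumed heuristic: anything the reporter clicked or typed into is high;
    a spoofed sender carrying links is medium; everything else is low."""
    if actions.get("entered credentials") or actions.get("clicked links"):
        return "high"
    if iocs["sender_mismatch"] and iocs["urls"]:
        return "medium"
    return "low"


def render_report(iocs: dict, actions: dict,
                  urlscan_link: str = "[paste the urlscan.io result URL]") -> str:
    """Render the lesson's template. `actions` maps each risky action the
    lesson lists to True/False so the 'I did NOT' line is generated honestly."""
    did = [a for a, done in actions.items() if done]
    did_not = [a for a, done in actions.items() if not done]
    attack = "spoof" if iocs["sender_mismatch"] else "unknown"
    if iocs["urls"]:
        attack += " / link-based"
    lines = [
        f"Subject: Phishing report - {iocs['subject']}",
        "",
        "Summary",
        f"- Received at: {iocs['received_at']}",
        f"- Appears to impersonate: {iocs['impersonates']} ({iocs['from_domain']})",
        f"- Likely attack type: {attack}",
        "",
        "What I did",
        f"- {', '.join(did) if did else 'Hovered links only, nothing else'}",
        f"- I did NOT: {', '.join(did_not) if did_not else '(none)'}",
        "",
        "Evidence",
        "- Attached: forwarded-as-attachment copy (preserves headers)",
        f"- IOCs from urlscan: {urlscan_link}",
        f"- Real sender domain (from Return-Path): {iocs['return_path_domain']}",
    ]
    lines += [f"- URL found in body: {u}" for u in iocs["urls"]]
    lines += ["", f"Suggested priority: {suggest_priority(iocs, actions)}"]
    return "\n".join(lines)


if __name__ == "__main__":
    answers = {"clicked links": False, "opened attachments": False,
               "replied": False, "entered credentials": False}
    print(render_report(extract_iocs(SAMPLE_EML), answers))
```

The script only pre-fills what the headers and body prove; the timeline, the screenshots and the honest “What I did” answers still come from the reporter, because those are the fields the SOC cannot reconstruct from the message alone.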

The Five-Minute Report

If you are in a hurry, skip the template and send this instead:

  • A subject line naming the brand or suspicious behavior.
  • The original message forwarded as an attachment.
  • One sentence of context. Example: “Phishing attempt impersonating Chase, I hovered the link, it points to a .tk domain, didn’t click.”

A five-minute report is dramatically better than no report. A report that gets filed beats a report that gets drafted and abandoned. The long template is for when you have time; the short form is for when you don’t.

What NOT to Include

A few things you should strip out before sending:

  • Screenshots that contain your own sensitive data. Blur or crop your full email address, any account numbers, any personal identifiers visible in the UI.
  • Your reasoning about why you almost fell for it — unless the reasoning is useful context. Example of useful: “This arrived an hour after a real package delivery notification, so the timing was convincing.” Example of not useful: “I was tired and almost clicked because I’d had a long day.” The first gives the SOC a campaign signal (timing-based targeting); the second doesn’t.
  • Speculation about the attacker. “I bet this is a Russian state actor” isn’t evidence — it’s noise. Stick to observations.
  • Editorializing. “This is disgusting and whoever sent it should be arrested” is understandable but not actionable.

You were told to “report suspicious emails.” No one told you what a useful report looks like. Now you have a template.

Key Takeaways

  1. A good report leads with forward-as-attachment + screenshots + timeline + IOCs, in that order.
  2. Use the template when you have time; use the five-minute version when you don’t. Both beat silence.
  3. Strip your own sensitive data from screenshots before sending. Useful context stays; speculation and editorializing go.
  4. The IOCs from your earlier investigation — real sender domain, hovered URL, urlscan link — are the highest-value part of the report. Put them in the Evidence section.