Lessons-learned meeting
Definition
A structured post-incident review, recommended by NIST within approximately two weeks of incident resolution, that examines what happened, what the response did well, what it missed, and what should change. The meeting's outputs update detection rules, playbooks, and the IR plan itself.
Related terms
- Containment strategy
- A deliberate decision about how to limit an incident's spread, balancing the need to stop harm immediately against the risk of alerting...
- Eradication
- The phase in which the root cause of an incident is removed from the environment: deleting malware, patching exploited vulnerabilities, revoking compromised...
- Incident response lifecycle
- The structured sequence of phases NIST SP 800-61 defines for handling computer security incidents: Preparation, Detection and Analysis, Containment/Eradication/Recovery, and Post-Incident Activity....
- Incident response plan
- A formal document that defines an organisation's approach to incident handling: roles and responsibilities, escalation paths, communication procedures, legal and regulatory obligations,...
- Indicators of compromise (IoCs)
- Artefacts observed on a network or system that suggest an intrusion or malicious activity has occurred, such as unusual outbound connections, known-malicious...
Explained in
- The NIST SP 800-61 Incident Response Lifecycle