# Investigation worksheet

## Key questions
- Initial access vector?
- First confirmed malicious event (UTC timestamp, evidence source)?
- Affected identities (users/service accounts)?
- Affected endpoints/servers?
- Data impacted / exfiltrated (what, how much, to where)?
- Persistence mechanism?
- Containment actions taken (with timestamps)?

## IOCs
- IPs:
- Domains:
- Hashes:
- File paths:
- Registry keys (if any):
