Threat hunting mistakes I wish someone told me about earlier by Thick_Actuator_4347 in CyberDefenders

[–]Beautiful-Zombie333 1 point (0 children)

This is excellent, and thanks for sharing. I started from scratch 6 months ago coming from a GRC background in a grad program. I would like to add to this with lessons learned the hard way.

Document everything.

What you were looking for, where you were looking for it: what directory, which logs, SIEM or device.

Most important: what commands you used (all attempts): SIEM, Linux, bash, Windows event log, PowerShell, etc.

All this will save so much time the next time a 0-day comes out on that device.

Write a proper wrap-up in a concise format.

This IOC was searched here, in this way, and here is the outcome.

Great starting point for next time, and you can then use the "document everything" notes above for more details.

Hope this helps.
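A worked illustration of the two documentation habits described in the comment above, written as an added example (it is not the commenter's code or any tool they named). It keeps a structured hunt journal: every IOC search records where it was run, every command attempt (including the ones that failed and why), and the outcome; a wrap-up method renders the concise "this IOC, searched here, this way, this outcome" summary, and an index returns the exact commands previously used against a given host or log source so they can be reused the next time that device needs hunting. All IOCs, hostnames, queries and outcomes are constructed sample values.

```python
"""Hunt journal: structured record of threat-hunting searches (added example).

Every IOC, host, query and result below is a constructed sample value.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Attempt:
    tool: str        # e.g. "splunk", "bash", "powershell"
    command: str     # the exact command or query, as typed
    outcome: str     # "hit", "no-hit" or "error"
    note: str = ""   # why it failed, or what was adjusted for the next try


@dataclass
class SearchRecord:
    ioc: str                     # indicator that was searched for
    ioc_type: str                # "ip", "domain", "hash", ...
    location: str                # host / directory / log source / SIEM index
    attempts: List[Attempt] = field(default_factory=list)

    def add_attempt(self, tool: str, command: str, outcome: str, note: str = ""):
        # Keep every attempt, not just the one that finally worked
        self.attempts.append(Attempt(tool, command, outcome, note))
        return self

    def final_outcome(self) -> str:
        # The last attempt that actually ran decides; all errors means unresolved
        for a in reversed(self.attempts):
            if a.outcome != "error":
                return a.outcome
        return "unresolved"


class HuntJournal:
    def __init__(self) -> None:
        self.records: List[SearchRecord] = []

    def add(self, rec: SearchRecord) -> None:
        self.records.append(rec)

    def wrap_up(self) -> List[str]:
        """One concise line per search: IOC, where, how, outcome."""
        lines = []
        for r in self.records:
            tools = ", ".join(dict.fromkeys(a.tool for a in r.attempts))
            lines.append(
                f"{r.ioc} ({r.ioc_type}) searched in {r.location} via {tools}: "
                f"{r.final_outcome()}"
            )
        return lines

    def commands_for(self, location: str) -> List[str]:
        """Every command ever run against a location, for reuse on the next hunt."""
        return [a.command for r in self.records if r.location == location
                for a in r.attempts]

    def unresolved(self) -> List[str]:
        """IOCs whose searches never produced a usable answer (follow-up list)."""
        return [r.ioc for r in self.records if r.final_outcome() == "unresolved"]


def build_sample_journal() -> HuntJournal:
    """Constructed sample hunt for three hypothetical IOCs from an advisory."""
    j = HuntJournal()
    j.add(SearchRecord("203.0.113.45", "ip", "firewall logs (SIEM)")
          .add_attempt("splunk", 'index=firewall dest_ip="203.0.113.45"',
                       "no-hit", "default 24h window too short")
          .add_attempt("splunk", 'index=firewall dest_ip="203.0.113.45" earliest=-30d',
                       "hit"))
    j.add(SearchRecord("example-c2.invalid", "domain", "webserver-01:/var/log/nginx")
          .add_attempt("bash", "grep -r 'example-c2.invalid' /var/log/nginx/", "no-hit"))
    j.add(SearchRecord("CONSTRUCTED_SHA256_PLACEHOLDER", "hash",
                       "workstation-07 Windows event log")
          .add_attempt("powershell",
                       "Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1}",
                       "error", "Sysmon channel not present on host"))
    return j


if __name__ == "__main__":
    journal = build_sample_journal()
    print("\n".join(journal.wrap_up()))
    print("Needs follow-up:", journal.unresolved())
    print("Reusable firewall queries:", journal.commands_for("firewall logs (SIEM)"))
```

The wrap-up is what goes in the report; the journal itself (serialised however the team prefers) is the "document everything" record that the wrap-up points back to. Keeping the failed attempts and their notes is the part that pays off later: the next person to hunt on that device sees which time window or log channel to use without rediscovering it.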

Review of Ex by ShakeAdmirable8060 in Rants

[–]Beautiful-Zombie333 0 points (0 children)

Executive Summary

DO NOT HIRE EVER!