1) Where it has been occurred and how to detect ?
2) How it has been entered? (MEDIUM)
3) What are the malicious activities occurred after the entry ?
4) when it has been occured ?
5) who did it ?
6) what are the intension ?
7) Harm made to the organisation?
8) what are the measures taken ?
9) Future precautions ?