Request Tracker for Incident Response (RTIR) builds on all the features of RT and provides pre-configured queues and workflows designed for incident response teams. It's the tool of choice for many CERT and CSIRT teams all over the globe.
RTIR has tools to correlate key data from incident reports, both from people and automated tools, to find patterns and link multiple incident reports with a common root cause incident.
Manage communication to multiple interested parties including reporters, counterparts at other security teams collaborating on responses, and other internal teams coordinating countermeasures.
Incident Management Workflow
Separate queues for incident report triage, incident handling, investigation, and countermeasures.
Keep communication clear with individual and bulk reply actions. Customize using RT's flexible email templating system.
Constituencies configuration that allows parallel workflows but with different staff. Keeps ticket data segregated for staff serving multiple different customers.
Tickets log all activity, store custom information in custom fields, track key dates to meet SLAs.
Key Features & Functionality
Cascading status change that allows actions like resolve to apply to linked tickets.
Reply to a singled correspondent or reply to all interested parties connected to all tickets for an incident.
Merge/Split for incidents for flexible handling as an incident plays out.
Bulk operations like Bulk Abandon and Bulk Reject to handle large batches of tickets at once.
RT API can accept automatic data feeds from external systems such as Splunk, ArcSight, Nagios, Squil, and Qualys.
Create multiple incident report queues to segregate incoming reports.
RTIR also builds on Extensions that are compatible with Request Tracker.
And, of course, all the other great features of RT.
Dedicated incident dashboard with pre-built listings of most due tickets. Can be edited to show most important tickets at a glance.
Preset with useful custom fields. Can add as many additional custom fields as needed to track incident data.
Search tickets on any metadata attributes including status, dates, linked users, and custom fields.
Generate activity reports in HTML, text, or spreadsheet format.
Convenient linking of tickets related to an incident:
Box on IR creation to add an existing Incident ID
Link and New links next to Incident field in IR basics
Portlet for each linked queue that provides Create and Link links at top for key queues
Incident page shows all linked incident reports, investigations, countermeasures tickets along with current status of each.
Automatic parsing and population of IP custom fields for network-related reports.
Key custom fields like IP address link to RTIR's Lookup Tool, finding matching values in any other tickets in the system.
Provides interface to tools that aid in network lookups and identification including traceroute, whois lookups, and remote site lookups for security ratings.
Reporting based on dates and constituencies showing activity sorted and summed by relevant custom fields.
Scripted actions for bulk ticket creating from a list of email addresses or IPs.
Technical Specifications for Our Products
RT is a server-side, database-backed web application which works with any modern browser, including many popular mobile devices, and the email interface works with any mail client, from Outlook to Apple Mail to Thunderbird to Gmail to Mutt. On the server side, RT requires a Unix-like or Linux operating system, SQL database, web server, and Perl. You must have RT installed in order to run RTIR.
Linux (all distros we've tried), Mac OS X, FreeBSD, Solaris, or another Unix-like operating system
MySQL, MariaDB, PostgreSQL, and Oracle
Apache, Lighttpd, nginx, or any other server which supports FastCGI
The README describes the install process. You can use packaged versions for most of the above. RT is written in Perl and uses additional modules from CPAN. You can find details on managing a Perl for RT in the RT documentation.