Request Tracker for Incident Response (RTIR) builds on all the features of RT and provides pre-configured queues and workflows designed for incident response teams. It's the tool of choice for many CERT and CSIRT teams all over the globe.

RTIR has tools to correlate key data from incident reports, both from people and automated tools, to find patterns and link multiple incident reports with a common root cause incident.

Manage communication to multiple interested parties including reporters, counterparts at other security teams collaborating on responses, and other internal teams coordinating countermeasures.

 

Incident Management Workflow

 

  • Incident handling workflow for security teams developed with the Janet CSIRT and Terena (now GÉANT) as described here.

  • Separate queues for incident report triage, incident handling, investigation, and countermeasures.

  • Keep communication clear with individual and bulk reply actions. Customize using RT's flexible email templating system.

  • Constituencies configuration that allows parallel workflows but with different staff. Keeps ticket data segregated for staff serving multiple different customers.

  • Tickets log all activity, store custom information in custom fields, track key dates to meet SLAs.


Key Features & Functionality

  • Cascading status change that allows actions like resolve to apply to linked tickets.

  • Reply to a single correspondent or reply to all interested parties connected to all tickets for an incident.

  • Merge/Split for incidents for flexible handling as an incident plays out.

  • Bulk operations like Bulk Abandon and Bulk Reject to handle large batches of tickets at once.

  • RT API can accept automatic data feeds from external systems such as Splunk, ArcSight, Nagios, Squil, and Qualys.

  • Create multiple incident report queues to segregate incoming reports.

  • RTIR also builds on Extensions that are compatible with Request Tracker.

  • And, of course, all the other great features of RT.

  • Dedicated incident dashboard with pre-built listings of most due tickets. Can be edited to show most important tickets at a glance.

  • Preset with useful custom fields. Can add as many additional custom fields as needed to track incident data.

  • Search tickets on any metadata attributes including status, dates, linked users, and custom fields.

  • Generate activity reports in HTML, text, or spreadsheet format.

  • Convenient linking of tickets related to an incident:

    • Box on IR creation to add an existing Incident ID

    • Link and New links next to Incident field in IR basics

    • Portlet for each linked queue that provides Create and Link links at top for key queues

  • Incident page shows all linked incident reports, investigations, countermeasures tickets along with current status of each.

  • Automatic parsing and population of IP custom fields for network-related reports.


Custom Tools

  • Key custom fields like IP address link to RTIR's Lookup Tool, finding matching values in any other tickets in the system.

  • Provides interface to tools that aid in network lookups and identification including traceroute, whois lookups, and remote site lookups for security ratings.

  • Reporting based on dates and constituencies showing activity sorted and summed by relevant custom fields.

  • Scripted actions for bulk ticket creating from a list of email addresses or IPs.