
Creating and editing incidents

Gael Muller edited this page Mar 11, 2015 · 1 revision

New event

Click on the New event button to open the event creation form.

Here is the description of the available fields:

  • Subject: short description of the incident. This is the text shown in event tables.
  • Business Lines: entities concerned by this incident. You decide what business lines represent: internal departments, customers, etc.
  • Category: category of the incident (e.g. phishing, malware). Categories are customizable in the admin panel.
  • Status: one of three values: Open, Closed and Blocked. These are labels defined in the admin panel.
  • Detection: how the incident was detected. Default values: CERT, External, Pole and Group. These values can be changed in the labels section of the admin panel.
  • Severity: from 1 to 4.
  • Date / Time: date and time of the incident.
  • Is an incident: differentiates between an event and an incident; ticking it makes the incident-only fields below available.
  • Description: free-form text describing the event.

When the event is flagged as an incident, the following additional fields are available. They are only used for display and statistics:

  • Actor: who leads the handling of this incident. Default values are CERT and Entity.
  • Plan: the named remediation plan being applied.
  • Confidentiality: from C0 to C3.

If you find yourself always filling the fields in the same way, you might want to use Incident Templates.

Click on Save, and you will be redirected to the incident details page.

Event Details

Let's decompose this page. This is the main page of FIR, the one in which all the incident handling really happens.

Here is what you have, from top to bottom:

  • The information bar, containing all the informative values you specified before.

  • The title with the type (Event or Incident), the Category and the Subject.

  • The Description on the left

  • On the right, some additional elements, when available:

    • Correlated artifacts: the artifacts of this event that also appear in at least one other incident.

    • Related files: all files uploaded and linked to this event.

  • The different possible information tabs:

    • Comments: these are free-form, and should describe the incident timeline (ex: "sent abuse/alert", "received evidence X", "asked for more information", etc.)

    • Artifacts: automatically extracted information (by default: IP addresses, hostnames, URLs, email addresses, hashes) related to this event. Correlated artifacts are displayed in red.

  • The action bar, with the following buttons:

    • Add opens a submenu so that you can select what kind of element you want to add to the event (a File, an Attribute, a Todo or a Nugget by default).

    • Comment opens a modal allowing you to add a comment to the incident timeline.

    • Edit gets you back to the form you used to create an incident so that you can change any field.
    • Open, Block and Close are used to change the event status, and will get you back to the dashboard.
    • Incident followup opens a one-page report meant to be printed as a PDF and sent to the business lines.
    • Alert and Takedown: see fir_alerting
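The Artifacts tab and the Correlated artifacts panel described above rely on two steps: pulling indicators out of free-form text, then checking each one against every other incident in the database. The Python script below is an added illustration of that idea and is not FIR's own code (FIR's real extractor modules and regular expressions differ; this version, for instance, does not handle IPv6 or defanged indicators). The sample incident descriptions embedded in it are constructed from documentation address ranges and example names.

```python
"""Illustrative artifact extraction and cross-incident correlation.

Added example, not FIR's own code: FIR's real extractor modules and their
regular expressions differ. The sample incident texts below are constructed.
"""
import re
from collections import defaultdict

# Patterns are applied in this order; every match is blanked out of the working
# text so that later, broader patterns (hostname) do not re-match inside an
# earlier match (the host part of a URL or e-mail address). IPv6 is not handled.
PATTERNS = [
    ("url", re.compile(r"""\bhttps?://[^\s<>"']+""", re.I)),
    ("email", re.compile(r"\b[\w.+-]+@(?:[\w-]+\.)+[a-z]{2,}\b", re.I)),
    # sha256, sha1, md5: longest alternative first so a sha256 is not cut short
    ("hash", re.compile(r"\b(?:[a-f0-9]{64}|[a-f0-9]{40}|[a-f0-9]{32})\b", re.I)),
    ("ip", re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")),
    ("hostname", re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)),
]


def extract_artifacts(text):
    """Return {artifact_type: set(values)} for the artifacts found in text.

    Values are lower-cased so that the same indicator written with different
    casing in two incidents still correlates.
    """
    found = defaultdict(set)
    working = text
    for kind, pattern in PATTERNS:
        for match in pattern.finditer(working):
            found[kind].add(match.group(0).lower())
        # Blank out what this pattern consumed (same length, so offsets are
        # stable) before the next, broader pattern runs.
        working = pattern.sub(lambda m: " " * len(m.group(0)), working)
    return dict(found)


def correlate(incidents):
    """incidents: {incident_id: description}.

    Returns {incident_id: set((kind, value))} listing, per incident, the
    artifacts that also appear in at least one other incident, i.e. what the
    FIR UI shows in red and under "Correlated artifacts".
    """
    seen_in = defaultdict(set)  # (kind, value) -> {incident ids}
    per_incident = {}
    for inc_id, text in incidents.items():
        arts = {(k, v) for k, vals in extract_artifacts(text).items() for v in vals}
        per_incident[inc_id] = arts
        for art in arts:
            seen_in[art].add(inc_id)
    return {
        inc_id: {a for a in arts if len(seen_in[a]) > 1}
        for inc_id, arts in per_incident.items()
    }


# Constructed sample incidents (documentation address range and example names).
SAMPLE_INCIDENTS = {
    1: ("Phishing mail from attacker@mail-example.test linking to "
        "http://login.example.test/auth?x=1 hosted on 203.0.113.10. "
        "Attachment sha256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
    2: ("Malware beacon observed to 203.0.113.10 and c2.example.test; "
        "dropper md5 d41d8cd98f00b204e9800998ecf8427e"),
    3: "User reported a suspicious phone call, no technical indicators.",
}

if __name__ == "__main__":
    for inc_id, text in SAMPLE_INCIDENTS.items():
        print(inc_id, extract_artifacts(text))
    for inc_id, arts in correlate(SAMPLE_INCIDENTS).items():
        print("correlated in incident", inc_id, ":", sorted(arts))
```

Run it directly to print the artifacts per incident and, for each, the ones that also appear elsewhere; in the sample data only the IP address 203.0.113.10 is shared, by incidents 1 and 2. Blanking consumed matches before the hostname pass is what keeps the host part of a URL or e-mail address from being reported a second time as a bare hostname.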