Skip to content

Incident views

Jump to bottom
Gael Muller edited this page Mar 11, 2015 · 1 revision

Dashboard

The dashboard is split in two. At the top, you have a list of the starred incidents. You can star/unstar any incident by just clicking on the star icon in any incident list.

Then, there is tabs, that can contain any view interesting for the incident handler. By default, FIR has the following tabs:

  • Open: list of incidents with the status Open
  • Closed: list of incidents with the status Blocked
  • Old: list of the top 20 incidents with the status Open that have not received the love they deserved recently
  • Tasks: this is provided by the fir_todos plugin, and will display all todo items with CERT as accountable

Incidents and events

The Incidents and Events panes are an unfiltered list of all the incidents and events. In FIR nomenclature, incidents are events that have escalated and that need actions to be taken (identification, containment, eradication, etc.). This is why an "Actor" and a "Plan" appear when you click on the "Is an incident" checkbox.

You can use these views to sort and search through incidents or events.

Incidents and events will display differently depending on their status:

  • Blocked incidents will be displayed in red
  • Closed incidents will be grayed out

Searchbar

In all FIR views, you will always have a searchbar at your disposal at the top of the webpage. The search bar will search by default in incidents' and events' subject, description, and comments. You can also use the following meta-keywords for more advanced filtering:

  • plan:<param> - E.g. plan:A for all incidents that have their plan field set to A
  • bl:<param> - Will search for business lines. bl:demo will yield results for all incidents whose business lines contain the word demo. Case insensitive.
  • category:<param> - Will search for the specified term in the category field. Case insensitive.
  • status:<param> - E.g. status:C will only show closed incidents.
  • starred - This keyword will only show starred incidents.
  • `severity[:<>] - Will filter by severity level

To search for all closed incidents regarding a phishing incident on John Doe's mailbox from the Demo business line, you would use a query like [email protected] status:C category:phishing bl:demo

Clone this wiki locally