Linking incident-reports and investigations

Hello,

the current (as I understand it) workflow that RTIR has of

incident report -> incident -> investigation
(i.e. incident being the parent, investigation and incident report being
children of the incident) works ok for most things, but not for what our
organisation considers one incident, e.g. a campus-wide virus outbreak.

For those cases, it would be nice to be able to link incident-reports
and investigations/blocks, and have them as children of a single
incident. There are probably a number of code mods that need to be done
to do this (e.g. allow an incident-report/investigation to be resolved
without resolving the parent incident, etc), so before I start
design/coding for this, does anyone have any suggestions on how this
could otherwise be done? Or pointers to what others are doing in this
case?

Any information about this would be appreciated.
Thanks

Rudolph Pereira wrote:

For those cases, it would be nice to be able to link incident-reports
and investigations/blocks, and have them as children of a single
incident.

If I understand you right, this is exactly how things work in RTIR :)
You can link multiple incident reports and launch multiple
investigations and blocks from a single incident (use ‘Link’ from IR and
‘New investigation’ from Incident). And you can resolve one or more of
them without resolving the whole incident - just click on the link to get
the investigation / incident report displayed and click ‘Resolve’ :)

Regards,
Przemek

Rudolph Pereira wrote:

For those cases, it would be nice to be able to link incident-reports
and investigations/blocks, and have them as children of a single
incident.

If I understand you right, this is exactly how things work in RTIR :)
You can link multiple incident reports and launch multiple
investigations and blocks from a single incident (use ‘Link’ from IR and
‘New investigation’ from Incident). And you can resolve one or more of
them without resolving the whole incident - just click on the link to get
the investigation / incident report displayed and click ‘Resolve’ :)

Sorry, I should have been clearer: the above achieves the objective of
having multiple investigations and incident reports per incident, but
doesn’t in any way link an investigation to an incident report.

For example, we may have an incident being “ssh bruteforcing attempts
across campus” and a whole bunch of incident reports (one or more per host)
and investigations (again, one or more per host). As investigations are
resolved, it would be nice to resolve the incident report(s) associated
with just that host (in this incident),
without having to go searching or doing lookups and
working out which one it was (there may be multiple incident reports
against the same host in different incidents). For example, this may
look like the incident reports “pane” of an incident, except it would be
displayed in an investigation (display).

I imagine in RT-speak, the investigation and incident reports would be
siblings (or just refer to each other?)
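As an added illustration (not RTIR's own code), the sketch below models the sibling idea from the thread: each report and investigation is a child of one incident (RT's MemberOf), an investigation refers to the report(s) for its host (RT's RefersTo), and resolving an investigation resolves only the referenced reports that share its parent incident, leaving the incident itself and same-host reports in other incidents untouched. Ticket ids, hosts and the `Tracker` class are constructed for the example.

```python
from dataclasses import dataclass, field
# Hypothetical model of RT link types (MemberOf = parent/child, RefersTo = peer link)
@dataclass
class Ticket:
    id: int
    kind: str                     # incident / report / investigation
    host: str = ""
    status: str = "open"
    member_of: int = 0            # parent incident id (0 = none)
    refers_to: set = field(default_factory=set)

class Tracker:
    def __init__(self, tickets):
        self.t = {x.id: x for x in tickets}

    def link_refers_to(self, a: int, b: int) -> None:
        # symmetric, so either side can find the other
        self.t[a].refers_to.add(b)
        self.t[b].refers_to.add(a)

    def sibling_reports(self, inv_id: int) -> list:
        # reports this investigation refers to, restricted to the same parent
        # incident (the same host may have reports in other incidents)
        inv = self.t[inv_id]
        return [self.t[i] for i in sorted(inv.refers_to)
                if self.t[i].kind == "report"
                and self.t[i].member_of == inv.member_of]

    def resolve_investigation(self, inv_id: int) -> list:
        # resolve the investigation and its linked reports; parent stays open
        self.t[inv_id].status = "resolved"
        reports = self.sibling_reports(inv_id)
        for ir in reports:
            ir.status = "resolved"
        return [ir.id for ir in reports]

def build_sample() -> Tracker:
    # constructed data: one campus-wide incident with per-host children, plus
    # an unrelated incident that also holds a report for hostA
    tr = Tracker([
        Ticket(100, "incident"),
        Ticket(101, "report", "hostA", member_of=100),
        Ticket(102, "report", "hostB", member_of=100),
        Ticket(110, "investigation", "hostA", member_of=100),
        Ticket(200, "incident"),
        Ticket(201, "report", "hostA", member_of=200),
    ])
    tr.link_refers_to(110, 101)
    tr.link_refers_to(110, 201)   # stray cross-incident link: must be ignored
    return tr
```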