We have installed RTIR+RTFM and are currently testing it. One of the
things that we have noticed is that Scripted Actions under Tools create a
new Investigation ticket + a new Incident ticket for each email address/IP.
We wanted to have an option where Scripted Action would create new
Investigations (one per address/IP) and link all of them to a single
incident. This would come in handy with cases like the following:
- we receive a report on a DDoS attack with a list of bots
- we create an Incident and link this report to it
- via Scripted Actions we send out messages to admins of systems running
DDoS bots (each resulting in an Investigation), but keep them under
the same Incident ticket.
To achieve this, I have copied ScriptedAction.html from
share/html/RTIR/Tools to local/html/RTIR/Tools and added another field
to the form (labeled “Link to incident”). If not empty, all resulting
Investigations will be linked to the supplied Incident.
Attached is a diff between the original and modified ScriptedAction.html.
Future possible enhancements of this patch could include:
- a separate “Link to existing incident” checkbox which would (I guess)
make the page more readable
- a dropdown list of new/open incidents owned by the user for easier
selection of the Incident you wish to link to, so you could either
select from a list or manually enter the incident number
Am I doing something which was already done? And is this list the right
place to publish local additions/patches/enhancements?
Gorazd Bozic firstname.lastname@example.org
ARNES SI-CERT, Jamova 39 p.p. 7, SI-1001 Ljubljana, Slovenia
tel: +386 1 479 88 22, fax: +386 1 479 88 99
ScriptedAction.diff.txt (1.88 KB)
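To illustrate the "one Incident, one Investigation per address" behaviour described in the message, here is an added Perl sketch against the RT Perl API; it is not the attached patch nor RTIR's own code. It assumes an RT request context supplying `$session{'CurrentUser'}`, the default RTIR queue names `Incidents` and `Investigations`, and a hypothetical helper name; the check that the supplied ticket really is an Incident is the kind of guard a local modification should keep.

```perl
use strict;
use warnings;
use RT::Ticket;

# Hypothetical helper: create one Investigation per address/IP and, when
# IncidentId is given, make each of them a member of that single Incident.
# Returns (\@created_ids, undef) on success or (undef, $error) on failure.
sub create_linked_investigations {
    my (%args) = @_;
    my $user        = $args{CurrentUser};          # e.g. $session{'CurrentUser'}
    my $incident_id = $args{IncidentId};           # value from the "Link to incident" field
    my @addresses   = @{ $args{Addresses} || [] }; # constructed list from the report

    my $incident;
    if ( defined $incident_id && $incident_id =~ /^\d+$/ ) {
        $incident = RT::Ticket->new($user);
        $incident->Load($incident_id);
        # Guard: the id must load, and it must be a ticket in the Incidents
        # queue, otherwise the Investigations would hang off an unrelated ticket.
        unless ( $incident->id && $incident->QueueObj->Name eq 'Incidents' ) {
            return ( undef, "Ticket #$incident_id is not an Incident" );
        }
    }

    my @created;
    foreach my $addr (@addresses) {
        my $inv = RT::Ticket->new($user);
        my ( $id, $txn, $msg ) = $inv->Create(
            Queue   => 'Investigations',
            Subject => "DDoS bot reported at $addr",
            # MemberOf records the Incident as the parent of this Investigation,
            # so all Investigations stay under the same Incident ticket.
            ( $incident ? ( MemberOf => $incident->id ) : () ),
        );
        return ( undef, "Could not create Investigation for $addr: $msg" ) unless $id;
        push @created, $id;
    }
    return ( \@created, undef );
}

# Example call (constructed values):
# my ($ids, $err) = create_linked_investigations(
#     CurrentUser => $session{'CurrentUser'},
#     IncidentId  => 1234,
#     Addresses   => [ '192.0.2.10', '198.51.100.7' ],
# );
```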