Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

https://github.com/veeral-patel/incidents

Please use https://github.com/veeral-patel/true-positive instead
https://github.com/veeral-patel/incidents

dfir digital-forensics incident-management incident-response investigations ruby-on-rails security-incidents thehive-project

Last synced: 27 days ago
JSON representation

Please use https://github.com/veeral-patel/true-positive instead

Host: GitHub
URL: https://github.com/veeral-patel/incidents
Owner: veeral-patel
License: agpl-3.0
Created: 2019-05-31T04:20:40.000Z (about 5 years ago)
Default Branch: master
Last Pushed: 2023-01-19T20:51:44.000Z (over 1 year ago)
Last Synced: 2024-02-14T03:31:22.761Z (4 months ago)
Topics: dfir, digital-forensics, incident-management, incident-response, investigations, ruby-on-rails, security-incidents, thehive-project
Language: Ruby
Homepage:
Size: 10.1 MB
Stars: 61
Watchers: 9
Forks: 7
Open Issues: 13
Metadata Files:
- Readme: README.md
- License: LICENSE

Lists

awesome-forensics - Incidents - Web application for organizing non-trivial security investigations. Built on the idea that incidents are trees of tickets, where some tickets are leads (Tools / Management)
awesome-forensics-TOOLS - Incidents - Web application for organizing non-trivial security investigations. Built on the idea that incidents are trees of tickets, where some tickets are leads (Tools / Management)
awesome-forensics-TOOLS - Incidents - Web application for organizing non-trivial security investigations. Built on the idea that incidents are trees of tickets, where some tickets are leads (Tools / Management)
Awesome-Forensics - Incidents - Web application for organizing non-trivial security investigations. Built on the idea that incidents are trees of tickets, where some tickets are leads (Tools / Management)
awesome-forensic-analysis-tools - Incidents - Web application for organizing non-trivial security investigations. Built on the idea that incidents are trees of tickets, where some tickets are leads (Tools / Management)
ForensicsTools - Incidents - Web application for organizing non-trivial security investigations. Built on the idea that incidents are trees of tickets, where some tickets are leads (Challenges / Management)

README

# INCIDENTS

> [True Positive](https://truepositive.app) is the next iteration of
> INCIDENTS.

INCIDENTS is a web-based tool for incident response, just like
[TheHive](https://thehive-project.org).

You can use INCIDENTS whether you're investigating a malware infection, a
phishing campaign, insider abuse, an application vulnerability, a
denial-of-service attempt, or any other kind of security incident.

If you work at a SOC, MSSP, incident response firm, or an internal
detection/response team, INCIDENTS is for you.

Refer to documentation in the [docs/](docs/) folder.

## Get INCIDENTS Running Locally

This script will install INCIDENTS, provision an initial user account for you, and print out the login credentials.

Install [Docker](https://docs.docker.com/install/) and [Docker Compose](https://docs.docker.com/compose/install/) first.

```
git clone https://github.com/veeral-patel/incidents && cd incidents
chmod +x install.sh && sudo ./install.sh
```

Then visit http://localhost:80

Tested on MacOS, Ubuntu, Debian, and Fedora. Other OS's probably work, too, considering the application runs in Docker containers.

If you forgot your login credentials, simply run the install script again; it'll
provision a new user account for you. "Forgot my password" doesn't work in this
local setup, as email sending isn't configured.

### Don't run this setup in production!

**Don't run this setup in production!** Files are stored on disk, the database is not secured, doesn't use HTTPS, and you won't be able to invite other users, as email sending hasn't been set up. Just use this setup to try out the tool.

### Common errors while installing

#### "Couldn't connect to the Docker daemon"
- Be sure Docker is running. Run `sudo systemctl start docker`, start Docker
Desktop, or run the equivalent command to start Docker for your OS.
- Docker requires root access to run. Make you're running `sudo ./install.sh`, not `./install.sh`.

#### Docker container "killed" during installation
- Clear disk space if you're running low on it
- Add more memory (if installing in a VM) or terminate unused,
memory-intensive processes

### Dark theme

INCIDENTS supports a dark theme! See "Screenshots" at the bottom of this README to see some screenshots.

Instead of running the command above, run:

```
chmod +x install.sh && sudo ./install.sh dark
```

## Why INCIDENTS?

Investigations are tree-like: a piece of malware may spawn an enterprise-wide sweep, which may find a related piece of malware, which may spawn
another sweep, and so on.

Unfortunately, existing ticketing systems -- like TheHive and JIRA -- don't let you create subtickets of subtickets. So effectively your
tree can only have 2 levels--and they don't show you a visualization of the tree, either.

INCIDENTS models an incident as a tree of tickets, with any number of levels.

![Tree](https://user-images.githubusercontent.com/12554095/62274952-b8c83a00-b3f5-11e9-8066-b864883b1979.png)

I believe this approach better captures an incident responder's mental model of
an incident.

## Benefits

- **Avoid missing things with centralized lead management**--whether you're analysing a single system or leading a large engagement
- **Keep people on the same page**--team members can glance at the tree to find out what's going on, instead of reading old status updates or reading the entire Slack channel
- **Complete investigations faster**--divide large tasks into smaller tickets you assign to people to get things done in parallel. And analysts can identify open tickets to work on, without waiting for the investigation lead
- **Preserve institutional knowledge**--document how investigations developed over time to reference in future incidents and for training new analysts
- **Improve your IR process**--by documenting an investigation's evolution, be able to look back and find bottlenecks, areas for improvement, opportunities for automation
- **Tame incidents with large scopes**--people only need to worry about the few levels in the tree below theirs, instead of being exposed to all the information about the incident

## Concepts

- Create an **incident** for each investigation
- Each incident has many **tickets**, or pieces of work.
- If a ticket needs to be investigated further, mark it as a **lead**.
- Add **comments**, **attachments**, and **observables** (aka indicators) to a ticket.
- Add **child tickets** to a ticket to break it down into smaller pieces, or to indicate the ticket spawned another piece of work.

## Features

- Restrict who can view an incident
- View all an incident's attachments in one place
- View all an incident's observables in one place
- View all an incident's leads in one place
- Drag/drop nodes in the tree to quickly reorganize an incident
- Tag indicators, attachments, tickets, and incidents
- Assign tickets to users
- Assign statuses and priorities to tickets
- Keyboard shortcut for creating an incident

## Tech Stack

INCIDENTS is built using:

- Ruby on Rails
- Bulma
- JQuery

## Get in Touch

To request a feature or report a bug, [please open an issue on GitHub](https://github.com/veeral-patel/incidents/issues)

You can email the author at [[email protected]](mailto:[email protected]). I reply to all emails, and most within a couple hours. I welcome feedback!

## Screenshots

all_incidents
all_tickets
assigned_tickets
delete_incident
incident_attachments
incident_details