[Rtir] linking incident-reports and investigations

Rudolph Pereira rudolph at usyd.edu.au
Wed Nov 3 06:12:37 EST 2004


On Wed, Nov 03, 2004 at 09:41:38AM +0100, Przemek Jaroszewski wrote:
> Rudolph Pereira wrote:
> 
> >For those cases, it would be nice to be able to link incident-reports
> >and investigations/blocks, and have them as children of a single
> >incident. 
> 
> If I understand you right, this is exactly how things work in RTIR :) 
> You can link multiple incident reports and launch multiple 
> investigations and blocks from a single incident (use 'Link' from IR and 
> 'New investigation' from Incident). And you can resolve one or more of 
> them without resolving whole incident - just click on the link to get 
> the investigation / incident report displayed and click 'Resolve' :)

Sorry, I should have been clearer: the above achieves the objective of
having multiple investigations and incident reports per incident, but
doesn't in any way link an investigation to an incident report.

For example, we may have an incident being "ssh bruteforcing attempts
across campus" and a whole bunch of incident reports (one or more per host) 
and investigations (again, one or more per host). As investigations are
resolved, it would be nice to resolve the incident report(s) associated
with just that host (in this incident), without having to go searching
or doing lookups and working out which one it was (there may be multiple
incident reports against the same host in different incidents). For
example, this may
look like the incident reports "pane" of an incident, except it would be
displayed in an investigation (display).

I imagine in RT-speak, the investigation and incident reports would be
siblings (or just refer to each other?)