Thank you for the response, that definitely helps.<span></span><br><br>On Thursday, February 14, 2013, Carlos Fuentes Bermejo wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="auto"><div>Hiya Kevin,</div><div><br></div><div>First answer the question about blocks, the blocks are used to interact with the Network guys, i.e. for asking a block of an IP(s) or port in the network, so you will be able to keep tracking of the talks with NOC guys, and all the actions you take over the network to solve the incident. In case you see the block queue is not useful for you, you can deactivate in the RTIR config file.</div>
<div><br></div><div>About incidents, if you have two complaints in your incident reports queue related to two different IPs of your institution, or related to two different issues, you won't want to open only one single incident to handle everything, and mix the information you can receive, what you have to do is to open two different incidents, and each IR will be linked to its own incident, handling them separately, and launching investigations to fix the problems. You can be in front of cases where you have a incident report asking something, where you will have to open an incident, but an investigation won't be needed as you are acting as a security helpdesk team.</div>
<div><br></div><div>I hope it clarify a bit more your workflow understanding, as James said the document is a bit basic, and I think it should be more complete, having use cases and more examples.</div><div><br></div><div>
Cheers,</div><div>Carlos<br><br>Sent from my iPad</div><div><br>On 14/02/2013, at 21:12, Kevin Holleran <<a href="javascript:_e({}, 'cvml', 'kdawg44@gmail.com');" target="_blank">kdawg44@gmail.com</a>> wrote:<br>
<br></div><blockquote type="cite"><div><div dir="ltr">Thanks again. I am not understanding some of the workflow.<div><br></div><div>An incident can be defined. One (or more?) incident reports can be linked to the incident. One or more investigations can be linked to the incident. What are the blocks for? </div>
<div><br></div><div>Thank you!</div><div><br></div></div><div class="gmail_extra"><br clear="all"><div><div dir="ltr">--<br>Kevin Holleran<br>Master of Science, Computer Information Systems<br>Grand Valley State University<br>
Master of Business Administration<br>Western Michigan University<br><span style="font-family:arial;font-size:small">SANS GCFA, </span>SANS GCFE, CCNA, ISA, MCSA, MCDST, MCP<br><div><br>"Do today what others won't, do tomorrow what others can't" - SEALFit<div>
<br></div><div>"We are what we repeatedly do. Excellence, then, is not an act, but a habit." - Aristotle<br></div></div></div></div>
<br><br><div class="gmail_quote">On Tue, Feb 12, 2013 at 10:33 AM, James Davis <span dir="ltr"><<a href="javascript:_e({}, 'cvml', 'james.davis@ja.net');" target="_blank">james.davis@ja.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA256<br>
<div><br>
On 12/02/2013 15:20, Kevin Holleran wrote:<br>
<br>
> I just set up RT 3.8 with RT/IR. I am new to this and need to ramp<br>
> up quickly. What is a good resource rather than just fumbling<br>
> around and learning through trial and error or stumbling through<br>
> bits and pieces of documentation? I noticed the RT Essentials book<br>
> but I was wondering if it was dated based on the publication date.<br>
><br>
</div><a href="http://bestpractical.com/static/rtir/janet-workflow.pdf" target="_blank">http://bestpractical.com/static/rtir/janet-workflow.pdf</a> is a useful<br>
resource that explains the RTIR workflow[1].<br>
<br>
James<br>
<br>
1. I may be a little biased.<br>
<br>
- --<br>
James Davis 0300 999 2340 <a href="tel:%28%2B44%201235%20822340" value="+441235822340" target="_blank">(+44 1235 822340</a>)<br>
Senior CSIRT Member<br>
Lumen House, Library Avenue, Didcot, Oxfordshire, OX11 0SG<br>
-----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG v1.4.11 (Darwin)<br>
Comment: Using GnuPG with Thunderbird - <a href="http://www.enigmail.net/" target="_blank">http://www.enigmail.net/</a><br>
<br>
iF4EAREIAAYFAlEaYL0ACgkQjsS2Y6D6yLyQWAEAlUIuiH+glbsOFXEQP45B9zXI<br>
SAK+txSS2PeVfWcESMIBANIJ5SNcMH+hxXEfKEEeY923XsgoxPEIBgIr8rbi7ryE<br>
=m8+Z<br>
-----END PGP SIGNATURE-----<br>
<br>
Janet(UK) is a trading name of Jisc Collections and Janet Limited, a<br>
not-for-profit company which is registered in England under No. 2881024<br>
and whose Registered Office is at Lumen House, Library Avenue,<br>
Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238<br>
<br>
_______________________________________________<br>
Rtir mailing list<br>
<a href="javascript:_e({}, 'cvml', 'Rtir@lists.bestpractical.com');" target="_blank">Rtir@lists.bestpractical.com</a><br>
<a href="http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rtir" target="_blank">http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rtir</a><br>
</blockquote></div><br></div>
</div></blockquote><blockquote type="cite"><div><span>_______________________________________________</span><br><span>Rtir mailing list</span><br><span><a href="javascript:_e({}, 'cvml', 'Rtir@lists.bestpractical.com');" target="_blank">Rtir@lists.bestpractical.com</a></span><br>
<span><a href="http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rtir" target="_blank">http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rtir</a></span><br></div></blockquote></div></blockquote><br><br>-- <br>
<div dir="ltr">--<br>Kevin Holleran<br>Master of Science, Computer Information Systems<br>Grand Valley State University<br>Master of Business Administration<br>Western Michigan University<br><span style="font-family:arial;font-size:small">SANS GCFA, </span>SANS GCFE, CCNA, ISA, MCSA, MCDST, MCP<br>
<div><br>"Do today what others won't, do tomorrow what others can't" - SEALFit<div><br></div><div>"We are what we repeatedly do. Excellence, then, is not an act, but a habit." - Aristotle<br></div>
</div></div><br>