[Rtir] creating large numbers of investigations

Linda L. Julien julien at bestpractical.com
Thu Aug 19 12:35:15 EDT 2004


You should take a look at the "Scripted Action" tool in RTIR.  That will 
allow you to create bulk investigations from a list of email addresses, 
or, given a list of IPs, from a field in a WHOIS lookup.

Hope this helps,

Rudolph Pereira wrote:

>I'm currently looking into/using RTIR for our incident
>tracking/response. One of the issues that has come up is that of bulk
>creation of investigations; we're a pretty decentralised institution and
>so most incidents go something like
>- detect issue (e.g. port scans, etc.)
>- verify
>- send out mail notification to "system owner"
>We have tools to do all the above, but I'd like to use RTIR to tie it
>all together. At the same time, we usually deal with clusters of
>incidents, some of which have to be dealt with very quickly.
>Hence, using the web interface to go through the workflow (modified from
>1. get incident report/detection
>2. look up system owner
>3. look up/insert related information (e.g. port scan details, flow logs,
>switchport information)
>4. send off notification to system owner
>is quite time-consuming, and hard to aggregate (e.g. sending one
>notification per system owner regardless of the number of systems),
>not to mention it doesn't include the actual shutdown of the switchport,
>etc. (which again, isn't likely to be done optimally through a web
>interface).
>So my question is: for those in similar situations (or others), how are
>you dealing with similar situations? The best idea I've come up with is
>configuring RTIR to allow investigation creation via email (with some
>kind of authentication) so that one could insert whatever output in the
>mail, prepend a few field tags (e.g "Incident: n" to attach to an
>incident) and RTIR could be used as (at least) the starting point for
>these kinds of things
>Any suggestions/ideas?
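An added illustration of the aggregation step Rudolph describes (one notification per system owner regardless of the number of affected hosts, with an "Incident: n" field tag prepended to the body). This is example code written for this archive page, not part of the thread and not an RTIR feature; the queue address, sender, the "Incident:"/"Requestor:" tag format and the detection records are all assumptions.

```python
from collections import defaultdict
from email.message import EmailMessage

# Constructed sample detections (hypothetical): one record per affected host,
# as a scanner or flow-log tool might emit them.
DETECTIONS = [
    {"host": "10.0.1.5", "owner": "alice@example.edu", "incident": 1234,
     "finding": "port scan of 10.0.0.0/16"},
    {"host": "10.0.1.9", "owner": "alice@example.edu", "incident": 1234,
     "finding": "port scan of 10.0.0.0/16"},
    {"host": "10.0.7.2", "owner": "bob@example.edu", "incident": 1234,
     "finding": "outbound scan on tcp/445"},
]


def group_by_owner(detections):
    """Collapse per-host detections into one group per (owner, incident),
    so an owner with many affected hosts gets a single notification."""
    groups = defaultdict(list)
    for d in detections:
        groups[(d["owner"], d["incident"])].append(d)
    return dict(groups)


def build_notification(owner, incident, hosts,
                       queue_address="rtir-investigations@example.edu"):
    """Compose one mail per owner. The body starts with field tags in the
    assumed 'Field: value' form so a mail-driven investigation creator could
    attach it to the right incident; the owner is Cc'd on the same message."""
    msg = EmailMessage()
    msg["From"] = "security@example.edu"          # assumed sender
    msg["To"] = queue_address                     # assumed RTIR mail gateway
    msg["Cc"] = owner
    msg["Subject"] = f"[Incident #{incident}] {len(hosts)} host(s) require attention"
    lines = [f"Incident: {incident}", f"Requestor: {owner}", ""]
    lines += [f"{d['host']}: {d['finding']}" for d in hosts]
    msg.set_content("\n".join(lines) + "\n")
    return msg


def build_all(detections):
    """Return {(owner, incident): EmailMessage} for a batch of detections."""
    return {key: build_notification(key[0], key[1], hosts)
            for key, hosts in group_by_owner(detections).items()}
```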
