Educause Security Discussion mailing list archives

Re: incident response tracking software


From: "Beyer, Justin R" <JBEYER () WCUPA EDU>
Date: Tue, 2 Oct 2018 18:50:20 +0000

Hi Bryan,
I've had good experience with Request Tracker (RT) with/without the Incident Response Module add-in (RTIR) from Best 
Practical Solutions. It's FOSS and is a pretty basic email-based ticketing system that lives off of Linux and Perl. You 
can do some fun automation with it but you will need to Script-Kiddie some Perl at a minimum. They also just added a 
REST module to give it an API but I haven't played with it too much.
I will say, though, that RTIR can be somewhat overkill if you use it the right way when it comes to small incidents, 
like a single account compromise that leads to spam email being sent or a single endpoint with malicious activity, 
since you end up creating an Incident Report, an Incident, at least one investigation, and at least one countermeasure.

I also played a bit with Hive but ended up not really seeing too much benefit since we didn't want to move our data 
directly into it especially since we were happy with our current Log Management/SIEM solution.

Thanks,
Justin

RT Link:
https://bestpractical.com/request-tracker/

Justin Beyer
Information Security Analyst
Information Services & Technology
West Chester University of Pennsylvania
P: 610-436-2844 | JBeyer () wcupa edu
PGP Key: BF3A643DD48A66CF603A4DA630EA4F8119D7B674<https://pgp.mit.edu/pks/lookup?op=get&search=0x30EA4F8119D7B674>

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Ford, Bryan
Sent: Tuesday, October 2, 2018 2:39 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] incident response tracking software

Anyone using any Incident tracking software that you would recommend?
We are in the process of creating a Security Operation Center and are looking at any incident response tracking 
software.  Kind of curious about what works well, how simple it is, and what doesn't work.
Any insight would be appreciated.

Thanks
Bryan

Bryan Ford
Information Security
NORTH DAKOTA
University System
Core Technology Services
4349 James Ray Drive
Grand Forks, ND 58203
   701.777.6484 (o)
   cts.ndus.edu

