veeral-patel / incidents
Please use https://github.com/veeral-patel/true-positive instead

License: GNU Affero General Public License v3.0

Ruby 34.64% JavaScript 24.59% CoffeeScript 0.49% CSS 5.24% HTML 33.43% Dockerfile 0.11% Shell 0.65% SCSS 0.85%
security-incidents digital-forensics incident-response incident-management investigations dfir thehive-project ruby-on-rails

incidents's Introduction

INCIDENTS

True Positive is the next iteration of INCIDENTS.

INCIDENTS is a web-based tool for incident response, just like TheHive.

You can use INCIDENTS whether you're investigating a malware infection, a phishing campaign, insider abuse, an application vulnerability, a denial-of-service attempt, or any other kind of security incident.

If you work at a SOC, MSSP, incident response firm, or an internal detection/response team, INCIDENTS is for you.

Refer to documentation in the docs/ folder.

Get INCIDENTS Running Locally

This script will install INCIDENTS, provision an initial user account for you, and print out the login credentials.

Install Docker and Docker Compose first.

git clone https://github.com/veeral-patel/incidents && cd incidents
chmod +x install.sh && sudo ./install.sh

Then visit http://localhost:80

Tested on macOS, Ubuntu, Debian, and Fedora. Other OSes probably work too, since the application runs in Docker containers.

If you forgot your login credentials, simply run the install script again; it'll provision a new user account for you. "Forgot my password" doesn't work in this local setup, as email sending isn't configured.

Don't run this setup in production! Files are stored on disk, the database is not secured, the app doesn't use HTTPS, and you won't be able to invite other users, as email sending hasn't been set up. Use this setup only to try out the tool.

Common errors while installing

"Couldn't connect to the Docker daemon"

  • Be sure Docker is running. Run sudo systemctl start docker, start Docker Desktop, or run the equivalent command to start Docker for your OS.
  • Docker requires root access to run. Make sure you're running sudo ./install.sh, not ./install.sh.

Docker container "killed" during installation

  • Clear disk space if you're running low on it
  • Add more memory (if installing in a VM) or terminate unused, memory-intensive processes

Dark theme

INCIDENTS supports a dark theme! See the "Screenshots" section at the bottom of this README for examples.

Instead of running the command above, run:

chmod +x install.sh && sudo ./install.sh dark

Why INCIDENTS?

Investigations are tree-like: a piece of malware may spawn an enterprise-wide sweep, which may find a related piece of malware, which may spawn another sweep, and so on.

Unfortunately, existing ticketing systems -- like TheHive and JIRA -- don't let you create subtickets of subtickets. So effectively your tree can only have 2 levels -- and they don't show you a visualization of the tree, either.

INCIDENTS models an incident as a tree of tickets, with any number of levels.

(Image: incident tree diagram)

I believe this approach better captures an incident responder's mental model of an incident.

Benefits

  • Avoid missing things with centralized lead management--whether you're analysing a single system or leading a large engagement
  • Keep people on the same page--team members can glance at the tree to find out what's going on, instead of reading old status updates or reading the entire Slack channel
  • Complete investigations faster--divide large tasks into smaller tickets you assign to people to get things done in parallel. And analysts can identify open tickets to work on, without waiting for the investigation lead
  • Preserve institutional knowledge--document how investigations developed over time to reference in future incidents and for training new analysts
  • Improve your IR process--by documenting an investigation's evolution, be able to look back and find bottlenecks, areas for improvement, opportunities for automation
  • Tame incidents with large scopes--people only need to worry about the few levels in the tree below theirs, instead of being exposed to all the information about the incident

Concepts

  • Create an incident for each investigation
  • Each incident has many tickets, or pieces of work.
  • If a ticket needs to be investigated further, mark it as a lead.
  • Add comments, attachments, and observables (aka indicators) to a ticket.
  • Add child tickets to a ticket to break it down into smaller pieces, or to indicate the ticket spawned another piece of work.
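As an added example (not the project's own code), a minimal in-memory model of the concepts above: an incident holding a tree of tickets of any depth, with leads and observables collected across the whole tree. Class and method names are assumptions for illustration, not the Rails models of INCIDENTS.

```ruby
# Added example, not the project's code: a minimal in-memory model of the
# INCIDENTS concepts above. An incident holds a tree of tickets of any depth;
# tickets can be marked as leads and carry observables (indicators).
Observable = Struct.new(:type, :value)

class Ticket
  attr_reader :title, :lead, :children, :observables
  def initialize(title, lead: false)
    @title, @lead, @children, @observables = title, lead, [], []
  end
  # Break the ticket into smaller pieces, or record work it spawned.
  def add_child(title, lead: false)
    Ticket.new(title, lead: lead).tap { |c| @children << c }
  end
  def add_observable(type, value)
    @observables << Observable.new(type, value)
  end
  # Depth-first walk over this ticket and every descendant, yielding depth.
  def each_ticket(depth = 0, &block)
    yield self, depth
    @children.each { |c| c.each_ticket(depth + 1, &block) }
  end
end

class Incident
  attr_reader :name, :tickets
  def initialize(name)
    @name, @tickets = name, []
  end
  def add_ticket(title, lead: false)
    Ticket.new(title, lead: lead).tap { |t| @tickets << t }
  end
  # Every ticket with its depth, however deeply it is nested.
  def all_tickets
    [].tap { |out| @tickets.each { |r| r.each_ticket { |t, d| out << [t, d] } } }
  end
  # "View all an incident's leads / observables in one place".
  def leads
    all_tickets.map(&:first).select(&:lead)
  end
  def observables
    all_tickets.flat_map { |t, _| t.observables }.uniq
  end
  # Number of levels in the tree (0 for an empty incident); not limited to 2.
  def levels
    (all_tickets.map(&:last).max || -1) + 1
  end
end
```

Build an incident with add_ticket, then add_child repeatedly to nest as deep as the investigation goes; leads and observables return the flattened views the feature list describes.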

Features

  • Restrict who can view an incident
  • View all an incident's attachments in one place
  • View all an incident's observables in one place
  • View all an incident's leads in one place
  • Drag/drop nodes in the tree to quickly reorganize an incident
  • Tag indicators, attachments, tickets, and incidents
  • Assign tickets to users
  • Assign statuses and priorities to tickets
  • Keyboard shortcut for creating an incident

Tech Stack

INCIDENTS is built using:

  • Ruby on Rails
  • Bulma
  • jQuery

Get in Touch

To request a feature or report a bug, please open an issue on GitHub.

You can email the author at [email protected]. I reply to all emails, and most within a couple hours. I welcome feedback!

Screenshots

(Screenshots: all incidents, all tickets, assigned tickets, delete incident, incident attachments, incident details, incident leads, incident members, incident observables, incident tickets, incident tree, new ticket, new incident, ticket tree, ticket comments, ticket details, search, users, and dark theme views from 2019-07-30 and 2019-08-01.)

incidents's People

Contributors

veeral-patel


incidents's Issues

Create a settings page

  • create a settings page
  • link to Edit Profile from settings page
  • remove Edit Profile from top nav

add a user policy

Policies:

  • only a user can edit his info
  • only an admin can create or delete a user

Need to:

  • create user_policy.rb
  • enforce policies in user_controller.rb
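As an added example (not the project's code), a Pundit-style UserPolicy in plain Ruby that implements the two rules in this issue. It assumes a User record with an id and an admin flag; the real user_policy.rb and the authorize call in user_controller.rb are assumptions about how the issue would be resolved, and the policy denies by default.

```ruby
# Added example, not the project's code: a Pundit-style UserPolicy in plain Ruby
# (no gem required) for the two rules in the issue above. Assumes a User record
# with an id and an admin flag; the real user_policy.rb would sit in app/policies.
User = Struct.new(:id, :email, :admin, keyword_init: true) do
  def admin?
    admin == true
  end
end

class NotAuthorizedError < StandardError; end

class UserPolicy
  attr_reader :actor, :record

  def initialize(actor, record)
    # Deny by default: an anonymous actor is never authorized.
    raise NotAuthorizedError, "login required" if actor.nil?
    @actor, @record = actor, record
  end

  # Only the account owner may edit their own info; admins may edit anyone.
  def update?
    actor.admin? || actor.id == record.id
  end
  alias edit? update?

  # Only an admin can create or delete a user.
  def create?
    actor.admin?
  end
  alias destroy? create?

  # Fields a caller may mass-assign: the admin flag is admin-only, so a user
  # editing their own profile cannot promote themselves.
  def permitted_attributes
    actor.admin? ? %i[email admin] : %i[email]
  end
end

# Stand-in for Pundit's `authorize` call in user_controller.rb: raises unless
# the policy method for `action` returns true.
def authorize(actor, record, action)
  unless UserPolicy.new(actor, record).public_send(action)
    raise NotAuthorizedError, "#{action} denied on user #{record.id}"
  end
  true
end
```

In a controller, the filtered attribute list from permitted_attributes is what the update action should pass to the model, so the rule is enforced on the data as well as the route.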

create an API page

  • add it to the user dropdown in the top nav
  • it should show a user's authentication token
  • and it should mention API documentation is coming soon

create "incident > new ticket" form

  • add a new ticket button to the vertical incident menu on the left
  • add a new ticket button to the incident > Tickets page
  • remove shift-t keyboard shortcut
  • remove new ticket form
  • remove new > ticket from top nav

Create a 2FA page

  • link to 2FA page from settings page
  • create 2FA page which states if 2FA is enabled
  • add link to activate/deactivate 2FA to 2FA page

Initial Login

Please advise on approach for initial user login.
