<h1>RTIR: Request Tracker for Incident Response</h1>
<p>Security Operations Center, Rutgers University. Published 2020-10-07, last modified 2020-10-13. Source: <a href="https://sites.rutgers.edu/soc-archive/incident_response/rtir-request-tracker-for-incident-response/">https://sites.rutgers.edu/soc-archive/incident_response/rtir-request-tracker-for-incident-response/</a></p>

<h1>Introduction</h1>
<p>RTIR provides several advantages. Since it was designed for incident response, most of the incident reports are created automatically rather than via manual data entry.</p>
<p><strong>Incident reports</strong> (and there are often multiple reports on the same incident) are grouped into <strong>incidents</strong>.</p>
<p>Please respond to the <strong>incident</strong> by sending an email message to <strong><a href="mailto:abuse@rutgers.edu">abuse@rutgers.edu</a></strong>. Refer to the incident reports only for the detailed information they contain.</p>
<p><strong>Note: Access to <a title="https://rt.ips.rutgers.edu" href="https://rt.ips.rutgers.edu/">https://rt.ips.rutgers.edu</a> is restricted to RUNet.</strong></p>
<p>To respond to incidents dispatched by the RU CIRT, either:</p>
<ul>
<li>respond in email to the RTIR email message and answer the Four Questions, keeping the <strong>SUBJECT:</strong> and <strong>REPLY-TO:</strong> fields intact, or</li>
<li><strong><em>CLICK</em></strong> on the Ticket URL included near the top of the email message ONLY to access incident and incident report information.</li>
</ul>
<p>Either way, answers to the questions below are needed in order to resolve the issue.</p>
<ul>
<li>Was sensitive information (Social Security Numbers, credit card numbers, or other confidential data) stored on the host? If so, please briefly describe the data. Note: Please do not send sensitive information in email.</li>
<li>What are the results of your investigation?</li>
<li>What steps were taken to fix the problem?</li>
<li>Was the report valid or a false positive?</li>
</ul>
<p>The ticket owner can assign another ticket owner as long as that person has RTIR access. The RU CIRT will happily add additional departmental staff for RTIR access. Kindly send requests to <a href="mailto:abuse@rutgers.edu">abuse@rutgers.edu</a>. Please include the OIT NetID and full name of the staff member.</p>

<h1>Incident Details and Log Files</h1>
<p><strong>Note: Access to <a title="https://rt.ips.rutgers.edu" href="https://rt.ips.rutgers.edu/">https://rt.ips.rutgers.edu</a> is restricted to RUNet.</strong><br />
Access incident reports only for more detailed information. Comment and reply work differently than most people expect, so please respond with an email message to <a href="mailto:abuse@rutgers.edu">abuse@rutgers.edu</a>, keeping the subject line (with the ticket number) intact.</p>
<ul>
<li>To access the INCIDENT details, two methods are available.
<ul>
<li>Browse to <a title="https://rt.ips.rutgers.edu" href="https://rt.ips.rutgers.edu/">https://rt.ips.rutgers.edu</a> and authenticate with NetID and password. Tickets owned by you will show up in the dashboard.</li>
<li>Click the URL included in the abuse report from RU CIRT. The format is <a href="https://rt.ips.rutgers.edu/Ticket/Display.html?id=12345">https://rt.ips.rutgers.edu/Ticket/Display.html?id=12345</a>, where your ticket number is substituted for "12345".</li>
</ul>
</li>
<li>Click on the items shown in INCIDENT REPORTS on the right-hand side. There may be more than one, depending on how many incident reports have been received about the same IP address.</li>
<li>Within the INCIDENT REPORT, look for the line:
<ul>
<li>"Message body is not shown because sender requested not to inline it."</li>
</ul>
</li>
<li>To the far right there will be a button labeled "Download" followed by a file name. Click on the button to display the log file.</li>
<li>The most common log file formats:
<ul>
<li>For Snort IDS logs, the first column in each log file entry is "Conf", which stands for Confidence level. A higher confidence level indicates that the IDS signature is more reliable, and thus the line is considered more important.</li>
<li>Stealthwatch logs are in .CSV format. The column headings are labeled.</li>
</ul>
</li>
</ul>

<h1>Blocks</h1>
<p>While we regret the use of drastic measures, hosts will be blocked from RUNet for critical issues and overdue tickets.<br />
Requests to re-establish RUNet access for blocked devices must come from the manager, dean or department chair and be directed to <a href="mailto:abuse@rutgers.edu">abuse@rutgers.edu</a>. The request should come from a person with administrative/budgetary responsibility for IT in the organization and affirm the following:</p>
<ul>
<li>the host is clear of sensitive data</li>
<li>the security issue has been addressed</li>
<li>the reason for the block has been discussed with the technical staff</li>
</ul>
<p>Please include the RTIR ticket number and/or the IP address of the device. After receipt and evaluation, IPS will notify the NOC that RUNet access can be restored.<br />
Additional measures will be taken if more than three (3) block requests have been made to the NOC within the past 12 months for a device in a department or administrative area.</p>