About

"Incidents" in this template are organizational containers rather than records that hold the evidence themselves. An Incident carries its own properties, but the Timeline entries and Tasks that belong to it live in separate databases and are tied to it through two-way database relations, and Alerts reference the Incident from their own database in the same way. Each Timeline entry in turn references the IOCs, Assets, Accounts, Tactics and Techniques it involves, each of which also sits in its own dedicated database where the relationship back to the entry is tracked. Because every relation is recorded on both sides, a single IOC, Asset or Account record can be reached from every incident that references it, which is what makes correlation across multiple incidents possible while keeping each kind of item in exactly one place.

Components of an Incident

graph TD
  Incident <--> |References| C[Timeline Entry]
  Incident <--> |References| Task
  Alert <--> |References| Incident
  subgraph Alert Database
    direction BT
    Alert
  end
  subgraph Task Database
    direction BT
    Task
  end
  subgraph Incident Database
    direction BT
    Incident
  end
  subgraph Timeline Database
    direction BT
    C
  end
  subgraph IOC Database
    direction BT
    IOC
  end
  subgraph Asset Database
    direction BT
    Asset
  end
  subgraph Account Database
    direction BT
    Account
  end
  subgraph Tactics Database
    direction BT
    Tactic
  end
  subgraph Techniques Database
    direction BT
    Technique
  end
  C <--> |References| IOC
  C <--> |References| Asset
  C <--> |References| Account
  C --> |References| Tactic
  C --> |References| Technique
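To make the correlation property concrete, here is an added example (not part of the template or its documentation) that models the same layout in an in-memory SQLite database: one table per item type, a junction table for the Timeline-entry-to-IOC relation so it can be read from either side, and a query that answers "which other incidents share an indicator with this one". Table names, the sample incidents and the indicator values are all constructed for this illustration (the IP is from the RFC 5737 documentation range and the hash is the SHA-256 of an empty input).

```python
import sqlite3
from typing import List

# Hypothetical schema mirroring the template's layout: each kind of item in its
# own table, links kept in a junction table so they can be followed both ways.
SCHEMA = """
CREATE TABLE incident (
    id   INTEGER PRIMARY KEY,
    name TEXT NOT NULL
);
CREATE TABLE timeline_entry (
    id          INTEGER PRIMARY KEY,
    incident_id INTEGER NOT NULL REFERENCES incident(id),
    observed_at TEXT NOT NULL,
    activity    TEXT NOT NULL
);
CREATE TABLE ioc (
    id    INTEGER PRIMARY KEY,
    kind  TEXT NOT NULL,
    value TEXT NOT NULL UNIQUE   -- one record per indicator, never copied per incident
);
CREATE TABLE timeline_ioc (      -- the two-way relation between entries and IOCs
    entry_id INTEGER NOT NULL REFERENCES timeline_entry(id),
    ioc_id   INTEGER NOT NULL REFERENCES ioc(id),
    PRIMARY KEY (entry_id, ioc_id)
);
"""


def build_sample_db() -> sqlite3.Connection:
    """Create the schema and load constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO incident VALUES (?, ?)", [
        (1, "INC-001 phishing wave"),
        (2, "INC-002 web server compromise"),
        (3, "INC-003 lost laptop"),
    ])
    conn.executemany("INSERT INTO timeline_entry VALUES (?, ?, ?, ?)", [
        (10, 1, "2024-03-01T09:12:00Z", "User opened attachment, beacon to C2"),
        (11, 2, "2024-03-04T22:41:00Z", "Web shell dropped, outbound connection"),
        (12, 3, "2024-03-05T08:00:00Z", "Laptop reported missing"),
    ])
    conn.executemany("INSERT INTO ioc VALUES (?, ?, ?)", [
        (100, "ipv4", "203.0.113.7"),
        (101, "sha256",
         "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
    ])
    # Entry 10 (INC-001) and entry 11 (INC-002) both reference the same IP record.
    conn.executemany("INSERT INTO timeline_ioc VALUES (?, ?)", [
        (10, 100), (10, 101), (11, 100),
    ])
    conn.commit()
    return conn


def iocs_for_incident(conn: sqlite3.Connection, incident_id: int) -> List[str]:
    """Incident -> Timeline entries -> IOCs: the forward direction of the relation."""
    rows = conn.execute("""
        SELECT DISTINCT i.value
        FROM ioc i
        JOIN timeline_ioc ti   ON ti.ioc_id = i.id
        JOIN timeline_entry te ON te.id = ti.entry_id
        WHERE te.incident_id = ?
        ORDER BY i.value
    """, (incident_id,)).fetchall()
    return [r[0] for r in rows]


def incidents_sharing_ioc(conn: sqlite3.Connection, value: str) -> List[str]:
    """IOC -> Timeline entries -> Incidents: the back-reference direction."""
    rows = conn.execute("""
        SELECT DISTINCT inc.name
        FROM ioc i
        JOIN timeline_ioc ti   ON ti.ioc_id = i.id
        JOIN timeline_entry te ON te.id = ti.entry_id
        JOIN incident inc      ON inc.id = te.incident_id
        WHERE i.value = ?
        ORDER BY inc.name
    """, (value,)).fetchall()
    return [r[0] for r in rows]


def correlated_incidents(conn: sqlite3.Connection, incident_id: int) -> List[str]:
    """Other incidents that share at least one IOC record with the given one."""
    rows = conn.execute("""
        SELECT DISTINCT other.name
        FROM timeline_entry te
        JOIN timeline_ioc ti    ON ti.entry_id = te.id
        JOIN timeline_ioc ti2   ON ti2.ioc_id = ti.ioc_id
        JOIN timeline_entry te2 ON te2.id = ti2.entry_id
        JOIN incident other     ON other.id = te2.incident_id
        WHERE te.incident_id = ? AND te2.incident_id <> ?
        ORDER BY other.name
    """, (incident_id, incident_id)).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = build_sample_db()
    print("INC-001 IOCs:", iocs_for_incident(db, 1))
    print("Incidents with 203.0.113.7:", incidents_sharing_ioc(db, "203.0.113.7"))
    print("Correlated with INC-001:", correlated_incidents(db, 1))
```

The `UNIQUE` constraint on `ioc.value` is the part that matters in practice: correlation only works when an indicator seen in two incidents resolves to the same record. If analysts type the IP into each incident's notes, or create a fresh IOC page per incident, the relation has nothing to join on and `correlated_incidents` returns nothing.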

🗓️ Incident Timeline

A table view of all activities observed during an incident. Each timeline entry can be linked to the observed entities that live in their own databases, as shown in the diagram above: IOCs, Assets, Accounts, Tactics and Techniques.

Read more: Timelines

✅ Incident Tasks

All user-created tasks associated with an incident. Read more: Tasks

Incident Properties

Pinned Properties