Automating Metrics using RTIR REST API

Published: 2015-08-29
Last Updated: 2015-08-29 02:21:40 UTC
by Tom Webb (Version: 1)

Metrics are an important part of incident response. You should know your average time to detect compromised systems and how successful phishing campaigns are against your users. To get started with metrics, you first need to choose a taxonomy. In this example, we will be using the VERIS(1) taxonomy. It is well documented and allows you to compare your own numbers against the DBIR.


One of the problems with metrics is the amount of time it takes to enter data and correlate it. While it may take less than 5 minutes to determine how many people responded to a phish, it may take up to 20 minutes to create the tickets in your tracking system. To greatly increase your efficiency and accuracy, scripting should be used.

RTIR(2) is an open source ticketing system for incident response based on Request Tracker. It can be aligned with the VERIS taxonomy by creating custom fields that match the VERIS categories, and it provides a REST API(3) that can be used to automate the creation of tickets.


We need to create the following custom fields for our use case. Some of these will have static values, and others will need to be entered as command line arguments.

hacking.discovery_method, hacking.targeted, impact.security_incident, social.variety, social.vector,,, misuse.variety


Additionally, we want to track other stats that aren't used in VERIS, but are very useful for tracking campaigns.

victim-username, ioc.attacker.ip, ioc.attacker.domain


Now that we have the basic breakdown of the fields we want to populate, we need to script it (4). Make sure you add your credentials to the script, along with the IP/DNS name of your server. The two main parts that you can adjust to fit any incident type are the arguments and the post_data. The ticket will be created and closed when the script is complete.


To run this script as posted, do the following:

> --username bob --ip --domain malware.bad --creator twebb --time 5
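
The following Python is an added example, not the script referenced as (4): it builds an RT REST 1.0 ticket body from the same five arguments, rejects values that would inject extra fields into the line-oriented body, then creates and resolves the ticket. The queue name, the static VERIS values, the Owner/TimeWorked mappings for `--creator`/`--time`, and the `RTIR_*` environment variable names are assumptions.

```python
import ipaddress
import os
import re
import urllib.parse
import urllib.request

# Assumed for illustration: queue name, static VERIS values, RTIR_* variables.
# The custom field names are the ones listed in the diary.
STATIC_FIELDS = {"hacking.discovery_method": "Int - reported by user",
                 "impact.security_incident": "Confirmed",
                 "social.variety": "Phishing", "social.vector": "Email"}

def clean(value):
    # RT REST 1.0 bodies are 'Key: value' lines; a CR/LF inside a value would
    # start a new field, so reject it rather than pass it through.
    value = str(value).strip()
    if not value or "\r" in value or "\n" in value:
        raise ValueError("empty or multi-line field value: %r" % value)
    return value

def build_content(username, ip, domain, creator, minutes, queue="Incidents"):
    ip = str(ipaddress.ip_address(ip))  # ValueError on a malformed address
    fields = {**STATIC_FIELDS, "victim-username": username,
              "ioc.attacker.ip": ip, "ioc.attacker.domain": domain}
    lines = ["id: ticket/new", "Queue: " + clean(queue),
             "Subject: Phish response - " + clean(username),
             "Owner: " + clean(creator),        # assumed mapping of --creator
             "TimeWorked: %d" % int(minutes)]   # assumed mapping of --time
    lines += ["CF-%s: %s" % (k, clean(v)) for k, v in sorted(fields.items())]
    return "\n".join(lines) + "\n"

def parse_ticket_id(text):
    """Return the id from RT's '# Ticket 123 created.' reply, or None."""
    m = re.search(r"^# Ticket (\d+) created\.", text, re.MULTILINE)
    return int(m.group(1)) if m else None

def post(path, content):
    # Server and credentials come from the environment, not the script source.
    form = {"user": os.environ["RTIR_USER"], "pass": os.environ["RTIR_PASS"],
            "content": content}
    url = os.environ["RTIR_URL"].rstrip("/") + "/REST/1.0/" + path
    data = urllib.parse.urlencode(form).encode()
    with urllib.request.urlopen(url, data=data, timeout=30) as resp:
        return resp.read().decode("utf-8", "replace")

def create_and_close(**args):
    ticket = parse_ticket_id(post("ticket/new", build_content(**args)))
    if ticket is None:
        raise RuntimeError("RT did not confirm ticket creation")
    post("ticket/%d/edit" % ticket, "Status: resolved\n")  # create, then close
    return ticket
```

Checking the reply for the `# Ticket N created.` line matters because a rejected request is not recorded as a ticket, and a metrics pipeline that ignores the reply will silently undercount.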


While metrics are important, they shouldn’t be demanding to create. Anything that your SOC does that doesn’t require lots of documentation should be easily scripted.
Tom Webb

Keywords: Metrics REST RTIR