
Ticket

Main Ticket Parameters

Every ticket has a unique ID and a title, as well as other parameters (some required, some optional):

  • Type: alert / incident
  • Severity: lowest / low / medium / high / highest
  • Status: stage of the workflow the ticket is at (open / triaged / closed / deleted)
  • Risk score: numerical severity value
  • Responder: person responsible for the ongoing investigation
  • Description

Other Ticket Details

Timeline

The timeline records all relevant changes to a ticket, such as ticket lifecycle stages, changes of responder, relevant user comments, etc.

It is an investigation-oriented entity, which means it shows only the data currently relevant to the issue at hand.

[Image: Timeline]

Attributes

Attributes are various indicators of compromise that might be relevant to the investigation of a given security incident.

Attribute names come from the Schema (e.g. source.ip, source.port, user.id, etc.).

By default, we show a list of attribute values with a counter for each (how many times this value was received).

[Image: Attributes]

Events

A complete hierarchy of directly assigned events and events from nested tickets.

[Image: Events]

Associated tickets

A complete hierarchy of directly assigned tickets and their nested tickets.

[Image: Associated Tickets]
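The timeline, attribute counters, and the event and ticket hierarchies described above, as an added illustrative Python model that is not part of this product's code (the field names, the change-record shape and the sample values are assumptions):

```python
from collections import Counter
from dataclasses import dataclass, field
# Constructed model of the ticket concepts above; field names are illustrative assumptions.
STATUSES = ("open", "triaged", "closed", "deleted")

@dataclass
class Ticket:
    ticket_id: str
    type: str = "alert"        # alert / incident
    severity: str = "medium"   # lowest / low / medium / high / highest
    status: str = "open"       # workflow stage, see STATUSES
    risk_score: float = 0.0
    responder: str = ""
    events: list = field(default_factory=list)    # each event: {"source.ip": "10.0.0.5", ...}
    nested: list = field(default_factory=list)    # associated (nested) tickets
    timeline: list = field(default_factory=list)  # (field, old, new) change records

    def set_status(self, new_status):
        # Move to a new workflow stage; the change is recorded in the timeline
        if new_status not in STATUSES:
            raise ValueError(f"unknown status {new_status!r}")
        self.timeline.append(("status", self.status, new_status))
        self.status = new_status

    def assign(self, responder):
        # Hand the investigation over; the change is recorded in the timeline
        self.timeline.append(("responder", self.responder, responder))
        self.responder = responder

def all_tickets(ticket, seen=None):
    """The ticket plus its whole nested hierarchy; `seen` guards against cycles."""
    seen = set() if seen is None else seen
    if ticket.ticket_id in seen:
        return []
    seen.add(ticket.ticket_id)
    result = [ticket]
    for child in ticket.nested:
        result.extend(all_tickets(child, seen))
    return result

def all_events(ticket):
    # Directly assigned events plus events from every nested ticket
    return [e for t in all_tickets(ticket) for e in t.events]

def attribute_counts(ticket):
    """For each attribute name, how many times each value was received."""
    counts = {}
    for event in all_events(ticket):
        for name, value in event.items():
            counts.setdefault(name, Counter())[value] += 1
    return counts
```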