Incident Response

Use DFIRe's Incident mode for active security incidents requiring coordinated response with phase-based workflows, action checklists, and compliance tracking.

Incident Response in DFIRe

DFIRe's Incident mode provides a structured framework for managing security incidents from detection through resolution. Every aspect is configurable to match your organization's incident response procedures.

Key Features

  • Phase-based workflow: Move through configurable incident phases with visual progress tracking
  • Action checklists: Pre-configured response steps organized by phase, assignable to team members
  • Compliance timers: Track regulatory notification deadlines with countdown timers
  • Timeline: Chronological record of all incident activity
  • CAN Report: Real-time Conditions, Actions, Needs summary for stakeholder updates
  • Evidence & Photos: Capture and track digital artifacts and visual evidence
  • Attachments: Store case-related files with encrypted storage
  • Sidebar status: At-a-glance view of phase, progress, duration, and compliance status

Fully Configurable: Incident phases, action templates, compliance timers, and case types can all be customized in System Settings to match your organization's procedures.

Default Incident Phases

DFIRe ships with a default set of incident phases based on the NIST Incident Response framework. These phases are fully configurable in System Settings > Incident Phases.

Phase                              Description
Preparation & Immediate Actions    Case opened; immediate actions may be required, but the formal response hasn't started
Detection & Analysis               Initial detection, scoping, and analysis of the incident
Containment                        Short-term and long-term containment strategies to limit spread
Eradication                        Removal of threat actors, malware, and attack artifacts
Recovery                           Restoration of systems and services to normal operation
Post-Incident Activities           Lessons learned, documentation, and process improvements
Resolved                           Incident is closed (final phase)

Each phase has a color indicator displayed in the sidebar and phase header for quick visual identification.

The Actions Tab

The Actions tab is the command center for incident response, displaying pre-configured action items organized by phase.

How Actions Work

  • Phase organization: Actions are grouped under their assigned phase, and each group can be collapsed or expanded for focus
  • Pre-populated: When you create an incident with a case type (e.g., "Ransomware Attack"), the Actions tab is automatically populated with relevant response steps
  • Progress tracking: Visual progress bar shows completed vs total actions
  • Ongoing actions: Currently in-progress actions are highlighted at the top for visibility

Action States

State     Description
Pending   Not yet started (default state)
Started   Currently being worked on by an assignee
Done      Completed successfully
Skipped   Not applicable to this incident

Assigning Actions

When you start an action, you can assign it to:

  • Case Investigators: DFIRe users assigned to this case
  • Legal Entities: Teams, organizations, government agencies, or individuals defined in your entity library

This allows you to create internal teams (e.g., "Network Team", "Legal Department") and assign actions to them, enabling coordination across organizational boundaries.

Completing Actions

When you mark an action as done, DFIRe prompts you to:

  • Add an optional completion note documenting what was done
  • Choose whether to post the note to the timeline for visibility

Custom Actions: You can add new actions at any time using the "Add Action" button. Custom actions are assigned to the current phase by default.

Example: General Incident Response Workflow

Here's an example of how the default "General Incident Response" case type organizes actions across phases:

Preparation & Immediate Actions

  1. Assign Incident Commander and Scribe
  2. Set up a dedicated secure communication channel
  3. Inform the CISO and Legal (if data breach suspected)

Detection & Analysis

  1. Determine scope: Query EDR/Logs for similar indicators
  2. Capture forensic image of volatile memory (RAM) before isolation

Containment

  1. Isolate affected endpoints from the network
  2. Block attacker IPs/Domains at Firewall and Web Proxy
  3. Disable compromised user accounts (AD/SSO)

Eradication

  1. Remove malicious artifacts (Files, Registry Keys, Persistence)
  2. Patch the vulnerability exploited (Root Cause Fix)
  3. Force password reset for all affected identities (2x)

Recovery

  1. Reimage workstations / Restore servers from clean backups

Post-Incident Activities

  1. Schedule a post-incident review meeting
  2. Save PIR findings document and ticket findings

Resolved

  1. Mark Incident as Resolved

Each case type comes with its own tailored action checklist. See Default Case Types for all available types.

Phase Transitions

Moving between phases is an important milestone in incident response.

Advancing Phases

When all actions in the current phase are complete, DFIRe displays a suggestion to advance to the next phase. You can:

  • Click the suggestion to advance immediately
  • Use the phase dropdown in the case header to change phases manually
  • Advance without completing all actions (with confirmation)
  • Return to a previous phase if needed (action progress is preserved)

Phase Duration Tracking

DFIRe automatically tracks:

  • Time spent in each phase
  • Total incident duration (displayed in the sidebar)
  • Phase change timestamps in the timeline

The duration counter stops when the incident reaches the final phase or is set to Closed status.
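The action checklist, the advance-phase suggestion, the confirmation needed to leave open actions behind, and the per-phase duration tracking described in The Actions Tab and Phase Transitions above, modelled as an added Python example. This is not DFIRe's own code: the class and method names, the wording of the timeline entries, and the sample timestamps are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

PHASES = ["Preparation & Immediate Actions", "Detection & Analysis", "Containment",
          "Eradication", "Recovery", "Post-Incident Activities", "Resolved"]  # page order; last is final
FINAL_PHASE = PHASES[-1]
PHASE_EVENT = "phase changed to "  # assumed wording of a timeline phase-change entry

@dataclass
class Action:
    title: str
    phase: str
    state: str = "pending"          # pending (default) | started | done | skipped
    assignee: Optional[str] = None  # investigator or legal entity (e.g. a team)

@dataclass
class Incident:
    created_at: datetime
    phase: str = PHASES[0]
    actions: List[Action] = field(default_factory=list)
    timeline: List[Tuple[datetime, str]] = field(default_factory=list)
    closed_at: Optional[datetime] = None  # set when the case status becomes Closed

    def __post_init__(self) -> None:
        self.timeline.append((self.created_at, PHASE_EVENT + self.phase))

    def add_action(self, title: str, phase: Optional[str] = None) -> Action:
        self.actions.append(Action(title, phase or self.phase))  # custom actions default to the current phase
        return self.actions[-1]

    def set_state(self, action: Action, state: str, at: datetime, assignee: Optional[str] = None,
                  note: str = "", post_to_timeline: bool = True) -> None:
        action.state, action.assignee = state, assignee or action.assignee
        if post_to_timeline:  # the optional completion note may be posted to the timeline
            self.timeline.append((at, f"{state}: {action.title}" + (f" ({note})" if note else "")))

    def progress(self, phase: Optional[str] = None) -> Tuple[int, int, int]:
        """(done, skipped, total) for one phase, or for the whole incident when phase is None."""
        scope = [a for a in self.actions if phase is None or a.phase == phase]
        return sum(a.state == "done" for a in scope), sum(a.state == "skipped" for a in scope), len(scope)

    def phase_complete(self) -> bool:
        done, skipped, total = self.progress(self.phase)
        return done + skipped == total

    def suggest_advance(self) -> Optional[str]:
        """Next phase to suggest once every action in the current phase is done or skipped."""
        if self.phase == FINAL_PHASE or not self.phase_complete():
            return None
        return PHASES[PHASES.index(self.phase) + 1]

    def change_phase(self, new_phase: str, at: datetime, confirmed: bool = False) -> bool:
        """Move forward or back; leaving open actions behind needs confirmation. Returns whether it applied."""
        if not self.phase_complete() and not confirmed:
            return False
        self.phase = new_phase
        self.timeline.append((at, PHASE_EVENT + new_phase))
        return True

    def phase_events(self) -> List[Tuple[datetime, str]]:
        return [(ts, ev[len(PHASE_EVENT):]) for ts, ev in self.timeline if ev.startswith(PHASE_EVENT)]

    def clock_stop(self, now: datetime) -> datetime:
        """The duration counter stops at Closed status or on entering the final phase."""
        events, stops = self.phase_events(), [now] + ([self.closed_at] if self.closed_at else [])
        if events[-1][1] == FINAL_PHASE:
            stops.append(events[-1][0])
        return min(stops)

    def phase_durations(self, now: datetime) -> Dict[str, timedelta]:
        """Time spent in each phase (summed over revisits), derived from the timeline."""
        events, stop = self.phase_events(), self.clock_stop(now)
        durations = {p: timedelta(0) for p in PHASES}
        for i, (start, phase) in enumerate(events):
            end = events[i + 1][0] if i + 1 < len(events) else stop
            durations[phase] += max(end - start, timedelta(0))
        return durations

def sample_sidebar() -> dict:
    """Constructed walk-through of the first two phases; returns the sidebar figures as plain values."""
    t0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)  # constructed creation time
    inc = Incident(created_at=t0)
    hrs = lambda t: (inc.clock_stop(t) - t0).total_seconds() / 3600  # total incident duration in hours
    a1 = inc.add_action("Assign Incident Commander and Scribe")
    a2 = inc.add_action("Inform the CISO and Legal (if data breach suspected)")
    a3 = inc.add_action("Determine scope: Query EDR/Logs for similar indicators", "Detection & Analysis")
    inc.set_state(a1, "done", t0 + timedelta(minutes=20), note="IC and scribe named in channel")
    inc.set_state(a2, "skipped", t0 + timedelta(minutes=35), note="No personal data", post_to_timeline=False)
    inc.change_phase(inc.suggest_advance(), t0 + timedelta(hours=1))  # all done or skipped, so suggested
    inc.set_state(a3, "started", t0 + timedelta(hours=1, minutes=10), assignee="Network Team")
    now = t0 + timedelta(hours=3)
    blocked = not inc.change_phase("Containment", now)  # a3 is open: refused without confirmation
    done, skipped, total = inc.progress()
    hours = {p: d.total_seconds() / 3600 for p, d in inc.phase_durations(now).items() if d}
    inc.change_phase(FINAL_PHASE, t0 + timedelta(hours=4), confirmed=True)  # the clock stops here
    return {"done": done, "skipped": skipped, "total": total, "hours_at_3h": hours,
            "total_hours_at_3h": hrs(now), "blocked_without_confirm": blocked,
            "timeline_entries": len(inc.timeline), "total_hours_after_resolve": hrs(t0 + timedelta(hours=6))}
```

Per-phase time is reconstructed from the phase-change entries rather than stored separately, so returning to an earlier phase simply adds a second interval to that phase, and a clock that stopped at the final phase is not reopened when the same incident is viewed later.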

The Incident Sidebar

The collapsible sidebar provides at-a-glance status information:

  • Incident Phase: Current phase with color indicator and timestamp of last change
  • Actions Progress: Visual progress bar showing completed/total actions, with breakdown of done vs skipped
  • Incident Duration: Live counter showing elapsed time since incident creation
  • Compliance Status: Overview of active compliance timers with warning indicators (click to navigate to Compliance tab)
  • Case Info: Project, Classification, Reference ID, Lead Investigator, Team Members
  • Attributes: Custom fields defined by your case type

Compliance Timers

Many regulations require notification within specific timeframes. DFIRe tracks these deadlines with countdown timers that start when an incident is created.

Default Compliance Timers

Regulation                   Deadline         Notes
GDPR                         72 hours         Data Protection Authority notification
NIS2 Early Warning           24 hours         Initial report to CSIRT
NIS2 Incident Notification   72 hours         Detailed incident notification
SEC Form 8-K                 4 business days  Material cybersecurity incident disclosure
CIRCIA                       72 hours         Covered cyber incident report to CISA
PCI-DSS                      Immediate        Account data compromise notification

The Compliance tab shows active timers with countdown progress bars, completion status, and links to external resources. See Compliance Timers for configuration details.
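How deadlines like the ones in the table above can be derived from the incident creation time and turned into countdown status, as an added Python example that is not DFIRe's own code. The unit field, the 75% warning threshold, the Monday-to-Friday business-day rule and the sample creation time are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List

@dataclass(frozen=True)
class ComplianceTimer:
    regulation: str
    amount: int
    unit: str   # "hours", "business_days" or "immediate" (assumed encoding)
    notes: str

# The default timers listed on this page.
DEFAULT_TIMERS: List[ComplianceTimer] = [
    ComplianceTimer("GDPR", 72, "hours", "Data Protection Authority notification"),
    ComplianceTimer("NIS2 Early Warning", 24, "hours", "Initial report to CSIRT"),
    ComplianceTimer("NIS2 Incident Notification", 72, "hours", "Detailed incident notification"),
    ComplianceTimer("SEC Form 8-K", 4, "business_days", "Material cybersecurity incident disclosure"),
    ComplianceTimer("CIRCIA", 72, "hours", "Covered cyber incident report to CISA"),
    ComplianceTimer("PCI-DSS", 0, "immediate", "Account data compromise notification"),
]

def add_business_days(start: datetime, days: int) -> datetime:
    """Assumption: business days are Monday to Friday; public holidays are not modelled."""
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            remaining -= 1
    return current

def deadline_for(timer: ComplianceTimer, created_at: datetime) -> datetime:
    """Deadline measured from incident creation, which is when the timers start."""
    if timer.unit == "hours":
        return created_at + timedelta(hours=timer.amount)
    if timer.unit == "business_days":
        return add_business_days(created_at, timer.amount)
    if timer.unit == "immediate":
        return created_at
    raise ValueError(f"unknown unit: {timer.unit}")

@dataclass(frozen=True)
class TimerStatus:
    regulation: str
    deadline: datetime
    remaining: timedelta     # negative once the deadline has passed
    fraction_elapsed: float  # 0.0 to 1.0, drives the countdown progress bar
    level: str               # "completed", "ok", "warning" or "overdue"

def evaluate(timers: Iterable[ComplianceTimer], created_at: datetime, now: datetime,
             completed: Iterable[str] = (), warn_fraction: float = 0.75) -> List[TimerStatus]:
    """Status of every timer at `now`, earliest deadline first."""
    done, statuses = set(completed), []
    for t in timers:
        deadline = deadline_for(t, created_at)
        window, remaining = deadline - created_at, deadline - now
        # An "immediate" timer has no window: it is due the moment the incident is opened.
        fraction = min(1.0, max(0.0, (now - created_at) / window)) if window > timedelta(0) else 1.0
        if t.regulation in done:
            level = "completed"
        elif remaining <= timedelta(0):
            level = "overdue"
        else:
            level = "warning" if fraction >= warn_fraction else "ok"
        statuses.append(TimerStatus(t.regulation, deadline, remaining, fraction, level))
    return sorted(statuses, key=lambda s: s.deadline)

SAMPLE_CREATED_AT = datetime(2024, 3, 7, 15, 0, tzinfo=timezone.utc)  # constructed: a Thursday afternoon

def sample_report(hours_after_creation: float, completed: Iterable[str] = ("PCI-DSS",)) -> Dict[str, dict]:
    """Compliance-tab view for the constructed incident, keyed by regulation in deadline order."""
    now = SAMPLE_CREATED_AT + timedelta(hours=hours_after_creation)
    return {s.regulation: {"deadline": s.deadline.isoformat(),
                           "remaining_hours": round(s.remaining.total_seconds() / 3600, 2),
                           "level": s.level}
            for s in evaluate(DEFAULT_TIMERS, SAMPLE_CREATED_AT, now, completed)}
```

Two caveats a practitioner would check before trusting such a countdown: the business-day rule here ignores public holidays and the filer's own calendar, and the timers start at case creation, so if the case is opened some time after the event became known, the creation time should be back-dated to the moment the clock actually started.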

Photos & Evidence Gallery

The Photos tab provides an evidence gallery for capturing visual documentation:

  • Upload photos: Click to upload JPEG, PNG, GIF, or WebP images (up to 32MB)
  • Take photos: Use your device's webcam to capture images directly
  • Automatic thumbnails: Uploaded images are processed for quick previews
  • Evidence item photos: Photos uploaded directly to evidence items appear in the gallery with their own section
  • Full-screen viewer: Click any photo to view full resolution
  • Encrypted storage: All photos are encrypted at rest using the same encryption model as evidence attachments

Use photos to document physical evidence, screenshots of malware behavior, network diagrams, or any visual information relevant to the incident.

Attachments

The Attachments tab stores case-related files:

  • Chain of custody forms
  • Log exports and analysis reports
  • Vendor communications
  • Legal documentation
  • Any file relevant to the incident

All attachments are encrypted at rest using the case's encryption key. See Evidence Tracking - File Attachments for encryption details.

Creating an Incident

  1. Click "New Case" on the Dashboard
  2. Select "Incident" Mode

    This enables phase-based workflows, actions, compliance timers, and timeline.

  3. Choose an Incident Type

    Select from pre-configured case types. The Actions tab will be populated with the type's action checklist.

  4. Set the Severity
    • Critical: Immediate business impact, executive notification required
    • High: Significant impact, urgent response
    • Medium: Moderate impact, standard response
    • Low: Minor impact, routine handling
    • Info: Informational only
  5. Enter Details and Create

    Fill in title, description, and any custom fields. Click "Create Case".

  6. Assign Team Members

    Use "Manage Team" to assign investigators who will work on the incident.

Escalating an Investigation

If a routine investigation reveals an active threat, you can escalate it to an incident:

  1. Open the Investigation case
  2. Click "Edit Case" in the header
  3. Change Mode to "Incident"
  4. Select an incident type and set the initial phase

All existing evidence, notes, and attachments are preserved. The case gains access to the Actions tab, Timeline, Compliance timers, and phase-based workflows.

Closing an Incident

To properly close an incident:

  1. Ensure the incident is in the final phase (typically "Resolved")
  2. Complete or skip all remaining actions
  3. Complete the final incident report
  4. Change the case status to Closed

Closed incidents become read-only but remain searchable for future reference and metrics.

Post-Incident Review: Schedule a lessons learned meeting while details are fresh. Use the Timeline and Actions tabs to review the response and identify improvements.

Configuration

All aspects of incident response are configurable:

Setting                        Location
Incident Phases                System Settings > Incident Phases
Case Types & Action Templates  System Settings > Case Types
Compliance Timers              System Settings > Compliance Timers
Legal Entities (Teams)         Entities (top navigation)

See Configuration for detailed setup instructions.