Workflow Configuration

Customize incident phases, evidence handling workflows, and report templates to match your organization's processes.

Incident Phases (Lifecycle)

DFIRe comes with default incident phases based on NIST guidelines. You can customize these at Settings → Workflows:

  • Add phases: Create additional phases for your process
  • Rename phases: Use terminology your team prefers
  • Reorder phases: Adjust the workflow sequence
  • Remove phases: Delete phases you don't use

Important: Incident phases are dynamic—changes affect all incidents, including existing ones. Removing a phase will remove it from all incidents and may cause unexpected behavior. Configure your incident lifecycle before taking the system into production use.

Case Type Actions

Actions (task checklists) are defined per case type, not globally. Each case type can have its own set of actions assigned to specific phases.

  1. Configure phases first

    Ensure your incident phases are set up before defining actions, as each action is assigned to a phase.

  2. Go to Settings → Case Types

    Select or create the case type you want to configure.

  3. Define actions for each phase

    Add checklist items that should appear when an incident of this type is created.

See Case Types for details on configuring case types and their actions.

Tip: You can also export your settings to JSON via Settings → Tenant → Identity → Export JSON, edit the case type definitions in a text editor, and import the modified JSON back into DFIRe.

Report Templates

Create standardized report structures for different case types:

  • Define section headings and order
  • Include boilerplate content for each section
  • Add a writing guide for each section (helps analysts know what to include and serves as a reference for quality assurance)
  • Associate templates with case types

See Reports for more on report generation.

Evidence Handling Workflow

The evidence handling workflow defines the states evidence items can move through (e.g., Collected, In Analysis, Returned). Like incident phases, this workflow is configured at Settings → Workflows.

Configure before production: Changes to the evidence handling workflow affect all evidence items. Set up your workflow states before the system is in production use.

Notifications

DFIRe sends automatic in-app notifications to case team members for the following events:

  • Case status changes
  • Evidence added or updated
  • Notes added (case notes and evidence notes)
  • Files and photos uploaded
  • Team membership changes (investigators or viewers added/removed)
  • Compliance timer warnings (at 50%, 25%, and 10% time remaining)
  • Compliance timer breaches (deadline passed)

Notification rules are built into the system and are not user-configurable. For external integrations, see Webhooks.