Skip to content


What is a ticket?

One ticket represents one piece of work in an incident.

For example, if you find a piece of malware on an employee's laptop, you may create three tickets:

  • Obtain malware sample
  • Reverse engineer malware sample
  • Re-image user's laptop

What can you do with a ticket?

  • Add/remove observables (aka indicators)
  • Add/remove attachments
  • Add comments
  • Change its status
  • Change its priority
  • Add tags
  • Assign it to someone
  • Mark it as a lead
  • Change its parent ticket

Parent tickets

Because INCIDENTS models investigations as trees, tickets can have parent tickets. If a ticket does not have a parent ticket, then its parent is the root.