One ticket represents one piece of work in an incident.
For example, if you find a piece of malware on an employee's laptop, you may create three tickets:
- Obtain malware sample
- Reverse engineer malware sample
- Re-image user's laptop

- Add/remove observables (aka indicators)
- Add/remove attachments
- Add comments
- Change its status
- Change its priority
- Add tags
- Assign it to someone
- Mark it as a lead
- Change its parent ticket

Because INCIDENTS models investigations as trees, tickets can have parent tickets. If a ticket does not have a parent ticket, then its parent is the root.
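The tree model described above, as an added illustration that is not INCIDENTS' own code: a minimal ticket type whose parent defaults to the root, with a re-parenting check that refuses moves which would turn the tree into a cycle. The ticket titles come from the malware example above; the observable value and the nesting of the reverse-engineering ticket under the sample-collection ticket are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional, List


@dataclass(eq=False)  # identity comparison: two tickets are "equal" only if they are the same ticket
class Ticket:
    title: str
    parent: Optional["Ticket"] = None  # None means the ticket hangs directly off the incident root
    status: str = "open"
    observables: set = field(default_factory=set)
    tags: set = field(default_factory=set)
    assignee: Optional[str] = None
    is_lead: bool = False

    def ancestors(self) -> List["Ticket"]:
        """Walk up toward the root, nearest parent first. Empty for a top-level ticket."""
        chain, node = [], self.parent
        while node is not None:
            chain.append(node)
            node = node.parent
        return chain

    def set_parent(self, new_parent: Optional["Ticket"]) -> None:
        """Re-parent this ticket (None moves it back under the root).

        A ticket may not become its own parent, and may not be moved under one of
        its own descendants: either move would create a cycle and break the tree.
        """
        if new_parent is self or (new_parent is not None and self in new_parent.ancestors()):
            raise ValueError(f"re-parenting {self.title!r} under {new_parent.title!r} would create a cycle")
        self.parent = new_parent


def depth(ticket: Ticket) -> int:
    """Distance from the incident root; 0 for a ticket with no parent ticket."""
    return len(ticket.ancestors())


def build_malware_incident():
    """Constructed data: the three tickets from the malware-on-a-laptop example."""
    obtain = Ticket("Obtain malware sample")
    # Constructed nesting: reversing depends on first having the sample.
    reverse = Ticket("Reverse engineer malware sample", parent=obtain, is_lead=True)
    reverse.observables.add("sha256:<placeholder sample hash>")  # constructed placeholder observable
    reimage = Ticket("Re-image user's laptop", assignee="it-helpdesk")  # constructed assignee
    return obtain, reverse, reimage
```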