AdminGit2026/nis2-agile
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
094d453e8e
nis2-agile/docs/nis2/incidente_r01/incident-detail.html
DevEnv nis2-agile 5c545ea3d0 [FEAT] Integrazione analisi docs/nis2 v1.7.0 — scoring asset, tassonomia incidenti, PIR, NIST CSF, fonti certe 
Fase 1 - Asset Relevance Scoring NIS2 (GV.OC-04): metodologia 0-100 a 6 criteri,
  AssetScoringService + endpoint scoringGrid/score/relevantSystems + UI assets.html + registro stampabile.
Fase 2 - Tassonomia incidenti Determina ACN 164179/2025: IS-1..4 + regime essenziale/importante (Allegati 3/4).
Fase 3 - Post-Incident Review (5-Whys) + metriche TTD/TTC/TTR + timestamp di fase.
Fase 4 - Mapping NIST CSF 2.0 (43 controlli) reference-only.
Fonti certe: registry config/nis2_sources.php + grounding AI (vieta riferimenti inventati) +
  citazioni help.js + ingest PDF normativi nella KB RAG (scripts/ingest-nis2-sources.php).
Migrazioni 020/021/022 (additive idempotenti). Fix VectorService IP Qdrant (drift .5->.3).
Analisi concorrenza Evix (docs/EVIX_ANALISI_CONCORRENZA.html, gap-driven).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-05-29 17:15:13 +02:00

1806 lines
75 KiB
HTML
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!DOCTYPE html>
<html lang="it">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Dettaglio Incidente INC-2024-047 - NIS2</title>
<style>
:root {
--bg-primary: #0d1117;
--bg-secondary: #161b22;
--bg-tertiary: #1c2128;
--border-color: #30363d;
--text-primary: #c9d1d9;
--text-secondary: #8b949e;
--accent-primary: #58a6ff;
--accent-secondary: #1f6feb;
--success: #3fb950;
--warning: #d29922;
--danger: #f85149;
--essential-bg: #fef3c7;
--essential-text: #92400e;
--essential-border: #f59e0b;
}
* {
margin: 0;
padding: 0;
box-sizing: border-box;
}
body {
font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', 'Noto Sans', Helvetica, Arial, sans-serif;
background-color: var(--bg-primary);
color: var(--text-primary);
line-height: 1.6;
overflow-y: auto;
}
.container {
max-width: 1600px;
margin: 0 auto;
padding: 20px;
}
.header {
background-color: var(--bg-secondary);
border-bottom: 1px solid var(--border-color);
padding: 24px 0;
margin-bottom: 32px;
position: sticky;
top: 0;
z-index: 100;
}
.header-content {
max-width: 1600px;
margin: 0 auto;
padding: 0 20px;
display: flex;
justify-content: space-between;
align-items: center;
flex-wrap: wrap;
gap: 16px;
}
.header-left {
flex: 1;
}
.header h1 {
font-size: 24px;
font-weight: 600;
color: var(--text-primary);
display: flex;
align-items: center;
gap: 12px;
}
.breadcrumb {
font-size: 13px;
color: var(--text-secondary);
margin-top: 4px;
}
.breadcrumb a {
color: var(--accent-primary);
text-decoration: none;
}
.header-right {
display: flex;
gap: 8px;
flex-wrap: wrap;
}
.btn {
padding: 8px 16px;
background-color: var(--bg-tertiary);
border: 1px solid var(--border-color);
border-radius: 6px;
color: var(--text-primary);
font-size: 13px;
font-weight: 500;
cursor: pointer;
transition: all 0.2s;
text-decoration: none;
display: inline-block;
}
.btn:hover {
border-color: var(--accent-primary);
color: var(--accent-primary);
}
.btn-primary {
background-color: var(--accent-primary);
border-color: var(--accent-primary);
color: white;
}
.btn-primary:hover {
background-color: var(--accent-secondary);
color: white;
}
.btn-danger {
background-color: rgba(248, 81, 73, 0.1);
border-color: var(--danger);
color: var(--danger);
}
.btn-danger:hover {
background-color: var(--danger);
color: white;
}
.btn-success {
background-color: rgba(63, 185, 80, 0.1);
border-color: var(--success);
color: var(--success);
}
.btn-success:hover {
background-color: var(--success);
color: white;
}
/* Status Badge */
.status-badge {
display: inline-block;
padding: 6px 12px;
border-radius: 4px;
font-size: 12px;
font-weight: 600;
text-transform: uppercase;
}
.status-contenuto {
background-color: rgba(210, 153, 34, 0.2);
color: var(--warning);
border: 1px solid var(--warning);
}
.sev-1 {
background-color: rgba(248, 81, 73, 0.2);
color: var(--danger);
border: 1px solid var(--danger);
font-weight: 700;
}
/* Info Grid */
.info-grid {
display: grid;
grid-template-columns: repeat(auto-fit, minmax(250px, 1fr));
gap: 16px;
margin-bottom: 32px;
}
.info-card {
background-color: var(--bg-secondary);
border: 1px solid var(--border-color);
border-radius: 6px;
padding: 16px;
}
.info-label {
font-size: 11px;
color: var(--text-secondary);
text-transform: uppercase;
letter-spacing: 0.5px;
margin-bottom: 8px;
}
.info-value {
font-size: 16px;
font-weight: 600;
color: var(--text-primary);
}
/* Tabs */
.tabs {
display: flex;
gap: 8px;
margin-bottom: 24px;
border-bottom: 1px solid var(--border-color);
padding-bottom: 0;
flex-wrap: wrap;
}
.tab {
padding: 12px 16px;
background: transparent;
border: none;
color: var(--text-secondary);
cursor: pointer;
font-size: 14px;
font-weight: 500;
border-bottom: 2px solid transparent;
transition: all 0.2s;
}
.tab:hover {
color: var(--text-primary);
background-color: var(--bg-tertiary);
}
.tab.active {
color: var(--accent-primary);
border-bottom-color: var(--accent-primary);
}
/* Section */
.section {
background-color: var(--bg-secondary);
border: 1px solid var(--border-color);
border-radius: 6px;
padding: 24px;
margin-bottom: 24px;
display: none;
}
.section.active {
display: block;
}
.section-header {
display: flex;
justify-content: space-between;
align-items: center;
margin-bottom: 24px;
padding-bottom: 16px;
border-bottom: 1px solid var(--border-color);
}
.section-title {
font-size: 18px
font-weight: 600;
color: var(--text-primary);
display: flex;
align-items: center;
gap: 8px;
}
/* Help Icon */
.help-icon {
display: inline-flex;
align-items: center;
justify-content: center;
width: 22px;
height: 22px;
background-color: rgba(167, 139, 250, 0.2);
border: 2px solid #a78bfa;
border-radius: 50%;
font-size: 13px;
font-weight: 700;
color: #a78bfa;
cursor: help;
position: relative;
}
.help-icon:hover {
background-color: rgba(167, 139, 250, 0.3);
transform: scale(1.1);
}
.tooltip {
visibility: hidden;
position: absolute;
z-index: 1000;
background-color: var(--bg-tertiary);
color: var(--text-primary);
padding: 12px;
border-radius: 6px;
border: 1px solid var(--border-color);
box-shadow: 0 8px 24px rgba(0, 0, 0, 0.5);
width: 320px;
top: 28px;
left: 50%;
transform: translateX(-50%);
font-size: 12px;
line-height: 1.5;
opacity: 0;
transition: opacity 0.2s;
white-space: normal;
}
.tooltip::before {
content: '';
position: absolute;
top: -6px;
left: 50%;
transform: translateX(-50%);
border-left: 6px solid transparent;
border-right: 6px solid transparent;
border-bottom: 6px solid var(--border-color);
}
.tooltip-title {
color: var(--accent-primary);
font-weight: 600;
margin-bottom: 8px;
font-size: 11px;
text-transform: uppercase;
letter-spacing: 0.5px;
}
.help-icon:hover .tooltip {
visibility: visible;
opacity: 1;
}
/* Timeline */
.timeline {
position: relative;
padding-left: 30px;
}
.timeline::before {
content: '';
position: absolute;
left: 10px;
top: 0;
bottom: 0;
width: 2px;
background: var(--border-color);
}
.timeline-item {
position: relative;
margin-bottom: 24px;
padding-left: 20px;
}
.timeline-item::before {
content: '';
position: absolute;
left: -24px;
top: 4px;
width: 12px;
height: 12px;
border-radius: 50%;
background: var(--accent-primary);
border: 2px solid var(--bg-secondary);
}
.timeline-item.critical::before {
background: var(--danger);
}
.timeline-item.success::before {
background: var(--success);
}
.timeline-time {
font-size: 12px;
color: var(--text-secondary);
margin-bottom: 4px;
}
.timeline-content {
font-size: 13px;
color: var(--text-primary);
}
.timeline-user {
font-size: 12px;
color: var(--text-secondary);
font-style: italic;
margin-top: 4px;
}
/* Alert Box */
.alert-box {
background-color: rgba(248, 81, 73, 0.1);
border: 1px solid var(--danger);
border-left: 4px solid var(--danger);
border-radius: 6px;
padding: 20px;
margin-bottom: 24px;
}
.alert-box.warning {
background-color: rgba(210, 153, 34, 0.1);
border-color: var(--warning);
border-left-color: var(--warning);
}
.alert-box.info {
background-color: rgba(88, 166, 255, 0.1);
border-color: var(--accent-primary);
border-left-color: var(--accent-primary);
}
.alert-title {
font-weight: 600;
margin-bottom: 8px;
font-size: 15px;
display: flex;
align-items: center;
gap: 8px;
}
.alert-content {
font-size: 13px;
color: var(--text-secondary);
line-height: 1.6;
}
/* Data Table */
.data-table {
width: 100%;
border-collapse: collapse;
font-size: 13px;
}
.data-table th {
background-color: var(--bg-tertiary);
color: var(--text-secondary);
font-weight: 600;
text-align: left;
padding: 10px 12px;
border: 1px solid var(--border-color);
font-size: 11px;
text-transform: uppercase;
letter-spacing: 0.5px;
}
.data-table td {
padding: 10px 12px;
border: 1px solid var(--border-color);
color: var(--text-primary);
}
.data-table tr:hover {
background-color: var(--bg-tertiary);
}
/* Action Log */
.action-log {
background-color: var(--bg-tertiary);
border: 1px solid var(--border-color);
border-radius: 6px;
padding: 16px;
margin-bottom: 16px;
}
.action-log-header {
display: flex;
justify-content: space-between;
align-items: center;
margin-bottom: 12px;
}
.action-log-time {
font-size: 12px;
color: var(--text-secondary);
}
.action-log-user {
font-size: 12px;
color: var(--accent-primary);
font-weight: 600;
}
.action-log-content {
font-size: 13px;
color: var(--text-primary);
line-height: 1.6;
}
/* Phase Progress */
.phase-progress {
display: flex;
justify-content: space-between;
margin-bottom: 32px;
position: relative;
}
.phase-progress::before {
content: '';
position: absolute;
top: 20px;
left: 0;
right: 0;
height: 2px;
background: var(--border-color);
z-index: 0;
}
.phase-item {
flex: 1;
text-align: center;
position: relative;
z-index: 1;
}
.phase-circle {
width: 40px;
height: 40px;
border-radius: 50%;
background: var(--bg-tertiary);
border: 2px solid var(--border-color);
margin: 0 auto 8px;
display: flex;
align-items: center;
justify-content: center;
font-weight: 700;
font-size: 14px;
}
.phase-item.completed .phase-circle {
background: var(--success);
border-color: var(--success);
color: white;
}
.phase-item.active .phase-circle {
background: var(--accent-primary);
border-color: var(--accent-primary);
color: white;
animation: pulse 2s infinite;
}
@keyframes pulse {
0%, 100% { box-shadow: 0 0 0 0 rgba(88, 166, 255, 0.7); }
50% { box-shadow: 0 0 0 10px rgba(88, 166, 255, 0); }
}
.phase-label {
font-size: 11px;
color: var(--text-secondary);
font-weight: 600;
}
.phase-item.completed .phase-label,
.phase-item.active .phase-label {
color: var(--text-primary);
}
/* Metrics */
.metrics-grid {
display: grid;
grid-template-columns: repeat(auto-fit, minmax(150px, 1fr));
gap: 16px;
margin-bottom: 24px;
}
.metric-card {
background-color: var(--bg-tertiary);
border: 1px solid var(--border-color);
border-radius: 6px;
padding: 16px;
text-align: center;
}
.metric-label {
font-size: 11px;
color: var(--text-secondary);
text-transform: uppercase;
letter-spacing: 0.5px;
margin-bottom: 8px;
}
.metric-value {
font-size: 24px;
font-weight: 700;
color: var(--text-primary);
}
.metric-value.danger {
color: var(--danger);
}
.metric-value.warning {
color: var(--warning);
}
.metric-value.success {
color: var(--success);
}
/* Responsive */
@media (max-width: 768px) {
.header-content {
flex-direction: column;
align-items: flex-start;
}
.info-grid {
grid-template-columns: 1fr;
}
.phase-progress {
flex-direction: column;
align-items: flex-start;
}
.phase-progress::before {
display: none;
}
.phase-item {
display: flex;
align-items: center;
gap: 12px;
margin-bottom: 16px;
}
.phase-circle {
margin: 0;
}
}
</style>
</head>
<body>
<div class="header">
<div class="header-content">
<div class="header-left">
<h1>
<span class="status-badge sev-1">SEV-1</span>
INC-2024-047 - Tentativo Ransomware
</h1>
<div class="breadcrumb">
<a href="dashboard.html">Dashboard NIS2</a> /
<a href="incident-dashboard.html">Gestione Incidenti</a> /
INC-2024-047
</div>
</div>
<div class="header-right">
<button class="btn" onclick="exportIncident()">📄 Esporta</button>
<button class="btn" onclick="updateIncident()">✏️ Modifica</button>
<button class="btn btn-primary" onclick="addAction()"> Aggiungi Azione</button>
<button class="btn btn-success" onclick="changePhase()">▶️ Avanza Fase</button>
</div>
</div>
</div>
<div class="container">
<!-- Alert Notifica CSIRT -->
<div class="alert-box warning">
<div class="alert-title">
⏰ Scadenza Notifica CSIRT
</div>
<div class="alert-content">
<strong>Preallarme da inviare entro:</strong> 2024-03-07 08:15 (rimangono 18 ore)<br>
<strong>Notifica completa da inviare entro:</strong> 2024-03-09 08:15 (72 ore)<br>
<button class="btn btn-primary" style="margin-top: 12px;" onclick="window.location.href='incident-notification.html?id=INC-2024-047'">
Gestisci Notifica CSIRT
</button>
</div>
</div>
<!-- Info Cards -->
<div class="info-grid">
<div class="info-card">
<div class="info-label">Data/Ora Rilevazione</div>
<div class="info-value">2024-03-06 08:15</div>
</div>
<div class="info-card">
<div class="info-label">Stato Attuale</div>
<div class="info-value"><span class="status-badge status-contenuto">Contenuto</span></div>
</div>
<div class="info-card">
<div class="info-label">Severità</div>
<div class="info-value"><span class="status-badge sev-1">SEV-1 Critico</span></div>
</div>
<div class="info-card">
<div class="info-label">Classificazione NIS2</div>
<div class="info-value">IS-2</div>
</div>
<div class="info-card">
<div class="info-label">Responsabile</div>
<div class="info-value">CISO</div>
</div>
<div class="info-card">
<div class="info-label">Team Attivo</div>
<div class="info-value">Crisis Team</div>
</div>
</div>
<!-- Phase Progress -->
<div class="phase-progress">
<div class="phase-item completed">
<div class="phase-circle"></div>
<div class="phase-label">Rilevazione</div>
</div>
<div class="phase-item completed">
<div class="phase-circle"></div>
<div class="phase-label">Triage</div>
</div>
<div class="phase-item active">
<div class="phase-circle">3</div>
<div class="phase-label">Contenimento</div>
</div>
<div class="phase-item">
<div class="phase-circle">4</div>
<div class="phase-label">Eradicazione</div>
</div>
<div class="phase-item">
<div class="phase-circle">5</div>
<div class="phase-label">Ripristino</div>
</div>
<div class="phase-item">
<div class="phase-circle">6</div>
<div class="phase-label">Lesson Learned</div>
</div>
</div>
<!-- Metrics -->
<div class="metrics-grid">
<div class="metric-card">
<div class="metric-label">TTD (Time to Detect)</div>
<div class="metric-value success">0.5h</div>
</div>
<div class="metric-card">
<div class="metric-label">TTC (Time to Contain)</div>
<div class="metric-value success">2.2h</div>
</div>
<div class="metric-card">
<div class="metric-label">Tempo Gestione</div>
<div class="metric-value">26h 45m</div>
</div>
<div class="metric-card">
<div class="metric-label">Sistemi Impattati</div>
<div class="metric-value warning">3</div>
</div>
<div class="metric-card">
<div class="metric-label">Utenti Impattati</div>
<div class="metric-value warning">45</div>
</div>
<div class="metric-card">
<div class="metric-label">Azioni Registrate</div>
<div class="metric-value">18</div>
</div>
</div>
<!-- Tabs -->
<div class="tabs">
<button class="tab active" onclick="showTab('overview')">Panoramica</button>
<button class="tab" onclick="showTab('timeline')">Timeline Azioni</button>
<button class="tab" onclick="showTab('systems')">Sistemi e Dati</button>
<button class="tab" onclick="showTab('containment')">Contenimento</button>
<button class="tab" onclick="showTab('communications')">Comunicazioni</button>
<button class="tab" onclick="showTab('evidence')">Evidenze</button>
</div>
<!-- Overview Section -->
<div class="section active" id="section-overview">
<div class="section-header">
<div class="section-title">
Panoramica Incidente
<span class="help-icon">?
<div class="tooltip">
<div class="tooltip-title">HELP DELLA SEZIONE</div>
Riepilogo completo dell'incidente con informazioni chiave, classificazione, impatto e stato corrente della gestione.
</div>
</span>
</div>
</div>
<h3 style="font-size: 16px; font-weight: 600; margin-bottom: 16px;">Descrizione</h3>
<p style="color: var(--text-secondary); margin-bottom: 24px; line-height: 1.6;">
Alle ore 08:15 del 06/03/2024, l'EDR ha rilevato un tentativo di esecuzione di ransomware sul server ERP-PROD-01 (HW-SRV-001).
Il malware è stato identificato come variante di <strong>BlackCat/ALPHV</strong>. L'EDR ha bloccato automaticamente l'esecuzione
e messo in quarantena il file malevolo. Il server è stato immediatamente isolato dalla rete come misura precauzionale.
<br><br>
L'analisi preliminare indica che il vettore di ingresso è stato un allegato email di phishing ricevuto da un account utente
amministrativo. Le credenziali dell'utente erano state precedentemente compromesse in un attacco di credential stuffing.
</p>
<h3 style="font-size: 16px; font-weight: 600; margin-bottom: 16px;">Classificazione e Impatto</h3>
<table class="data-table" style="margin-bottom: 24px;">
<tr>
<th style="width: 200px;">Parametro</th>
<th>Valore</th>
</tr>
<tr>
<td><strong>Severità</strong></td>
<td><span class="status-badge sev-1">SEV-1 Critico</span></td>
</tr>
<tr>
<td><strong>Classificazione NIS2</strong></td>
<td><strong>IS-2</strong> - Impatto su integrità/riservatezza dati</td>
</tr>
<tr>
<td><strong>Categoria MITRE ATT&CK</strong></td>
<td>Impact (Ransomware)</td>
</tr>
<tr>
<td><strong>Vettore di Attacco</strong></td>
<td>Phishing → Credential Compromise → Ransomware</td>
</tr>
<tr>
<td><strong>Impatto</strong></td>
<td>
<span style="display: inline-block; padding: 4px 8px; background: rgba(248, 81, 73, 0.2); border-radius: 3px; margin-right: 8px;">Disponibilità</span>
<span style="display: inline-block; padding: 4px 8px; background: rgba(248, 81, 73, 0.2); border-radius: 3px;">Integrità</span>
</td>
</tr>
<tr>
<td><strong>Root Cause</strong></td>
<td>Credenziali compromesse + Phishing</td>
</tr>
<tr>
<td><strong>Notifica CSIRT</strong></td>
<td><span style="color: var(--warning); font-weight: 600;">⏳ Preallarme da inviare</span></td>
</tr>
<tr>
<td><strong>Notifica Garante Privacy</strong></td>
<td><span style="color: var(--text-secondary);">❌ Non richiesta (nessun dato esfiltrato)</span></td>
</tr>
</table>
<h3 style="font-size: 16px; font-weight: 600; margin-bottom: 16px;">Sistemi e Servizi Impattati</h3>
<table class="data-table">
<thead>
<tr>
<th>Codice Asset</th>
<th>Tipo</th>
<th>Nome</th>
<th>Stato</th>
<th>Azioni</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>HW-SRV-001</strong></td>
<td>Server Fisico</td>
<td>ERP-PROD-01</td>
<td><span style="color: var(--warning);">🔒 Isolato</span></td>
<td>Sistema primario compromesso</td>
</tr>
<tr>
<td><strong>SW-ERP-001</strong></td>
<td>Applicazione</td>
<td>SAP ERP</td>
<td><span style="color: var(--danger);">⏸️ Offline</span></td>
<td>Servizio interrotto preventivamente</td>
</tr>
<tr>
<td><strong>HW-SRV-002</strong></td>
<td>Server Backup</td>
<td>ERP-BACKUP-01</td>
<td><span style="color: var(--success);">✅ Integro</span></td>
<td>Backup immutabile verificato</td>
</tr>
</tbody>
</table>
</div>
<!-- Timeline Section -->
<div class="section" id="section-timeline">
<div class="section-header">
<div class="section-title">
Timeline Completa Azioni
<span class="help-icon">?
<div class="tooltip">
<div class="tooltip-title">HELP DELLA SEZIONE</div>
Registro cronologico completo di tutte le azioni effettuate durante la gestione dell'incidente. Ogni azione è tracciata con timestamp, responsabile e dettagli.
</div>
</span>
</div>
<button class="btn btn-primary" onclick="addAction()"> Aggiungi Azione</button>
</div>
<div class="timeline">
<div class="timeline-item critical">
<div class="timeline-time">2024-03-06 08:15:23</div>
<div class="timeline-content">
<strong>🚨 INCIDENTE RILEVATO</strong><br>
EDR ha rilevato tentativo esecuzione ransomware BlackCat/ALPHV su server ERP-PROD-01.
File malevolo bloccato e messo in quarantena automaticamente.
</div>
<div class="timeline-user">Sistema EDR (Automatico)</div>
</div>
<div class="timeline-item">
<div class="timeline-time">2024-03-06 08:17:45</div>
<div class="timeline-content">
<strong>Alert SOC</strong><br>
Analista SOC riceve alert critico e avvia procedura incident response SEV-1.
</div>
<div class="timeline-user">Analista SOC - M. Bianchi</div>
</div>
<div class="timeline-item critical">
<div class="timeline-time">2024-03-06 08:22:10</div>
<div class="timeline-content">
<strong>CONTENIMENTO IMMEDIATO</strong><br>
Server ERP-PROD-01 isolato dalla rete. Tutte le connessioni di rete disabilitate.
Servizio ERP offline preventivamente.
</div>
<div class="timeline-user">System Admin - G. Rossi</div>
</div>
<div class="timeline-item">
<div class="timeline-time">2024-03-06 08:25:00</div>
<div class="timeline-content">
<strong>Escalation Crisis Team</strong><br>
CISO notificato. Crisis Team attivato. Convocata call di emergenza.
</div>
<div class="timeline-user">SOC Lead - L. Verdi</div>
</div>
<div class="timeline-item">
<div class="timeline-time">2024-03-06 08:35:12</div>
<div class="timeline-content">
<strong>Preservazione Evidenze</strong><br>
Creato snapshot completo del server. Dump memoria RAM acquisito.
Log di sistema e EDR copiati su storage forense.
</div>
<div class="timeline-user">Forensics Team - A. Neri</div>
</div>
<div class="timeline-item">
<div class="timeline-time">2024-03-06 09:10:30</div>
<div class="timeline-content">
<strong>Analisi Vettore di Attacco</strong><br>
Identificato vettore: email phishing ricevuta da utente admin (m.ferrari@azienda.it)
alle 07:45. Allegato ZIP contenente payload ransomware. Credenziali utente compromesse
in precedente attacco credential stuffing (non rilevato).
</div>
<div class="timeline-user">CISO - P. Lombardi</div>
</div>
<div class="timeline-item">
<div class="timeline-time">2024-03-06 09:30:00</div>
<div class="timeline-content">
<strong>Blocco Account Compromesso</strong><br>
Account m.ferrari@azienda.it disabilitato. Tutte le sessioni attive revocate.
Reset password forzato. MFA abilitato obbligatoriamente.
</div>
<div class="timeline-user">System Admin - G. Rossi</div>
</div>
<div class="timeline-item">
<div class="timeline-time">2024-03-06 10:15:00</div>
<div class="timeline-content">
<strong>Verifica Estensione Compromissione</strong><br>
Scansione completa rete aziendale. Nessun altro sistema compromesso rilevato.
Malware non si è propagato. Contenimento efficace.
</div>
<div class="timeline-user">SOC Team</div>
</div>
<div class="timeline-item success">
<div class="timeline-time">2024-03-06 10:45:00</div>
<div class="timeline-content">
<strong>✅ CONTENIMENTO CONFERMATO</strong><br>
Minaccia contenuta con successo. Nessuna crittografia dati avvenuta.
Nessuna esfiltrazione rilevata. Incidente limitato a singolo server.
<br><strong>TTC (Time to Contain): 2.2 ore</strong>
</div>
<div class="timeline-user">CISO - P. Lombardi</div>
</div>
<div class="timeline-item">
<div class="timeline-time">2024-03-06 11:30:00</div>
<div class="timeline-content">
<strong>Comunicazione Interna</strong><br>
Direzione informata. Responsabili Divisione notificati.
Comunicazione a utenti: servizio ERP temporaneamente offline per manutenzione straordinaria.
</div>
<div class="timeline-user">CISO - P. Lombardi</div>
</div>
<div class="timeline-item">
<div class="timeline-time">2024-03-06 14:30:00</div>
<div class="timeline-content">
<strong>📡 Preallarme CSIRT Preparato</strong><br>
Documentazione preallarme CSIRT Italia completata. In attesa approvazione Direzione per invio.
</div>
<div class="timeline-user">CISO - P. Lombardi</div>
</div>
<div class="timeline-item">
<div class="timeline-time">2024-03-06 16:00:00</div>
<div class="timeline-content">
<strong>Analisi Forense Preliminare</strong><br>
Identificato malware: BlackCat/ALPHV variant 2.0.
IoC estratti e condivisi con CSIRT. Nessun dato esfiltrato confermato.
Tentativo crittografia bloccato in fase iniziale.
</div>
<div class="timeline-user">Forensics Team - A. Neri</div>
</div>
<div class="timeline-item">
<div class="timeline-time">2024-03-07 09:00:00</div>
<div class="timeline-content">
<strong>Inizio Eradicazione</strong><br>
Avviata rimozione completa malware. Pulizia sistema. Verifica assenza persistenza.
Pianificazione ripristino da backup immutabile.
</div>
<div class="timeline-user">System Admin - G. Rossi</div>
</div>
</div>
</div>
<!-- Systems Section -->
<div class="section" id="section-systems">
<div class="section-header">
<div class="section-title">
Sistemi e Dati Impattati
<span class="help-icon">?
<div class="tooltip">
<div class="tooltip-title">HELP DELLA SEZIONE</div>
Dettaglio completo di tutti i sistemi, asset, dati e servizi coinvolti nell'incidente. Include valutazione impatto e stato corrente.
</div>
</span>
</div>
</div>
<h3 style="font-size: 16px; font-weight: 600; margin-bottom: 16px;">Asset Impattati</h3>
<table class="data-table" style="margin-bottom: 32px;">
<thead>
<tr>
<th>Codice</th>
<th>Tipo</th>
<th>Nome/Descrizione</th>
<th>Rilevanza NIS2</th>
<th>Punteggio</th>
<th>Stato</th>
<th>Impatto</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>HW-SRV-001</strong></td>
<td>Server Fisico</td>
<td>ERP-PROD-01 - Server ERP Principale</td>
<td><span style="color: var(--success); font-weight: 600;">SI</span></td>
<td><strong>91</strong></td>
<td><span style="color: var(--warning);">🔒 Isolato</span></td>
<td>Compromissione tentata, bloccata da EDR</td>
</tr>
<tr>
<td><strong>SW-ERP-001</strong></td>
<td>Applicazione</td>
<td>SAP ERP Sistema Gestionale</td>
<td><span style="color: var(--success); font-weight: 600;">SI</span></td>
<td><strong>88</strong></td>
<td><span style="color: var(--danger);">⏸️ Offline</span></td>
<td>Servizio interrotto preventivamente</td>
</tr>
<tr>
<td><strong>ACC-ADMIN-042</strong></td>
<td>Account Utente</td>
<td>m.ferrari@azienda.it (Admin)</td>
<td>-</td>
<td>-</td>
<td><span style="color: var(--danger);">🚫 Disabilitato</span></td>
<td>Credenziali compromesse, vettore iniziale</td>
</tr>
</tbody>
</table>
<h3 style="font-size: 16px; font-weight: 600; margin-bottom: 16px;">Dati Coinvolti</h3>
<table class="data-table" style="margin-bottom: 32px;">
<thead>
<tr>
<th>Tipologia Dati</th>
<th>Classificazione</th>
<th>Volume Stimato</th>
<th>Stato</th>
<th>Note</th>
</tr>
</thead>
<tbody>
<tr>
<td>Dati Aziendali ERP</td>
<td><span style="color: var(--danger); font-weight: 600;">Critico</span></td>
<td>~2.5 TB</td>
<td><span style="color: var(--success);">✅ Integri</span></td>
<td>Nessuna crittografia avvenuta, backup verificato</td>
</tr>
<tr>
<td>Dati Personali Dipendenti</td>
<td><span style="color: var(--warning); font-weight: 600;">Riservato</span></td>
<td>~450 record</td>
<td><span style="color: var(--success);">✅ Integri</span></td>
<td>Nessuna esfiltrazione rilevata</td>
</tr>
<tr>
<td>Credenziali Utente</td>
<td><span style="color: var(--warning); font-weight: 600;">Riservato</span></td>
<td>1 account</td>
<td><span style="color: var(--danger);">❌ Compromesso</span></td>
<td>Account disabilitato, password reset forzato</td>
</tr>
</tbody>
</table>
<h3 style="font-size: 16px; font-weight: 600; margin-bottom: 16px;">Servizi Impattati</h3>
<table class="data-table">
<thead>
<tr>
<th>Codice Servizio</th>
<th>Nome Servizio</th>
<th>Rilevanza NIS2</th>
<th>Stato</th>
<th>Utenti Impattati</th>
<th>Downtime</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>SRV-ERP-001</strong></td>
<td>Sistema Gestionale ERP</td>
<td><span style="color: var(--success); font-weight: 600;">SI</span></td>
<td><span style="color: var(--danger);">⏸️ Offline</span></td>
<td>45 utenti interni</td>
<td>26h 45m (in corso)</td>
</tr>
<tr>
<td><strong>SRV-FIN-001</strong></td>
<td>Modulo Finanziario</td>
<td><span style="color: var(--success); font-weight: 600;">SI</span></td>
<td><span style="color: var(--danger);">⏸️ Offline</span></td>
<td>12 utenti interni</td>
<td>26h 45m (in corso)</td>
</tr>
</tbody>
</table>
</div>
<!-- Containment Section -->
<div class="section" id="section-containment">
<div class="section-header">
<div class="section-title">
Azioni di Contenimento ed Eradicazione
<span class="help-icon">?
<div class="tooltip">
<div class="tooltip-title">HELP DELLA SEZIONE</div>
Documentazione completa delle azioni di contenimento immediato e eradicazione della minaccia. Include checklist, evidenze e verifiche effettuate.
</div>
</span>
</div>
</div>
<div class="alert-box info" style="margin-bottom: 24px;">
<div class="alert-title">✅ Contenimento Completato</div>
<div class="alert-content">
Minaccia contenuta con successo in <strong>2.2 ore</strong> dalla rilevazione.
Nessuna crittografia dati avvenuta. Nessuna esfiltrazione rilevata.
Incidente limitato a singolo server. Attualmente in fase di eradicazione.
</div>
</div>
<h3 style="font-size: 16px; font-weight: 600; margin-bottom: 16px;">Checklist Contenimento Immediato</h3>
<table class="data-table" style="margin-bottom: 32px;">
<thead>
<tr>
<th style="width: 50px;">Stato</th>
<th>Azione</th>
<th>Timestamp</th>
<th>Responsabile</th>
<th>Note</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: center;"><span style="color: var(--success); font-size: 20px;"></span></td>
<td>Sistema compromesso isolato dalla rete</td>
<td>2024-03-06 08:22</td>
<td>G. Rossi</td>
<td>Tutte le interfacce di rete disabilitate</td>
</tr>
<tr>
<td style="text-align: center;"><span style="color: var(--success); font-size: 20px;"></span></td>
<td>Account compromessi bloccati</td>
<td>2024-03-06 09:30</td>
<td>G. Rossi</td>
<td>Account m.ferrari@azienda.it disabilitato</td>
</tr>
<tr>
<td style="text-align: center;"><span style="color: var(--success); font-size: 20px;"></span></td>
<td>IP/domini malevoli bloccati su firewall</td>
<td>2024-03-06 09:45</td>
<td>L. Verdi</td>
<td>3 IP C2 bloccati, 2 domini in blacklist</td>
</tr>
<tr>
<td style="text-align: center;"><span style="color: var(--success); font-size: 20px;"></span></td>
<td>Evidenze preservate</td>
<td>2024-03-06 08:35</td>
<td>A. Neri</td>
<td>Snapshot, dump RAM, log acquisiti</td>
</tr>
<tr>
<td style="text-align: center;"><span style="color: var(--success); font-size: 20px;"></span></td>
<td>Monitoraggio intensivo attivato</td>
<td>2024-03-06 10:00</td>
<td>SOC Team</td>
<td>Scansione completa rete, nessun altro sistema compromesso</td>
</tr>
<tr>
<td style="text-align: center;"><span style="color: var(--success); font-size: 20px;"></span></td>
<td>Crisis Team notificato</td>
<td>2024-03-06 08:25</td>
<td>L. Verdi</td>
<td>Call emergenza convocata, CISO e Direzione informati</td>
</tr>
<tr>
<td style="text-align: center;"><span style="color: var(--success); font-size: 20px;"></span></td>
<td>Direzione informata</td>
<td>2024-03-06 11:30</td>
<td>P. Lombardi</td>
<td>Report completo fornito a CdA</td>
</tr>
</tbody>
</table>
<h3 style="font-size: 16px; font-weight: 600; margin-bottom: 16px;">Eradicazione in Corso</h3>
<div class="action-log">
<div class="action-log-header">
<div class="action-log-time">2024-03-07 09:00</div>
<div class="action-log-user">System Admin - G. Rossi</div>
</div>
<div class="action-log-content">
<strong>Rimozione Malware</strong><br>
File malevolo rimosso da quarantena EDR. Scansione completa filesystem con 3 antimalware diversi.
Nessun residuo rilevato. Verifica hash file sistema contro baseline.
</div>
</div>
<div class="action-log">
<div class="action-log-header">
<div class="action-log-time">2024-03-07 11:30</div>
<div class="action-log-user">Forensics Team - A. Neri</div>
</div>
<div class="action-log-content">
<strong>Verifica Assenza Persistenza</strong><br>
Analisi chiavi registro, task schedulati, servizi, startup. Nessun meccanismo di persistenza rilevato.
Malware non ha avuto tempo di installarsi prima del blocco EDR.
</div>
</div>
<div class="action-log">
<div class="action-log-header">
<div class="action-log-time">2024-03-07 14:00</div>
<div class="action-log-user">System Admin - G. Rossi</div>
</div>
<div class="action-log-content">
<strong>Hardening Sistema</strong><br>
Applicati ultimi security patch. Configurazione hardened secondo baseline CIS.
Disabilitati protocolli legacy. Abilitato logging avanzato.
Configurazione EDR rafforzata con regole custom anti-ransomware.
</div>
</div>
<div class="alert-box warning">
<div class="alert-title">⏳ Prossima Fase: Ripristino</div>
<div class="alert-content">
Completata eradicazione. Sistema pronto per ripristino.
Pianificato ripristino da backup immutabile verificato.
<br><br>
<button class="btn btn-primary" onclick="window.location.href='incident-recovery.html?id=INC-2024-047'">
Avvia Processo di Ripristino
</button>
</div>
</div>
</div>
<!-- Communications Section -->
<div class="section" id="section-communications">
<div class="section-header">
<div class="section-title">
Comunicazioni e Notifiche
<span class="help-icon">?
<div class="tooltip">
<div class="tooltip-title">HELP DELLA SEZIONE</div>
Registro completo di tutte le comunicazioni effettuate: interne, CSIRT, Garante Privacy, utenti, fornitori. Include tracking scadenze notifiche obbligatorie.
</div>
</span>
</div>
<button class="btn btn-primary" onclick="window.location.href='incident-notification.html?id=INC-2024-047'">
Gestisci Notifica CSIRT
</button>
</div>
<h3 style="font-size: 16px; font-weight: 600; margin-bottom: 16px;">Notifiche Obbligatorie</h3>
<table class="data-table" style="margin-bottom: 32px;">
<thead>
<tr>
<th>Destinatario</th>
<th>Tipo Notifica</th>
<th>Scadenza</th>
<th>Stato</th>
<th>Azioni</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>CSIRT Italia</strong></td>
<td>Preallarme (24h)</td>
<td>2024-03-07 08:15</td>
<td><span style="color: var(--warning); font-weight: 600;">⏳ Da inviare (18h rimaste)</span></td>
<td>
<button class="btn btn-danger" onclick="sendPrealert()">Invia Ora</button>
</td>
</tr>
<tr>
<td><strong>CSIRT Italia</strong></td>
<td>Notifica Completa (72h)</td>
<td>2024-03-09 08:15</td>
<td><span style="color: var(--text-secondary);">⏸️ In attesa preallarme</span></td>
<td>-</td>
</tr>
<tr>
<td><strong>CSIRT Italia</strong></td>
<td>Relazione Finale (1 mese)</td>
<td>2024-04-09</td>
<td><span style="color: var(--text-secondary);">⏸️ In attesa notifica completa</span></td>
<td>-</td>
</tr>
<tr>
<td><strong>Garante Privacy</strong></td>
<td>Data Breach (72h)</td>
<td>-</td>
<td><span style="color: var(--success);">✅ Non richiesta</span></td>
<td>Nessun dato personale esfiltrato</td>
</tr>
</tbody>
</table>
<h3 style="font-size: 16px; font-weight: 600; margin-bottom: 16px;">Comunicazioni Interne</h3>
<div class="action-log">
<div class="action-log-header">
<div class="action-log-time">2024-03-06 08:25</div>
<div class="action-log-user">CISO → Crisis Team</div>
</div>
<div class="action-log-content">
<strong>Attivazione Crisis Team</strong><br>
Email + call di emergenza. Convocati: CISO, Direzione, Responsabili IT, Legale, Comunicazione.
Briefing situazione e attivazione procedura SEV-1.
</div>
</div>
<div class="action-log">
<div class="action-log-header">
<div class="action-log-time">2024-03-06 11:30</div>
<div class="action-log-user">CISO → Direzione</div>
</div>
<div class="action-log-content">
<strong>Report Direzione</strong><br>
Report completo incidente fornito a CdA. Situazione sotto controllo, minaccia contenuta,
nessun danno permanente. Servizio ERP offline preventivamente, ripristino pianificato entro 48h.
</div>
</div>
<div class="action-log">
<div class="action-log-header">
<div class="action-log-time">2024-03-06 12:00</div>
<div class="action-log-user">Comunicazione → Utenti Interni</div>
</div>
<div class="action-log-content">
<strong>Comunicazione Utenti</strong><br>
Email a tutti gli utenti ERP: "Servizio ERP temporaneamente offline per manutenzione straordinaria urgente.
Previsto ripristino entro 48 ore. Ci scusiamo per il disagio."
</div>
</div>
<h3 style="font-size: 16px; font-weight: 600; margin-bottom: 16px;">Comunicazioni Esterne</h3>
<p style="color: var(--text-secondary); font-size: 13px;">
Nessuna comunicazione esterna necessaria. Incidente contenuto internamente senza impatto su clienti o partner.
</p>
</div>
<!-- Evidence Section -->
<div class="section" id="section-evidence">
<div class="section-header">
<div class="section-title">
Evidenze e Documentazione Forense
<span class="help-icon">?
<div class="tooltip">
<div class="tooltip-title">HELP DELLA SEZIONE</div>
Raccolta e catalogazione di tutte le evidenze forensi acquisite durante l'incidente. Include file, log, snapshot, IoC e analisi tecniche.
</div>
</span>
</div>
</div>
<h3 style="font-size: 16px; font-weight: 600; margin-bottom: 16px;">Evidenze Acquisite</h3>
<table class="data-table" style="margin-bottom: 32px;">
<thead>
<tr>
<th>Tipo Evidenza</th>
<th>Descrizione</th>
<th>Data/Ora Acquisizione</th>
<th>Hash SHA-256</th>
<th>Dimensione</th>
<th>Azioni</th>
</tr>
</thead>
<tbody>
<tr>
<td>Snapshot VM</td>
<td>Snapshot completo server ERP-PROD-01</td>
<td>2024-03-06 08:35</td>
<td><code style="font-size: 10px;">a3f5...8d2c</code></td>
<td>2.5 TB</td>
<td><button class="btn" onclick="viewEvidence('snapshot')">Dettagli</button></td>
</tr>
<tr>
<td>Memory Dump</td>
<td>Dump RAM completo</td>
<td>2024-03-06 08:40</td>
<td><code style="font-size: 10px;">b7e2...4f1a</code></td>
<td>32 GB</td>
<td><button class="btn" onclick="viewEvidence('memory')">Dettagli</button></td>
</tr>
<tr>
<td>Malware Sample</td>
<td>File ransomware in quarantena</td>
<td>2024-03-06 08:15</td>
<td><code style="font-size: 10px;">c9d4...7e3b</code></td>
<td>2.4 MB</td>
<td><button class="btn" onclick="viewEvidence('malware')">Dettagli</button></td>
</tr>
<tr>
<td>Log EDR</td>
<td>Log completi EDR 06/03 07:00-10:00</td>
<td>2024-03-06 10:00</td>
<td><code style="font-size: 10px;">d1a8...9c5f</code></td>
<td>450 MB</td>
<td><button class="btn" onclick="viewEvidence('edr-log')">Dettagli</button></td>
</tr>
<tr>
<td>Log Sistema</td>
<td>Event Log Windows ERP-PROD-01</td>
<td>2024-03-06 10:00</td>
<td><code style="font-size: 10px;">e2b9...1d6a</code></td>
<td>120 MB</td>
<td><button class="btn" onclick="viewEvidence('sys-log')">Dettagli</button></td>
</tr>
<tr>
<td>Email Phishing</td>
<td>Email originale con allegato malevolo</td>
<td>2024-03-06 09:15</td>
<td><code style="font-size: 10px;">f3c1...2e7d</code></td>
<td>3.2 MB</td>
<td><button class="btn" onclick="viewEvidence('email')">Dettagli</button></td>
</tr>
</tbody>
</table>
<h3 style="font-size: 16px; font-weight: 600; margin-bottom: 16px;">Indicatori di Compromissione (IoC)</h3>
<table class="data-table" style="margin-bottom: 32px;">
<thead>
<tr>
<th>Tipo IoC</th>
<th>Valore</th>
<th>Descrizione</th>
<th>Azioni</th>
</tr>
</thead>
<tbody>
<tr>
<td>File Hash</td>
<td><code style="font-size: 11px;">c9d4a7e3b2f1...</code></td>
<td>Hash SHA-256 file ransomware</td>
<td><button class="btn" onclick="shareIoC('hash')">Condividi CSIRT</button></td>
</tr>
<tr>
<td>IP C2</td>
<td><code>185.220.101.47</code></td>
<td>Server Command & Control</td>
<td><button class="btn" onclick="shareIoC('ip1')">Condividi CSIRT</button></td>
</tr>
<tr>
<td>IP C2</td>
<td><code>91.219.236.232</code></td>
<td>Server Command & Control (backup)</td>
<td><button class="btn" onclick="shareIoC('ip2')">Condividi CSIRT</button></td>
</tr>
<tr>
<td>Dominio</td>
<td><code>blackcat-ransom[.]onion</code></td>
<td>Portale pagamento riscatto</td>
<td><button class="btn" onclick="shareIoC('domain1')">Condividi CSIRT</button></td>
</tr>
<tr>
<td>Email</td>
<td><code>invoice@fake-supplier[.]com</code></td>
<td>Mittente email phishing</td>
<td><button class="btn" onclick="shareIoC('email')">Condividi CSIRT</button></td>
</tr>
</tbody>
</table>
<h3 style="font-size: 16px; font-weight: 600; margin-bottom: 16px;">Analisi Forense</h3>
<div class="action-log">
<div class="action-log-header">
<div class="action-log-time">2024-03-06 16:00</div>
<div class="action-log-user">Forensics Team - A. Neri</div>
</div>
<div class="action-log-content">
<strong>Report Analisi Malware</strong><br>
<strong>Famiglia:</strong> BlackCat/ALPHV<br>
<strong>Variante:</strong> 2.0 (Rust-based)<br>
<strong>Comportamento:</strong> Ransomware con doppia estorsione (crittografia + esfiltrazione)<br>
<strong>Vettore:</strong> Dropper via email phishing<br>
<strong>Persistenza:</strong> Non installata (bloccato in fase iniziale)<br>
<strong>Comunicazione C2:</strong> Tentata ma bloccata da firewall<br>
<strong>Crittografia:</strong> Non avvenuta (EDR ha bloccato prima dell'esecuzione)<br>
<strong>Esfiltrazione:</strong> Non rilevata<br>
<br>
<strong>Conclusione:</strong> Attacco bloccato in fase molto precoce. Nessun danno effettivo.
EDR efficace nel contenimento. Credenziali compromesse erano il punto debole.
</div>
</div>
<div class="alert-box info">
<div class="alert-title">📤 Condivisione IoC</div>
<div class="alert-content">
Gli indicatori di compromissione sono stati condivisi con CSIRT Italia per supportare
la threat intelligence nazionale. IoC inseriti in blacklist firewall e SIEM.
</div>
</div>
</div>
</div>
<script>
function showTab(tabName) {
// Nascondi tutte le sezioni
document.querySelectorAll('.section').forEach(section => {
section.classList.remove('active');
});
// Rimuovi active da tutti i tab
document.querySelectorAll('.tab').forEach(tab => {
tab.classList.remove('active');
});
// Mostra la sezione selezionata
document.getElementById('section-' + tabName).classList.add('active');
// Attiva il tab selezionato
event.target.classList.add('active');
}
function exportIncident() {
const tooltip = document.createElement('div');
tooltip.style.cssText = `
position: fixed;
top: 50%;
left: 50%;
transform: translate(-50%, -50%);
background: var(--bg-secondary);
border: 1px solid var(--border-color);
border-radius: 8px;
padding: 24px;
box-shadow: 0 8px 24px rgba(0,0,0,0.5);
z-index: 10000;
max-width: 500px;
`;
tooltip.innerHTML = `
<h3 style="margin-bottom: 16px; color: var(--text-primary);">📄 Export Documentazione Incidente</h3>
<p style="color: var(--text-secondary); margin-bottom: 16px; font-size: 13px;">
Esportazione completa documentazione INC-2024-047
</p>
<div style="background: var(--bg-tertiary); padding: 16px; border-radius: 4px; margin-bottom: 16px; font-family: monospace; font-size: 12px;">
📄 INC-2024-047_Report_Completo.pdf<br>
📄 INC-2024-047_Timeline.xlsx<br>
📄 INC-2024-047_Evidenze_Forensi.zip<br>
📄 INC-2024-047_IoC_List.csv<br>
📄 INC-2024-047_Comunicazioni.pdf
</div>
<button onclick="this.parentElement.remove()" style="width: 100%; padding: 10px; background: var(--accent-primary); border: none; border-radius: 6px; color: white; font-weight: 600; cursor: pointer;">
Chiudi
</button>
`;
document.body.appendChild(tooltip);
}
function updateIncident() {
alert('Funzione di modifica incidente. Permette di aggiornare i dati dell\'incidente.');
}
function addAction() {
const tooltip = document.createElement('div');
tooltip.style.cssText = `
position: fixed;
top: 50%;
left: 50%;
transform: translate(-50%, -50%);
background: var(--bg-secondary);
border: 2px solid var(--border-color);
border-radius: 8px;
padding: 24px;
box-shadow: 0 8px 24px rgba(0,0,0,0.5);
z-index: 10000;
max-width: 600px;
width: 90%;
`;
tooltip.innerHTML = `
<h3 style="margin-bottom: 16px; color: var(--text-primary);"> Aggiungi Azione Timeline</h3>
<div style="margin-bottom: 16px;">
<label style="display: block; font-size: 13px; font-weight: 600; margin-bottom: 8px; color: var(--text-primary);">Data/Ora</label>
<input type="datetime-local" style="width: 100%; padding: 10px; background: var(--bg-tertiary); border: 1px solid var(--border-color); border-radius: 6px; color: var(--text-primary);">
</div>
<div style="margin-bottom: 16px;">
<label style="display: block; font-size: 13px; font-weight: 600; margin-bottom: 8px; color: var(--text-primary);">Responsabile</label>
<input type="text" placeholder="Nome responsabile" style="width: 100%; padding: 10px; background: var(--bg-tertiary); border: 1px solid var(--border-color); border-radius: 6px; color: var(--text-primary);">
</div>
<div style="margin-bottom: 16px;">
<label style="display: block; font-size: 13px; font-weight: 600; margin-bottom: 8px; color: var(--text-primary);">Descrizione Azione</label>
<textarea style="width: 100%; padding: 10px; background: var(--bg-tertiary); border: 1px solid var(--border-color); border-radius: 6px; color: var(--text-primary); min-height: 100px;" placeholder="Descrivi l'azione effettuata..."></textarea>
</div>
<div style="display: flex; gap: 12px;">
<button onclick="this.parentElement.parentElement.remove()" style="flex: 1; padding: 10px; background: var(--bg-tertiary); border: 1px solid var(--border-color); border-radius: 6px; color: var(--text-primary); font-weight: 600; cursor: pointer;">
Annulla
</button>
<button onclick="alert('Azione aggiunta alla timeline'); this.parentElement.parentElement.remove();" style="flex: 1; padding: 10px; background: var(--accent-primary); border: none; border-radius: 6px; color: white; font-weight: 600; cursor: pointer;">
Salva Azione
</button>
</div>
`;
document.body.appendChild(tooltip);
}
function changePhase() {
const tooltip = document.createElement('div');
tooltip.style.cssText = `
position: fixed;
top: 50%;
left: 50%;
transform: translate(-50%, -50%);
background: var(--bg-secondary);
border: 2px solid var(--success);
border-radius: 8px;
padding: 24px;
box-shadow: 0 8px 24px rgba(0,0,0,0.5);
z-index: 10000;
max-width: 500px;
`;
tooltip.innerHTML = `
<h3 style="margin-bottom: 16px; color: var(--success);">▶️ Avanza Fase Gestione</h3>
<p style="color: var(--text-secondary); margin-bottom: 16px; font-size: 13px;">
Fase corrente: <strong style="color: var(--text-primary);">Contenimento</strong><br>
Prossima fase: <strong style="color: var(--success);">Eradicazione</strong>
</p>
<div style="background: var(--bg-tertiary); padding: 16px; border-radius: 6px; margin-bottom: 16px;">
<p style="font-size: 13px; color: var(--text-secondary); margin-bottom: 12px;">
<strong style="color: var(--text-primary);">Verifiche richieste:</strong>
</p>
<ul style="font-size: 13px; color: var(--text-secondary); margin-left: 20px;">
<li>Contenimento completato e verificato</li>
<li>Nessuna propagazione rilevata</li>
<li>Evidenze preservate</li>
<li>Root cause identificata</li>
</ul>
</div>
<div style="display: flex; gap: 12px;">
<button onclick="this.parentElement.remove()" style="flex: 1; padding: 10px; background: var(--bg-tertiary); border: 1px solid var(--border-color); border-radius: 6px; color: var(--text-primary); font-weight: 600; cursor: pointer;">
Annulla
</button>
<button onclick="alert('Fase avanzata a: Eradicazione'); this.parentElement.remove(); location.reload();" style="flex: 1; padding: 10px; background: var(--success); border: none; border-radius: 6px; color: white; font-weight: 600; cursor: pointer;">
Conferma Avanzamento
</button>
</div>
`;
document.body.appendChild(tooltip);
}
function sendPrealert() {
window.location.href = 'incident-notification.html?id=INC-2024-047&action=prealert';
}
function viewEvidence(type) {
const evidenceDetails = {
'snapshot': {
title: 'Snapshot VM ERP-PROD-01',
content: `
<strong>Tipo:</strong> Snapshot VMware completo<br>
<strong>Data acquisizione:</strong> 2024-03-06 08:35:12<br>
<strong>Dimensione:</strong> 2.5 TB<br>
<strong>Hash SHA-256:</strong> a3f5d7c2e9b1f4a8d6c3e7b2f5a9d8c4e1b7f3a6d9c2e5b8f1a4d7c3e6b9f2a5<br>
<strong>Percorso storage:</strong> /forensics/INC-2024-047/snapshot_20240306_0835.vmdk<br>
<strong>Integrità:</strong> ✅ Verificata<br>
<strong>Chain of Custody:</strong> A. Neri → Storage Forense (accesso limitato)
`
},
'memory': {
title: 'Memory Dump RAM',
content: `
<strong>Tipo:</strong> Dump completo RAM<br>
<strong>Data acquisizione:</strong> 2024-03-06 08:40:33<br>
<strong>Dimensione:</strong> 32 GB<br>
<strong>Hash SHA-256:</strong> b7e2f9a4c1d8e5b3f7a2d9c6e4b1f8a5d3c7e2b9f6a4d1c8e5b3f7a2d9c6e4b1<br>
<strong>Tool utilizzato:</strong> WinPmem<br>
<strong>Analisi:</strong> Volatility Framework<br>
<strong>Artefatti rilevati:</strong> Processo malevolo (PID 4532), connessioni C2 tentate
`
},
'malware': {
title: 'Sample Malware Ransomware',
content: `
<strong>Tipo:</strong> Eseguibile PE32<br>
<strong>Famiglia:</strong> BlackCat/ALPHV<br>
<strong>Hash SHA-256:</strong> c9d4a7e3b2f1d8c5e9a6f3b7d2c8e4a1f9b5d3c7e2a8f6b4d1c9e5a3f7b2d8c6<br>
<strong>Dimensione:</strong> 2.4 MB<br>
<strong>Linguaggio:</strong> Rust<br>
<strong>Comportamento:</strong> Ransomware con doppia estorsione<br>
<strong>VirusTotal:</strong> 58/70 detection<br>
<strong>Storage:</strong> Quarantena sicura, password-protected
`
},
'edr-log': {
title: 'Log EDR Completi',
content: `
<strong>Periodo:</strong> 2024-03-06 07:00 - 10:00<br>
<strong>Eventi totali:</strong> 12,847<br>
<strong>Eventi critici:</strong> 23<br>
<strong>Formato:</strong> JSON + SYSLOG<br>
<strong>Dimensione:</strong> 450 MB<br>
<strong>Alert principali:</strong><br>
- 08:15:23 - Ransomware execution blocked<br>
- 08:15:24 - File quarantined<br>
- 08:15:25 - Process terminated (PID 4532)
`
},
'sys-log': {
title: 'Event Log Windows',
content: `
<strong>Sistema:</strong> ERP-PROD-01 (Windows Server 2019)<br>
<strong>Log acquisiti:</strong> Security, System, Application<br>
<strong>Periodo:</strong> 2024-03-06 00:00 - 12:00<br>
<strong>Dimensione:</strong> 120 MB<br>
<strong>Eventi rilevanti:</strong><br>
- 08:14:52 - Logon account m.ferrari (Event ID 4624)<br>
- 08:15:20 - Process creation suspicious (Event ID 4688)<br>
- 08:15:23 - EDR intervention (Event ID 1102)
`
},
'email': {
title: 'Email Phishing Originale',
content: `
<strong>Mittente:</strong> invoice@fake-supplier[.]com<br>
<strong>Destinatario:</strong> m.ferrari@azienda.it<br>
<strong>Oggetto:</strong> "Fattura urgente - Pagamento scaduto"<br>
<strong>Data ricezione:</strong> 2024-03-06 07:45:12<br>
<strong>Allegato:</strong> invoice_2024_03_06.zip (2.4 MB)<br>
<strong>Contenuto ZIP:</strong> invoice.exe (ransomware dropper)<br>
<strong>Headers:</strong> SPF fail, DKIM fail<br>
<strong>Analisi:</strong> Phishing mirato, social engineering
`
}
};
const detail = evidenceDetails[type];
const tooltip = document.createElement('div');
tooltip.style.cssText = `
position: fixed;
top: 50%;
left: 50%;
transform: translate(-50%, -50%);
background: var(--bg-secondary);
border: 1px solid var(--border-color);
border-radius: 8px;
padding: 24px;
box-shadow: 0 8px 24px rgba(0,0,0,0.5);
z-index: 10000;
max-width: 600px;
width: 90%;
`;
tooltip.innerHTML = `
<h3 style="margin-bottom: 16px; color: var(--text-primary);">🔍 ${detail.title}</h3>
<div style="background: var(--bg-tertiary); padding: 16px; border-radius: 6px; margin-bottom: 16px; font-size: 13px; line-height: 1.8;">
${detail.content}
</div>
<button onclick="this.parentElement.remove()" style="width: 100%; padding: 10px; background: var(--accent-primary); border: none; border-radius: 6px; color: white; font-weight: 600; cursor: pointer;">
Chiudi
</button>
`;
document.body.appendChild(tooltip);
}
function shareIoC(type) {
alert('IoC condiviso con CSIRT Italia tramite portale dedicato. Inserito in blacklist firewall e SIEM.');
}
</script>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink