Cases

Create Cases & Case Templates - Manage Security Events

Overview

A Case provides analysts the ability to group events together that may be linked to an incident. It also provides the ability for analysts to add notes, search event observables, create and track tasks, and provide a history of all actions related to the investigation. Cases are used to escalate potentially suspicious Events to your clients for further investigation.

Creating Cases

There are two ways to create a Case in Case-Hub: from the "Cases" page or directly from the "Event Queue" page:

From Event-Queue Page (Event-Card)

  1. Navigate to the "Event Queue" page from the dashboard, then identify and select the event for which you want to create a Case.

  2. Click the "briefcase icon" located in the bottom left of the Event card, underneath the observables. This opens the case creation wizard.

  3. Enter the necessary case details, such as Name, Case Template (if needed), Owner, Description, TLP, and Severity.

    Note: Enabling the "Generate Event Rule" option auto-generates a rule based on the selected event observables. This is not recommended.

  4. Click "Create".

From Cases Page

  1. Navigate to the "Cases" page from the dashboard.

  2. Click the "New Case" button. This opens the case creation wizard.

  3. Enter the necessary case details, such as Name, Case Template (if needed), Owner, Description, TLP, and Severity.

  4. Click "Create".

  5. With this method, you must then merge all the relevant events into the newly created Case (see "Merging Events into a Case" below).

Merging Events into a Case

  1. Navigate to the "Event Queue" page from the dashboard.

  2. Identify and select all the relevant events you want to merge into an existing Case.

  3. Click the "# Events" dropdown located at the top left of the Events section and choose "Merge into Case".

  4. Choose the existing Case you want to merge into from the dropdown and click "Merge".
