What actions can you take on a case?
Mark as Important
When an analyst wants to highlight a case, they can mark it as important via the menu in the top right corner of the screen: > Mark as Important. A yellow triangle icon is then displayed next to the case. The analyst can also remove the Important tag from the same menu if required.
Incident
When a case is considered extremely crucial and needs immediate attention, the analyst can mark it as an incident. Raising an incident sets the case priority to critical, changes the case stage to Incident, assigns the case to the SOC Manager and a notification is sent to all analysts.
To mark a case that is assigned to you as an Incident:
- Click on the icon in the top right corner of the screen and select Incident.
- Click Yes in the Confirmation dialog box.
Stage
You can change a case stage if the case is assigned to you, based on your organization's case management methods.
- Select a case from the queue, then choose > Stage in the top right corner of the screen.
- Select a stage from the following:
- Triage - The default and initial phase of a case once it is created.
- Assessment - The case is assigned to the next tier for assessment.
- Investigation - The case is assigned for further investigation of the alerts and entities involved.
- Improvement - Mark the case as Improvement as a reminder to improve SOC rules, or for further investigation after the analysts have finished handling it.
- Research - The case is further researched for factors such as how the external entities got into your organization and so on.
- Incident - The last phase of the case, reached when it becomes crucial. After marking a case as an incident, you cannot revert or change it to any other stage.
- Click Save.
Priority
Google recommends changing the priority of an alert rather than the priority of a case as best practice. For more information, see here.
You can change the priority of a case based on the importance with which it must be handled.
- Select a case from the queue, then click > Priority in the top right corner of the screen.
- Select a priority from the following. Each priority is represented by a color:
- Informative (grey)
- Low (blue)
- Medium (yellow)
- High (orange)
- Critical (red)
- Click OK. The case priority is changed.
- You can also click the color directly on the left side of the top bar and change the priority from there.
Report
You can download a report as a .doc, .xlsx, or .csv file that contains the following information:
- Case details
- Alerts, entities and insights of the case
- User and system activities on the case
- Playbook actions and case activity
- Select a case from the queue, then click > Report in the top right corner of the screen.
- Select the file type from the drop-down menu, and then click Select.
- Open the downloaded document to see the results.