Manage Cases
Quick Summary
Cases are the management unit for security threats in Chronicle SOAR. Cases
have all the required ticketing capabilities and much more to support
management use cases in the SOC.
Cases can be viewed and managed from the
Cases Queue. It is also possible to search for Cases in the Search screen.
Overview
When data is ingested into Chronicle SOAR (usually in a form of security
alerts or events) it is wrapped inside a Case for management purposes
(tracking activity, incident response etc).
A Case will always include at
least one alert (or more if Siemplify applies grouping). Each alert contains
both the original raw data coming from the data source and the objects
Chronicle SOAR extracted based on it (Entities, enrichment etc).
The grouping of alerts is performed automatically by Chronicle SOAR regardless of the source of each alert to allow better contextual understanding of a threat.
Security analysts then can:
- Understand the threat presented by the case
- Review the case graph for more context (via the Explore button)
- Review enrichment collected manually or with automation
- Review the tasks performed on the case (with Case Wall)
- Manage the case as a ticket (close, re-open, merge, tag, track history, report and more)
- Run actions and playbooks on the alerts in the case
Example
Let’s read a case and close it.
- Navigate to Cases, click the + sign above the cases queue and select Simulate Cases.
- Select the Zero to Hero case and click Create.
-
Choose an Environment from the drop-down list and click Simulate.
- Click on the Email case in your queue.
- To assign the case – select a team or a user from the dropdown on the right side of the Case Top Bar (in this case, assign it to yourself).
- The Case Wall tab has now a new entry that shows that the case was reassigned.
-
Go back to the Case Overview tab and check out the:
- Name and time of the alert
- A list of Entities Highlights are displayed. Entities marked in red are suspicious.
- We found malicious activity in the case – let’s mark it as an incident from the Case Actions menu on the right (this will also adjust the priority of the case).
-
Playbooks are attached to alerts. To view a playbook, click on one of the
Alerts in the case (remember, you might have several alerts).
- Click on the steps of the playbook to see more info about the actions.
- Assuming you handled the threat with success, close the case by clicking Close Case button on top and then filling out the reasons in the dialog box.