Chronicle SOAR ingests alerts from a variety of sources. Each alert is ingested with its underlying base security events. Those security events are analyzed and their indicators (sources, destinations, artifacts etc.) are extracted into objects. Those objects are called Entities. Each entity stored in the platform starts collecting data on it (comments, enrichment data, reports etc.) so analysts can review this history when handling future cases the entity appears in. The same entities are also placed on the canvas for the visual representation of the threat.

The Cases screen provides the analysts a way to investigate the incoming security alerts and safeguard workstations. Cases are generated by alerts from the SIEM platform. Further alerts linked to the same entities may be grouped to an existing case based on a flexible configuration. In addition, Analysts can create manual cases and simulated cases and ingest specific data. 

A list of cases that are ingested into the system from the various connectors appear in the Cases queue located on the left side of the screen. The Cases queue displays the cases with their basic details such as case name, case timestamp, case ID number (unique to a case), number of alerts associated with the case and a thumbnail picture of the analyst handling the case. The analyst can choose between the default view which displays all of the information, or the compact view, which displays the name, avatar of the assignee and the number of alerts.

The analyst can also navigate to another view, known as the List View, where all the cases can be viewed in a table format, enabling a bird's-eye view of all the cases to be worked on.

The Case Top Bar displays important identifying information as well as actions that can be performed on cases. The left side of the Case Top Bar displays the case’s title, id, priority, stage, timestamp, and manage tags feature. Any tags associated with the case are displayed here. The right side of the Case Top Bar displays the following features:  the analyst name or role, chat, Close Case, Refresh, and Explore and Actions Menu. For more information, see What’s on the Cases Screen?

The Case Overview tab displays information relevant to the case. The displayed information is based on widgets that can be configured by the Admin. For more information, see What’s on the Case Overview Tab? The Case Wall Tab is a case event log that contains all the case information since it was created until it is closed. For more information, see What’s on the Case Wall Tab?  Alerts attached to the case are displayed in the Alert Overview Tab. This tab displays crucial information and events associated with the case.

Playbooks are a defined set of actions that gather information about the alerts from internal and external sources and take appropriate decisions on how to proceed with them or conduct an operation on a remote system (i.e. blocking firewall port, disabling active directory user, etc.). Chronicle SOAR performs these actions automatically or semi automatically based on the playbook triggers upon any alert ingestion.

You can refresh the case queue items regularly, sort them as required, use filters to narrow your case queue items, add cases to the existing queue, and close cases.