Cases enable you to regroup your investigation findings across multiple perimeters, alerts and analysts and share your results with your end-users in an efficient manner.
You can either create a new case from an existing alert or add alerts to an existing case.
The listing page lists all the cases across your community. They can be listed following multiple filters:
- Status (open or closed cases)
- Assigned to or Created by
- Tags associated
You can also sort your cases depending on:
- Last edition (default)
- Creation date
- Priority (
Create a case
To create a new case, you can:
- Open the Cases page
- Click on
- Provide a title and a description (mandatory fields)
- Select an assignee
- Define a priority
- Add tags if needed
- Click on
Edit a case
To edit a case, you just have to click on a case and reach the
edit button available on the details view.
The case must be open in order to be edited.
The Case details page contains multiple elements.
In the header, you can find the name of the case, the person that created it, the last edition date, a tag with the case ID that you can easily copy by clicking on it, the priority and the status.
The different sections of the page are then separated into 5 tabs:
The Details tab contains basic information about the case:
- Authors, the community, and the dates of creation and edition of the case
- A description of the case that uses Markdown to enable you to format your text
- A timeline displaying comments
The Alerts tab contains a list of alerts that were added to the case.
To add alerts to a case, you can either:
- Use the
Add alertsbutton on this tab
- Use the
Add to casebutton on the detailed page of any alert
To add multiple alerts to a case, we recommend you copy the ID of your case in the case details page, then paste it into the modal that shows up after clicking on the
Add to case modal.
The Tasks tab allows you to manage tasks and subtasks associated with the case.
The Events tab lists the events that are associated with the case in a display similar to the Events page.
Events associated with the case are:
- Events that raised an alert that was added to the case.
- Events that were directly added to the case.
When interacting with individual values, it is possible to:
- Filter for: only applies to the events associated with the case
- Filter out: only applies to the events associated with the case
- Search events with this value
Value Selection mode can be toggled with the button at the top right of the event list to select multiple values in displayed events. The selected values can then be used to:
- Create a Sigma Rule
- Search events with these values
Search Events with this value
The "Search Events with this value" feature can be used to perform a search into all events that occurred during the case's timeframe (+- 1 hour).
The search query is automatically created from selected values.
To search events with a value:
- On the
casepage, go to
- Click on
Toggle value selectionbutton in the upper right of the logs list
valuesyou want to search for by clicking on them in the logs list
- Click on the button
Perform a searchas shown in the screenshot
A side panel opens with the search results, allowing you to investigate a case without leaving the page.
The Graph Investigation Tab is presenting the analyst with a graphical visualization of the Case.
The following items appear on the graph:
Observables: these are automatically extracted from events (IP addresses, Domain Names, URLs, User Account, etc.)
Observable Relationships: relationships between observables are represented by arrows linking them on the graph. Relationships are extracted from events using the Smart Description definitions
CTI Objects: STIX objects from the Intelligence Center that provide additional context
STIX relationshipsbetween Threat Objects
All changes performed inside the Graph Investigation are temporary. A new graph is generated at each visit based on the list of events associated with the case.
You can access Threat Intelligence by clicking on any CTI object on the graph. The left panel will display its description and lists all known relationships. Related objects can then be added to the graph to pivot into the Threat Intelligence database.
You can access Observable Details by clicking on any Observable on the graph. The left panel will display all events inside the alert related to this observable, with their “Smart Description”. Full Events can be accessed in the right side panel by clicking on "Full Events". It is also possible to Search events with this value by clicking on the button next to the name of the observable.