Cases facilitate a more seamless Logpoint SIEM and SOAR workflow and allow you and your team to work collaboratively on SOAR automated threat investigations.
Alerts generate SIEM incidents. If an incident triggers an automated workflow (a playbook), a case is created automatically. Each case represents one or more incidents that together make up a potential attack. A case is a series of events; each event corresponds to an individual action within a playbook. Using cases helps you and your team track and understand what happened over the course of an automated investigation.
Go to Investigation >> Cases from the navigation bar to open the Cases page.
Cases List
The list is an overview of all of your organization's cases. Click a column title to sort the list in ascending or descending order by:
Owner
Severity
Status
Created date
Last modified date
Enter criteria in Search to find specific cases or use Created from and Created to to search by date.
Cases can have dedicated owners, the individuals who manage a case. If you have the right permissions, you can assign a case to yourself or to someone else, and you can reassign a case to a new owner.
All cases are marked with their potential severity. The severity level is derived from the case's severity score:
Low: 0 - 30
Medium: 31 - 60
High: 61 - 80
Critical: 81 - 100
You can sort the case list according to severity level.