Cases

Cases facilitate a seamless Logpoint SIEM and SOAR workflow and allow you and your team to work collaboratively on SOAR automated threat investigations.

Alerts generate SIEM incidents. If an incident triggers an automated workflow (a playbook), a case is created automatically. Each case represents one or more incidents that together make up a potential attack. A case is a series of events, where each event corresponds to an individual action within a playbook. Using cases, you and your team can track and understand what happened over the course of an investigation and automated response.

Overview

Go to Investigation >> Cases from the navigation bar to open the Cases page.

[Image: Case Management page]

Cases List

The list is an overview of all your organization’s cases. You can use the filters to filter cases according to:

  • Owner

  • Severity

  • Status

  • Created

  • Last Modified

When you sort the SOAR cases list or apply a filter, the list is saved with these changes even after you navigate away or log out. To reset the list, click Reset View.

[Image: Filtered Cases]

Ownership

Cases can have dedicated owners, individuals who manage a case. If you have the right permissions, you can assign a case to yourself or to someone else. You can also reassign a case to a new owner.

Severity

All cases are marked with their potential severity. Their level of severity depends on their severity score:

  • Low 0 - 30

  • Medium 31 - 60

  • High 61 - 80

  • Critical 81 - 100

You can sort the case list according to severity level.
