Case management overview

Alerts generate SIEM incidents. If an incident triggers an automated workflow (playbook), a SOAR-based case is created automatically. Each case represents one or more incidents that together make up a potential attack. A case is a series of events on a timeline, where each event corresponds to an individual action the playbook performed.

Using cases helps you and your team track and understand what happened through the course of an investigation and automated response.

How it works

  • A case is created when an incident triggers an automated workflow (playbook).

  • A case contains a timeline of events. Each event reflects an action within the playbook.

  • Event details show the playbook’s action data and can be used as an audit log.

  • A case includes artifacts (external references or resources a playbook uses or accesses). Artifacts can be generated automatically and can also be added manually.

  • Cases are categorized by type: Threat or Risk.

  • Each case has an owner (the individual managing the case).

  • Cases are marked by severity based on a severity score.

Key components

Case type

A case type is a label given to a case to help organize and prioritize it based on the nature, urgency, or impact of the incidents it contains. You can assign a Threat or Risk type to a case; Threat is the default.

Severity

Cases are assigned a severity band based on their severity score (0–100):

  • Low (0–30)

  • Medium (31–60)

  • High (61–80)

  • Critical (81–100)

Artifacts

Artifacts are the external references or resources a playbook uses or accesses. Out-of-the-box artifact types include:

  • Domain

  • Email

  • File

  • Generic Text

  • Host

  • IP Address

  • Hash Values
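The following is an added example, not Logpoint code or its extraction rules: it shows one way the artifact types listed above, the automatic generation of artifacts from playbook action data, the manual addition of an artifact, and the severity bands in the previous section fit together in a case record. The event dictionaries, the regular-expression heuristics (including the small TLD list), and the action names are constructed assumptions for this example; a real deployment would take the artifact list from the playbook's own output rather than from free text.

```python
import re
from dataclasses import dataclass

# The out-of-the-box artifact types named on the page.
ARTIFACT_TYPES = ("Domain", "Email", "File", "Generic Text", "Host",
                  "IP Address", "Hash Values")

# Severity bands from the page: inclusive upper bound -> label.
SEVERITY_BANDS = ((30, "Low"), (60, "Medium"), (80, "High"), (100, "Critical"))


@dataclass(frozen=True)
class Artifact:
    type: str     # one of ARTIFACT_TYPES
    value: str
    source: str   # playbook action (or analyst) that produced it, for the audit trail

    def __post_init__(self) -> None:
        if self.type not in ARTIFACT_TYPES:
            raise ValueError(f"unknown artifact type {self.type!r}")


# Pattern heuristics are assumptions of this example, not Logpoint's rules.
_IPV4 = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
_EMAIL = re.compile(r"\b[\w.+-]+@(?:[\w-]+\.)+[A-Za-z]{2,}\b")
# md5 (32), sha1 (40) or sha256 (64) hex digests; longest alternative first.
_HASH = re.compile(r"\b(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b")
# Windows (C:\...) or POSIX (/...) absolute paths without whitespace.
_FILE = re.compile(r"(?:[A-Za-z]:\\|/)[^\s\"']+")
# Dotted names ending in a small, assumed TLD set so the example stays offline.
_DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|io|info|xyz)\b", re.I)


def severity_label(score: int) -> str:
    """Map a 0-100 severity score to the band named on the page."""
    if isinstance(score, bool) or not isinstance(score, int) or not 0 <= score <= 100:
        raise ValueError(f"severity score must be an integer in 0..100, got {score!r}")
    for upper, label in SEVERITY_BANDS:
        if score <= upper:
            return label
    raise AssertionError("unreachable: bands cover 0..100")


def extract_artifacts(event: dict) -> list:
    """Derive typed artifacts from one timeline event.

    `event` is a constructed dict: 'action' (str), 'data' (free text the
    action produced) and optionally 'host' (the endpoint acted on).
    """
    action, text = event["action"], event.get("data", "")
    found: list = []

    def add(atype: str, value: str) -> None:
        art = Artifact(atype, value, action)
        if art not in found:                      # de-duplicate within the event
            found.append(art)

    if event.get("host"):
        add("Host", event["host"])
    # Blank out files, then emails, so "invoice.exe" and the mailbox's domain
    # are not reported a second time as Domain artifacts.
    for m in _FILE.findall(text):
        add("File", m)
    text = _FILE.sub(" ", text)
    for m in _EMAIL.findall(text):
        add("Email", m.lower())
    text = _EMAIL.sub(" ", text)
    for m in _HASH.findall(text):
        add("Hash Values", m.lower())
    for m in _IPV4.findall(text):
        add("IP Address", m)
    for m in _DOMAIN.findall(text):
        add("Domain", m.lower())
    return found


def build_case(events: list, score: int, case_type: str = "Threat",
               manual_artifacts: tuple = ()) -> dict:
    """Assemble a case: timeline, merged artifacts (first source wins), type, severity."""
    if case_type not in ("Threat", "Risk"):
        raise ValueError("case type must be Threat or Risk")
    artifacts, seen = [], set()
    for art in [a for ev in events for a in extract_artifacts(ev)] + list(manual_artifacts):
        if (art.type, art.value) not in seen:
            seen.add((art.type, art.value))
            artifacts.append(art)
    return {"type": case_type, "severity": severity_label(score),
            "timeline": [ev["action"] for ev in events], "artifacts": artifacts}


SAMPLE_EVENTS = [  # constructed sample, not real playbook output
    {"action": "enrich_ip",
     "data": "Reputation lookup for 203.0.113.45 returned: known C2, ASN 64496"},
    {"action": "isolate_endpoint", "host": "ws-042",
     "data": "Isolated ws-042 after beacon to 203.0.113.45"},
    {"action": "quarantine_file", "host": "ws-042",
     "data": "Quarantined C:\\Users\\bob\\Downloads\\invoice.exe "
             "sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    {"action": "notify_user",
     "data": "Sent notice to Bob.Smith@example.com about login from evil.example.net"},
]

if __name__ == "__main__":
    case = build_case(SAMPLE_EVENTS, 85,
                      manual_artifacts=(Artifact("Generic Text", "ticket INC-0042", "analyst"),))
    print(case["type"], case["severity"], case["timeline"])
    for art in case["artifacts"]:
        print(f"{art.type:12} {art.value:45} from {art.source}")
```

The `source` field on each artifact is what makes the artifact list usable as an audit log: a reviewer can see which playbook action introduced an indicator and which ones were added by hand, and the case-level merge keeps the first action that produced a given value.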

Trigger event

A trigger event is the specific incident, alert, or series of incidents and/or alerts that triggered a playbook. Use the trigger event logs to see what caused a playbook to run.

MITRE

MITRE shows the incidents associated with a case together with their MITRE ATT&CK tactics and techniques. To learn more about Logpoint MITRE ATT&CK Coverage, go to MITRE.

Graph overview

Graph overview provides a visual representation of the connections among multiple events, incidents, and artifacts within a case.
