Work with cases
Alerts generate SIEM incidents. If an incident triggers an automated workflow (playbook), a SOAR-based case is automatically created. Each case represents one or more incidents that make up a potential attack. A case is a series of events on a timeline, where each event corresponds to an individual action within a playbook.
Using cases helps you and your team track and understand what happened through the course of an investigation and automated response.
Open and find cases
Open the Cases page using one of the following navigation paths:
Go to Investigation >> Cases.
In the SIEM navigation bar, go to Incidents Cases and click Cases.
Use the list to review your organization’s cases.
Sort the list by using the column titles (ascending or descending), including:
Owner
Severity
Status
Created date
Last Modified
Filter cases using the available filters, including:
Type
Owner
Severity
Status
Created
Last Modified
Use search to find specific cases:
Enter criteria in Search.
Use Created from and Created to to search by date.
(Optional) Click Reset View to clear sorting and filters.
Result: You can see a list of cases and narrow the list to the cases relevant to your investigation.
Work with the case timeline
Open a case.
Review the timeline of events on the left.
(Optional) For larger cases, scroll through the timeline.
(Optional) Find specific case events by using the search filters at the top of Event Details.
Click an event in the timeline.
Review the event’s details on the right.
Result: The selected event’s details are displayed, showing the playbook’s action data.
Change a case type
A case can be categorized as Threat or Risk (Threat is the default). Change the case type using the Status action block.
Click Playbooks in the navigation bar.
Find the playbook by filtering the list using Category or entering the Playbook Name.
Click the Status action block.
In Action, select Set Case Type.
In Type, select Threat or Risk.
Click Save Data.
Result: The case type is set to the selected value.
Assign or change a case owner
Open a case.
At the top of event details, use the owner field to select an owner from the drop-down.
To reassign the case, select a different owner from the drop-down.
Result: A new event is added to the case timeline recording who the owner is, or who the owner was changed to.
Add tags to a case
Open a case.
At the top of the case timeline, click + New Tag.
Enter the tag name.
Press Enter.
Result: The tag is added to the case.
Note: The case list contains case tags, but you can’t use the tags column to sort the list.
Add case comments
Open a case.
Go to the bottom of the case timeline.
Enter your comment.
Click Save.
Result: Your comment becomes part of the case timeline.
View case artifacts
Open the relevant case.
Select or click an event in the timeline.
Click Artifacts at the top.
(Optional) Use the Artifacts column headers to sort the artifacts in ascending or descending order.
Result: A list of artifacts for the selected case event is displayed.
Add an artifact manually
Open the relevant case.
Select or click an event in the timeline.
Click Artifacts at the top.
Next to the search field, click Add Artifact.
Select a type.
Add the relevant data and external reference or file.
Click Save.
Result: The artifact is added to the case event.
Add an artifact type
Add an artifact type that does not fall under the out-of-the-box artifact types.
Open a relevant case.
Click an event in the timeline.
Next to the search field, click Add Artifact.
In Add Artifact, go to Add New Artifact Type.
Enter the type’s name.
Click Add.
Result: The new type is added to the list.
Search trigger event data
Use trigger event logs to understand what triggered a playbook.
Open the Cases list:
Go to Investigation from the navigation bar and click Cases, or
Go to Incidents Cases and click Cases.
Search for the relevant case by applying filters or entering the case name.
In the case, click Trigger Event.
Click Query Incident Data.
Result: You are redirected to Logpoint Search.
Add search results to a case
Go to Investigation from the navigation bar and click Cases.
Click a case and click Trigger Event.
Click Query Incident Data (labeled Search in some documentation). You are redirected to Logpoint Search.
Enter one or more queries to drill down on the trigger event data.
Click Add Search To.
Click Case.
Result: The search results are added to the case.
Notes:
If a search has no values in its results, you can’t add it to a case.
Only 25 logs from a search can be saved to a case at a time.
Run a playbook from a case
When you run a playbook from the case or from an artifact, the run is added as an event to the case.
Open a case.
At the top right, click Run Playbook.
In the playbook list, find the relevant playbook.
(Optional) Filter the list using Tags and Category/Categories.
Click Run.
Enter the relevant playbook parameters. Input parameters correspond to Logpoint SIEM data; they define what SOAR retrieves from the SIEM and uses in the playbook.
Click Run Playbook.
Result: A new event is added to the case for the playbook run.
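The case model described on this page (a case grouping incidents, with a timeline of events, an owner, tags, artifacts, and playbook runs and search results appended as events) can be captured in a small data model. The following is an added example written for this page, not Logpoint code or its API: the class names, field names and the sample incident IDs, owners and log lines are all constructed. It enforces the documented rules that Threat is the default case type, that an owner change is recorded as a timeline event, that a search with no results cannot be added, and that at most 25 logs from one search are saved at a time.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Documented limits: 25 logs per search, case type Threat (default) or Risk.
MAX_LOGS_PER_SEARCH = 25
CASE_TYPES = ("Threat", "Risk")


@dataclass
class Artifact:
    artifact_type: str            # built-in or custom type name (assumed free text)
    value: str
    reference: Optional[str] = None   # external reference or file name


@dataclass
class CaseEvent:
    kind: str                     # "owner", "comment", "search", "playbook_run", ...
    summary: str
    data: dict = field(default_factory=dict)
    artifacts: list = field(default_factory=list)
    timestamp: datetime = field(default_factory=lambda: datetime.now(timezone.utc))


@dataclass
class Case:
    name: str
    incident_ids: list            # one or more SIEM incidents that make up the case
    case_type: str = "Threat"     # Threat is the documented default
    owner: Optional[str] = None
    tags: set = field(default_factory=set)
    timeline: list = field(default_factory=list)

    def _record(self, kind: str, summary: str, **data) -> CaseEvent:
        """Append an event to the timeline; every action on a case lands here."""
        event = CaseEvent(kind=kind, summary=summary, data=data)
        self.timeline.append(event)
        return event

    def set_type(self, case_type: str) -> None:
        if case_type not in CASE_TYPES:
            raise ValueError(f"case type must be one of {CASE_TYPES}")
        self.case_type = case_type

    def assign_owner(self, new_owner: str) -> CaseEvent:
        """Assigning or reassigning an owner adds an event detailing the change."""
        previous, self.owner = self.owner, new_owner
        summary = (f"Owner set to {new_owner}" if previous is None
                   else f"Owner changed from {previous} to {new_owner}")
        return self._record("owner", summary, previous=previous, owner=new_owner)

    def add_tag(self, tag: str) -> None:
        self.tags.add(tag)

    def add_comment(self, author: str, text: str) -> CaseEvent:
        return self._record("comment", f"Comment by {author}", text=text)

    def add_search_results(self, query: str, logs: list) -> int:
        """Attach search results; empty results are rejected, at most 25 logs saved."""
        if not logs:
            raise ValueError("a search with no results cannot be added to a case")
        saved = logs[:MAX_LOGS_PER_SEARCH]
        self._record("search", f"Search results added: {query}", query=query,
                     logs=saved, truncated=len(logs) > len(saved))
        return len(saved)

    def run_playbook(self, playbook: str, params: dict) -> CaseEvent:
        """A playbook run from the case is itself a timeline event."""
        return self._record("playbook_run", f"Playbook run: {playbook}",
                            playbook=playbook, params=dict(params))

    def add_artifact(self, event_index: int, artifact: Artifact) -> None:
        """Artifacts hang off a specific event, as in the Artifacts tab."""
        self.timeline[event_index].artifacts.append(artifact)

    def all_artifacts(self) -> list:
        return [a for ev in self.timeline for a in ev.artifacts]


def build_sample_case() -> Case:
    """Walk a constructed case through the actions described on this page."""
    case = Case(name="Suspicious logins", incident_ids=["inc-1001", "inc-1002"])
    case.assign_owner("analyst.a")                 # event 0
    case.assign_owner("analyst.b")                 # event 1: reassignment
    case.add_tag("credential-access")
    run = case.run_playbook("Enrich source IP", {"src_ip": "192.0.2.10"})  # event 2
    case.add_artifact(case.timeline.index(run),
                      Artifact("IP address", "192.0.2.10", reference="constructed"))
    # Constructed sample logs: 30 lines, of which only 25 may be saved.
    logs = [{"ts": f"2024-01-01T00:00:{i:02d}Z", "src_ip": "192.0.2.10",
             "msg": "constructed sample log"} for i in range(30)]
    case.add_search_results('src_ip="192.0.2.10"', logs)   # event 3
    return case


if __name__ == "__main__":
    sample = build_sample_case()
    for ev in sample.timeline:
        print(ev.kind, "|", ev.summary, "|", len(ev.artifacts), "artifact(s)")
```

The 25-log cap and the empty-result rejection are enforced at the point of attachment rather than left to the caller, which mirrors the behaviour the notes above describe and keeps the timeline an accurate record of what was actually saved.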
Respond to a prompt event
Respond to a playbook prompt action directly from a case timeline.
Go to the Cases list:
Go to Investigation from the navigation bar and click Cases, or
Go to Incidents Cases and click Cases.
Search for the case by applying filters or entering the case name.
Inside your case timeline, click Prompt.
In Prompt, type your response.
Click Continue and Yes.
Click Close.
Result: The playbook continues after the prompt is responded to.
Note: If you click Stop and No, the playbook stops.
Use graph overview
Graph overview provides a visual representation of the connections among multiple events, incidents, and artifacts within a case.
Open a case.
Open Graph Overview.
Arrange artifacts as needed.
To group artifacts, hold down Shift and click the artifacts you want to group.
Result: Artifacts are arranged and (optionally) grouped in graph overview.
Validation: After moving or arranging artifacts, refresh your session or log in again and confirm their positions stay the same.
Export a case as PDF
Open a case.
Click Generate PDF.
Result: The case details are exported in PDF.