Case Management

Case management is streamlined to speed up investigations, provide proactive incident response and facilitate process compliance, making it easier to close more security alerts in less time. This lets your security team focus on high-priority security events while low-priority events are dealt with automatically. It is a means to analyze data connected to specific events and incidents to ensure that threats do not slip through, which further helps to decrease response time and increase overall security and efficiency.

Analyze incidents in real time

Analysts can access a single record view to dynamically analyze and interact with all the concurrent connections that were accessed by the particular compromised user. This facilitates easier compliance and quick response to security events as soon as they are detected or identified.

Standardization and compliance

Workflow-driven case management ensures that analysts are working with the right data at all times and are able to follow the correct incident response processes for any use case quickly and intuitively.

Interactive case management

Users can easily research, assess and perform additional investigations from within each individual case without leaving the DNIF platform to search in third-party systems.

Reduce Investigation Effort and Increase Threat Recognition

A summarized view of the incident details makes it easier for a security professional to understand the context and the actions that should be taken. Security teams are better equipped to dynamically defend the organization's technical infrastructure while avoiding becoming overburdened and exhausted by an increasing number of real-time security incidents.

Reduce mean-time-to-resolution

Mean time to resolution denotes the average time required to troubleshoot and repair an issue. A low mean time to resolution indicates that an entity or service can be repaired quickly and, consequently, that any IT issues associated with it will probably have a reduced impact on the business.

How to view Cases?

  • Click the Cases icon on the left navigation bar of the Home screen. The following screen is displayed.


The top section of the cases listing page displays the following:

  • Severity: Displays the count of cases under each severity level (High, Medium, Low).
  • Status: Displays the count of cases in each status (Open Assigned, Open Unassigned, Closed).
  • Top Handlers: Displays the count and names of the top handlers.
  • Oldest open case: Displays the oldest open case and the duration for which it has been open.
  • Mean time to resolution: Displays the average duration of closed cases.
  • Open cases age: Displays the average duration of open cases.
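The header metrics listed above (and the mean-time-to-resolution definition earlier on this page), recomputed from case records as an added example written for this article, not DNIF code; the Case fields, the sample cases and the fixed reference time are constructed assumptions:

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Case:
    name: str
    severity: str            # "High", "Medium" or "Low"
    handler: Optional[str]   # None: open and unassigned
    opened: datetime
    closed: Optional[datetime] = None  # None: still open

def _mean(deltas):
    # average of a list of timedeltas; None when the list is empty
    return sum(deltas, timedelta()) / len(deltas) if deltas else None

def case_summary(cases, now):
    open_cases = [c for c in cases if c.closed is None]
    closed_cases = [c for c in cases if c.closed is not None]
    oldest = min(open_cases, key=lambda c: c.opened, default=None)
    return {
        "severity": dict(Counter(c.severity for c in cases)),
        "status": {
            "Open Assigned": sum(1 for c in open_cases if c.handler),
            "Open Unassigned": sum(1 for c in open_cases if not c.handler),
            "Closed": len(closed_cases),
        },
        # handlers ranked by the number of cases they own
        "top_handlers": Counter(c.handler for c in cases if c.handler).most_common(),
        "oldest_open_case": (oldest.name, now - oldest.opened) if oldest else None,
        # MTTR: average open-to-close duration of closed cases
        "mean_time_to_resolution": _mean([c.closed - c.opened for c in closed_cases]),
        # average age of cases that are still open
        "open_cases_age": _mean([now - c.opened for c in open_cases]),
    }

# Constructed sample data (hypothetical cases, not from a real deployment)
NOW = datetime(2024, 1, 10, 12, 0)
SAMPLE_CASES = [
    Case("Brute force on VPN", "High", "alice", datetime(2024, 1, 1, 12, 0), datetime(2024, 1, 3, 12, 0)),
    Case("Impossible travel login", "Medium", "bob", datetime(2024, 1, 5, 12, 0), datetime(2024, 1, 6, 12, 0)),
    Case("Lateral movement from host", "High", "alice", datetime(2024, 1, 8, 12, 0)),
    Case("Unusual DNS volume", "Low", None, datetime(2024, 1, 9, 12, 0)),
]

def summarize_sample():
    return case_summary(SAMPLE_CASES, NOW)
```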

Global Cases displays a list of all the cases across all Clusters.

The Cases screen displays the details of each case. Click the dropdown above the grid to filter cases as follows:

  • Assigned to me: Lists cases that are assigned to the logged-in user.
  • Open: Lists all open cases.
  • Closed: Lists all closed cases.

The listing page includes the following details in the grid:

  • Case Name: Displays the case name.
  • Severity: Displays the severity level of the case.
  • Artifacts: Displays the list of suspects.
  • Signals / Risk Score: Displays the number of signals raised and the risk score assigned to this case.
  • Status: Displays whether the case is open or closed.
  • Handler: Displays the name of the user investigating this case.

  • On the cases list page, click a particular case to view the details of all the signals assigned to that case.


  • This screen displays a summary of all the signals and artifacts associated with the selected case.

    • Signals: All the potential threats assigned to the selected case are displayed, with the following details:

      • Name of the signal
      • Date and time of the signal
      • Technique and tactic of the signal
      • Target / Suspect host IP address
      • Graphical view of signals
    • Artifacts: Artifacts are the evidence gathered against the potential threats, i.e. the suspects that should be investigated.

  • For example, in this scenario the screen displays the signals and artifacts that are part of the graph; multiple systems are suspected of targeting this one system.

You will be able to identify the following from the graph:

  • The targets
  • The suspects
  • Compromised users
  • All the concurrent connections that were accessed by the particular compromised user
  • The different anomalies detected, e.g. authentication anomalies or user location anomalies


  • Click the Artifacts tab to view the list of suspects associated with the case. For further investigation, refer to the Investigate Anywhere doc.


  • Click the Responses tab to view the list of suspects associated with the case and the responders associated with the entity.


  • The top bar of the cases screen displays the case name, handler name, severity level and status of the individual case. You can also update these details as required by clicking the existing value.
    Example: To edit the case name, click the existing case name, and so on.

Killchain view

The kill chain model maps mainly to MITRE ATT&CK techniques and tactics and helps us understand the sequence of events involved in an attack on the network. The purpose of the model is to better understand the stages an attacker must have gone through to conduct an attack, and to help security teams stop an attack at each stage. Understanding the kill chain model can help IT security teams put strategies and technologies in place to “kill” or contain the attack at various stages and secure the IT ecosystem.


Notes

Notes is a secure communications tool built for teams to communicate with other team members without navigating away from DNIF. You can also use Notes to transfer files, screenshots, etc. to other team members for assistance, thus reducing the time spent solving problems and making this a proactive, seamless user experience.


How to create a new case?

  • Click the Signals icon on the left navigation bar of the Home screen. The following screen is displayed.


  • Every signal can have cases assigned to it. Select the case icon against the particular signal, and the screen below is displayed.


  • Click the plus icon to create a new case, or click the icon next to an existing case to add this signal to that case.


The above screen is displayed when adding a new case. Enter the following details:

  • Name: Enter a case name.
  • Severity: Enter a severity level for the signal.
  • Handler: Click and select the handler/user who will investigate the case from the dropdown.


  • Enter the above details and click Save. The case is listed and assigned to this particular signal.

A signal can be assigned to multiple cases.
