Blink's Automated Case Management
Important Terminology
Alerts - Incidents generated by 3rd party security systems or through custom detection workflows.
Observables - Fields of interest extracted from incoming alerts, such as an IP address, file hash, DNS name, user, or email address. Observables are used to identify and correlate related alerts and to measure the risk of an alert.
Cases - A collection of related alerts that are grouped together for investigation and response. Cases help analysts track and manage security incidents more efficiently.
Alert Ingestion - The process of receiving/ingesting alerts from 3rd party sources.
Alert Processing - The process of extracting data such as name, severity and observables from ingested alerts, then either creating a new case for the alert or appending the alert to an existing case.
Enrichment - The process of enriching observables with additional information from 3rd party sources. This may be threat intelligence used to score the risk of the observable (e.g. the DNS name www.evilabc.com is malicious), or simple context about the observable (e.g. user ‘John Smith’ works in R&D and reports to ‘Bob Shnider’).
Response - The process of investigating and taking action on the case. This can be automated or manual, for example isolating an infected device or automatically closing the case as a ‘False Positive’.
Case Management Automated Processes
Alert Ingestion
In the Alert Ingestion process, alerts are harvested from external systems, such as SIEMs (Security Information and Event Management) or other monitoring tools, in real time. This step collects raw alert data as soon as it is generated by the vendor. The primary action in this stage is to open an alert record, which stores the received payload for further processing. This is the starting point of the workflow where data enters the system.
Alert Processing
The Alert Processing phase extracts key observables from raw alert data using predefined templates in the Alert Templates Table. The system checks whether each alert has already been processed and flags unprocessed alerts for further attention, ensuring efficient and accurate data handling.
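The following is an added illustration of the Alert Processing step described above and in the terminology section: template-driven extraction of name, severity and observables, skipping alerts that were already processed, and creating a case or appending to an existing one that shares an observable. It is not Blink's code; the template layout, the dotted-path convention, the "first case sharing any observable" correlation rule and the sample alerts are all constructed assumptions.

```python
"""Added example of a minimal alert-processing stage (not Blink's code).

The template format, alert payloads and case-matching rule below are
assumptions constructed for illustration.
"""
from dataclasses import dataclass, field


# Constructed stand-in for an "Alert Templates Table": for each alert source,
# which payload fields carry the name, severity and observables.
# Observable locations are dotted paths into the raw payload (assumption).
ALERT_TEMPLATES = {
    "edr_vendor": {
        "name": "title",
        "severity": "sev",
        "observables": {"ip": "host.ip", "file_hash": "file.sha256", "user": "user.name"},
    },
    "mail_gateway": {
        "name": "subject",
        "severity": "severity",
        "observables": {"email": "sender", "dns": "links.0.domain"},
    },
}


@dataclass
class Alert:
    alert_id: str
    source: str
    payload: dict
    processed: bool = False      # set once the alert has been attached to a case


@dataclass
class Case:
    case_id: str
    name: str
    severity: str
    alert_ids: list = field(default_factory=list)
    observables: set = field(default_factory=set)   # set of (type, value) tuples


def get_path(payload, dotted):
    """Walk a dotted path such as "links.0.domain" through nested dicts and lists."""
    cur = payload
    for part in dotted.split("."):
        if isinstance(cur, list):
            idx = int(part)
            cur = cur[idx] if idx < len(cur) else None
        elif isinstance(cur, dict):
            cur = cur.get(part)
        else:
            return None
        if cur is None:
            return None
    return cur


def extract(alert):
    """Apply the source's template to the raw payload; returns (name, severity, observables)."""
    tpl = ALERT_TEMPLATES[alert.source]
    name = get_path(alert.payload, tpl["name"]) or alert.alert_id
    severity = str(get_path(alert.payload, tpl["severity"]) or "unknown").lower()
    observables = set()
    for obs_type, path in tpl["observables"].items():
        value = get_path(alert.payload, path)
        if value:
            # Normalise case so "JSmith" and "jsmith" correlate.
            observables.add((obs_type, str(value).lower()))
    return name, severity, observables


def process_alerts(alerts, cases=None):
    """Process unprocessed alerts only: open a new case or append to one sharing an observable."""
    cases = cases if cases is not None else []
    for alert in alerts:
        if alert.processed:
            continue                 # already handled in an earlier run
        name, severity, observables = extract(alert)
        # Correlation rule (assumption): the first case sharing any observable wins.
        match = next((c for c in cases if c.observables & observables), None)
        if match is None:
            match = Case(case_id=f"case-{len(cases) + 1}", name=name, severity=severity)
            cases.append(match)
        match.alert_ids.append(alert.alert_id)
        match.observables |= observables
        alert.processed = True
    return cases


# Constructed sample alerts (not real telemetry).
SAMPLE_ALERTS = [
    Alert("a1", "edr_vendor", {"title": "Suspicious binary", "sev": "High",
                               "host": {"ip": "10.0.0.5"}, "file": {"sha256": "ABCD"},
                               "user": {"name": "jsmith"}}),
    Alert("a2", "mail_gateway", {"subject": "Phishing link", "severity": "Medium",
                                 "sender": "jsmith@example.com",
                                 "links": [{"domain": "www.evilabc.com"}]}),
    Alert("a3", "edr_vendor", {"title": "Lateral movement", "sev": "High",
                               "host": {"ip": "10.0.0.9"}, "user": {"name": "JSmith"}}),
]

if __name__ == "__main__":
    for c in process_alerts(SAMPLE_ALERTS):
        print(c.case_id, c.name, sorted(c.alert_ids), sorted(c.observables))
```

With the constructed input, a1 and a3 land in one case because they share the user observable, while the mail-gateway alert opens a second case; running `process_alerts` again over the same list changes nothing, since every alert is now flagged as processed.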
Enrichments
The Enrichment process enriches observables and keeps their enrichment current. This phase is fully customizable for each customer, allowing adjustments based on their specific toolset and preferred enrichment methods. It consists of vendor-specific subflows, which can be selected or tailored per client.
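As an added illustration of the Enrichment stage (both the definition above and this section), the block below wires vendor-specific subflows into a registry keyed by observable type, caches each enrichment and refreshes it once it is older than a TTL, and rolls observable risk up into a case risk. It is not Blink's code: the subflow registry, the constructed threat-intelligence and directory lookups standing in for vendor APIs, the TTL and the "case risk = highest observable risk" rule are all assumptions.

```python
"""Added example of an enrichment stage with pluggable subflows (not Blink's code).

The registry, the constructed lookups, the TTL and the scoring rule are assumptions.
"""
import time

# Constructed threat-intel feed and HR directory standing in for vendor APIs.
FAKE_THREAT_INTEL = {"www.evilabc.com": 90, "198.51.100.7": 75}      # risk score 0-100
FAKE_DIRECTORY = {"jsmith": {"department": "R&D", "manager": "bshnider"}}

# Subflow registry: observable type -> function(value) -> enrichment dict.
# Swapping a vendor means registering a different function; nothing else changes.
SUBFLOWS = {}


def subflow(obs_type):
    """Decorator registering a vendor-specific enrichment for one observable type."""
    def register(fn):
        SUBFLOWS[obs_type] = fn
        return fn
    return register


@subflow("dns")
def enrich_dns(value):
    return {"risk": FAKE_THREAT_INTEL.get(value, 0)}


@subflow("ip")
def enrich_ip(value):
    return {"risk": FAKE_THREAT_INTEL.get(value, 0)}


@subflow("user")
def enrich_user(value):
    # Context only: the directory adds department and manager, not a risk score.
    return {"risk": 0, **FAKE_DIRECTORY.get(value, {})}


class EnrichmentStore:
    """Caches enrichments and refreshes them once they are older than ttl_seconds."""

    def __init__(self, ttl_seconds=3600, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable for deterministic tests
        self._cache = {}            # (type, value) -> (timestamp, enrichment)
        self.lookups = 0            # number of subflow calls actually made

    def enrich(self, obs_type, value):
        key = (obs_type, value)
        cached = self._cache.get(key)
        if cached and self.clock() - cached[0] < self.ttl:
            return cached[1]        # still fresh, no vendor call
        fn = SUBFLOWS.get(obs_type)
        result = fn(value) if fn else {"risk": 0, "unsupported": True}
        self.lookups += 1
        self._cache[key] = (self.clock(), result)
        return result

    def case_risk(self, observables):
        """Case risk is the highest observable risk (assumption)."""
        return max((self.enrich(t, v)["risk"] for t, v in observables), default=0)


if __name__ == "__main__":
    store = EnrichmentStore(ttl_seconds=60)
    obs = {("dns", "www.evilabc.com"), ("user", "jsmith"), ("ip", "10.0.0.5")}
    print("case risk:", store.case_risk(obs), "lookups:", store.lookups)
```

Injecting the clock makes the refresh behaviour testable: the first pass calls one subflow per observable, a second pass within the TTL is served from cache, and once the TTL has elapsed every observable is re-enriched.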
Response
The Response process automates response actions for cases. This phase can be fully customized to suit each customer's specific tools and preferred workflows.