
Subflow 2 - Create Case

Subflow 2 - Create Case determines how an alert is handled within the On New Table Record - Process Alert workflow. Its primary function is to decide whether the alert should be linked to an existing case or used to create a new case. This decision is critical for an organized and efficient incident response process: related alerts are grouped under a single case, while unique incidents get a case of their own.


How It Works

  1. Duplication Check:

    • The subflow begins by invoking the Subflow 2.1 - Get Duplication Rule Workflow to retrieve the predefined duplication rules from the system. These rules define the criteria for deciding whether an alert matches an existing case, such as shared observables (e.g., IP addresses, file hashes, or usernames) or timestamps that fall close together.

    • Next, the Subflow 2.2 - Check for Case Duplicates is executed. This process compares the alert's observables against existing cases in the system to identify any potential matches.

  2. Linking to an Existing Case:

    • If a duplicate case is found, the Subflow 2.3 - Link Alert to Existing Case is triggered. This action associates the alert with the identified case, consolidating all related information under one case for efficient analysis and response.

    • For instance, if an alert contains the IP 192.168.1.100 and a file hash abc123 (placeholder values), and both match observables in an open case, the alert is linked to that case automatically.

  3. Creating a New Case:

    • If no duplicate is found, the subflow uses the Create Case step to generate a new incident case. This involves pulling relevant alert data, such as observables and metadata, and structuring them into a new case record.

    • For example, a new alert with observables such as device.external_ip (e.g., 203.0.113.42) and sha256 (e.g., the placeholder xyz789) will initiate a fresh case if no prior match exists in the system.

  4. Case Updates:

    • Regardless of whether a new case is created or an alert is linked to an existing case, the subflow ensures that the case metadata is updated appropriately. This includes appending new observables, adding timestamps, and updating case status.

  5. Output and Continuation:

    • Once the case association is completed, the subflow passes the updated case details back to the main workflow, enabling subsequent processes like enrichment (Subflow 3) and response actions (Subflow 4).
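The following is an added, self-contained model of the link-or-create decision described in steps 1 to 5, written for this page. It is not the workflow engine's own implementation: the rule format (observable types that must all match plus a lookback window), the case and alert fields, the case ID scheme, and the sample cases and alerts are all constructed assumptions. It goes slightly beyond the text by showing what happens when a hash matches but the only candidate case is older than the rule's window, which is the situation where a new case is created even though an observable is shared.

```python
"""Link-or-create decision for an incoming alert (added illustrative example).

Not the product's code. Rule shape, field names, IDs and sample data are
constructed assumptions chosen to mirror the steps on this page.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Constructed stand-in for what Subflow 2.1 would return: each rule names the
# observable types that must ALL match and how far back a case may be considered.
DUPLICATION_RULES = [
    {"name": "same-host-same-hash", "match_on": ["ip", "sha256"], "window_hours": 72},
    {"name": "same-hash", "match_on": ["sha256"], "window_hours": 24},
]


@dataclass
class Alert:
    alert_id: str
    observed_at: datetime
    observables: dict[str, str]  # observable type -> value, e.g. {"ip": "192.168.1.100"}


@dataclass
class Case:
    case_id: str
    created_at: datetime
    updated_at: datetime
    status: str = "new"
    observables: dict[str, set[str]] = field(default_factory=dict)  # type -> values
    alert_ids: list[str] = field(default_factory=list)


def get_duplication_rules() -> list[dict]:
    """Subflow 2.1 equivalent: fetch the rules (hard-coded here)."""
    return DUPLICATION_RULES


def find_duplicate_case(alert: Alert, cases: list[Case], rules: list[dict]):
    """Subflow 2.2 equivalent: first open case that satisfies any rule, in rule order."""
    for rule in rules:
        window = timedelta(hours=rule["window_hours"])
        for case in cases:
            if case.status == "closed":
                continue  # never merge into a closed case
            if abs(alert.observed_at - case.updated_at) > window:
                continue  # candidate is outside this rule's lookback window
            # Every observable type the rule names must be present on the alert
            # and its value must already be recorded on the case.
            if all(
                obs_type in alert.observables
                and alert.observables[obs_type] in case.observables.get(obs_type, set())
                for obs_type in rule["match_on"]
            ):
                return case, rule["name"]
    return None, None


def update_case_metadata(case: Case, alert: Alert) -> Case:
    """Step 4: append observables, bump the timestamp, move the status along."""
    case.alert_ids.append(alert.alert_id)
    for obs_type, value in alert.observables.items():
        case.observables.setdefault(obs_type, set()).add(value)
    case.updated_at = max(case.updated_at, alert.observed_at)
    if case.status == "new":
        case.status = "in_progress"
    return case


def create_case(alert: Alert, case_id: str) -> Case:
    """Create Case step: a fresh case seeded from the alert's observables."""
    return Case(
        case_id=case_id,
        created_at=alert.observed_at,
        updated_at=alert.observed_at,
        observables={t: {v} for t, v in alert.observables.items()},
        alert_ids=[alert.alert_id],
    )


def process_alert(alert: Alert, cases: list[Case]) -> dict:
    """Whole of Subflow 2: returns the decision handed back to the main workflow."""
    match, rule_name = find_duplicate_case(alert, cases, get_duplication_rules())
    if match is not None:  # Subflow 2.3: link to the existing case
        update_case_metadata(match, alert)
        return {"alert_id": alert.alert_id, "case_id": match.case_id, "action": "linked", "rule": rule_name}
    new_case = create_case(alert, f"CASE-{len(cases) + 1:04d}")  # constructed ID scheme
    cases.append(new_case)
    return {"alert_id": alert.alert_id, "case_id": new_case.case_id, "action": "created", "rule": None}


T0 = datetime(2024, 5, 1, 12, 0, tzinfo=UTC)  # constructed reference time


def run_demo():
    """Constructed data: one pre-existing open case and four incoming alerts."""
    cases = [Case("CASE-0001", T0, T0, observables={"ip": {"192.168.1.100"}, "sha256": {"abc123"}},
                  alert_ids=["ALT-100"])]
    alerts = [
        Alert("ALT-101", T0 + timedelta(hours=1), {"ip": "192.168.1.100", "sha256": "abc123"}),  # both match
        Alert("ALT-102", T0 + timedelta(hours=2), {"ip": "203.0.113.42", "sha256": "xyz789"}),   # nothing matches
        Alert("ALT-103", T0 + timedelta(hours=20), {"ip": "10.0.0.5", "sha256": "xyz789"}),      # hash only, in window
        Alert("ALT-104", T0 + timedelta(hours=50), {"ip": "172.16.0.9", "sha256": "xyz789"}),    # hash only, window expired
    ]
    decisions = [process_alert(a, cases) for a in alerts]
    return decisions, cases


if __name__ == "__main__":
    for d in run_demo()[0]:
        print(d)
```

Rule order matters: the more specific rule is listed first so an alert that satisfies both is linked under the stronger match. ALT-104 shares a hash with CASE-0002 but arrives 30 hours after that case was last updated, outside the 24-hour window of the hash-only rule, so a new case is opened; widening the window or removing it would change that outcome.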