
# About Automated Case Management Process

> Overview of Blink's automated case management system for end-to-end security incident handling.

export const VersionBadges = () => {
  return <div>
     <span className="inline-flex items-center rounded-md bg-blue-50 px-2 py-1 text-xs font-medium text-blue-700 ring-1 ring-blue-700/10 ring-inset">
       v9.0
      </span>
    </div>;
};

<VersionBadges />

Blink’s Automated Case Management Process streamlines how security teams ingest, enrich, investigate, and respond to alerts from multiple monitoring tools and third-party sources. By automating these tasks end-to-end, it enables faster and more consistent triage of potential threats.

The purpose of Blink’s Automated Case Management Process is to reduce manual overhead, maintain data consistency, and accelerate incident response by connecting alert data with contextual information, enrichment tools, and response actions.

This documentation provides a breakdown of each phase in the automated case management pipeline, including data transformations, enrichment logic, response strategies and use case examples.

***

## Key Stages

The process is composed of four key stages and is designed to streamline the entire incident handling flow, from alert ingestion to case remediation.

<div className="integrations-table">
  | Stage                                                                                                        | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
  | ------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
  | [Alert Ingestion](/docs/case-management/blinks-automated-case-management/alert-ingestion)                    | In the **Alert Ingestion** process, alerts are harvested from external systems, such as SIEMs (Security Information and Event Management) or other monitoring tools, in **real time**. This process collects raw alert data as soon as it is generated by the vendor. The primary action in this stage is to open an alert record, which stores the received payload for further processing. This is the starting point of the workflow where data enters the system. |
  | [Alert Processing](/docs/case-management/blinks-automated-case-management/alert-processing/alert-processing) | The **Alert Processing** phase extracts key observables from raw alert data using predefined templates in the [Alert Templates Table](/docs/case-management/blinks-automated-case-management/alert-processing/alert-template-table). The system checks whether each alert has already been processed and flags unprocessed alerts for further attention, ensuring efficient and accurate data handling.                                                               |
  | [Enrichments](/docs/case-management/blinks-automated-case-management/enrichments)                            | The **Enrichment** process is designed to enrich and maintain the enrichment of observables. This phase is fully customizable for each customer, allowing adjustments based on their specific toolset and preferred enrichment methods. It consists of vendor-specific subflows, which can be selected or tailored per client.                                                                                                                                        |
  | [Response](/docs/case-management/blinks-automated-case-management/response)                                  | The **Response** process is designed to automate the response process for cases. This phase can be fully customized to suit each customer's specific tools and preferred workflows.                                                                                                                                                                                                                                                                                   |
</div>

## Flow Diagram Showing the Case Management Automated Processes

The following flow diagram provides an in-depth explanation of how Blink handles alert and case processing, offering insights into each stage of the workflow, associated subflows, data transformations, and examples for testing.

<Frame>
  <img src="https://mintcdn.com/blinkops-2/Fevyj7fZxoPHa6A-/img/CaseManagement/CMFlowDiagram9.png?fit=max&auto=format&n=Fevyj7fZxoPHa6A-&q=85&s=0e733d49db580dd64c7c4a73f54ad7cb" width="3936" height="3344" data-path="img/CaseManagement/CMFlowDiagram9.png" />
</Frame>

***

## Detailed Guide of the Automated Case Management Process - Use Case Example

<Note>Blink's Automated Case Management Process is fully customizable to support a wide range of client requirements, workflows, and tools.</Note>

**Scenario**: CrowdStrike detected a suspicious file `/Users/wilder/whoami.rtf` being executed as a command, despite its `rtf` extension suggesting a benign document. This behavior is characteristic of the Masquerading technique, where adversaries disguise executable files using misleading extensions.

<AccordionGroup>
  <Accordion title="Stage 1- Alert Ingestion" icon="circle-1">
    **Description:** This workflow is triggered by a [CrowdStrike Webhook Event](/docs/integrations/crowdstrike/triggers/crowdstrike-webhook-event), initiating the 'Alert Ingestion' process automatically upon receiving an event from CrowdStrike.

    **How It Works:** Upon receiving a webhook event from CrowdStrike, the workflow performs the following steps:

    * Get Alert Details – Retrieves detailed information about the alert using the configured CrowdStrike connector.
    * Create Alert – Uses the retrieved data to create a new alert record in the [Alert Table](/docs/case-management/alerts/alerts).
    * From there, it proceeds to the next stage in the pipeline—[Alert Processing](/docs/case-management/blinks-automated-case-management/alert-processing/alert-processing), where additional alert analysis and case handling actions are performed.

    <Frame>
      <img src="https://mintcdn.com/blinkops-2/UGyZ3yX79lqyx4Hr/img/CaseManagement/AlertPayloadExample9.png?fit=max&auto=format&n=UGyZ3yX79lqyx4Hr&q=85&s=e17ed2036b0d9fd640d566ae5305e850" width="1725" height="1073" data-path="img/CaseManagement/AlertPayloadExample9.png" />
    </Frame>

    <Accordion title="Alert Payload Example" icon="up-down">
      ```json theme={"dark"}
        {
        "agent_id": "88a37ca1562e4abc800f4e548e83f899",
        "aggregate_id": "aggind:bc44a7a3e758465f857867dcf4ac8c17:565469335392665337",
        "alleged_filetype": "rtf",
        "cid": "5686234480df4be090fbcf044a2708d4",
        "cloud_indicator": false,
        "cmdline": "./whoami.rtf",
        "composite_id": "5686234480df4be090fbcf044a2708d4:ind:bc44a7a3e758465f857867dcf4ac8c17:565469335361356727-145-335777",
        "confidence": 50,
        "context_timestamp": "2024-07-24T15:25:00.113Z",
        "control_graph_id": "ctg:bc44a7a3e758465f857867dcf4ac8c17:565469335392665337",
        "crawled_timestamp": "2024-07-24T19:24:30.660636531Z",
        "created_timestamp": "2024-07-24T15:26:04.807574447Z",
        "data_domains": [
          "Endpoint"
        ],
        "description": "An executable was run with a contradicting file extension",
        "device": {
          "agent_load_flags": "0",
          "agent_local_time": "2024-07-16T13:16:41.364Z",
          "agent_version": "7.17.18604.0",
          "cid": "5686234480df4be090fbcf044a2708d4",
          "config_id_base": "65994763",
          "config_id_build": "18604",
          "config_id_platform": "4",
          "device_id": "bc44a7a3e758465f857867dcf4ac8c17",
          "external_ip": "180.112.146.250",
          "first_seen": "2024-05-16T12:50:44Z",
          "hostname": "DESKTOP-HLLEERH",
          "last_seen": "2024-07-24T14:58:25Z",
          "local_ip": "10.200.200.4",
          "mac_address": "b0-de-28-07-15-64",
          "major_version": "21",
          "minor_version": "3",
          "modified_timestamp": "2024-07-24T15:22:09Z",
          "os_version": "Monterey (12)",
          "ou": null,
          "platform_id": "1",
          "platform_name": "Mac",
          "pod_labels": null,
          "product_type_desc": "Workstation",
          "status": "normal",
          "system_manufacturer": "Apple Inc.",
          "system_product_name": "MacBookPro18,1"
        },
        "display_name": "FalseExecutableExtension",
        "documents_accessed": [
          {
            "filename": "dtracehelper",
            "filepath": "/dev/",
            "timestamp": "1721834700"
          }
        ],
        "email_sent": true,
        "falcon_host_link": "https://falcon.us-2.crowdstrike.com/activity-v2/detections/5686234480df4be090fbcf044a2708d4:ind:bc44a7a3e758465f857867dcf4ac8c17:565469335361356727-145-335777?_cid=g04000ul2m72oytvdbnm7n4e6bu5pkj4",
        "filename": "whoami.rtf",
        "filepath": "/Users/wilder/whoami.rtf",
        "files_accessed": [
          {
            "filename": "dtracehelper",
            "filepath": "/dev/",
            "timestamp": "1721834700"
          }
        ],
        "global_prevalence": "common",
        "grandparent_details": {
          "cmdline": "login -pf wilder",
          "filename": "login",
          "filepath": "/usr/bin/login",
          "local_process_id": "682",
          "md5": "0e4f66991f4bfd0e96e5d28b52460ebf",
          "process_graph_id": "pid:bc44a7a3e758465f857867dcf4ac8c17:565244152166793222",
          "process_id": "565244152166793222",
          "sha256": "178ba564b39bd07577e974a9b677dfd86ffa1f1d0299dfd958eb883c5ef6c3e1",
          "timestamp": "1601-01-01T00:00:00.000Z",
          "user_graph_id": "uid:bc44a7a3e758465f857867dcf4ac8c17:0",
          "user_id": "S-1-5-18",
          "user_name": "root"
        },
        "id": "ind:bc44a7a3e758465f857867dcf4ac8c17:565469335361356727-145-335777",
        "incident": {
          "created": "2024-07-24T15:24:36Z",
          "end": "2024-07-24T15:26:01Z",
          "id": "inc:bc44a7a3e758465f857867dcf4ac8c17:e6cb706ea495450fb779ad0a1e084bda",
          "score": "19.15170747011056",
          "start": "2024-07-24T15:24:36Z"
        },
        "indicator_id": "ind:bc44a7a3e758465f857867dcf4ac8c17:565469335361356727-145-335777",
        "ioc_context": [],
        "ioc_values": [],
        "local_prevalence": "common",
        "local_process_id": "44019",
        "md5": "32ff28d4fdb4b244c355d7f8378fa2b1",
        "name": "FalseExecutableExtension",
        "objective": "Keep Access",
        "parent_details": {
          "cmdline": "-zsh",
          "filename": "zsh",
          "filepath": "/bin/zsh",
          "local_process_id": "687",
          "md5": "ee37d643ed7bd33fac61ebe8b1d8e073",
          "process_graph_id": "pid:bc44a7a3e758465f857867dcf4ac8c17:565244152228659208",
          "process_id": "565244152228659208",
          "sha256": "298a078b749c97d3a4523e89969deb51b0b779adb7f65b4aec321202002577e5",
          "timestamp": "1601-01-01T00:00:00.000Z",
          "user_graph_id": "uid:bc44a7a3e758465f857867dcf4ac8c17:501",
          "user_id": "S-1-5-21-1181572197-2209085151-3031813589-2002",
          "user_name": "bart.s"
        },
        "parent_process_id": "565244152228659208",
        "pattern_disposition": 0,
        "pattern_disposition_description": "Detection, standard detection.",
        "pattern_disposition_details": {
          "blocking_unsupported_or_disabled": false,
          "bootup_safeguard_enabled": false,
          "containment_file_system": false,
          "critical_process_disabled": false,
          "detect": false,
          "fs_operation_blocked": false,
          "handle_operation_downgraded": false,
          "inddet_mask": false,
          "indicator": false,
          "kill_action_failed": false,
          "kill_parent": false,
          "kill_process": false,
          "kill_subprocess": false,
          "mfa_required": false,
          "operation_blocked": false,
          "policy_disabled": false,
          "prevention_provisioning_enabled": false,
          "process_blocked": false,
          "quarantine_file": false,
          "quarantine_machine": false,
          "registry_operation_blocked": false,
          "response_action_already_applied": false,
          "response_action_failed": false,
          "response_action_triggered": false,
          "rooting": false,
          "sensor_only": false,
          "suspend_parent": false,
          "suspend_process": false
        },
        "pattern_id": 145,
        "platform": "Mac",
        "poly_id": "AABWhiNEgN9L4JD7zwRKJwjUjue4OYRYzSSQIMIYFE0J6gAATiFO4j02EtTYtAeSSEqcF91NS8SYOJndbBi10afYl7tEbw==",
        "process_end_time": "1721834700",
        "process_id": "565469335361356727",
        "process_start_time": "1721834699",
        "product": "epp",
        "scenario": "suspicious_activity",
        "seconds_to_resolved": 0,
        "seconds_to_triaged": 0,
        "severity": 50,
        "severity_name": "Medium",
        "sha1": "0000000000000000000000000000000000000000",
        "sha256": "c8246b2408325fa8abedb4afa8fa9f93051834f6d38607ed5c58ba45b95294a0",
        "show_in_ui": true,
        "source_products": [
          "Falcon Insight"
        ],
        "source_vendors": [
          "CrowdStrike"
        ],
        "status": "new",
        "tactic": "Defense Evasion",
        "tactic_id": "TA0005",
        "technique": "Masquerading",
        "technique_id": "T1036",
        "timestamp": "2024-07-24T15:25:00.395Z",
        "tree_id": "565469335392665337",
        "tree_root": "565469335361356727",
        "triggering_process_graph_id": "pid:bc44a7a3e758465f857867dcf4ac8c17:565469335361356727",
        "type": "ldt",
        "updated_timestamp": "2024-07-24T19:24:30.660624427Z",
        "user_id": "S-1-5-21-1181572197-2209085151-3031813589-2002",
        "user_name": "bart.s",
        "user_principal": "bart.s@Springfield.us"
      }
      ```
    </Accordion>
  </Accordion>

  <Accordion title="Stage 2- Alert Processing" icon="circle-2">
    Once the alert is recorded in the [Alert Table](/docs/case-management/alerts/alerts), Blink continues the investigation by extracting meaningful data and observables.

    ## Create [Observable Extraction Rules](/docs/case-management/blinks-automated-case-management/observable-extraction-rules)

    * **Description**: [Observable Extraction Rules](/docs/case-management/blinks-automated-case-management/observable-extraction-rules) are configured to define which data fields from the alert payload should be extracted and classified as observables and relations (if they exist).
    * **How it Works**: These rules look into the alert’s structured data (JSON format) and match specific fields, such as agent\_id, user\_name, sha256, etc. Each extracted observable is then assigned a type (e.g., IP address, file hash) and a relation to the alert (e.g., Target Host, Attacker IP). This mapping helps define the scope of the threat and gives investigators a clearer view of how entities are related.

    <Frame>
      <img src="https://mintcdn.com/blinkops-2/BRfSL_EOO1Uh43ic/img/CaseManagement/ExtractObservableRule2.png?fit=max&auto=format&n=BRfSL_EOO1Uh43ic&q=85&s=5477f866fd4979925a3c164fcd958f0e" width="3438" height="2154" data-path="img/CaseManagement/ExtractObservableRule2.png" />
    </Frame>

    In this example, the following observables and their relations are defined in the [Observable Extraction Rules](/docs/case-management/blinks-automated-case-management/observable-extraction-rules):

    | Observable                      | Type            | Explanation                                                                 | Relation            |
    | ------------------------------- | --------------- | --------------------------------------------------------------------------- | ------------------- |
    | `agent_id`                      | Device Agent ID | Unique identifier for the CrowdStrike agent installed on the device.        | Target Device       |
    | `device.external_ip`            | IP Address      | The external/public IP address of the machine at the time of the alert.     | Attacker IP Address |
    | `device.hostname`               | Hostname        | The hostname of the device involved in the detection.                       | Target Host         |
    | `device.local_ip`               | IP Address      | The local/internal IP address of the endpoint.                              | Target IP Address   |
    | `parent_details.sha256`         | File Hash       | SHA256 hash of the parent process (`zsh`) that launched the suspicious file. | Parent Process Hash |
    | `sha256`                        | File Hash       | SHA256 hash of the suspicious file (`whoami.rtf`) that was executed.        | No relation         |
    | `user_name`                     | Username        | The username (`bart.s`) of the user who executed the process.               | Target User         |
    | `grandparent_details.user_name` | Username        | The username (`root`) associated with the grandparent process (`login`).    | Target User         |

    ***

    <Note> **Note:** Not all extracted observables will have observable relations, and defining such relationships is not mandatory. However, when relations exist—such as a file being associated with a specific IP address or command execution—these will be automatically extracted and identified as part of the process. This helps build a clearer picture of the attack chain and supports better investigation and response. </Note>

    ## Execute the [Extract Observable](/docs/case-management/blinks-automated-case-management/alert-processing/extract-observables-action) action

    * **Description**: The [Extract Observable](/docs/case-management/blinks-automated-case-management/alert-processing/extract-observables-action) action automatically identifies and stores key observables based on the configured rules.
    * **How It Works**: This action runs the extraction logic and outputs matched observables along with their context and relationships. The observables are stored in the Observables Table and are available for further enrichment or case correlation.

    <Frame>
      <img src="https://mintcdn.com/blinkops-2/Fevyj7fZxoPHa6A-/img/CaseManagement/CMAP2.png?fit=max&auto=format&n=Fevyj7fZxoPHa6A-&q=85&s=48aa99220d4744d6a0ba55db83fea90d" width="1728" height="1081" data-path="img/CaseManagement/CMAP2.png" />
    </Frame>

    <Accordion title="Example of `JSON` Output">
      ```json theme={"dark"}
      {
        "matched_rule": true,
        "rule": "False Executable",
        "processing_status": "Mid-processing",
        "extracted_observables": [
          {
            "id": "9785b8cf-555c-4969-b0b8-cbeae5791d3f",
            "name": "agent_id",
            "type": "Device Agent ID",
            "content": "cdd5be18804244df8b849069294563e4",
            "relation": "Target Device",
            "is_new": true
          },
          {
            "id": "7fbff996-e653-4f80-9efa-ab6b2a00a525",
            "name": "external_ip",
            "type": "IP Address",
            "content": "180.112.146.250",
            "relation": "Attacker IP Address",
            "is_new": false
          },
          {
            "id": "045cb3b7-68e8-43e2-9ebd-64d210b08615",
            "name": "hostname",
            "type": "Hostname",
            "content": "DT-BART-SIMPSON",
            "relation": "Target Host",
            "is_new": false
          },
          {
            "id": "a0a8f04c-8181-4f5b-acd5-1d43996251f7",
            "name": "local_ip",
            "type": "IP Address",
            "content": "192.168.0.81",
            "relation": "Target IP Address",
            "is_new": false
          },
          {
            "id": "e2016490-a6c5-43a5-8f6f-21e786d2bcaa",
            "name": "sha256",
            "type": "File Hash",
            "content": "298a078b749c97d3a4523e89969deb51b0b779adb7f65b4aec32120200257790",
            "relation": "Parent Process Hash",
            "is_new": false
          },
          {
            "id": "8aee406f-d970-4839-ba99-49daf34199b2",
            "name": "sha256",
            "type": "File Hash",
            "content": "8d3f68b16f0710f858d8c1d2c699260e6f43161a5510abb0e7ba567bd72c965b",
            "relation": "",
            "is_new": false
          },
          {
            "id": "386e5762-340a-4629-b49a-8018a34299c2",
            "name": "user_name",
            "type": "Username",
            "content": "sam.gamgee",
            "relation": "Target User",
            "is_new": false
          },
          {
            "id": "bca048c7-eeef-4125-ad5e-f2b4a620eeff",
            "name": "user_principal",
            "type": "Username",
            "content": "sam.gamgee@gardens.nz",
            "relation": "Target User",
            "is_new": false
          }
        ],
        "case_type": "Malware",
        "new_observables": [
          {
            "id": "9785b8cf-555c-4969-b0b8-cbeae5791d3f",
            "name": "agent_id",
            "type": "Device Agent ID",
            "content": "cdd5be18804244df8b849069294563e4",
            "relation": "Target Device",
            "is_new": true
          }
        ]
      }
      ```
    </Accordion>
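To make the extraction rules and the Extract Observable action above concrete, here is an added Python example (not Blink's own code) that applies a rule of the shape shown in the table to a constructed subset of the Stage 1 payload, flags each observable as new or already present against a constructed Observables Table, and returns output in the shape of the JSON above. The rule layout, the deterministic observable IDs and the `get_path` helper are assumptions of this example; the real IDs are opaque and the stored rule format may differ.

```python
import uuid

# Constructed subset of the CrowdStrike alert payload shown in Stage 1
# (values copied from it; the remaining fields are omitted).
ALERT = {
    "display_name": "FalseExecutableExtension",
    "agent_id": "88a37ca1562e4abc800f4e548e83f899",
    "device": {"external_ip": "180.112.146.250", "hostname": "DESKTOP-HLLEERH",
               "local_ip": "10.200.200.4"},
    "parent_details": {"user_name": "bart.s",
                       "sha256": "298a078b749c97d3a4523e89969deb51b0b779adb7f65b4aec321202002577e5"},
    "grandparent_details": {"user_name": "root"},
    "sha256": "c8246b2408325fa8abedb4afa8fa9f93051834f6d38607ed5c58ba45b95294a0",
    "user_name": "bart.s",
}

# Hypothetical rule layout (not Blink's stored format): a match condition taken
# from the alert template, plus (dotted JSON path, observable type, relation)
# triples mirroring the table above.
FALSE_EXECUTABLE_RULE = {
    "name": "False Executable",
    "case_type": "Malware",
    "match": {"display_name": "FalseExecutableExtension"},
    "observables": [
        ("agent_id", "Device Agent ID", "Target Device"),
        ("device.external_ip", "IP Address", "Attacker IP Address"),
        ("device.hostname", "Hostname", "Target Host"),
        ("device.local_ip", "IP Address", "Target IP Address"),
        ("parent_details.sha256", "File Hash", "Parent Process Hash"),
        ("sha256", "File Hash", ""),
        ("user_name", "Username", "Target User"),
        ("grandparent_details.user_name", "Username", "Target User"),
    ],
}

# Constructed Observables Table: (type, content) pairs stored from earlier
# alerts. Everything except the agent ID is already known, so the run reports
# exactly one new observable, as in the page's output.
KNOWN_OBSERVABLES = {
    ("IP Address", "180.112.146.250"),
    ("Hostname", "DESKTOP-HLLEERH"),
    ("IP Address", "10.200.200.4"),
    ("File Hash", "298a078b749c97d3a4523e89969deb51b0b779adb7f65b4aec321202002577e5"),
    ("File Hash", "c8246b2408325fa8abedb4afa8fa9f93051834f6d38607ed5c58ba45b95294a0"),
    ("Username", "bart.s"),
    ("Username", "root"),
}


def get_path(obj, path):
    """Walk a dotted path such as 'device.external_ip'; None if any hop is missing."""
    for part in path.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj


def observable_id(otype, content):
    # Deterministic ID so one (type, content) pair always maps to one record.
    # Assumption for this example only; Blink's real observable IDs are opaque.
    return str(uuid.uuid5(uuid.NAMESPACE_URL, f"{otype}:{content}"))


def extract_observables(alert, rule, known):
    """Apply one extraction rule to an alert and return the page's output shape."""
    if any(get_path(alert, k) != v for k, v in rule["match"].items()):
        return {"matched_rule": False, "rule": rule["name"],
                "extracted_observables": [], "new_observables": []}
    extracted, seen = [], set()
    for path, otype, relation in rule["observables"]:
        value = get_path(alert, path)
        if value in (None, ""):
            continue  # field absent from this payload: skip it, do not fail the alert
        key = (otype, str(value))
        if key in seen:
            continue  # same entity reached via two paths (e.g. user_name twice)
        seen.add(key)
        extracted.append({
            "id": observable_id(*key),
            "name": path.rsplit(".", 1)[-1],
            "type": otype,
            "content": str(value),
            "relation": relation,
            "is_new": key not in known,
        })
    return {
        "matched_rule": True,
        "rule": rule["name"],
        "processing_status": "Mid-processing",
        "extracted_observables": extracted,
        "case_type": rule["case_type"],
        "new_observables": [o for o in extracted if o["is_new"]],
    }
```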

    ***

    ## Create [Deduplication Rules](/docs/case-management/blinks-automated-case-management/deduplication-rule)

    * **Description**: Deduplication Rules define how Blink identifies alerts that are likely part of the same incident. These rules help avoid duplicate case creation and ensure incident responders have full context.
    * **How It Works**: For every alert, Blink applies pre-defined or custom deduplication logic using key fields (such as filename, hash, host, tactic/technique). These rules match patterns across similar alerts to decide whether to group them into a single case.

    <Frame>
      <img src="https://mintcdn.com/blinkops-2/Fevyj7fZxoPHa6A-/img/CaseManagement/CMAP3.png?fit=max&auto=format&n=Fevyj7fZxoPHa6A-&q=85&s=b7d2a801450dd4bd84d8ce89cafaa3c8" width="3456" height="2160" data-path="img/CaseManagement/CMAP3.png" />
    </Frame>

    ## Execute the [Case Deduplication](/docs/case-management/blinks-automated-case-management/alert-processing/case-deduplication-action) action

    * **Description**: Blink checks whether the current alert matches an existing case using deduplication logic. It then decides to either create a new case or append the alert to an existing one.
    * **How It Works**:
      * A deduplication rule (like False Executable) is applied to the incoming alert.
      * If the alert matches an existing case, it is added to that case, updating the case's observable and alert lists.
      * If no match is found, a new case is created and populated with observables, alerts, and other metadata like severity, case type, and ID.

    <Accordion title="Example of `JSON` Output">
      ```json theme={"dark"}
      {
        "is_unique": false,
        "matched_rule": true,
        "rule": "False Executable",
        "case": {
          "updated_by": "8681d697-b686-48b7-8cb1-915452a19593",
          "task_ids": null,
          "auto_id": 4,
          "case_ids": null,
          "summary": null,
          "closed_by_automation": false,
          "case_tags": null,
          "name": "FalseExecutableExtension",
          "closed_at": null,
          "sla": null,
          "type": "Malware",
          "created_at": 1744805810293,
          "severity": 2,
          "overview": null,
          "mitre_attack": null,
          "updated_at": 1744805810293,
          "observable_ids": [
            "045cb3b7-68e8-43e2-9ebd-64d210b08615",
            "8aee406f-d970-4839-ba99-49daf34199b2",
            "7fbff996-e653-4f80-9efa-ab6b2a00a525",
            "a0a8f04c-8181-4f5b-acd5-1d43996251f7",
            "bca048c7-eeef-4125-ad5e-f2b4a620eeff",
            "9785b8cf-555c-4969-b0b8-cbeae5791d3f",
            "e2016490-a6c5-43a5-8f6f-21e786d2bcaa",
            "386e5762-340a-4629-b49a-8018a34299c2"
          ],
          "case_manager": null,
          "created_by": "8681d697-b686-48b7-8cb1-915452a19593",
          "closed_by": null,
          "close_reason": null,
          "collaborators": null,
          "sla_expiry": null,
          "case_id": "INC-00004",
          "status": "NEW",
          "alert_ids": [
            "a7a702ff-cdf0-4493-a125-9252316bfa85"
          ],
          "attachment_ids": null,
          "vendors": null,
          "id": "dd52de81-815f-4d4f-984c-0b7f0dfd7a79"
        }
      }
      ```
    </Accordion>

    <Frame>
      <img src="https://mintcdn.com/blinkops-2/Fevyj7fZxoPHa6A-/img/CaseManagement/CMAP4.png?fit=max&auto=format&n=Fevyj7fZxoPHa6A-&q=85&s=afa1f43200aca9d596adcff27667ad82" width="1728" height="1079" data-path="img/CaseManagement/CMAP4.png" />
    </Frame>
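The match-then-create-or-append decision described above, as an added Python example that is not Blink's own code: a hypothetical deduplication rule names the alert fields that must all equal an open case's key before the alert is folded into that case; otherwise a new case is created with observables, alerts, severity, case type and ID. The case table, the follow-up alerts, the `dedup_key` field and the severity-name mapping are constructed for this example.

```python
import copy

FILE_SHA256 = "c8246b2408325fa8abedb4afa8fa9f93051834f6d38607ed5c58ba45b95294a0"
SEVERITY_LEVELS = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}  # assumed mapping

# Constructed open case, shaped like the Case Deduplication output above.
OPEN_CASES = [{
    "case_id": "INC-00004", "auto_id": 4, "name": "FalseExecutableExtension",
    "type": "Malware", "status": "NEW", "severity": 2,
    "dedup_key": {"hostname": "DESKTOP-HLLEERH", "sha256": FILE_SHA256,
                  "technique_id": "T1036"},
    "alert_ids": ["a7a702ff-cdf0-4493-a125-9252316bfa85"],
    "observable_ids": ["9785b8cf-555c-4969-b0b8-cbeae5791d3f"],
}]

# Hypothetical rule layout (not Blink's stored format): which alerts it applies
# to and which alert fields must all equal an open case's key before merging.
FALSE_EXECUTABLE_DEDUP = {
    "name": "False Executable",
    "case_type": "Malware",
    "applies_to": {"display_name": "FalseExecutableExtension"},
    "key_fields": ["hostname", "sha256", "technique_id"],
}

# Two constructed follow-up alerts, already flattened to the fields the rule
# reads (in the raw payload "hostname" lives under "device").
ALERT_SAME_HOST = {
    "alert_id": "0f4e8a1c-1111-4222-8333-000000000001", "severity_name": "Medium",
    "display_name": "FalseExecutableExtension", "technique_id": "T1036",
    "hostname": "DESKTOP-HLLEERH", "sha256": FILE_SHA256,
    "observable_ids": ["9785b8cf-555c-4969-b0b8-cbeae5791d3f",
                       "045cb3b7-68e8-43e2-9ebd-64d210b08615"],
}
ALERT_OTHER_HOST = dict(ALERT_SAME_HOST, alert_id="0f4e8a1c-1111-4222-8333-000000000002",
                        hostname="DESKTOP-OTHER", severity_name="High")


def fresh_cases():
    """Deep copy of the constructed case table, so each run starts clean."""
    return copy.deepcopy(OPEN_CASES)


def deduplicate(alert, rule, cases):
    """Return the page's output shape; appends to or extends `cases` in place."""
    if any(alert.get(k) != v for k, v in rule["applies_to"].items()):
        # No rule applies to this alert: nothing to merge, leave it to later steps.
        return {"is_unique": True, "matched_rule": False, "rule": rule["name"], "case": None}
    key = {f: alert.get(f) for f in rule["key_fields"]}
    match = None
    if None not in key.values():  # never merge on partial context
        match = next((c for c in cases
                      if c["status"] != "CLOSED" and c["dedup_key"] == key), None)
    if match is not None:
        # Append to the existing case; replays of the same alert must not double-add.
        if alert["alert_id"] not in match["alert_ids"]:
            match["alert_ids"].append(alert["alert_id"])
        for oid in alert["observable_ids"]:
            if oid not in match["observable_ids"]:
                match["observable_ids"].append(oid)
        return {"is_unique": False, "matched_rule": True, "rule": rule["name"], "case": match}
    auto_id = max((c["auto_id"] for c in cases), default=0) + 1
    case = {
        "case_id": f"INC-{auto_id:05d}", "auto_id": auto_id,
        "name": alert["display_name"], "type": rule["case_type"], "status": "NEW",
        "severity": SEVERITY_LEVELS.get(alert.get("severity_name"), 1),
        "dedup_key": key,
        "alert_ids": [alert["alert_id"]],
        "observable_ids": list(alert["observable_ids"]),
    }
    cases.append(case)
    return {"is_unique": True, "matched_rule": True, "rule": rule["name"], "case": case}
```

A closed case is deliberately not reused: a new detection on the same host and file after closure opens a fresh case rather than silently reopening old context.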
  </Accordion>

  <Accordion title="Stage 3- Enrich Observables" icon="circle-3">
    **Description:** This stage enriches any newly extracted observables to provide analysts with additional context during investigation.

    **How It Works:**

    * This stage takes newly discovered observables listed in the new\_observables field (as seen in the [output](/docs/case-management/blinks-automated-case-management/blinks-automated-case-management#stage-2-alert-processing:example-of-json-ouput) from the Extract Observables step).
    * Each observable’s type is automatically detected. In this example, the Agent Device observable type is detected.
    * Observables are passed to the [Enrich Observables- Main Router](/docs/case-management/blinks-automated-case-management/alert-processing/enrich-observables-main), which dynamically routes them to the appropriate enrichment logic based on their type.
    * The corresponding enrichment actions are then executed—each tailored to the specific observable type.
    * The results are appended to the observable metadata and made available in the case for analyst review.

    In the provided example, the [Enrich Observables- Main Router](/docs/case-management/blinks-automated-case-management/alert-processing/enrich-observables-main) is configured to handle various observable types through conditional logic:

    * The observable with type Device Agent ID (e.g., cdd5be18804244df8b849069294563e4) triggers the first case in the switch logic.
    * This routes the observable to the CrowdStrike enrichment step (Enrich - Agent ID - CrowdStrike) to retrieve relevant device data.

    <Note>Additional cases (not shown here) can be configured for usernames, file hashes, domains, and more. This approach ensures observables are enriched consistently and automatically, without requiring hardcoded paths for each case. </Note>

    <Accordion title="Example of `JSON` Output">
      ```json theme={"dark"}
      {
        "matched_rule": true,
        "rule": "False Executable",
        "processing_status": "Mid-processing",
        "extracted_observables": [
          {
            "id": "9785b8cf-555c-4969-b0b8-cbeae5791d3f",
            "name": "agent_id",
            "type": "Device Agent ID",
            "content": "cdd5be18804244df8b849069294563e4",
            "relation": "Target Device",
            "is_new": true
          },
          {
            "id": "7fbff996-e653-4f80-9efa-ab6b2a00a525",
            "name": "external_ip",
            "type": "IP Address",
            "content": "180.112.146.250",
            "relation": "Attacker IP Address",
            "is_new": false
          },
          {
            "id": "045cb3b7-68e8-43e2-9ebd-64d210b08615",
            "name": "hostname",
            "type": "Hostname",
            "content": "DT-BART-SIMPSON",
            "relation": "Target Host",
            "is_new": false
          },
          {
            "id": "a0a8f04c-8181-4f5b-acd5-1d43996251f7",
            "name": "local_ip",
            "type": "IP Address",
            "content": "192.168.0.81",
            "relation": "Target IP Address",
            "is_new": false
          },
          {
            "id": "e2016490-a6c5-43a5-8f6f-21e786d2bcaa",
            "name": "sha256",
            "type": "File Hash",
            "content": "298a078b749c97d3a4523e89969deb51b0b779adb7f65b4aec32120200257790",
            "relation": "Parent Process Hash",
            "is_new": false
          },
          {
            "id": "8aee406f-d970-4839-ba99-49daf34199b2",
            "name": "sha256",
            "type": "File Hash",
            "content": "8d3f68b16f0710f858d8c1d2c699260e6f43161a5510abb0e7ba567bd72c965b",
            "relation": "",
            "is_new": false
          },
          {
            "id": "386e5762-340a-4629-b49a-8018a34299c2",
            "name": "user_name",
            "type": "Username",
            "content": "sam.gamgee",
            "relation": "Target User",
            "is_new": false
          },
          {
            "id": "bca048c7-eeef-4125-ad5e-f2b4a620eeff",
            "name": "user_principal",
            "type": "Username",
            "content": "sam.gamgee@gardens.nz",
            "relation": "Target User",
            "is_new": false
          }
        ],
        "case_type": "Malware",
        "new_observables": [
          {
            "id": "9785b8cf-555c-4969-b0b8-cbeae5791d3f",
            "name": "agent_id",
            "type": "Device Agent ID",
            "content": "cdd5be18804244df8b849069294563e4",
            "relation": "Target Device",
            "is_new": true
          }
        ]
      }
      ```
    </Accordion>

    <Frame>
      <img src="https://mintcdn.com/blinkops-2/BRfSL_EOO1Uh43ic/img/CaseManagement/EnrichObservableUseCase.png?fit=max&auto=format&n=BRfSL_EOO1Uh43ic&q=85&s=c96e00e0c3ed54ff0ef3db06ff23872d" width="1728" height="1074" data-path="img/CaseManagement/EnrichObservableUseCase.png" />
    </Frame>

    ***
  </Accordion>

  <Accordion title="Stage 4- Response" icon="circle-4">
    * **Description**: Blink triggers automated workflows to respond to the alert.
    * **How It Works**:
      * Workflows include actions such as blocking an IP, disabling a user account, or notifying a security team.
      * Response steps are configured based on the severity and type of the alert.

    **Response Example**:

    * **Triggered Action**: Block IP address "192.168.1.1" via firewall.
    * **Workflow Execution Log**:
      ```json theme={"dark"}
      {
        "action": "block_ip",
        "target": "192.168.1.1",
        "status": "Success"
      }
      ```

    ***
  </Accordion>
</AccordionGroup>
