Case Management Workflows
Important Terminology
Observables - Data points or artifacts extracted from alerts that represent a specific entity, such as an IP address, file hash, domain, or user. Observables are used to identify and track potential security threats.
IOCs (Indicators of Compromise) - Pieces of forensic data, such as file hashes, IP addresses, or domain names, that indicate the presence of malicious activity or compromise within a system or network.
Cases - A collection of related alerts and observables that are grouped together for investigation and response. Cases help analysts track and manage security incidents more efficiently.
Alerts - Notifications generated by security systems when suspicious or potentially harmful activity is detected. Alerts are typically the starting point for further investigation.
Ingested Alerts - Alerts that have been received and processed by the system. Ingested alerts are ready for further analysis, deduplication, or escalation into cases.
Dedups (Deduplications) - The process of identifying and merging duplicate alerts to prevent redundant cases or alert noise. Deduplication ensures that multiple alerts related to the same incident are aggregated into a single case.
Payload - The data included in an alert that provides context about the suspicious activity, such as the origin, type of attack, and affected assets. It contains the raw information that needs to be processed and analyzed.
Raw Payload - The unprocessed data within an alert before it has been parsed or analyzed. This is the original data received from the source system.
Case Management Automated Processes
Alert Ingestion
In the Alert Ingestion process, alerts are harvested from external systems, such as SIEMs (Security Information and Event Management) or other monitoring tools, in real time. This step collects raw alert data as soon as it is generated by the vendor. The primary action in this stage is to open an alert record, which stores the received payload for further processing. This is the starting point of the workflow where data enters the system.
Alert Processing
The Alert Processing phase is a prebuilt system workflow that runs every minute by default. It extracts key observables from raw alert data using predefined templates in the Alert Templates Table. The system checks whether each alert has already been processed and flags unprocessed alerts for further attention, ensuring efficient and accurate data handling.
Case Processing
The Case Processing phase is a prebuilt system workflow designed to handle alert deduplication into cases. The deduplication process aggregates alerts into cases based on rules defined in the Deduplication Rules Table.
IOC Enrichment
The Response process is designed to automate the response and triage process for cases. This phase can be fully customized to suit each customer's specific tools and preferred workflows. Additionally, the Response phase automatically closes stale cases, which are cases that have been open for more than 30 days.
Case Triage
The Case Triage process is designed to automate the response and triage process for cases. This phase can be fully customized to suit each customer's specific tools and preferred workflows. Additionally, the Triage phase automatically closes stale cases, which are cases that have been open for more than 30 days.
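The four automated stages above (ingestion, alert processing with templates, case processing with deduplication rules, and the stale-case closure at 30 days) can be modelled end to end. The following is an added illustration, not the platform's own code or schema: the ALERT_TEMPLATES and DEDUP_RULES dictionaries stand in for the Alert Templates Table and Deduplication Rules Table, the function names and the Alert/Case records are assumptions, and the sample alerts are constructed. It shows why processing must validate what it extracts (a malformed observable does not get merged into someone else's case) and why a closed stale case is not reopened silently by a later alert with the same key.

```python
"""Constructed model of the case-management workflow: ingest -> process alerts
-> deduplicate into cases -> close stale cases. Tables, field names and sample
data are all assumptions made for this example, not the platform's real schema."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=30)  # stale-case threshold stated in the workflow


@dataclass
class Alert:
    alert_id: str
    source: str
    raw_payload: dict          # unprocessed data exactly as received
    received_at: datetime
    processed: bool = False    # flag checked by Alert Processing
    observables: dict = field(default_factory=dict)


@dataclass
class Case:
    case_id: str
    dedup_key: tuple
    alert_ids: list
    opened_at: datetime
    status: str = "open"


# Hypothetical Alert Templates Table: per source, payload field -> (observable type, accepted pattern)
ALERT_TEMPLATES = {
    "edr": {"file_hash": ("sha256", r"[0-9a-f]{64}"), "host": ("hostname", r"[\w.-]+")},
    "firewall": {"src_ip": ("ip", r"\d{1,3}(?:\.\d{1,3}){3}"), "domain": ("domain", r"[\w.-]+\.[a-z]{2,}")},
}

# Hypothetical Deduplication Rules Table: per source, which observable types identify "the same incident"
DEDUP_RULES = {"edr": ("sha256", "hostname"), "firewall": ("ip",)}


def ingest_alert(store, alert_id, source, raw_payload, received_at):
    """Alert Ingestion: open an alert record that stores the raw payload untouched."""
    alert = Alert(alert_id, source, dict(raw_payload), received_at)
    store.append(alert)
    return alert


def process_alerts(store):
    """Alert Processing: extract observables from every unprocessed alert via its template."""
    done = []
    for alert in store:
        if alert.processed:
            continue
        for field_name, (obs_type, pattern) in ALERT_TEMPLATES.get(alert.source, {}).items():
            value = alert.raw_payload.get(field_name)
            # Only values matching the template pattern become observables; junk is dropped,
            # so it can never be used as a deduplication key later.
            if isinstance(value, str) and re.fullmatch(pattern, value.strip().lower()):
                alert.observables[obs_type] = value.strip().lower()
        alert.processed = True
        done.append(alert)
    return done


def process_cases(alerts, cases):
    """Case Processing: aggregate alerts into cases according to DEDUP_RULES."""
    open_index = {c.dedup_key: c for c in cases if c.status == "open"}
    for alert in alerts:
        rule = DEDUP_RULES.get(alert.source)
        if rule and all(t in alert.observables for t in rule):
            key = (alert.source,) + tuple(alert.observables[t] for t in rule)
        else:
            key = (alert.source, "alert", alert.alert_id)  # nothing to merge on: its own case
        case = open_index.get(key)
        if case is None:  # no open case for this key (including a previously closed one)
            case = Case(f"C-{len(cases) + 1}", key, [], alert.received_at)
            cases.append(case)
            open_index[key] = case
        if alert.alert_id not in case.alert_ids:
            case.alert_ids.append(alert.alert_id)
    return cases


def close_stale_cases(cases, now):
    """Triage housekeeping: close open cases that have been open longer than STALE_AFTER."""
    closed = []
    for case in cases:
        if case.status == "open" and now - case.opened_at > STALE_AFTER:
            case.status = "closed_stale"
            closed.append(case.case_id)
    return closed


def run_pipeline(now=None):
    """Run the whole workflow over constructed sample alerts and return the resulting cases."""
    now = now or datetime.now(timezone.utc)
    store, cases = [], []
    # Constructed sample alerts (not real data); A2 duplicates A1, A4 duplicates A3, A5 is malformed.
    ingest_alert(store, "A1", "edr", {"file_hash": "a" * 64, "host": "WS01"}, now - timedelta(days=45))
    ingest_alert(store, "A2", "edr", {"file_hash": "a" * 64, "host": "ws01"}, now - timedelta(days=44))
    ingest_alert(store, "A3", "firewall", {"src_ip": "203.0.113.9", "domain": "bad.example"}, now - timedelta(days=2))
    ingest_alert(store, "A4", "firewall", {"src_ip": "203.0.113.9"}, now - timedelta(days=1))
    ingest_alert(store, "A5", "firewall", {"src_ip": "not-an-ip"}, now)
    process_cases(process_alerts(store), cases)
    close_stale_cases(cases, now)
    return cases


if __name__ == "__main__":
    for c in run_pipeline():
        print(c.case_id, c.status, c.alert_ids)
```

Running it yields three cases: the two EDR alerts merge into one case that is then closed as stale (opened 45 days ago), the two firewall alerts sharing an IP merge into a second, still-open case, and the alert whose source IP failed template validation gets a case of its own rather than being merged on a bogus key.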