About Automated Case Management Process

v9.0

Blink’s Automated Case Management Process streamlines how security teams ingest, enrich, investigate, and respond to alerts from multiple monitoring tools and 3rd-party sources By automating these tasks end-to-end, it enables faster and more consistent triage of potential threats. The purpose of Blink’s Automated Case Management Process is to reduce manual overhead, maintain data consistency, and accelerate incident response by connecting alert data with contextual information, enrichment tools, and response actions. This documentation provides a breakdown of each phase in the automated case management pipeline, including data transformations, enrichment logic, response strategies and use case examples.

Key Stages

The process is composed of four key stages and is designed to streamline the entire incident handling from alert ingestion to case remediation

Stage	Description
Alert Ingestion	In the Alert Ingestion process, alerts are harvested from external systems, such as SIEMs (Security Information and Event Management) or other monitoring tools, in real time. This process collects raw alert data as soon as it is generated by the vendor. The primary action in this stage is to open an alert record, which stores the received payload for further processing. This is the starting point of the workflow where data enters the system.
Alert Processing	The Alert Processing phase extracts key observables from raw alert data using predefined templates in the Alert Templates Table. The system checks whether each alert has already been processed and flags unprocessed alerts for further attention, ensuring efficient and accurate data handling.
Enrichments	The Enrichment process is designed to enrich and maintain the enrichment of observables. This phase is fully customizable for each customer, allowing adjustments based on their specific toolset and preferred enrichment methods. It consists of vendor-specific subflows, which can be selected or tailored per client.
Response	The Response process is designed to automate the response process for cases. This phase can be fully customized to suit each customer’s specific tools and preferred workflows.

Flow Diagram Showing the Case Management Automated Processes

The following flow diagram provides an in-depth explanation of how Blink handles alert and case processing, offering insights into each stage of the workflow, associated subflows, data transformations, and examples for testing.

Detailed Guide of the Automated Case Management Process - Use Case Example

Blink’s Automated Case Management Process is fully customizable to support a wide range of client requirements, workflows, and tools.

Scenario: CrowdStrike detected a suspicious file /Users/wilder/whoami.rtf being executed as a command, despite its rtf extension suggesting a benign document. This behavior is characteristic of the Masquerading technique, where adversaries disguise executable files using misleading extensions.

Stage 1- Alert Ingestion

Description: This workflow is triggered by a CrowdStrike Webhook Event, initiating the ‘Alert Ingestion’ process automatically upon receiving an event from CrowdStrike. How It Works: Upon receiving a webhook event from CrowdStrike, the workflow performs the following steps:

Get Alert Details – Retrieves detailed information about the alert using the configured CrowdStrike connector.
Create Alert – Uses the retrieved data to create a new alert record in the Alert Table
From there, it proceeds to the next stage in the pipeline—Alert Processing, where additional alert analysis and case handling actions are performed.

Alert Payload Example

 {
  "agent_id": "88a37ca1562e4abc800f4e548e83f899",
  "aggregate_id": "aggind:bc44a7a3e758465f857867dcf4ac8c17:565469335392665337",
  "alleged_filetype": "rtf",
  "cid": "5686234480df4be090fbcf044a2708d4",
  "cloud_indicator": false,
  "cmdline": "./whoami.rtf",
  "composite_id": "5686234480df4be090fbcf044a2708d4:ind:bc44a7a3e758465f857867dcf4ac8c17:565469335361356727-145-335777",
  "confidence": 50,
  "context_timestamp": "2024-07-24T15:25:00.113Z",
  "control_graph_id": "ctg:bc44a7a3e758465f857867dcf4ac8c17:565469335392665337",
  "crawled_timestamp": "2024-07-24T19:24:30.660636531Z",
  "created_timestamp": "2024-07-24T15:26:04.807574447Z",
  "data_domains": [
    "Endpoint"
  ],
  "description": "An executable was run with a contradicting file extension",
  "device": {
    "agent_load_flags": "0",
    "agent_local_time": "2024-07-16T13:16:41.364Z",
    "agent_version": "7.17.18604.0",
    "cid": "5686234480df4be090fbcf044a2708d4",
    "config_id_base": "65994763",
    "config_id_build": "18604",
    "config_id_platform": "4",
    "device_id": "bc44a7a3e758465f857867dcf4ac8c17",
    "external_ip": "180.112.146.250",
    "first_seen": "2024-05-16T12:50:44Z",
    "hostname": "DESKTOP-HLLEERH",
    "last_seen": "2024-07-24T14:58:25Z",
    "local_ip": "10.200.200.4",
    "mac_address": "b0-de-28-07-15-64",
    "major_version": "21",
    "minor_version": "3",
    "modified_timestamp": "2024-07-24T15:22:09Z",
    "os_version": "Monterey (12)",
    "ou": null,
    "platform_id": "1",
    "platform_name": "Mac",
    "pod_labels": null,
    "product_type_desc": "Workstation",
    "status": "normal",
    "system_manufacturer": "Apple Inc.",
    "system_product_name": "MacBookPro18,1"
  },
  "display_name": "FalseExecutableExtension",
  "documents_accessed": [
    {
      "filename": "dtracehelper",
      "filepath": "/dev/",
      "timestamp": "1721834700"
    }
  ],
  "email_sent": true,
  "falcon_host_link": "https://falcon.us-2.crowdstrike.com/activity-v2/detections/5686234480df4be090fbcf044a2708d4:ind:bc44a7a3e758465f857867dcf4ac8c17:565469335361356727-145-335777?_cid=g04000ul2m72oytvdbnm7n4e6bu5pkj4",
  "filename": "whoami.rtf",
  "filepath": "/Users/wilder/whoami.rtf",
  "files_accessed": [
    {
      "filename": "dtracehelper",
      "filepath": "/dev/",
      "timestamp": "1721834700"
    }
  ],
  "global_prevalence": "common",
  "grandparent_details": {
    "cmdline": "login -pf wilder",
    "filename": "login",
    "filepath": "/usr/bin/login",
    "local_process_id": "682",
    "md5": "0e4f66991f4bfd0e96e5d28b52460ebf",
    "process_graph_id": "pid:bc44a7a3e758465f857867dcf4ac8c17:565244152166793222",
    "process_id": "565244152166793222",
    "sha256": "178ba564b39bd07577e974a9b677dfd86ffa1f1d0299dfd958eb883c5ef6c3e1",
    "timestamp": "1601-01-01T00:00:00.000Z",
    "user_graph_id": "uid:bc44a7a3e758465f857867dcf4ac8c17:0",
    "user_id": "S-1-5-18",
    "user_name": "root"
  },
  "id": "ind:bc44a7a3e758465f857867dcf4ac8c17:565469335361356727-145-335777",
  "incident": {
    "created": "2024-07-24T15:24:36Z",
    "end": "2024-07-24T15:26:01Z",
    "id": "inc:bc44a7a3e758465f857867dcf4ac8c17:e6cb706ea495450fb779ad0a1e084bda",
    "score": "19.15170747011056",
    "start": "2024-07-24T15:24:36Z"
  },
  "indicator_id": "ind:bc44a7a3e758465f857867dcf4ac8c17:565469335361356727-145-335777",
  "ioc_context": [],
  "ioc_values": [],
  "local_prevalence": "common",
  "local_process_id": "44019",
  "md5": "32ff28d4fdb4b244c355d7f8378fa2b1",
  "name": "FalseExecutableExtension",
  "objective": "Keep Access",
  "parent_details": {
    "cmdline": "-zsh",
    "filename": "zsh",
    "filepath": "/bin/zsh",
    "local_process_id": "687",
    "md5": "ee37d643ed7bd33fac61ebe8b1d8e073",
    "process_graph_id": "pid:bc44a7a3e758465f857867dcf4ac8c17:565244152228659208",
    "process_id": "565244152228659208",
    "sha256": "298a078b749c97d3a4523e89969deb51b0b779adb7f65b4aec321202002577e5",
    "timestamp": "1601-01-01T00:00:00.000Z",
    "user_graph_id": "uid:bc44a7a3e758465f857867dcf4ac8c17:501",
    "user_id": "S-1-5-21-1181572197-2209085151-3031813589-2002",
    "user_name": "bart.s"
  },
  "parent_process_id": "565244152228659208",
  "pattern_disposition": 0,
  "pattern_disposition_description": "Detection, standard detection.",
  "pattern_disposition_details": {
    "blocking_unsupported_or_disabled": false,
    "bootup_safeguard_enabled": false,
    "containment_file_system": false,
    "critical_process_disabled": false,
    "detect": false,
    "fs_operation_blocked": false,
    "handle_operation_downgraded": false,
    "inddet_mask": false,
    "indicator": false,
    "kill_action_failed": false,
    "kill_parent": false,
    "kill_process": false,
    "kill_subprocess": false,
    "mfa_required": false,
    "operation_blocked": false,
    "policy_disabled": false,
    "prevention_provisioning_enabled": false,
    "process_blocked": false,
    "quarantine_file": false,
    "quarantine_machine": false,
    "registry_operation_blocked": false,
    "response_action_already_applied": false,
    "response_action_failed": false,
    "response_action_triggered": false,
    "rooting": false,
    "sensor_only": false,
    "suspend_parent": false,
    "suspend_process": false
  },
  "pattern_id": 145,
  "platform": "Mac",
  "poly_id": "AABWhiNEgN9L4JD7zwRKJwjUjue4OYRYzSSQIMIYFE0J6gAATiFO4j02EtTYtAeSSEqcF91NS8SYOJndbBi10afYl7tEbw==",
  "process_end_time": "1721834700",
  "process_id": "565469335361356727",
  "process_start_time": "1721834699",
  "product": "epp",
  "scenario": "suspicious_activity",
  "seconds_to_resolved": 0,
  "seconds_to_triaged": 0,
  "severity": 50,
  "severity_name": "Medium",
  "sha1": "0000000000000000000000000000000000000000",
  "sha256": "c8246b2408325fa8abedb4afa8fa9f93051834f6d38607ed5c58ba45b95294a0",
  "show_in_ui": true,
  "source_products": [
    "Falcon Insight"
  ],
  "source_vendors": [
    "CrowdStrike"
  ],
  "status": "new",
  "tactic": "Defense Evasion",
  "tactic_id": "TA0005",
  "technique": "Masquerading",
  "technique_id": "T1036",
  "timestamp": "2024-07-24T15:25:00.395Z",
  "tree_id": "565469335392665337",
  "tree_root": "565469335361356727",
  "triggering_process_graph_id": "pid:bc44a7a3e758465f857867dcf4ac8c17:565469335361356727",
  "type": "ldt",
  "updated_timestamp": "2024-07-24T19:24:30.660624427Z",
  "user_id": "S-1-5-21-1181572197-2209085151-3031813589-2002",
  "user_name": "bart.s",
  "user_principal": "bart.s@Springfield.us"
}

Stage 2- Alert Processing

Once the alert is recorded in the Alert Table, Blink continues the investigation by extracting meaningful data and observables.

Create Observable Extraction Rules

Description: Observable Extraction Rules are configured to define which data fields from the alert payload should be extracted and classified as observables and relations(if they exist).
How it Works: These rules look into the alert’s structured data (JSON format) and match specific fields, such as agent_id, user_name, sha256, etc. Each extracted observable is then assigned a type (e.g., IP address, file hash) and a relation to the alert (e.g., Target Host, Attacker IP). This mapping helps define the scope of the threat and gives investigators a clearer view of how entities are related.

In the following example, the following observables and it’s relations are defined in the Observable Extraction Rules:

Observable	Type	Explanation	Relation
`agent_id`	Device Agent Id	Unique identifier for the CrowdStrike agent installed on the device.	Target Device
`device.external_ip`	IP Address	The external/public IP address of the machine at the time of the alert.	Attacker IP Address
`device.hostname`	Hostname	The hostname of the device involved in the detection.	Target Host
`device.local_ip`	IP Address	The local/internal IP address of the endpoint.	Target IP Address
`parent_details.sha256`	File Hash	SHA256 hash of the parent process (zsh) that launched the suspicious file.	Parent Process Hash
`sha256`	File Hash	SHA256 hash of the child process that launched the suspicious file	No relation
`user_name`	Username	The username (bart.s) associated with the user who executed the process	Target User
`user_name`	Username	The username (root) associated with the grandparent process	Target User

Note: Not all extracted observables will have observable relations, and defining such relationships is not mandatory. However, when relations exist—such as a file being associated with a specific IP address or command execution—these will be automatically extracted and identified as part of the process. This helps build a clearer picture of the attack chain and supports better investigation and response.

Execute the Extract Observable action

Description: The Extract Observable action automatically identifies and stores key observables based on the configured rules.
How it works:This action runs the extraction logic and outputs matched observables along with their context and relationships. The observables are stored in the Observables Table and are available for further enrichment or case correlation.

Example of `JSON` Ouput

{
  "matched_rule": true,
  "rule": "False Executable",
  "processing_status": "Mid-processing",
  "extracted_observables": [
    {
      "id": "9785b8cf-555c-4969-b0b8-cbeae5791d3f",
      "name": "agent_id",
      "type": "Device Agent ID",
      "content": "cdd5be18804244df8b849069294563e4",
      "relation": "Target Device",
      "is_new": true
    },
    {
      "id": "7fbff996-e653-4f80-9efa-ab6b2a00a525",
      "name": "external_ip",
      "type": "IP Address",
      "content": "180.112.146.250",
      "relation": "Attacker IP Address",
      "is_new": false
    },
    {
      "id": "045cb3b7-68e8-43e2-9ebd-64d210b08615",
      "name": "hostname",
      "type": "Hostname",
      "content": "DT-BART-SIMPSON",
      "relation": "Target Host",
      "is_new": false
    },
    {
      "id": "a0a8f04c-8181-4f5b-acd5-1d43996251f7",
      "name": "local_ip",
      "type": "IP Address",
      "content": "192.168.0.81",
      "relation": "Target IP Address",
      "is_new": false
    },
    {
      "id": "e2016490-a6c5-43a5-8f6f-21e786d2bcaa",
      "name": "sha256",
      "type": "File Hash",
      "content": "298a078b749c97d3a4523e89969deb51b0b779adb7f65b4aec32120200257790",
      "relation": "Parent Process Hash",
      "is_new": false
    },
    {
      "id": "8aee406f-d970-4839-ba99-49daf34199b2",
      "name": "sha256",
      "type": "File Hash",
      "content": "8d3f68b16f0710f858d8c1d2c699260e6f43161a5510abb0e7ba567bd72c965b",
      "relation": "",
      "is_new": false
    },
    {
      "id": "386e5762-340a-4629-b49a-8018a34299c2",
      "name": "user_name",
      "type": "Username",
      "content": "sam.gamgee",
      "relation": "Target User",
      "is_new": false
    },
    {
      "id": "bca048c7-eeef-4125-ad5e-f2b4a620eeff",
      "name": "user_principal",
      "type": "Username",
      "content": "sam.gamgee@gardens.nz",
      "relation": "Target User",
      "is_new": false
    }
  ],
  "case_type": "Malware",
  "new_observables": [
      {
      "id": "9785b8cf-555c-4969-b0b8-cbeae5791d3f",
      "name": "agent_id",
      "type": "Device Agent ID",
      "content": "cdd5be18804244df8b849069294563e4",
      "relation": "Target Device",
      "is_new": true
    }
  ]
}

Create Deduplication Rules

Description: Deduplication Rules define how Blink identifies alerts that are likely part of the same incident. These rules help avoid duplicate case creation and ensure incident responders have full context.
How It Works: For every alert, Blink applies pre-defined or custom deduplication logic using key fields (such as filename, hash, host, tactic/technique). These rules match patterns across similar alerts to decide whether to group them into a single case.

Execute the Case Deduplication action

Description: Blink checks whether the current alert matches an existing case using deduplication logic. It then decides to either create a new case or append the alert to an existing one.
How It Works:
- A deduplication rule (like False Executable) is applied to the incoming alert.
- If the alert matches an existing case, it is added to that case, updating the case’s observable and alert lists.
- If no match is found, a new case is created and populated with observables, alerts, and other metadata like severity, case type, and ID.

Example of `JSON` Ouput

{
  "is_unique": false,
  "matched_rule": true,
  "rule": "False Executable",
  "case": {
    "updated_by": "8681d697-b686-48b7-8cb1-915452a19593",
    "task_ids": null,
    "auto_id": 4,
    "case_ids": null,
    "summary": null,
    "closed_by_automation": false,
    "case_tags": null,
    "name": "FalseExecutableExtension",
    "closed_at": null,
    "sla": null,
    "type": "Malware",
    "created_at": 1744805810293,
    "severity": 2,
    "overview": null,
    "mitre_attack": null,
    "updated_at": 1744805810293,
    "observable_ids": [
      "045cb3b7-68e8-43e2-9ebd-64d210b08615",
      "8aee406f-d970-4839-ba99-49daf34199b2",
      "7fbff996-e653-4f80-9efa-ab6b2a00a525",
      "a0a8f04c-8181-4f5b-acd5-1d43996251f7",
      "bca048c7-eeef-4125-ad5e-f2b4a620eeff",
      "9785b8cf-555c-4969-b0b8-cbeae5791d3f",
      "e2016490-a6c5-43a5-8f6f-21e786d2bcaa",
      "386e5762-340a-4629-b49a-8018a34299c2"
    ],
    "case_manager": null,
    "created_by": "8681d697-b686-48b7-8cb1-915452a19593",
    "closed_by": null,
    "close_reason": null,
    "collaborators": null,
    "sla_expiry": null,
    "case_id": "INC-00004",
    "status": "NEW",
    "alert_ids": [
      "a7a702ff-cdf0-4493-a125-9252316bfa85"
    ],
    "attachment_ids": null,
    "vendors": null,
    "id": "dd52de81-815f-4d4f-984c-0b7f0dfd7a79"
  }
}

Stage 3-Enrich Observables

Description: This stage enriches any newly extracted observables to provide analysts with additional context during investigation.How It Works:

This stage takes newly discovered observables listed in the new_observables field (as seen in the output from the Extract Observables step).
Each observable’s type is automatically detected. In this example, the Agent Device observable type is detected.
Observables are passed to the Enrich Observables- Main Router subflow, which dynamically routes them to the appropriate enrichment logic based on their type.ֿ
The corresponding enrichment actions are then executed—each tailored to the specific observable type.
the results are appended to the observable metadata and made available in the case for analyst review.

In the provided example, the Enrich Observables- Main Router is configured to handle various observable types through conditional logic:

The observable with type Device Agent ID (e.g., cdd5be18804244df8b849069294563e4) triggers the first case in the switch logic.
This routes the observable to the CrowdStrike enrichment step (Enrich - Agent ID - CrowdStrike) to retrieve relevant device data.

Additional cases (not shown here) can be configured for usernames, file hashes, domains, and more. This approach ensures observables are enriched consistently and automatically, without requiring hardcoded paths for each case.

Example of `JSON` Ouput

{
  "matched_rule": true,
  "rule": "False Executable",
  "processing_status": "Mid-processing",
  "extracted_observables": [
    {
      "id": "9785b8cf-555c-4969-b0b8-cbeae5791d3f",
      "name": "agent_id",
      "type": "Device Agent ID",
      "content": "cdd5be18804244df8b849069294563e4",
      "relation": "Target Device",
      "is_new": true
    },
    {
      "id": "7fbff996-e653-4f80-9efa-ab6b2a00a525",
      "name": "external_ip",
      "type": "IP Address",
      "content": "180.112.146.250",
      "relation": "Attacker IP Address",
      "is_new": false
    },
    {
      "id": "045cb3b7-68e8-43e2-9ebd-64d210b08615",
      "name": "hostname",
      "type": "Hostname",
      "content": "DT-BART-SIMPSON",
      "relation": "Target Host",
      "is_new": false
    },
    {
      "id": "a0a8f04c-8181-4f5b-acd5-1d43996251f7",
      "name": "local_ip",
      "type": "IP Address",
      "content": "192.168.0.81",
      "relation": "Target IP Address",
      "is_new": false
    },
    {
      "id": "e2016490-a6c5-43a5-8f6f-21e786d2bcaa",
      "name": "sha256",
      "type": "File Hash",
      "content": "298a078b749c97d3a4523e89969deb51b0b779adb7f65b4aec32120200257790",
      "relation": "Parent Process Hash",
      "is_new": false
    },
    {
      "id": "8aee406f-d970-4839-ba99-49daf34199b2",
      "name": "sha256",
      "type": "File Hash",
      "content": "8d3f68b16f0710f858d8c1d2c699260e6f43161a5510abb0e7ba567bd72c965b",
      "relation": "",
      "is_new": false
    },
    {
      "id": "386e5762-340a-4629-b49a-8018a34299c2",
      "name": "user_name",
      "type": "Username",
      "content": "sam.gamgee",
      "relation": "Target User",
      "is_new": false
    },
    {
      "id": "bca048c7-eeef-4125-ad5e-f2b4a620eeff",
      "name": "user_principal",
      "type": "Username",
      "content": "sam.gamgee@gardens.nz",
      "relation": "Target User",
      "is_new": false
    }
  ],
  "case_type": "Malware",
  "new_observables": [
      {
      "id": "9785b8cf-555c-4969-b0b8-cbeae5791d3f",
      "name": "agent_id",
      "type": "Device Agent ID",
      "content": "cdd5be18804244df8b849069294563e4",
      "relation": "Target Device",
      "is_new": true
    }
  ]
}

Stage 4- Response

Description: Blink triggers automated workflows to respond to the alert.
How It Works:
- Workflows include actions such as blocking an IP, disabling a user account, or notifying a security team.
- Response steps are configured based on the severity and type of the alert.

Response Example:

Triggered Action: Block IP address “192.168.1.1” via firewall.

Workflow Execution Log:

{
  "action": "block_ip",
  "target": "192.168.1.1",
  "status": "Success"
}

Case Management

Automated Case Management

Case Management Interface

Triggers & Actions

Case Management Settings

About Automated Case Management Process

Key Stages

Flow Diagram Showing the Case Management Automated Processes

Detailed Guide of the Automated Case Management Process - Use Case Example

Create Observable Extraction Rules

Execute the Extract Observable action

Create Deduplication Rules

Execute the Case Deduplication action

Case Management

Automated Case Management

Case Management Interface

Triggers & Actions

Case Management Settings

​Key Stages

​Flow Diagram Showing the Case Management Automated Processes

​Detailed Guide of the Automated Case Management Process - Use Case Example

Key Stages

Flow Diagram Showing the Case Management Automated Processes

Detailed Guide of the Automated Case Management Process - Use Case Example