Cases are the unit of management for security threats in Siemplify. A Case provides the ticketing capabilities a SOC needs (assignment, status, history, reporting) together with the investigation context described below.
Cases are viewed and managed from the Cases Queue; you can also locate a specific Case from the Search screen.
When data is ingested into Siemplify (usually in the form of security alerts or events), it is wrapped inside a Case for management purposes (tracking activity, incident response, etc.).
A Case always includes at least one alert, or several when Siemplify groups related alerts together. Each alert contains both the original raw data received from the data source and the objects Siemplify extracted from it (Entities, enrichment, etc.).
Siemplify groups related alerts into a Case automatically, regardless of which data source produced each alert, so that related activity reported by different tools is investigated as one threat rather than as separate tickets.
Security analysts can then:
- Understand the threat presented by the case
- Review the case graph for more context (via the Explore button)
- Review enrichment collected manually or with automation
- Review the activity recorded on the case (in the Case Wall)
- Manage the case as a ticket (close, re-open, merge, tag, track history, report and more)
- Run actions and playbooks on the alerts in the case
Let’s read a case and close it.
- Navigate to Cases, click the + sign above the cases queue and select Simulate Cases.
- Select the Zero to Hero case and click Create.
- Click on the Email case in your queue.
- To assign the case, select a team or a user from the dropdown on the top bar (for this exercise, assign it to yourself).
- The Case Wall tab now has a new entry showing that the case was reassigned.
- Go back to the Overview tab and review:
  - The name and time of the alert
  - Any Insights collected on the case
  - The Entities extracted, listed on the right side (an entity shown in red has been flagged as malicious)
- The case contains malicious activity, so mark it as an incident from the hamburger menu on the right (this also adjusts the priority of the case).
- Playbooks are attached to alerts, not to the case as a whole. To view a playbook, click one of the alert cards in the case (remember, the case may contain several alerts).
- Click the playbook's steps to see details of the actions each step ran.
- Once you have handled the threat, close the case by clicking the Close Case button at the top and filling in the reason in the dialog box.
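To make the case structure concrete, here is an added Python model (not Siemplify's code or SDK) of the flow described in the introduction and exercised in the walkthrough: events from different sources are wrapped in alerts, entities are extracted from the raw event, related alerts are grouped into one case regardless of source, and entities matching an indicator list are flagged as malicious, which marks the case as an incident and adjusts its priority. The entity patterns, the grouping rule (a shared entity within a time window), the indicator list and the sample events are all assumptions constructed for this example; Siemplify's actual grouping logic is configurable and is not reproduced here.

```python
import re
from dataclasses import dataclass, field

# Hypothetical extraction rules for three entity types. Siemplify's real
# extraction is configurable per connector; these patterns are an assumption.
ENTITY_PATTERNS = {
    "ADDRESS": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "FILEHASH": re.compile(r"\b[a-fA-F0-9]{64}\b"),
    "USER": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
}

# Constructed indicator list standing in for enrichment / threat intel (not real IOCs).
ATTACH_HASH = "a" * 64
BENIGN_HASH = "b" * 64
KNOWN_BAD = {("ADDRESS", "203.0.113.5"), ("FILEHASH", ATTACH_HASH)}


@dataclass
class Alert:
    source: str
    name: str
    timestamp: int                                # epoch seconds
    raw: str                                      # original event text from the data source
    entities: set = field(default_factory=set)    # (type, value) pairs extracted from raw


@dataclass
class Case:
    case_id: int
    alerts: list = field(default_factory=list)
    entities: set = field(default_factory=set)
    malicious: set = field(default_factory=set)   # entities the UI would show in red
    priority: str = "Medium"
    is_incident: bool = False


def extract_entities(raw):
    """Pull (type, value) entities out of raw event text; values are lower-cased."""
    found = set()
    for etype, pattern in ENTITY_PATTERNS.items():
        for value in pattern.findall(raw):
            found.add((etype, value.lower()))
    return found


def ingest(events, window_seconds=3600):
    """Wrap each event in an Alert and group alerts into Cases.

    Assumed grouping rule (not Siemplify's documented algorithm): an alert joins
    an existing case when it shares at least one entity with that case and
    arrives within window_seconds of the case's latest alert. The alert's source
    is deliberately ignored, so email-gateway, EDR and firewall alerts about the
    same hash or address land in one case.
    """
    cases = []
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        alert = Alert(ev["source"], ev["name"], ev["timestamp"], ev["raw"],
                      extract_entities(ev["raw"]))
        target = None
        for case in cases:
            latest = max(a.timestamp for a in case.alerts)
            if alert.entities & case.entities and alert.timestamp - latest <= window_seconds:
                target = case
                break
        if target is None:
            target = Case(case_id=len(cases) + 1)
            cases.append(target)
        target.alerts.append(alert)
        target.entities |= alert.entities
    return cases


def enrich(case, indicators=KNOWN_BAD):
    """Flag entities that match the indicator set; a hit marks the case as an
    incident and raises its priority, mirroring the manual step in the walkthrough."""
    case.malicious = case.entities & indicators
    if case.malicious:
        case.is_incident = True
        case.priority = "Critical"
    return case


SAMPLE_EVENTS = [  # constructed sample events, not real telemetry
    {"source": "EmailGateway", "name": "Phishing email", "timestamp": 1000,
     "raw": f"from=attacker@evil-example.test to=bob@corp.example attachment_sha256={ATTACH_HASH}"},
    {"source": "EDR", "name": "Suspicious process", "timestamp": 1600,
     "raw": f"host=WS01 user=bob@corp.example sha256={ATTACH_HASH} connected_to=203.0.113.5"},
    {"source": "Firewall", "name": "Outbound connection", "timestamp": 2000,
     "raw": "src=10.0.0.7 dst=203.0.113.5 action=allow"},
    {"source": "EDR", "name": "Unrelated detection", "timestamp": 2100,
     "raw": f"host=WS09 user=alice@corp.example sha256={BENIGN_HASH}"},
]


def run(events=SAMPLE_EVENTS):
    """Ingest, group and enrich; returns the resulting cases."""
    return [enrich(case) for case in ingest(events)]


if __name__ == "__main__":
    for case in run():
        print(f"Case {case.case_id}: priority={case.priority} incident={case.is_incident}")
        for alert in case.alerts:
            print(f"  [{alert.source}] {alert.name} @ {alert.timestamp}")
        for etype, value in sorted(case.malicious):
            print(f"  RED {etype}: {value}")
```

Running the module prints the resulting cases: with the constructed events, the email-gateway, EDR and firewall alerts that share a hash or an address collapse into one Critical case with two red entities, while the unrelated EDR alert gets its own Medium case. Shrinking window_seconds splits the first case apart, which is the kind of tuning that decides whether an analyst sees one threat or several tickets.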