Actions Menu

The Actions menu contains the following options:

• Mark as Important
• Incident
• Stage
• Priority
• Report
• Close Case (next to the Action menu)
  

Mark as Important

When an analyst wants to highlight a case, they can mark it as important via   > Mark as Important in the top right corner of the screen. A yellow triangle icon is then displayed with the case. The analyst can also remove the Important tag if required from the same menu.

Incident

When a case is considered extremely crucial and needs immediate attention, the analyst can mark it as an incident. Raising an incident sets the case priority to critical, changes the case stage to Incident, assigns the case to the SOC Manager and a notification is sent to all analysts. 

To mark a case that is assigned to you as an Incident:

1. Select a case from the queue, then choose   > Incident in the top right corner of the screen.
2. Click Yes in the Confirmation dialog box.
   

Stage

You can change a case stage, if it’s assigned to you, based on your organizational case management methods. 

1. Select a case from the queue, then choose    > Stage in the top right corner of the screen.
2. Select a stage from the following:
   • Triage - Default and the initial phase of a case once it is created.
   • Assessment - The case is assigned to the next tier for assessment.
   • Investigation - The case is assigned for further investigation of the alerts and entities involved.  
   • Improvement - Can mark case as Improvement as a reminder to improve SOC rules or for further investigation after the analysts have finished handling it. 
   • Research - The case is further researched for factors such as how the external entities got into your organization and so on.
   • Incident - The last phase of the case where it becomes crucial. After marking a case as an incident, you cannot revert/change it to any other stage.
3. Click Save.

Priority

*Siemplify recommends changing the priority of an alert and not the priority of a case as best practice.
For more information, see here.
You can change the priority of a case based on the importance with which it must be handled.

1. Select a case from the queue, then click   > Priority in the top right corner of the screen.
2. Select a priority from the following. Note that each priority is represented by the following colors:
   • Informative (grey)
   • Low (blue)
   • Medium (yellow)
   • High (orange)
   • Critical (red)
3. Click Ok. The case priority is changed.
4. You can also click the color directly on the top bar and change it from there.
   

Report 

You can download a report as a Word document which contains the following information:

• Case details
• Alerts, entities and insights of the case
• User and system activities on the case
• Playbook action and Case Activity 
  

1. Select a case from the queue, then click  > Report in the top right corner of the screen. 
2. Open the downloaded Word document to see the results.
   

Close Case

You can close a case once it’s resolved.

1. Select a case from the queue, then click   in the top right corner of the screen. 
2. In the Close Case popup, select a valid reason and a root cause for closing the case and type any additional comments. These will be posted on the Case wall.
3. Click Close.

*You can also close a case from the queue itself, by clicking on the three vertical dates to the right of the case in the Case Queue and clicking on Close Case. The Close Case dialog box will appear as above.