The Actions menu contains the following options:
Mark as Important
When an analyst wants to highlight a case, they can mark it as important via Actions > Mark as Important in the top right corner of the screen. A yellow triangle icon is then displayed with the case. The analyst can also remove the Important tag from the same menu if required.
Mark as Incident
When a case is considered extremely crucial and needs immediate attention, the analyst can mark it as an incident. Raising an incident sets the case priority to Critical, changes the case stage to Incident, assigns the case to the SOC Manager, and sends a notification to all analysts.
To mark a case that is assigned to you as an Incident:
- Select a case from the queue, then choose Actions > Incident in the top right corner of the screen.
- Click Yes in the Confirmation dialog box.
Change Stage
You can change the stage of a case that is assigned to you to match your organization's case management process.
- Select a case from the queue, then choose Actions > Stage in the top right corner of the screen.
- Select a stage from the following:
  - Triage - The default and initial phase of a case once it is created.
  - Assessment - The case is assigned to the next tier for assessment.
  - Investigation - The case is assigned for further investigation of the alerts and entities involved.
  - Improvement - Mark a case as Improvement as a reminder to improve SOC rules, or to flag it for further investigation after the analysts have finished handling it.
  - Research - The case is researched further, for example to determine how the external entities got into your organization.
  - Incident - The last phase of the case, where it becomes crucial. After marking a case as an incident, you cannot revert it to any other stage.
- Click Save.
Change Priority
- Select a case from the queue, then click Actions > Priority in the top right corner of the screen.
- Select one of the following priorities. Each priority is represented by the color shown:
  - Informative (grey)
  - Low (blue)
  - Medium (yellow)
  - High (orange)
  - Critical (red)
- Click OK. The case priority is changed.
- You can also click the color directly on the top bar and change the priority from there.
Download Report
You can download a report as a Word document that contains the following information:
- Case details
- Alerts, entities and insights of the case
- User and system activities on the case
- Playbook actions and Case Activity
To download the report:
- Select a case from the queue, then click Actions > Report in the top right corner of the screen.
- Open the downloaded Word document to see the results.
Close Case
You can close a case once it is resolved.
- Select a case from the queue, then click the close case option in the top right corner of the screen.
- In the Close Case popup, select a valid reason and a root cause for closing the case, and type any additional comments. These are posted on the Case wall.
- Click Close.