Cases are used to track information about a campaign or threat actor threatening your organization. After a case is created, you can add artifacts that allow you to review and analyze all related information from a single case or case task.

Before you begin

Role required: sn_sec_tisc.analyst, sn_sec_tisc.admin

Procedure

  1. Navigate to Workspaces > Threat Intelligence Security Center.
  2. Click the Threat Analyst Workbench icon.
  3. Go to Case Management > All Cases.
    All the cases are displayed.
  4. Click New.
  5. Fill in the fields as appropriate.
    Table 1. Create New Case

    | Field | Description |
    | --- | --- |
    | Case ID | A unique identifier for the case. This is a system-generated ID. |
    | Short Description | A short summary of the request or issue that is being investigated. |
    | Description | A detailed description including any relevant information about the case, such as background, the analysis required, and the outcomes expected. |
    | Case Type | Select the type of case being investigated. The possible options for the investigation are: Threat Hunting, Request for Information, Vulnerability Management Case, Compliance Case, Incident Response Case, Collaboration Case, Others. |
    | Priority | An assessment of the severity of the request or issue. |
    | Assignment group | The assigned group responsible for working on the case. |
    | Status | The current status of the case. |
    | Assigned to | The analyst who is responsible for working on the case. |
    | Due Date | The date and time that the task is due to be completed or closed. |
    | Contributors | The list of assignees rolled up from tasks. You can add more contributors on top of this list. |
    | TLP | Unique value that indicates the data sensitivity setting per TLP (Traffic Light Protocol). |
    | Watch list | When a user is added to the watch list, the person receives email notifications on changes to status and priority. |
    | Enforce Restriction | Select this check box to modify the members of the allowed group and the allowed members. For more information, see Enforced Restrictions for case(s). |

  6. Fill in the fields in the Insights section, as appropriate.
    Table 2. Insights

    | Field | Description |
    | --- | --- |
    | Notes | Any additional notes related to the threat investigation. |
    | Recommendations or Actions | Any recommendations or actions related to the threat investigation. |
    | Analysis and Findings | Enter the analysis and findings related to the threat investigation. |
    | Closure Summary | Add the closure summary of the findings. |

  7. Click Save.
    After the record has been saved, you can click the Import Intelligence tab to import the threat intel data using the Import Intelligence feature.
    Note: If you are importing and processing data from Case Management, then a unique is associated to the import record.

    [Figure: Import intelligence - Case Management]