Add observables to TISC Case
Add observables to TISC case records.
Before you begin
Role required: sn_si.analyst, sn_sec_tisc.case_write
Procedure
- Navigate to Workspaces > Security Incident Response Workspace > Security Incidents > All.
- Locate and open the specific security incident that you are investigating.
  You can also do this by searching for the incident ID, browsing from the Quick Filters section, or filtering by incident state.
- Click the Related Records tab in the workspace.
  You can add observables to TISC case(s) from various tabs in the Security Incident Response Workspace.
  Note: You can navigate to the:
  - Observables details page from the Related Records tab.
  - Investigation tab, then go to the Entry Points Lists section displayed on the left side of the page and select Associated Observables to add observables to a TISC case.
  - For example, select Threat Intel > Associated Observables.
- Select one or more observables to add to case records.
  Note: You can also click any Observable record to open its Observables details page in a different tab, and add it to case records from there by clicking Add to TISC Case.
- Click the Capability actions split button.
- Select Add to TISC Case.
- Select the case(s) from the Add to Case dialog box.
  Note: Create a new TISC case if there are no case records. For more information on how to create case(s), see Creating cases using Threat Analyst Workbench.
- Click Add.
- Click the Case record, either in the information message that is displayed or in the Activity stream, to view the case in TISC.
  Note: If the observable does not have a corresponding TISC Observable, the selected observable in the SIR workspace is sent to TISC automatically and is subsequently added to the selected TISC case record(s). To view the linked observables, click the particular case record in the Activity stream. This takes you to the case record in the TISC workspace, where the observables are added under the Artifacts tab of the Case Management module.
Result
You have successfully sent the observables data to Threat Intelligence Security Center case management.