Create a security incident from a TISC case
Create security incidents and associate observables to the security incidents from a TISC case.
Before you begin
Role required: sn_si_basic
Procedure
- Navigate to All > Workspaces > Threat Intelligence Security Center.
- Click the Threat Analyst Workbench icon.
- Go to Case Management > All Cases.
  All the cases are displayed.
- Open any case.
- Click the Create Security Incident button.
  Note: On the Case Management Workbench, the Create Security Incident button is enabled only for open case records and is disabled for closed case records.
  The Create Security Incident dialog box is displayed.
- Fill in the form with the appropriate incident details:

  Table 1. Add details

  | Field | Description |
  | --- | --- |
  | Short description | Enter a short description of the security incident. |
  | Description | Enter a description of the security incident. |
  | Category | Defines the classification of the security incident. |
  | Priority | Defines the priority of the security incident. |
  | Subcategory | Defines the sub-classification of the security incident based on its category. |
  | Assignment group | Specifies the assignment group to which the security incident should be assigned. |
  | Parent | Indicates the parent security incident, which is the TISC case from which this action is triggered. |

- Click Next to continue.
  Note: You must enter all the mandatory fields; the Next button remains disabled until all required fields are filled in.
- Select the observables associated with the TISC case to link them to the security incident, and then click Next to proceed.
- Review the security incident details and the observables that will be associated with the newly created security incident, and then click Create to create the security incident.
  Note: A confirmation message is displayed indicating that the security incident is created, with a link to the security incident. Clicking the link directs you to the security incident in the Security Incident Response Workspace. After the security incident is created, you are redirected to the TISC Artifacts tab of the case.
- Go to the Security Incidents section under the TISC Artifacts tab to view the incidents.
  Note: A work note is also posted on the TISC case activity stream indicating that the security incident (identified by its security incident number) is created with the associated TISC observables. This work note includes details such as the observable type and observable value.
On the Security Incident Response Workspace, on the security incident form:
- A work note is posted on the activity stream indicating that the security incident was successfully created from the TISC case. This work note also includes a link to the TISC case, confirming that the selected observables have been associated with the security incident.
- In addition, you can verify this by opening the Related Records tab of the Security Incident Response Workspace and reviewing the observable entries under Threat Intel > Associated Observables. From there, you can also view the associated observables under the TISC Context section, where these observables are shown as directly associated from TISC.