Add observables to TISC Case
Use this section to add security incidents or observables to a TISC case.
Before you begin
Role required: sn_si.analyst
Procedure
- Navigate to Workspaces > Security Incident Response Workspace > Security Incidents > All.
- Locate and open the security incident that you are investigating.
  You can also find it by searching for the incident ID, filtering with the Quick Filters section, or browsing by incident state.
- Select the TISC Context tab.
- Click the Add to TISC Case button.
  The Add to TISC Case dialog box displays. It shows only the TISC cases with which the record is not already associated.
- Select the observables.
- Select case(s) and click Add to add the cases to the observables and associate them to the security incident.
  Note: If you don't have any existing cases, you can also create a new case by clicking Create new TISC Case.
  The following confirmation messages are displayed:
  - The following observables are added as artifacts successfully.
  - The following observables are sent to TISC and will subsequently be added to the selected TISC case(s) records.
  Note: The processing and association of the observables are posted in the activity stream as and when the association is completed.
- View the associated case records by logging into Threat Intelligence Security Center Workspace for further steps.
  For more information, see TISC integration within SIR Workspace.
  Note: From the Security Incident Response workspace, you can also associate observables to case records from the Investigation and Related Records tabs.
  Note: To associate observables from Investigation, navigate to the Investigation tab, go to the Entry Points Lists section displayed on the left side of the page, and select Associated Observables to add observables to a TISC case. To associate from Related Records, see Add observables to TISC Case.