Create a security incident from case

  • Release version: Washingtondc
  • Updated April 14, 2025
  • Create security incidents and associate observables to the security incidents from a TISC case.

    Before you begin

    Role required: sn_sec_tisc.analyst, sn_sec_tisc.admin

    Procedure

    1. Navigate to Workspaces > Threat Intelligence Security Center.
    2. Click the Threat Analyst Workbench icon.
    3. Go to Case Management > All Cases.
      All the cases are displayed.
    4. Open any case.
    5. Click the Create Security Incident button.
      The Create Security Incident dialog box is displayed.
    6. Fill in the form with the appropriate incident details:
      Table 1. Add details
      Field               Description
      ------------------  ------------------------------------------------------------
      Short description   Provide a description for the security incident.
      Description         Enter a description of the incident.
      Category            Defines the classification of the incident based on its category.
      Priority            Defines the priority of the incident.
      Subcategory         Defines the subclassification of the incident based on its category.
      Assignment group    Specifies the assignment group to which the security incident is assigned.
      Parent              Indicates the parent case ID from where the security incident originated.
    7. Click Next to continue.
    8. Select the observables associated with the TISC case to link them to a security incident, and then click Next to proceed.
    9. Review the security incident details, then click Create to continue and create the incident.
      Note:
      • A confirmation message is displayed indicating that the security incident is created, with a link to the incident. From there, you can directly view the incident in the Security Incident Response Workspace.
      • A work note is also posted on the activity stream indicating that the security incident was successfully created from the TISC case. The work note also includes a link to the TISC case confirming that the selected observables have been associated with the security incident.
      • You can also verify this by accessing the Related Records tab of the Security Incident Response Workspace and reviewing the observable entries under Threat Intel > Associated Observables. From there, you can also view the associated observables under the TISC Context section. You may notice that these observables have been directly associated from TISC.
      After the incident is created, you will be redirected to the Artifacts tab of the case.
    10. Go to the Security Incidents section under the Artifacts tab to view the incidents.
      Note:
      A work note is also posted on the TISC case activity stream indicating that the security incident (security incident number) is created with the associated TISC observables. This work note includes details such as the observable type and observable value.