
Create Case to Track Security Issues

About case creation

Devo SOAR provides an integrated case management capability for you to track activity related to investigations of threats and other security issues. You can add comments and attachments to a case and create tasks to assign to selected users or groups. The case history is automatically created for each case action.

Devo SOAR also supports creating commands to help analyze cases. For example, you can assign commands created by a Devo SOAR user in your organization to a case so that the command output is part of the case record.

How to Create a Case

  1. Click Case Management > Cases in the left navigation.

  2. Click Create Case at the top of the screen to open the Create Case form.

  3. Select the Case Type. The case type depends on the type of business you are in. By default, the following fields are included for all case types:

    • Title: Enter a title that identifies the case.

    • Summary: Add a summary of the case. The summary area provides rich text controls for formatting and supports Markdown for basic syntax.

    • Assignee: Select a Devo SOAR user or group to assign the case to. When you assign a case to a group, any user in the group can work the case, and all group members receive case-related notifications.

    • Priority: Select the priority of the case.

  4. After you've entered the details, click Submit.

A typical case details page contains the following fields.

Summary: Allows you to add detailed information about a case.

Tasks: See Add Tasks to a Case.

Attachments: Allows you to add attachments that provide context to a case.

Linked Cases: Helps you identify similar cases. You can link a case by clicking either Search for Similar Cases or Suggested Cases.

Linked Alerts: Allows you to add alerts to a case by their IDs and view their details on the case details page. To know more, see Linked Alerts to Case below.

Comments: Allows you to view the comments related to a case.

Commands: Allows you to add commands for deeper analysis of a case.

History: Allows you to view a complete record of the changes made to a case.

Connect Slack Channel: If Slack integration is set up for your Devo SOAR instance, you can connect the case comments to a Slack channel. To know more, see Connect Cases with Slack.

Extracted Fields: Automatically extracts and stores the URLs, IP addresses, and file hashes found in the case title and description.

Additional Fields: All default fields are available. To add a new field, see Manage Case Fields.

Status: Allows you to change the status of the case as you progress: New, In Progress, Pending, Resolved, or Closed. You can also create custom statuses or modify the existing ones. To know more, see Manage Case Workflow.

Priority: Allows you to set the importance of the case: Critical, Blocker, High, Medium, Low, or Informational. You can create a custom priority based on your requirements. To know more, see Manage Priority.

Assigned To: Allows you to view or change the user the case is assigned to.

Created At: Shows the time at which the case was created.

Created By: Shows the name of the user who opened the case.

Case Report: View shows the complete case report at a glance. Send as email allows you to send the case report by email to recipients.

Watch Options: Allows you to be notified of every change to the case.
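To make the Extracted Fields behaviour concrete, here is an added illustration (not Devo SOAR's own extraction code, whose exact rules are not documented on this page) that pulls URLs, IPv4 addresses, and MD5/SHA-1/SHA-256 hashes out of a constructed case title and summary, discarding duplicates and invalid addresses:

```python
import re
from ipaddress import ip_address

# Patterns for the indicator types the Extracted Fields panel collects.
URL_RE = re.compile(r'https?://[^\s<>"\'\]\)]+', re.IGNORECASE)
IPV4_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')
# Word boundaries stop a SHA-256 from also matching as an MD5/SHA-1 substring.
HASH_RES = {
    "md5": re.compile(r'\b[0-9a-f]{32}\b', re.IGNORECASE),
    "sha1": re.compile(r'\b[0-9a-f]{40}\b', re.IGNORECASE),
    "sha256": re.compile(r'\b[0-9a-f]{64}\b', re.IGNORECASE),
}

def _dedupe(values):
    """Keep first occurrence of each value, preserving order of appearance."""
    seen, out = set(), []
    for v in values:
        if v not in seen:
            seen.add(v)
            out.append(v)
    return out

def extract_indicators(title: str, summary: str) -> dict:
    """Return URLs, valid IPv4 addresses and hashes found in title + summary."""
    text = f"{title}\n{summary}"
    # Strip sentence punctuation that the greedy URL pattern swallows.
    urls = [u.rstrip('.,;:') for u in URL_RE.findall(text)]
    ips = []
    for cand in IPV4_RE.findall(text):
        try:
            ip_address(cand)  # rejects octets above 255, e.g. 999.1.1.1
        except ValueError:
            continue
        ips.append(cand)
    hashes = {name: _dedupe(pat.findall(text)) for name, pat in HASH_RES.items()}
    return {"urls": _dedupe(urls), "ips": _dedupe(ips), "hashes": hashes}

# Constructed sample case text; the values are documentation examples, not real IoCs.
SAMPLE_TITLE = "Phishing link reported: http://example.com/login.php."
SAMPLE_SUMMARY = (
    "Beacon to 203.0.113.45 and 203.0.113.45 again; malformed 999.1.1.1 ignored.\n"
    "Attachment sha256 "
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 "
    "and md5 d41d8cd98f00b204e9800998ecf8427e."
)

if __name__ == "__main__":
    print(extract_indicators(SAMPLE_TITLE, SAMPLE_SUMMARY))
```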

Create Case from Playbook

Devo SOAR allows you to create a case from the playbook. To know more, see Add a Step to Create Cases and Alerts.

Add Commands and Integration

A command is a type of playbook that can ingest arguments rather than data from a source and give you the output based on the command’s logic. Commands are useful to execute as part of your case investigation for deeper analysis and associate command results directly with a case that you’re working on. Devo SOAR allows you to create commands for cases and run them directly from cases. For example, if an attack has occurred from a particular IP address, you can add a command that does an IP lookup and includes the results of the lookup in the Devo SOAR case.

Similarly, you can directly connect to an external application from the case. You can access or perform actions without leaving the case page. By adding integration in the case, you can send information to another application or pull information from that application into the case.

The results remain in Devo SOAR and you don’t have to access an external system or copy and paste results into the case management record.

To run an integration or command from a case, follow these steps:

  1. Go to the Commands section of the case.

  2. For commands, type a forward slash (/) to enter a command or select one from the drop-down list.

  3. For integrations, type an exclamation mark (!) to enter an integration or select one from the drop-down list.

  4. A selection list appears. Scroll to find and select the command or integration.

  5. Type additional characters to filter the list to matching entries. The command or integration you select is added to the entry area, and you are prompted to enter its parameters.

  6. After completing the command or integration as prompted, press Return to execute it and display the results. Use the controls in the upper right corner of the section to Prefill or Copy the command or integration, and use the arrow to expand or collapse the results.


If you run multiple commands or integrations, their history is retained in the section.

To know more, see Create Commands and Cases.

Linked Alerts to Case

The case details page lets you view the list of alerts linked to the case with a single click. Cases include a multi-select field, Linked Alerts, which allows you to add alerts to a case and search for alerts by their IDs.

In the Linked Alerts tab, you can:

  • Use the alert ID to link a single alert or multiple alerts

  • Perform a basic search when multiple alerts are added

  • Click on the arrow beside the linked alerts to see the details of the alert


Link Alerts and Cases from Playbook

You can now link alerts to a case from a playbook. To know more, see Add a Step to Create Cases and Alerts.
