Security Case Management
Summary of Security Case Management
Security Case Management enables security analysts to effectively gather and analyze information on suspicious activities within their environment. This system allows for the creation and management of cases that can incorporate various records such as security incidents, observables, configuration items (CIs), and affected users. Analysts can easily navigate through these records to determine the nature of threats, including targeted campaigns and advanced persistent threats.
Key Features
- Case Creation: Cases can be initiated from multiple sources, including Security Case Management, Security Incident Response, and Threat Intelligence, as well as directly from configuration items and user tables.
- Case Structure: Each security case includes a header section for identification, an additional details section for ongoing analysis, and a case artifacts section that compiles relevant records.
- Search and Exclusion: Analysts can search within the case artifacts and exclude records deemed safe or irrelevant, which are hidden but can be reviewed later if necessary.
- Annotations: Analysts have the option to annotate records with notes for further context and collaboration.
- Integration Tools: Analysts can run sightings searches on observables and search for security artifacts to enhance their investigative efforts.
Key Outcomes
By utilizing Security Case Management, analysts can streamline their threat-hunting processes, effectively document their findings, and enhance collaboration through annotations. This structured approach helps in efficiently identifying and addressing security threats, ultimately improving the organization's security posture.
Security Case Management provides a means for security analysts who are engaged in threat hunting to gather information on suspicious activity in their environment. Case-related records, such as security incidents, observables, CIs, and affected users, can be added to cases to accommodate both broad and specific analysis.
With the ability to easily pivot through the records and related information, analysts can assess whether they are facing a targeted campaign, advanced persistent threat, and so forth.
Security cases can be created from various sources on your instance, including Security Case Management, Security Incident Response, and Threat Intelligence. You can also create cases from configuration items and affected users in the Configuration Items [cmdb.ci] and Users [sys.user] tables, respectively. After cases have been created, each of these sources can also be used to add valuable analysis resources to existing cases.
Each security case consists of three main sections: a header section, a section with additional case details, and a case artifacts section containing a collection of records that aid in building an argument for identifying and dealing with particular threats.
Case header
The case header provides basic information used to identify and classify the security case. The case number uses the SECC prefix.
Additional case details
The Additional Case Details section provides information specific to the analysis that has already been performed on the case, including its current state and the work notes and activities recorded for the case.
Case artifacts
The Case Artifacts section provides a series of tabs of information contained in the security case.
You can perform searches within the contents of each tab. You can also exclude specific records you have already evaluated as being safe or which are of no value in your investigation. The excluded records are not deleted, but are hidden from view. If needed, you can view excluded records and add them back.