Security Case Management

Security Case Management provides a means for security analysts who are engaged in threat hunting to gather information on suspicious activity in their environment. Case-related records, such as security incidents, observables, CIs, and affected users can be added to cases to accommodate broad and specific analysis.

With the ability to easily pivot through the records and related information, analysts can assess whether they are facing a targeted campaign, advanced persistent threat, and so forth.

Security cases can be created from various sources on your instance, including:

  • Security Case Management
  • Security Incident Response
  • Threat Intelligence

You can also create cases from configuration items and affected users in the Configuration Items [cmdb.ci] and Users [sys.user] tables, respectively. After cases have been created, each of these sources can be also used to add valuable analysis resources to existing cases.

Each security case consists of three main sections:
  • A header section
  • A section with additional case details
  • A section containing a collection of artifacts or records that aid in building an argument for identifying and dealing with particular threats

Case header

Figure 1. Case header section

The case header provides basic information used to identify and classify the security case. The case number uses the SCA prefix.

Additional case details

Figure 2. Additional Case Details section

Additional Case Details section provides information specific to the analysis that has already been performed on the case, including its current state, and work notes and activities recorded for the case.

Case artifacts

Figure 3. Case Artifacts section

The Case Artifacts section provides a series of tabs of information contained in the security case.

You can perform searches within the contents of each tab. You can also exclude specific records you have already evaluated as being safe or which are of no value in your investigation. The excluded records are not deleted, but are hidden from view. If needed, you can view excluded records and add them back.

Within each tab, you can click the Additional Details (Additional Details) icon to show related information for the selected record. For example, if you click the Users tab to view the Case Users Explorer, and click the Additional Details icon for a specific user, you can view the incidents and configuration items associated with that user.
Figure 4. Case Artifacts—related detail
Related data on users
You can also select a record and click the Annotate button for a case-related artifact to add annotations to the record. Annotations are simply notes that each analyst can make on a particular artifact.
Figure 5. Security Annotations
Annotations
Other tools the analyst can use for examining cases include: