Add IoCs and observables to an existing case

You can add IoCs and observables to existing cases. After the security incidents have been added to cases, you can use Security Case Management to analyze the data.

Before you begin

The Threat Intelligence plugin must be activated to use Security Case Management.

Role required: sn_ti.case_user_write

Procedure

  1. Navigate to the artifacts (IoCs or observables) you want to add to existing cases.
    • To add IoCs to one or more cases, navigate to Threat Intelligence > IoC Repository > Indicators.
    • To add observables to one or more cases, navigate to Threat Intelligence > IoC Repository > Observables.
  2. In the list, select the artifact records you want to add to existing cases.
    Note: If you select multiple cases, the selected IoCs or observables are added to each of the selected cases.
  3. From the Actions on selected items drop-down list, select Add to Security Case.
    The Add to Security Case dialog box opens. If you already have cases assigned to you, they are displayed in the list.
  4. Select the cases to which you want to add the selected IoCs or observables.
    [Figure: Add an observable to an existing case]
  5. Click Add.
    A message indicates that the selected records have been added to the cases, along with a link to the cases in Security Case Management.