Create a case from IoCs or observables

In Threat Intelligence, you can create a case from artifacts (IoCs or observables). After the IoCs or observables have been used to create a case, you can use Security Case Management to analyze the data.

Before you begin

The Threat Intelligence plugin must be activated to use Security Case Management.

Role required: sn_ti.case_user_write

Procedure

  1. Navigate to the artifacts (IoCs or observables) you want to use to create a case.
    • To create a case from IoCs, navigate to Threat Intelligence > IoC Repository > Indicators.
    • To create a case from observables, navigate to Threat Intelligence > IoC Repository > Observables.
  2. In the list, select the artifacts you want added to a new case.
    Note: If you select multiple IoCs or observables, they are all added to the case.
  3. From the Actions on selected items drop-down list, select Add to Security Case.
    Add indicators to a new case
    The Add to Security Case dialog box opens. If you already have cases assigned to you, they display in the list.
    Add an indicator to the case
  4. Click Create New Case.
  5. Fill in the fields.
    Field Description
    Case Name Enter a name for this case.
    Description Enter a description that would be of value to the case analyst.
  6. Click Submit.
    A message at the top of the list indicates that a new case has been created, along with a link to the case in Security Case Management.
  7. Click the link to view the new case.