Case Details
  • 17 Aug 2023

Overview

The Case Details card, located at the top right of a Workflow Case, displays important details about the Case, including time-based information related to the Case, Tags that have been applied to the Case, and a description of the Case. This article describes the elements included in the Case Details card, as well as how to update each element.

Before You Start

Minimum Role(s)
  • Organization role of Read Only User (for viewing the Case Details card and its contents)
  • Organization role of Standard User (for updating a Case's Time of Occurrence, Time of Detection, Case Open Time, and Case Close Time; applying and removing Tags; and updating a Case's description)
Prerequisites

Case Details Card

Figure 1 shows an example of a Case Details card for a Workflow Case.

Note
To collapse or expand the Case Details card, hover the cursor anywhere in the card and click the arrow displayed at the upper-right corner of the card.

Figure 1: Case Details (7.2.0)

  • Time of Occurrence: The date and time when a security incident or threat occurred.
  • Time of Detection: The date and time when a security incident or threat was detected (e.g., by a security team).
  • Case Open Time: The date and time when the Case was opened.
  • Case Close Time: The date and time when the Case was closed.
  • Tags: A list of standard Tags and ATT&CK® Tags applied to the Case. These are the same Tag objects used throughout ThreatConnect®.
  • Description: A description of the Case.

The four time-based elements (Time of Occurrence, Time of Detection, Case Open Time, and Case Close Time) are used to calculate the Mean Time to Detection (MTTD), MTTD Average, Mean Time to Resolution (MTTR), and MTTR Average Cases metrics dashboard cards.

Time of Occurrence

To set or update a Case's Time of Occurrence, hover over the Time of Occurrence label and then click Edit. A date and time selector will be displayed (Figure 2).

Figure 2: Date and time selector

  • Select the desired date and time.
  • Click Save to save your changes.

Time of Detection

To set or update a Case's Time of Detection, hover over the Time of Detection label, click Edit to display a date and time selector similar to the one in Figure 2, select the desired date and time, and then click Save.

Case Open Time

A Case's Case Open Time is set whenever the Case is created. If a Case is closed and re-opened at a later time, its Case Open Time will reflect the date and time that it was first opened, not the date and time that it was re-opened. You can update a Case's Case Open Time, which is helpful in situations such as when a Case is opened on a Friday evening, but is not worked on until the following Monday.

To update a Case's Case Open Time, hover over the Case Open Time label, click Edit to display a date and time selector similar to the one in Figure 2, select the desired date and time, and then click Save.

Note
A Timeline Event titled “Case Open Time Was Manually Changed” will be logged when you edit a Case's Case Open Time.

Case Close Time

A Case's Case Close Time is set whenever the Case is closed. If a Case is closed and re-opened at a later time, its Case Close Time will no longer have a value assigned to it. If the Case is closed again, its Case Close Time will reflect the new date and time that it was closed. While a Case is open, you cannot set or update its Case Close Time; however, you can do so once the Case is closed.

To update a closed Case's Case Close Time, hover over the Case Close Time label, click Edit to display a date and time selector similar to the one in Figure 2, select the desired date and time, and then click Save.

Note
A Timeline Event titled “Case Close Time Was Manually Changed” will be logged when you edit a Case's Case Close Time.

Tags

To apply Tags to a Case, click Edit in the Tags section of the Case Details card, or click on the Tags section. The Case's Tags will now be editable (Figure 3).

Note
Tags without an icon to the left of their name are standard Tags that have not been normalized to a main Tag through a Tag normalization rule. Tags with a main Tag icon are main Tags; that is, standard Tags for which a normalization rule has been enabled so that Tags defined as synonymous to the main Tag are converted to the main Tag when applied to an object. Tags with an ATT&CK Tag icon are ATT&CK Tags.

  • Begin entering text into the text box. As you type, one of the following menus will be displayed:
    • If there are existing standard Tags or ATT&CK Tags that match part or all of the entered text, a menu containing those Tags listed under Standard Tags and ATT&CK Tags headings, respectively, will be displayed. Select a Tag from the menu to add it to the text box.
    • If there are no existing Tags that match the entered text, a menu with the + Add “<entered text>” as a new tag option will be displayed. Select this option to create a new Tag that matches the entered text and add it to the text box.
  • Click the Confirm button to the right of the text box to apply the Tag(s) to the Case.

If you created a new Tag that matches a synonymous Tag listed in a Tag normalization rule, it will be converted to the main Tag listed in the rule. Similarly, if you created a new Tag that matches an ATT&CK Tag, it will be converted to that ATT&CK Tag.

Note
By default, any new Tag that exactly matches an ATT&CK Tag will be converted to that ATT&CK Tag. If a Tag’s owner is added to the Approximate Match ATT&CK Tag conversion rule, any new Tag created in that owner that exactly or approximately matches an ATT&CK Tag will be converted to that ATT&CK Tag.

Description

To edit a Case's description, hover over the Description section and click Edit at the upper-left corner of the text box. The Case’s description will now be editable (Figure 4).

Figure 4: Editable Case description

  • Make any desired changes to the Case's description.
  • Click Save to save your changes.

ThreatConnect® is a registered trademark of ThreatConnect, Inc.
MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation.

20126-01 v.02.A