Creating Cases

A Workflow Case in ThreatConnect^® is a single instance of an investigation, inquiry, or other procedure. Cases contain all required elements of a notable event in a logical structure and allow you to capture key evidence that your security team can use to decide an appropriate course of action.

This article provides steps for creating Cases using a Workflow and without using a Workflow. It also describes how to add Artifacts to a Case during the Case creation process and apply a Workflow to an existing Case.

Creating a Case From a Workflow

1. On the top navigation bar, click Workflow to display the Cases screen.
2. Click the New Casebutton at the upper-right corner of the Cases screen. The New Case drawer will be displayed (Figure 1).

   

    

   • Name: Enter a name for the Case.
   • Workflow Template: Select a Workflow that will determine the structure of the Case (i.e., the Phases and Tasks that define the Case, the Artifacts that are to be collected within the Case, etc.). It is recommended that Cases be created from Workflows. For information on creating Cases without a Workflow, see the “Creating a Case Without a Workflow” section.
   • Description: Enter a description for the Case. If you selected a Workflow to apply to the Case, the Workflow’s description will be populated in this field automatically and can be modified as desired.
   • Tags: Enter one or more Tags to apply to the Case. These are the same standard Tag and ATT&CK^® Tag objects used throughout ThreatConnect.
   • Severity: Select a severity level for the Case (Critical, High, Medium, or Low).
   • Status: Select a status for the Case (Open or Closed).
   • Assignee: Select a user or user group to which the Case will be assigned. The user creating the Case is always the first available user in the list, followed by all other users in the Organization (in alphabetical order by first name), followed by user groups.
   • Viewable By: Select the users that will be able to view the Case. The default selection is Everyone (i.e., all users in the Organization). If only one user is selected, the Viewable By field will display that user’s name. If more than one user is selected, the field will display the number of users selected (e.g., 4 users). If no users are selected, the field will revert back to a selection of Everyone, because it does not make sense for a Case to be viewable by no one.
     Note

     User groups are not included in the Viewable By menu.
     Note

     Assignee(s) are selected automatically in the Viewable By menu.
   • Artifacts: Click the ADD ARTIFACT button to add one or more Artifacts to the Case. See the “Adding Artifacts to a Case” section for further instruction.
   • Notes: Enter a Note, either in plain text or in Markdown, to add to the Case. If using Markdown, click the Preview Markdown link to preview the text with the rendered Markdown formatting.
     Note

     The Note text box supports the Marked library (https://marked.js.org/).
   • Click the SAVE button.

After a Case is created, you can view it by clicking its Case card or selecting its entry in the table on the Cases screen.

Adding Artifacts to a Case

When creating a Case, click the ADD ARTIFACT button on the New Case drawer (Figure 1) to add one or more Artifacts to the Case. The New Case drawer will display fields for entering an Artifact (Figure 2).

• Type: Select the Artifact’s type. Available Artifact types include all ThreatConnect Indicator types and other data types determined by ThreatConnect and your System Administrator. To filter Artifact types, enter text in the search bar displayed at the top of the dropdown menu.
• Summary: Enter the Artifact's summary. This field dynamically adjusts based on the data type and UI element the Artifact type supports. Possible UI elements for this field include a text box, a date selector, a date and time selector, a dropdown, and an area to upload a file.
• Source: The default value of the Artifact’s source is the username of the user creating the Artifact. If desired, edit this value.
• Use to potentially associate cases.: Select this checkbox to allow ThreatConnect to use the Artifact to generate potential associations for Cases, Groups, and Indicators.
  
  Note

  If multiple Cases contain an Artifact with the same summary and type, and the Use to potentially associate cases. checkbox is selected for each copy of the Artifact, those Cases will be displayed in the Cases section of the Potential Associations card for each Case. Those Cases will also be listed in the CASES dropdown in the Links column of the Artifacts card for the Artifact.
  Important

  The default setting for this checkbox may vary across Artifact types. Also, if a System Administrator has disallowed the Artifact from being used to potentially associate Cases, then selection of this checkbox will not have any effect.
• Click the CREATE button.

The newly created Artifact will be displayed in a table in the Artifacts section of the New Case drawer (Figure 3).

To edit or delete an Artifact listed in the table, click the vertical ellipsis to the right of the Artifact and select Edit or Remove, respectively.

Creating a Case Without a Workflow

To create a Case without a Workflow applied to it, follow the instructions in the “Creating a Case From a Workflow” section. When configuring the Case on the New Case drawer (Figure 1), select None from the Workflow Template dropdown.

Cases created without Workflows applied to them do not contain predetermined Tasks or Phases. When adding Tasks to a Case without a Workflow applied to it, the Tasks will be compiled in one section, without any Phases (Figure 4).

Applying a Workflow After Creating a Case

You can apply a Workflow to a Case after creating the Case, but only before any Tasks have been added to the Case.

1. On the top navigation bar, click Workflow to display the Cases screen.
2. Select a Case to view. If a Workflow has not been applied to the Case and no Tasks have been added to it, the Phases and Tasks section will display a message stating that no Workflow has been applied to the Case (Figure 5).
   

    

3. Click the No Workflow area. The Assign Workflow window will be displayed (Figure 6).

   

    

   • Select a Workflow from the dropdown menu.
   • Click the ASSIGN button.
4. If no user is assigned to the Case but the selected Workflow has a default assignee, the Keep Unassigned? window will be displayed (Figure 7).

   

    

   • KEEP UNASSIGNED: Click this button to keep the Case unassigned.
   • CHANGE TO <name of default assignee>: Click this button to assign the Workflow’s default assignee to the Case.
5. If a user is assigned to the Case and that user is different from the selected Workflow’s default assignee, the Keep Current Assignee? window will be displayed (Figure 8).

   

    

   • KEEP <name of assignee>: Click this button to keep the current assignee of the Case.
   • CHANGE TO <name of default assignee>: Click this button to change the Case’s assignee to the Workflow’s default assignee.

After applying a Workflow to a Case, the Phases and Tasks section will be populated with Phases and Tasks based on the selected Workflow’s configuration, and the selected Workflow’s name (Email Investigation in this example) will be displayed to the right of the Workflow text, below the name of the Case’s assignee (Figure 9).

ThreatConnect^® is a registered trademark of ThreatConnect, Inc.
MITRE ATT&CK^® and ATT&CK^® are registered trademarks of The MITRE Corporation.

20122-03 v.04.F