Creating Cases
  • 17 Aug 2023

Creating a Case From a Workflow

  1. On the top navigation bar, click Workflow to display the Cases screen.
  2. Click the New Case button at the upper-right corner of the Cases screen. The New Case drawer will be displayed (Figure 1).

    Figure 1_Creating Cases_7.1.0

     

    • Name: Enter a name for the Case.
    • Workflow Template: Select a Workflow that will determine the structure of the Case (i.e., the Phases and Tasks that define the Case, the Artifacts that are to be collected within the Case, etc.). It is recommended that Cases be created from Workflows. For information on creating Cases without a Workflow, see the “Creating a Case Without a Workflow” section.
    • Description: Enter a description for the Case. If you selected a Workflow to apply to the Case, the Workflow’s description will be populated in this field automatically and can be modified as desired.
    • Tags: Enter one or more Tags to apply to the Case. These are the same standard Tag and ATT&CK® Tag objects used throughout ThreatConnect®.
    • Severity: Select a severity level for the Case (Critical, High, Medium, or Low).
    • Status: Select a status for the Case (Open or Closed).
    • Assignee: Select a user or user group to which the Case will be assigned. The user creating the Case is always the first available user in the list, followed by all other users in the Organization (in alphabetical order by first name), followed by user groups.
    • Viewable By: Select the users that will be able to view the Case. The default selection is Everyone (i.e., all users in the Organization). If only one user is selected, the Viewable By field will display that user’s name. If more than one user is selected, the field will display the number of users selected (e.g., 4 users). If no users are selected, the field will revert back to a selection of Everyone, because it does not make sense for a Case to be viewable by no one.
      Note
      User groups are not included in the Viewable By menu.
      Note
      Assignee(s) are selected automatically in the Viewable By menu.
    • Artifacts: Click the ADD ARTIFACT button to add one or more Artifacts to the Case. See the “Adding Artifacts to a Case” section for further instruction.
    • Notes: Enter a Note, either in plain text or in Markdown, to add to the Case. If using Markdown, click the Preview Markdown link to preview the text with the rendered Markdown formatting.
      Note
      The Note text box supports the Marked library (https://marked.js.org/).
    • Click the SAVE button.

After a Case is created, you can view it by clicking its Case card or selecting its entry in the table on the Cases screen.

Adding Artifacts to a Case

When creating a Case, click the ADD ARTIFACT button on the New Case drawer (Figure 1) to add one or more Artifacts to the Case. The New Case drawer will display fields for entering an Artifact (Figure 2).

  • Type: Select the Artifact’s type. To filter Artifact types, enter text in the search bar displayed at the top of the dropdown menu.
  • Summary: Provide the Artifact's summary. Note that this field dynamically adjusts based on the data type and UI element the Artifact type supports. Possible UI elements for this field include a text box, a date selector, a date and time selector, a dropdown, or an area to upload a file.
  • Source: If desired, change the default name of the source of the Artifact (i.e., the user who entered the Artifact).
  • Use to potentially associate cases.: Selecting this checkbox will cause Cases that include the Artifact to populate in the Cases section of the Potential Associations card. In other words, any Case that contains this Artifact will be considered to be potentially related to this Case because both Cases contain the same Artifact.
    Important
    The default setting for this checkbox may vary across Artifact types. Also, if a System Administrator has disallowed the Artifact from being used to potentially associate Cases, then selection of this checkbox will not have any effect.
  • Click the CREATE button.

The newly created Artifact will be displayed in a table in the Artifacts section of the New Case drawer (Figure 3).

To edit or delete an Artifact listed in the table, click the vertical ellipsis to the right of the Artifact and select Edit or Remove, respectively.

Creating a Case Without a Workflow

To create a Case without a Workflow applied to it, follow the instructions in the “Creating a Case From a Workflow” section. When configuring the Case on the New Case drawer (Figure 1), select None from the Workflow Template dropdown.

Cases created without Workflows applied to them do not contain predetermined Tasks or Phases. When adding Tasks to a Case without a Workflow applied to it, the Tasks will be compiled in one section, without any Phases (Figure 4).

Adding a Workflow After Creating a Case

You can apply a Workflow to a Case after creating the Case, but only before any Tasks have been added to the Case.

  1. On the top navigation bar, click Workflow to display the Cases screen.
  2. Select a Case to view. If a Workflow has not been applied to the Case and no Tasks have been added to it, the Phases and Tasks section will display a message stating that no Workflow has been applied to the Case (Figure 5).
  3. Click the No Workflow area. The Assign Workflow window will be displayed (Figure 6).

    • Select a Workflow from the dropdown menu.
    • Click the ASSIGN button.
  4. If no user is assigned to the Case but the selected Workflow has a default assignee, the Keep Unassigned? window will be displayed (Figure 7).

    • KEEP UNASSIGNED: Click this button to keep the Case unassigned.
    • CHANGE TO <name of default assignee>: Click this button to assign the Workflow’s default assignee to the Case.
  5. If a user is assigned to the Case and that user is different from the selected Workflow’s default assignee, the Keep Current Assignee? window will be displayed (Figure 8).

    • KEEP <name of assignee>: Click this button to keep the current assignee of the Case.
    • CHANGE TO <name of default assignee>: Click this button to change the Case’s assignee to the Workflow’s default assignee.

After applying a Workflow to a Case, the Phases and Tasks section will be populated with Phases and Tasks based on the selected Workflow’s configuration, and the selected Workflow’s name (Email Investigation in this example) will be displayed to the right of the Workflow text, below the name of the Case’s assignee (Figure 9).


ThreatConnect® is a registered trademark of ThreatConnect, Inc.
MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation.

20122-03 v.04.D