- 12 Oct 2022
- 8 Minutes to read
Parts of a Case
- Updated on 12 Oct 2022
- 8 Minutes to read
Minimum Role: Organization role of Read Only User (for viewing Cases); Organization role of Standard User (for configuring a Case’s visibility settings; configuring a Case’s assignees; and setting a Case’s resolution, status, and severity); Organization role of Organization Administrator (for deleting Cases)
Prerequisites: Workflow enabled by a System Administrator; a Workflow Case created in your Organization
A Workflow Case in ThreatConnect is a single instance of an investigation, inquiry, or other procedure. It contains all required elements of a notable event in a logical structure. Cases can be used to capture key evidence to enable security teams to decide if the Case should be escalated.
This article describes how to view and manage a Case, as well as the various components and elements included in a Case. When applicable, links to articles with more detailed information about these Case components and elements will be provided.
Viewing a Case
After a Case is created, a card for the Case will be displayed on the Cases tab of the Workflow screen (Figure 1).
Click on the card to view the Case (Figure 2).
Case Name and Number
The name of the Case and a unique identification number (270 in this example) are next to the Cases tab at the top left of the screen and just below that, at the top left of the Case itself (Figure 3).
Assignee and Users with Viewing Access
The user or user group to which the Case is assigned is displayed under the Case number (Figure 3). A Case’s assignee is the user or user group responsible for tracking and monitoring the Case. Users other than the assignee may work in the Case as long as they have viewing access. The assignee receives notifications about the Case. Assignee information can also be used to filter metrics on TQL-based dashboard cards.
To change a Case's assignee, click on the user or user group name at the top left of the Case (Figure 3). A menu with suggested assignees (individual users followed by user groups) in the Organization will be displayed (Figure 4).
Select a new assignee for the Case from the menu, use the search bar to search for a particular user or user group, or close the menu by clicking anywhere outside of it.
Users with Viewing Access
The user(s) with viewing access to the Case are displayed next to the eye icon under the Case number (Figure 3). For multiple users, only the first two names will be listed, followed by the number of users that are not listed—e.g., AMARI JACKSON, DOUGLAS JONES (+ 7 MORE). Click on the username(s) next to the eye icon to view a menu listing all users in the Organization and a radio button indicating their access (Figure 5).
If viewing access is available to all members of the Organization, then the All checkbox will be selected. If viewing access is restricted to a subset of Organization members, then the All checkbox will be cleared, and Organization members with viewing access will be listed under the Restrict to selected user(s): section, as in Figure 5.
To add or remove viewing access for a user, select or clear the checkbox next to their name, respectively. To give viewing access to all users in the Organization, select All (Figure 6).
If a user who is not assigned to a Case attempts to toggle off their own viewing access for that Case, the Are you sure you want to revoke your own Permissions? window will be displayed (Figure 7).
Clicking the CONFIRM button will remove the user’s access to the Case and display the Cases tab of the Workflow screen.
Resolution, Status, and Severity
The resolution, status, and severity of the Case are displayed in a row at the top right of the Case (Figure 8).
Resolution is used to communicate the justification for the current status of the Case. To set or change the resolution of a Case, click on the leftmost item in the row (NOT SPECIFIED in Figure 8) and select an option from the menu that is displayed. Available Case resolutions include the following:
- Containment Achieved
- Deferred / Delayed
- False Positive
- In Progress / Investigating
- Restoration Achieved
To change the status of a Case, click the middle item in the row (OPEN in Figure 8) and select the corresponding option from the menu that is displayed:
- If a Case’s status is set to OPEN, the menu will display only an option of Close.
- If a Case’s status is set to CLOSED, the menu will display only an option of Re-Open.
To change the severity of a Case, click the rightmost item in the row (MEDIUM SEVERITY in Figure 8) and select an option from the CHANGE SEVERITY TO: menu. Available severity levels for a Case include the following:
Explore In Graph
ThreatConnect’s Explore In Graph feature (also known as Threat Graph) allows you to discover, visualize, and explore Indicator, Group, and Case associations using a graph-based interface. Click the Explore In Graph button to open the Case’s graph in a new tab. See the “Pivot in ThreatConnect” section of Exploring Associations for further instruction on using this feature to pivot on Indicators, Groups, and Case associations in ThreatConnect for the selected Case.
Phases and Tasks
The Phases and Tasks section, located on the left side of the screen (Figure 2), is where the action of the Workflow feature takes place. This section shows all Tasks in the Case, grouped into Phases, as specified by the Workflow on which the Case is based.
By default, the Phases and Tasks section of the screen is displayed in detail view, but can be switched to list view. Detail view provides all details for each Task, including fields for providing inputs that are saved as Artifacts.
The Case Details card, located at the top right of a Case (Figure 2), displays important details about the Case, including time-based information related to the Case, Tags that have been applied to the Case, and a description of the Case.
The Attributes card, located below the Case Details card, displays all System-level and Organization-level Attributes added to the Case. Case Attributes are key/value data sets that you can add to a Workflow Case. These Attributes enrich a Case’s data and aid security teams as they investigate a threat and determine the appropriate escalation path for a Case.
The Associations card, located below the Attributes card, displays all Indicators, Groups, and Cases that are associated to the Case being viewed. For Indicators and Groups displayed on a Case’s Associations card that exist in your Organization, the Case you are viewing will be listed as an associated Case on the Associations card of their Details screen. Cases associated to one another will be displayed on each other’s Associations card when viewing the Case.
The Potential Associations card, located below the Associations card, displays the following items:
- Indicators and Groups in your Organization, and in Communities and Sources to which you have access and for which an Organization Administrator has enabled potential Case associations, that are associated to objects associated to the Case you are viewing (i.e., the objects on the Case’s Associations card)
- Indicators that match the type and summary of a Case Artifact that is a ThreatConnect Indicator type and Groups associated to those Indicators
- Cases that share an Artifact, associated Indicator, or associated Group with the Case you are viewing
In other words, this card displays second-level associations to the Case’s associated objects, suggesting them as potential first-level associations to add to the Case. It also suggests adding Indicators that match an Artifact’s type and summary, Groups associated to those Indicators, and Cases that share an Artifact with the Case you are viewing as first-level associations to the Case.
The Artifacts card, located below the Potential Associations card, displays a table of all Artifacts that are part of the Case being viewed. When viewing an Artifact’s details, you may view and create associations between the Artifact and Indicators and Groups in your Organization. Artifacts that are associated to Indicators and Groups will be listed as associated Artifacts on the Associations card of their Details screen for the Indicator and Group.
The Notes card, located below the Artifacts card, displays all Notes added to the Case. A Note in Workflow is freeform information entered by a user (e.g., in a Workflow Case or attached to a Task or Artifact). Notes can be used to provide commentary, directives to another user, additional details, or any information that cannot be captured elsewhere. They enable security teams to journal key data findings in an unstructured format.
The Timeline card, located below the Notes card, shows a timeline of all changes made to a Case. When an action is performed in a Case, a Timeline Event is added automatically to its timeline. Timeline Events may also be added manually to a Case’s timeline.
Managing a Case
Adding Case Elements
Click the New…button at the top right of a Case to display a menu with the following options:
- Associate Case: Select this option to associate a Case to the Case being viewed.
- Associate Group: Select this option to associate a Group to the Case.
- Associate Indicator: Select this option to associate an Indicator to the Case.
- Artifact: Select this option to create a new Artifact in the Case.
- Attribute: Select this option to create a new Attribute in the Case.
- Case: Select this option to create a new Case.
- Note: Select this option to add a Note to the Case.
- Run Playbook: Select this option to run a Playbook in the Case. Note that no Artifact will be highlighted in the Artifacts table of the Run Playbook drawer.
- Task: Select this option to add a Task to the Case.
- Timeline Event: Select this option to add a Timeline Event to the Case.
Removing a Case
To remove (delete) the Case, click the vertical ellipsis at the top right of the Case and select Remove.
ThreatConnect® is a registered trademark of ThreatConnect, Inc.