Parts of a Case

Minimum Role: Organization role of Read Only User (for viewing Cases); Organization role of Standard User (for configuring a Case’s visibility settings; configuring a Case’s assignees; and setting a Case’s resolution, status, and severity); Organization role of Organization Administrator (for deleting Cases)

Prerequisites: Workflow enabled by a System Administrator; a Workflow Case created in your Organization

Overview

A Workflow Case in ThreatConnect is a single instance of an investigation, inquiry, or other procedure. It contains all required elements of a notable event in a logical structure. Cases can be used to capture key evidence to enable security teams to decide if the Case should be escalated.

This article describes how to view and manage a Case, as well as the various components and elements included in a Case. When applicable, links to articles with more detailed information about these Case components and elements will be provided.

Viewing a Case

After a Case is created, a card for the Case will be displayed on the Cases tab of the Workflow screen (Figure 1).

Click on the card to view the Case (Figure 2).

Case Name and Number

The name of the Case and a unique identification number (270 in this example) are next to the Cases tab at the top left of the screen and just below that, at the top left of the Case itself (Figure 3).

Note

In addition to the Cases screen, you can search for a Case by name or ID number via the search drawer that is displayed when you click the Search icon on the top navigation bar. When using this feature to search for a Case by name, you must enter the entire, exact name of the Case.

Assignee and Users with Viewing Access

Assignee

The user or user group to which the Case is assigned is displayed under the Case number (Figure 3). A Case’s assignee is the user or user group responsible for tracking and monitoring the Case. Users other than the assignee may work in the Case as long as they have viewing access. The assignee receives notifications about the Case. Assignee information can also be used to filter metrics on TQL-based dashboard cards.

To change a Case's assignee, click on the user or user group name at the top left of the Case (Figure 3). A menu with suggested assignees (individual users followed by user groups) in the Organization will be displayed (Figure 4).

Select a new assignee for the Case from the menu, use the search bar to search for a particular user or user group, or close the menu by clicking anywhere outside of it.

Users with Viewing Access

The user(s) with viewing access to the Case are displayed next to the eye icon under the Case number (Figure 3). For multiple users, only the first two names will be listed, followed by the number of users that are not listed—e.g., AMARI JACKSON, DOUGLAS JONES (+ 7 MORE). Click on the username(s) next to the eye  icon to view a menu listing all users in the Organization and a radio button indicating their access (Figure 5).

If viewing access is available to all members of the Organization, then the All checkbox will be selected. If viewing access is restricted to a subset of Organization members, then the All checkbox will be cleared, and Organization members with viewing access will be listed under the Restrict to selected user(s): section, as in Figure 5.

To add or remove viewing access for a user, select or clear the checkbox next to their name, respectively. To give viewing access to all users in the Organization, select All (Figure 6).

Note

A gray checkmark  designates the Case’s assignee. It is not possible to remove an assignee’s viewing access for a Case. The only way to prevent an assignee from viewing a Case is to select a different assignee and then remove viewing access for the original assignee.

If a user who is not assigned to a Case attempts to toggle off their own viewing access for that Case, the Are you sure you want to revoke your own Permissions? window will be displayed (Figure 7).

Clicking the CONFIRM button will remove the user’s access to the Case and display the Cases tab of the Workflow screen.

Resolution, Status, and Severity

The resolution, status, and severity of the Case are displayed in a row at the top right of the Case (Figure 8).

Resolution

Resolution is used to communicate the justification for the current status of the Case. To set or change the resolution of a Case, click on the leftmost item in the row (NOT SPECIFIED in Figure 8) and select an option from the menu that is displayed. Available Case resolutions include the following:

• Containment Achieved
• Deferred / Delayed
• Escalated
• False Positive
• In Progress / Investigating
• Rejected
• Restoration Achieved

Status

To change the status of a Case, click the middle item in the row (OPEN in Figure 8) and select the corresponding option from the menu that is displayed:

• If a Case’s status is set to OPEN, the menu will display only an option of Close.
• If a Case’s status is set to CLOSED, the menu will display only an option of Re-Open.

Severity

To change the severity of a Case, click the rightmost item in the row (MEDIUM SEVERITY in Figure 8) and select an option from the CHANGE SEVERITY TO: menu. Available severity levels for a Case include the following:

• Critical
• High
• Medium
• Low

Explore In Graph

ThreatConnect’s Explore In Graph feature (also known as Threat Graph) allows you to discover, visualize, and explore Indicator, Group, and Case associations using a graph-based interface. Click the Explore In Graph button to open the Case’s graph in a new tab. See the “Pivot in ThreatConnect” section of Exploring Associations for further instruction on using this feature to pivot on Indicators, Groups, and Case associations in ThreatConnect for the selected Case.

Case Elements

Phases and Tasks

The Phases and Tasks section, located on the left side of the screen (Figure 2), is where the action of the Workflow feature takes place. This section shows all Tasks in the Case, grouped into Phases, as specified by the Workflow on which the Case is based.

By default, the Phases and Tasks section of the screen is displayed in detail view, but can be switched to list view. Detail view provides all details for each Task, including fields for providing inputs that are saved as Artifacts.

Case Details

The Case Details card, located at the top right of a Case (Figure 2), displays important details about the Case, including time-based information related to the Case, Tags that have been applied to the Case, and a description of the Case.

Attributes

The Attributes card, located below the Case Details card, displays all System-level and Organization-level Attributes added to the Case. Case Attributes are key/value data sets that you can add to a Workflow Case. These Attributes enrich a Case’s data and aid security teams as they investigate a threat and determine the appropriate escalation path for a Case.

Associations

The Associations card, located below the Attributes card, displays all Indicators, Groups, and Cases that are associated to the Case being viewed. For Indicators and Groups displayed on a Case’s Associations card that exist in your Organization, the Case you are viewing will be listed as an associated Case on the Associations card of their Details screen. Cases associated to one another will be displayed on each other’s Associations card when viewing the Case.

Potential Associations

The Potential Associations card, located below the Associations card, displays the following items:

• Indicators and Groups in your Organization, and in Communities and Sources to which you have access and for which an Organization Administrator has enabled potential Case associations, that are associated to objects associated to the Case you are viewing (i.e., the objects on the Case’s Associations card)
• Indicators that match the type and summary of a Case Artifact that is a ThreatConnect Indicator type and Groups associated to those Indicators
• Cases that share an Artifact, associated Indicator, or associated Group with the Case you are viewing

In other words, this card displays second-level associations to the Case’s associated objects, suggesting them as potential first-level associations to add to the Case. It also suggests adding Indicators that match an Artifact’s type and summary, Groups associated to those Indicators, and Cases that share an Artifact with the Case you are viewing as first-level associations to the Case.

Artifacts

The Artifacts card, located below the Potential Associations card, displays a table of all Artifacts that are part of the Case being viewed. When viewing an Artifact’s details, you may view and create associations between the Artifact and Indicators and Groups in your Organization. Artifacts that are associated to Indicators and Groups will be listed as associated Artifacts on the Associations card of their Details screen for the Indicator and Group.

Notes

The Notes card, located below the Artifacts card, displays all Notes added to the Case. A Note in Workflow is freeform information entered by a user (e.g., in a Workflow Case or attached to a Task or Artifact). Notes can be used to provide commentary, directives to another user, additional details, or any information that cannot be captured elsewhere. They enable security teams to journal key data findings in an unstructured format.

Timeline

The Timeline card, located below the Notes card, shows a timeline of all changes made to a Case. When an action is performed in a Case, a Timeline Event is added automatically to its timeline. Timeline Events may also be added manually to a Case’s timeline.

Managing a Case

Adding Case Elements

Click the New…button at the top right of a Case to display a menu with the following options:

• Associate Case: Select this option to associate a Case to the Case being viewed.
• Associate Group: Select this option to associate a Group to the Case.
• Associate Indicator: Select this option to associate an Indicator to the Case.
• Artifact: Select this option to create a new Artifact in the Case.
• Attribute: Select this option to create a new Attribute in the Case.
• Case: Select this option to create a new Case.
• Note: Select this option to add a Note to the Case.
• Run Playbook: Select this option to run a Playbook in the Case. Note that no Artifact will be highlighted in the Artifacts table of the Run Playbook drawer.
• Task: Select this option to add a Task to the Case.
• Timeline Event: Select this option to add a Timeline Event to the Case.

Removing a Case

To remove (delete) the Case, click the vertical ellipsis at the top right of the Case and select Remove.

ThreatConnect^® is a registered trademark of ThreatConnect, Inc.

20121-01 v.02.A