Viewing, Managing, and Filtering Cases

Viewing Cases

On the top navigation bar, hover the cursor over Workflow and select Cases. The Cases screen will be displayed (Figure 1).

Case Cards

Each Case card provides a summary of a Workflow Case (Figure 2). Click on a Case card to view the Case.

• Case ID: The ID number of the Case (234 in this example) is displayed at the upper-left corner of the card.
• Name: The name of the Case (Hacker Investigation in this example) is displayed at the top of the card.
• Severity: The severity of the Case is displayed under the name in a corresponding color (red for Critical, orange for High, yellow for Medium, and dark gray for Low). The severity of a Case is set by the user who created the Case and can be changed at any time by a user with access to edit the Case.
• Status: This section displays whether the Case is open or closed.
• Tags: This section, denoted by the icon, displays the Tags that have been applied to the Case. These Tags do not apply only to Workflow, as they are the same Tag object used throughout ThreatConnect.
• Assignee: This section displays the user () or user group () to which the Case is assigned.
• ThreatAssess Score: This section displays the highest ThreatAssess score among the Case’s Artifacts with a ThreatAssess score. A value is displayed only when there is at least one Artifact in a Case with a ThreatAssess score.
• CAL Score: This section displays the highest Collective Analytics Layer (CAL™) score among the Case’s Artifacts with a CAL score and an active Indicator status set by CAL. A value is displayed only when there is at least one Artifact in a Case with a CAL score and an active Indicator status set by CAL.
• Description: The text in the middle of the card displays a description of the Case.
• Percentage Complete: The bar at the bottom of the card shows the percentage of Tasks in the Case that have been completed.
• # Missing Required Artifacts: This section displays the number of required Artifacts that have not been collected for the Case.

List View

By default, the Cases screen is displayed in grid view (Figure 1). Click the  icon at the top right of the screen to toggle to list view (Figure 3). To toggle back to grid view, click on the  icon at the top right of the screen.

List view displays one Case per row, with the following columns:

• ID: The ID number of the Case.
• Name: The name of the Case and Tags applied to the Case. These Tags do not apply only to Workflow, as they are the same Tag object used throughout ThreatConnect.
• ThreatAssess Score: The highest ThreatAssess score among the Case’s Artifacts with a ThreatAssess score. A value is displayed only when there is at least one Artifact in a Case with a ThreatAssess score.
• CAL Score: This section displays the highest CAL score among the Case’s Artifacts with a CAL score and an active Indicator status set by CAL. A value is displayed only when there is at least one Artifact in a Case with a CAL score and an active Indicator status set by CAL.
• Severity: The severity of the Case, which is displayed in a corresponding color (red for Critical, orange for High, yellow for Medium, and gray for Low). The severity of a Case is set by the user who created the Case and can be changed at any time by a user with access to edit the Case.
• Missing Required Artifacts: The number of required Artifacts that have not been collected for the Case.
• Remaining Tasks: The number of Tasks remaining and the total number of Tasks in the Case. If all Tasks in a Case have been completed, or if no Tasks have been added to a Case, no value will be displayed in this column for the Case.
• Assignee: The user or user group to which the Case is assigned.
• Status: The status of the Case (Open or Closed).
• Created By: The name of the user who created the Case.
• Created Date: The date and time when the Case was created.
• Closed Date: The date and time when the Case was closed.
• Administrative options menu: Click the vertical ellipsis in this column to access a menu with administrative options for assigning and deleting the Case. See the “Case Administrative Options” section for more information.

By default, Cases are arranged in decreasing order of severity, denoted by the down arrow next to the Severity column heading. Click on this column heading to reorder Cases in increasing order of severity.

You can also sort Cases by the ID, Name, ThreatAssess, CAL Score, Missing Required Artifacts, Status, Created Date, and Closed Date column headings. Sorting preferences will persist when you navigate away from the Cases screen or log out of ThreatConnect.

Case Administrative Options

To view administrative options for the Workflow Case, click the vertical ellipsis at the upper-right corner of a Case card (Figure 1) or in the rightmost column of a Case when in list view (Figure 3).

Assign

To assign a Workflow Case to a user or user group, select Assign from the administrative options menu. The Assign Case window will be displayed (Figure 4).

• Select the user or user group to which to assign the Case. User groups are listed at the bottom of the dropdown menu, after all the user names.
• Click the CONFIRM button.

Remove

To remove (delete) a Case, select Remove from the administrative options menu. The Remove Case? window will be displayed. Click the Remove button to delete the Case.

Filtering Cases

On the Cases screen, you can filter Cases by severity, status, resolution, assignee, date added, date closed, name, and whether a Case contains Artifacts with a ThreatAssess score, Artifacts with a CAL score and an active Indicator status set by CAL, or missing required Artifacts. These filters can be combined to further customize the display. You can also select the default display for the Cases screen from several preset filters. Filter settings will persist when you navigate away from the Cases screen or log out of ThreatConnect.

FILTERS Selector

The FILTERS selector provides options for filtering displayed Cases by severity, status, resolution, assignee, date added, date closed, and combinations of these selections (Figure 5).

• Severity: Select one or more severity levels. Only Cases with the selected severity level(s) will be displayed.
• Status: Select Open or Closed to display only open or closed Cases, respectively.
• Resolution: Resolution is used to communicate the justification for the current status of the Case. (See the Status item later in this list.) Select one or more resolutions. Only Cases with the selected resolution(s) will be displayed.
• Assignee: Select one or more assignees. Only Cases with the selected assignee(s) will be displayed. Assignees can be users or user groups.
• Date Added: Click on the from and to fields to display calendars from which you can select the beginning and end of a date range. Only Cases that were created within that range will be displayed.
• Date Closed: Click on the from and to fields to display calendars from which you can select the beginning and end of a date range. Only Cases that were closed within that range will be displayed.
• View cases that have: Select one or more of the following filter options:
  • ThreatAssess Score: Select this checkbox to only display Cases that contain at least one Artifact with a ThreatAssess score.
  • Active CAL Score: Select this checkbox to only display Cases that contain at least one Artifact with a CAL score and an active Indicator status in CAL.
  • Missing Required Artifacts: Select this checkbox to only display Cases where at least one required Artifact needs to be collected.
• Click the APPLY button to apply the selected filters. To reset the filters, click the CLEAR button.

When filters have been applied, an orange circle will be displayed at the upper-left corner of the FILTERS selector. This element alerts you to the fact that you might be viewing an “incomplete” set of data.

Default Display Menu

The menu to the right of the FILTERS selector provides options for selecting the set of Cases displayed by default on the Cases screen (Figure 6). The selected option will persist when you navigate away from the Cases screen or log out of ThreatConnect.

• All Cases: Select this option to display all Cases in your Organization.
• All Open Cases: Select this option to display only Cases with a status of Open.
• My Open Cases: Select this option to display only Cases with a status of Open that are assigned to you or a user group to which you belong.
• My Closed Cases: Select this option to display only Cases with a status of Closed that are assigned to you or a user group to which you belong.
• My Cases: Select this option to display only Cases, regardless of status, that are assigned to you or a user group to which you belong.
• My High Severity Open Cases: Select this option to display only Cases with a severity level of High and a status of Open that are assigned to you or a user group to which you belong.
• My Regular Open Cases: Select this option to display only Cases with a severity level of Medium or Low and a status of Open that are assigned to you or a user group to which you belong.

If the FILTERS selector is used to select the displayed Cases and the selection matches one of the options in the default display menu (e.g., My Open Cases), then that option will be displayed in the menu. If the selection does not have an equivalent option in the default display menu (e.g., only medium-severity Cases assigned to a particular user), the default display menu will show a selection of Custom (Figure 7).

Filtering Cases by Name, ID, or Tag

To filter Cases by name, ID number, or applied Tags, enter the desired Case name, ID number, or Tag name in the search bar to the right of the default display menu. The displayed Cases will be filtered as text is entered into the search bar. Click the Clear icon on the right side of the search bar to clear the entered text.

ThreatConnect^® is a registered trademark, and CAL™ is a trademark, of ThreatConnect, Inc.

20122-02 v.04.A