When alerts are sent to the alerts pane in incident response, they can be reviewed again to determine whether it is beneficial to create a case. Cases are created when events have to be investigated further or in more depth.
To view the alert in incident response, click the three dot menu on the right and click “Open Preview”.
This will provide you with additional details such as observables, if they have been extracted by the alert rule.
Creating a case from an alert
Depending on your organization’s incident response policies and procedures, a decision can be made whether or not to take further action. If the choice is to perform a full investigation, the next step is to create a case from the alert. To do so, click the three dot menu on the right side of the event.
Then click “Import to case”.
This will create a new case. Now navigate to Cases at the top.
The case will now be listed at the top.
To view the case details, click the three dot menu in the top right corner and click “Open details”.
This will display all the event data that is available and was transferred from the alert.
Information can be modified and added at this point to advance the investigation, such as additional observations and observables. Tasks can also be created and observables enriched.
In many organizations, individual teams or team members perform specific functions. With cases, such functions and actions often need to be allocated to a specific person, not necessarily the person performing the incident response. These tasks can be added on the Tasks tab of the case.
To add a new task, navigate to the Tasks tab, then click “Add Task” in the top right corner.
This will prompt you to name the task and specify a group. The title can be anything, but it should be descriptive enough that the individual it will be assigned to understands what is expected. The group is optional.
Once the task has been created, it will be listed in the Tasks tab.
You can click on the task to expand its details. The details can be edited by clicking the pencil at the end of each line. The first step is to assign it to the party that will be doing the task.
When the assignee wants to start processing the task, they click the three dot menu in the right corner and click “Start”.
This will update the status of the task to active.
Once the action items are completed, they can close the task by clicking the three dot menu and clicking “Close”, which will change the status to complete.
Observables can be enriched with the intelligence sources available to the incident response module. These sources/analyzers were covered in the analyzers section. Additional observables can be added manually as needed, or automatically extracted by the alert rules; please see the alerting and rules section for further details.
To add an observable, go to the observable pane after opening the relevant case. Some observables that were extracted from the event automatically may already be present. To manually add more, click the “Add Observable” button in the top right corner.
From the first dropdown, select the observable type. There are quite a few types to choose from; it is extremely important to select the correct type, because the analyzers that can run against an observable depend on its type, and enrichment will not function correctly otherwise.
In the value field, type or paste the observable that needs to be investigated.
🔖 NOTE: you can specify multiple observables of the same type at once; make sure to select the radio button that matches how you formatted the values.
Specify the TLP (Traffic Light Protocol) level; more information on the TLP specification can be found here.
In the select tags section, add tags as needed and press Enter after each. Tags are useful for filtering and reporting. In the next section, add a description for the observable. Finally, click confirm. Your observable has now been added.
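A pre-submission check for the observable form, added here as an example; it is not part of this page or the product’s own code. It infers what type a value looks like (IPv4/IPv6, hash, URL, mail, domain) and flags any value whose appearance does not match the type selected in the dropdown, which covers the note above about entering several observables of the same type at once. The type names (“ip”, “hash”, “url”, “mail”, “domain”), the `one_per_line` flag and the sample input are assumptions standing in for this module’s dropdown and radio-button choices:

```python
import ipaddress
import re
from typing import List, Optional
from urllib.parse import urlparse

# Observable type names are an assumption for this example; use the names your
# incident response module actually lists in the type dropdown.
_HASH_LENGTHS = {32, 40, 64}  # md5, sha1, sha256 hex digest lengths
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$", re.I
)
_MAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def infer_type(value: str) -> Optional[str]:
    """Return the observable type a value looks like, or None if unrecognised.

    Order matters: an IP would also pass a loose domain check and a URL
    contains a domain, so the more specific checks run first.
    """
    v = value.strip()
    if not v:
        return None
    try:
        ipaddress.ip_address(v)  # accepts both IPv4 and IPv6
        return "ip"
    except ValueError:
        pass
    if re.fullmatch(r"[0-9a-fA-F]+", v) and len(v) in _HASH_LENGTHS:
        return "hash"
    if "://" in v:
        parts = urlparse(v)
        if parts.scheme and parts.netloc:
            return "url"
    if _MAIL_RE.match(v):
        return "mail"
    if _DOMAIN_RE.match(v):
        return "domain"
    return None


def parse_observables(text: str, selected_type: str, one_per_line: bool) -> List[dict]:
    """Split the value field into individual observables and check each one
    against the type chosen in the dropdown. `one_per_line` stands in for the
    radio button that tells the module how multiple values are formatted."""
    values = text.splitlines() if one_per_line else [text]
    results = []
    for raw in values:
        v = raw.strip()
        if not v:
            continue  # skip blank lines in a pasted list
        looks_like = infer_type(v)
        results.append({
            "value": v,
            "type": selected_type,
            "looks_like": looks_like,
            "ok": looks_like == selected_type,
        })
    return results


# Constructed sample input: three values pasted into the value field with the
# type dropdown set to "ip". Only the first one actually is an IP address.
SAMPLE_INPUT = "198.51.100.23\nevil.example.com\n0123456789abcdef0123456789abcdef"

if __name__ == "__main__":
    for obs in parse_observables(SAMPLE_INPUT, "ip", one_per_line=True):
        flag = "ok" if obs["ok"] else f"MISMATCH (looks like {obs['looks_like']})"
        print(f"{obs['value']:<40} type={obs['type']:<6} {flag}")
```

Running the block with the sample input and the type set to “ip” reports the domain and the hash as mismatches, which is exactly the situation in which enrichment would not function correctly; catching it before clicking confirm saves a failed analyzer run and a second trip through the form.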
Enriching an observable
Enriching an observable is a simple process. Click on the desired observable, select the analyzer you wish to run against it, then click the three dot menu on the right and click “Run”.
You will see a waiting indicator while the analyzer waits for a response from the intelligence source.
Once the enrichment completes, a success tick mark will be shown under Status.
You can click the down arrow on the far left to see the enrichment result.
Now proceed to click on the little eye to see the output received.
Additional formatting is being developed to present this in a more user-friendly manner in future releases. Your event is now enriched, and you can decide whether the information provided warrants further action, such as blocking on the firewall or running an antivirus scan on the source host of the alert (if internal). In this case the result was inconclusive.