Case Management
Key Concepts and Terminology in Case Management
This page outlines the core concepts and terminology used in the Case Management system. Understanding these terms will help you navigate, configure, and investigate security incidents effectively within the platform.
Alerts
Alerts are security-relevant events generated by third-party systems (e.g., Wiz, CrowdStrike) or through internal detection workflows. They typically represent suspicious or malicious activity and serve as the starting point for case creation.Alert Ingestion
The process of receiving alerts from external sources into the platform, either via webhooks (real-time push) or polling (periodic checks). Ingested alerts become available for processing, correlation, and investigation.Alert Processing
Once an alert is ingested, it is parsed to extract key fields such as name, severity, and observables. The system then decides whether to create a new case or append the alert to an existing one based on matching criteria.Extract Observables
A core step in alert processing that identifies and extracts data points of interest from the alert payload—such as IP addresses, file hashes, domains, or usernames. These observables form the foundation for correlation, enrichment, and response, and help analysts understand the scope and nature of the threat.Extract Observable Rules
Custom-defined rules used to identify and extract observables from incoming alert payloads. These rules allow teams to define specific field mappings, patterns (e.g., regex), and data types (e.g., IP, file hash, domain) to ensure accurate and consistent extraction across different alert formats and vendors.Case Deduplication Rules
Custom-defined rules that determine whether a new alert should trigger a new case or be appended to an existing one. These rules compare fields such as observables, alert title, vendor, and timestamps to avoid creating duplicate cases and ensure related alerts are grouped together for more efficient handling.Cases
Cases are containers that group related alerts for centralized investigation, enrichment, and response. They help analysts track the lifecycle of an incident, assign collaborators, log tasks, and automate workflows.Case level SLA
The Case level SLA measures the time from the case is created until the case is closed.Case Status
Indicates the current state of a case, such as:- Open – The case is active and requires investigation.
- In Progress – Investigation is ongoing.
- Resolved – An outcome has been reached, but the case remains open for review.
- Closed – The case has been finalized, either manually or via automation.
Case Status SLA
The Case Status SLA measures the duration from one status change to another. For example, it measures the time from when a case is initially opened until it is changed to the In progress status.Case Timeline
A chronological log of all actions, updates, and events related to a case. It provides an audit trail for investigation steps, automated actions, user comments, and task completion.Case Management Workflows
A predefined sequence of automated or semi-automated actions executed as part of case handling. Workflows can perform enrichment, notify analysts, trigger response actions, or close the case automatically based on logic.Case Manager
Specifies the individual analyst or group responsible for managing a case. Ownership can be manually assigned or set automatically during case creation or escalation.Collaborators
Users who are actively involved in a case. Collaborators may be assigned tasks, leave comments, or participate in the investigation and resolution process.Observables
Key data elements extracted from alerts that represent artifacts or behaviors of interest, such as:- IP addresses
- Domains
- File hashes
- Email addresses
- Usernames
Observable Relations
Structured links between observables that reveal known or inferred relationships—such as an IP resolving to a domain, or a user linked to a host. These relationships help analysts build context across alerts and cases.Reputation
An observable’s reputation is a rating that shows how safe or risky it is based on its actions or traits. This helps users decide if they can trust the observable or if they should be cautious. The reputation options range from Unknown (no information) to Malicious (potentially harmful), with levels like Very Safe, Safe, Exercise Caution, and Suspicious/Risky to indicate varying degrees of trustworthiness.Enrichment
The process of adding contextual data to observables by querying external sources. This can include:- Threat intelligence scoring (e.g., domain marked as malicious)
- Contextual details (e.g., a user’s department or reporting manager) Enrichment helps analysts evaluate the severity and relevance of a potential threat.
Deduplication
A mechanism that identifies and suppresses duplicate alerts to prevent redundant case creation. Deduplication ensures efficient case handling by grouping repeated alerts under a single case when appropriate.Response
The set of actions taken to investigate or remediate an incident. Responses can be:- Automated (e.g., isolating a device, notifying stakeholders, closing false positives)
- Manual (e.g., analyst-driven investigation, notes, or external coordination)
MITRE ATT&CK Classification
A globally recognized framework that categorizes and describes common adversary tactics, techniques, and procedures (TTPs) based on real-world observations. In Case Management, mapping alerts or cases to MITRE ATT&CK techniques helps standardize threat classification and improve response strategies.Default values include
Default values include
- Reconnaissance
- Resource Development
- Initial Access
- Execution
- Persistence
- Privilege Escalation
- Defense Evasion
- Credential Access
- Discovery
- Lateral Movement
- Collection
- Command and Control