Cases Settings
Written by Ahmad
Updated over a week ago

Robust case management is an integral part of any SOAR platform: it helps verify an event and promote it to a case. This makes it possible to assign tasks to an analyst, coordinate with external teams, or automatically execute a particular playbook for data enrichment and actions.

The main benefits proffered by the case module include the following:

  • Supports case tasks according to the defined Standard Operating Procedures (SOPs).

  • Speeds up investigations and improves response time with enriched data.

  • Allows for inter-departmental communication and response.

Fields

SIRP helps in managing the complete incident management lifecycle from enriching and analyzing security alert data to triggering response and remediation. SIRP enriches alerts with external and internal context and prioritizes according to the security score by categorizing incidents into three types of dispositions: Alert, Investigation, and Incident.

Any ingestion from the SIEM is treated as an alert. When this alert is assigned to an analyst, it is referred to as an investigation. In the third phase, the analyst either promotes the investigation to an Incident (Case) or declares it a false positive.

SIRP provides an extensive list of fields, which can be used to define different types of data about an incident, alert or investigation. SIRP also provides you the flexibility to either use all the given fields or disable the irrelevant or non-required ones.

To enable or disable the fields, navigate to the Cases page, open the Main Menu, and select Administration. Once the Administration section is displayed, select the Cases tab at the top of the page, and then Fields under that.

Main Menu > Administration > Cases > Fields

You can toggle the buttons adjacent to each field to Enable or Disable them. Once you have selected the fields that you want to use, click on the Save button at the bottom of the page to save the changes.

Category

SIRP provides you with a pre-defined list of categories. An administrator can add additional categories and subcategories, and use them in task assignment rules, notifications, and playbooks.

To manage the list of categories, navigate to the Cases page, open the Main Menu, and select Administration. Once the Administration section is displayed, select the Cases tab at the top of the page, and then click on Category under that.

Main Menu > Administration > Cases > Category

This page displays the list of all available categories. You cannot remove the existing categories, but you can add your own list on top of the existing ones.

To add a new category, click on the Create Category button at the top. Clicking on the button will display a popup. Enter the name and select the Incident Type (for which this category is being created) then click Create.

The newly added category will appear in the main list and will be usable in the Incidents and Automation modules.

Once added, you can either edit or delete any of the newly created records.

Subcategories

SIRP allows you to divide the categories into subcategories. Defining the subcategories enables the analyst to execute issue-specific tasks in the form of workflows. If tasks are not available, the granular level of categorization provides the structure to gather necessary information and categorize new tasks. Categorizing the incident at multiple levels speeds up the process and creates greater efficiency within the incident management life cycle.

To manage the list of sub-categories, navigate to the Cases page, open the Main Menu, and select Administration. Once the Administration section is displayed, select the Cases tab at the top of the page, and then Subcategories under that.

Main Menu > Administration > Cases > Subcategories

This page displays the list of all available sub-categories. The administrator cannot remove the existing subcategories but can add their own list on the top of the existing one.

To add a new subcategory, click on the Create Subcategory button at the top. Clicking on the button will display a popup. Select the Primary Category (to which this subcategory belongs), enter the Name and Description (optional), and then click Create.

The newly added Sub-category will appear in the main list and will be usable on the main Incidents and Automation modules.

Once added, you can edit or delete any of the newly added records.

Disposition

A Disposition explains the current status or the final outcome of any data created or ingested in SIRP. SIRP provides you with a pre-defined list of four Dispositions:

  • Incident

  • Not an incident

  • Investigation

  • Vulnerability

Each disposition is defined for a particular type of Container (i.e. Incident, Vulnerability, or Risk). The administrator can also add additional dispositions.

To manage the list of dispositions, navigate to the cases page, open the Main Menu, and select Administration. Once the Administration section is displayed, select the Cases tab at the top of the page, and then Dispositions under that.

Main Menu > Administration > Cases > Disposition

This page displays the list of all available dispositions. You can edit and delete existing dispositions, and also add your own.

To add a new disposition, click on the Create Disposition button at the top. Clicking on the button will display a popup. Enter the Name, select the Type from the dropdown then click Create.

The newly added disposition will appear in the main list and will be usable in all the selected containers.

Sub-Dispositions

SIRP allows you to divide incident dispositions into sub-levels through Sub-Dispositions.

SIRP provides you with a pre-defined list of a few Sub-Dispositions. Each sub-disposition belongs to a particular Disposition.

To manage the list of sub-dispositions, navigate to the cases page, open the Main Menu, and select Administration. Once the Administration section is displayed, select the Cases tab at the top of the page, and then Sub-Dispositions under that.

Main Menu > Administration > Cases > Sub-dispositions

This page displays the list of all available sub-dispositions. You can edit and delete the existing records, and also add your own.

To add a new Sub-Disposition, click on the Create Sub-disposition button at the top. Clicking on the button will display a popup. Enter the Name and Select the parent Disposition then click Create.

The newly added sub-disposition will appear in the main list and will be usable on the relevant container.

Escalation and SLAs

An important aspect of case management is a mechanism to escalate Incidents in time, so that you always stay on top of your SLAs. The "Escalation and SLAs" feature within SIRP allows you to define the conditions under which an Incident should be escalated, who it should be escalated to, and when the SLA will be breached.

To manage the list of Escalations, go to the Cases section in the Administration area. Once on the Cases section, click on "Escalation and SLAs" from the sub-menu on the left.

Main Menu > Administration > Cases > Escalation and SLAs

The page lists all the Escalation conditions defined. To configure a new Escalation and SLA rule, click on the Configure SLA button at the top. Clicking on the button will display a popup.

  • Name: Enter the name of the Rule.

  • Container: Select the Container against which this rule will get triggered.

  • Disposition: Select the Disposition against which this rule will get triggered.

  • Category: Select the Category against which this rule will get triggered.

Check any (or all) of the following checkboxes to add value-based conditions within your Rule:

  • Priority: if you want the Escalation to happen against Alerts of a particular Priority

  • Severity: if you want the Escalation to happen against Alerts of particular Severities

  • Classification: if you want the Escalation to happen against Alerts containing Assets with certain Classifications

  • Asset Value: if you want the Escalation to happen against Alerts containing Assets with certain Asset Value

As you select any of the above options, a separate section appears for each one, in which you define its conditions. For example, if you enable "Priority", you can define that the Rule will trigger for Alerts with Priority "High" and "Medium". Use the + icon to add conditions within each section.

Before defining the Users who will receive notifications, you also need to select the Trigger Event i.e.

  • Has no response since: This means if there has been no activity

  • Has not be closed since: This means if the container has not been closed

You can define multiple escalations within the same Rule. For example,

  • Send first Escalation notification if a High Severity Alert has no response for 2 hours.

  • Send a second Escalation notification if a High Severity Alert has no response for 4 hours.

Once all escalation thresholds of a certain rule have passed, an SLA Breach notification can be configured to notify stakeholders about an SLA Breach. For example,

  • Mark High Severity Alert/Incident as SLA-Breached and send an SLA-Breach notification if it has not been closed for 2 days.

Each escalation notification can be sent to Individual Users or User Groups (defined under Administration > Access Control > Users or Groups) who have SIRP access, or to External Users, that is, people who don't have access to SIRP (by adding their email addresses).

Once an Escalation and SLA rule applies to an Alert, Investigation, or Incident, a clock appears on the detail view of that container. This clock shows when the next Escalation (or SLA breach) will happen. This makes it easier for analysts to keep an eye on the applicable SLAs and handle the Alerts within defined time limits.
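The rule logic described in this section, modelled as an added example (it is not SIRP code and does not use SIRP's API): matching on Container, Disposition, Category and value-based conditions, then computing which escalations have fired and what the clock would show next. All class, field and trigger names are hypothetical, the "Malware" category is a constructed sample value, and the model assumes escalations are timed from the trigger event while the SLA breach is timed from creation.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Illustrative model only: names are hypothetical, not SIRP's schema or API.
@dataclass
class Rule:
    container: str
    disposition: str
    category: str
    conditions: dict       # value-based conditions, e.g. {"severity": {"High"}}
    trigger: str           # "no_response" or "not_closed"
    escalations: list      # timedeltas measured from the trigger event
    sla_breach: timedelta  # assumption: measured from creation while still open

@dataclass
class Container:
    kind: str
    disposition: str
    category: str
    attrs: dict
    created: datetime
    last_activity: datetime
    closed: bool = False

def matches(rule, c):
    """Container, Disposition and Category must match, then every enabled condition."""
    if (rule.container, rule.disposition, rule.category) != (c.kind, c.disposition, c.category):
        return False
    return all(c.attrs.get(k) in allowed for k, allowed in rule.conditions.items())

def sla_clock(rule, c, now):
    """Return (escalations_fired, sla_breached, next_deadline) for one container."""
    if c.closed or not matches(rule, c):
        return 0, False, None
    start = c.last_activity if rule.trigger == "no_response" else c.created
    fired = sum(1 for t in rule.escalations if now - start >= t)
    breached = now - c.created >= rule.sla_breach
    pending = [start + t for t in rule.escalations if now - start < t]
    if not breached:
        pending.append(c.created + rule.sla_breach)
    return fired, breached, min(pending, default=None)

# Constructed sample: High severity, escalate at 2 h and 4 h without response, breach at 2 days.
T0 = datetime(2024, 1, 1, 9, 0)
RULE = Rule("Incident", "Investigation", "Malware", {"severity": {"High"}},
            "no_response", [timedelta(hours=2), timedelta(hours=4)], timedelta(days=2))
CASE = Container("Incident", "Investigation", "Malware", {"severity": "High"}, T0, T0)
```

Calling `sla_clock(RULE, CASE, now)` with different values of `now` shows the first escalation, the second escalation and the SLA breach becoming due in turn; any recorded activity restarts the "no response" timers but not the breach deadline.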

Locations

Locations are used when opening a case to identify the location of an asset, i.e. where the asset in question physically (or logically) exists.

To manage the list of Locations, navigate to the cases page, open the Main Menu, and select Administration. Once the Administration section is displayed, select the Cases tab at the top of the page, and then Locations under that.

Main Menu > Administration > Cases > Locations

This page displays the list of all available Locations. You can Edit and Delete the existing records, and also create your own.

To add a new location, click on the Create Location button at the top. Clicking on the button will display a popup. Enter the Name and Description of the location then click Create.

The newly added location will appear in the main list.
