SIEM Foundations: Create and Manage Cases

Version 2

    ESM cases provide a lightweight embedded workflow system you can use to track incidents, and the events associated with them, through your incident response process. ESM's case management system lets you define your own case statuses, which you can use to implement a custom workflow. Below we outline a basic workflow for managing incidents through cases, which you can use as a starting point and adapt to your own process.


    As a first step, we’ll need to identify an incident that merits tracking through a case.  For our purposes, it’s most convenient to start with an incident that is identified through manual inspection of your ESM dashboards. However, as you mature your processes, you should look for opportunities to automate case management through use of alarms and other techniques.


    Once you have identified an incident, we'll start with a basic workflow that tracks three states for a case. The case states we will use are the following:




    • Open: Cases that have been created, but not yet assigned to an individual. To manually create a case, select the events related to the incident (individually, or in bulk via shift-click and control-click selection) and then click "Create a new case" through the case management icon at the bottom of the Event Details panel.




    You will be presented with a window to add some details on your case.  Enter a summary, assignee, severity, and status as shown.




    Note the links for Organization and Status on this window.  You can use these to modify the existing states, and create new ones, if needed.


    • In process: Cases that are being investigated by an individual. Incident responders will manually move cases from "Open" to "In process" as they are picked up for analysis during the work day. To review open cases, open the view "Event Workflow Views/Case Management" and filter for a Status of "Open" as shown in the screenshot below.




    While working the case, the analyst may:


      • Add additional events to the case to create a more complete view of the incident (click "Add events to a case" through the case management icon at the bottom of the Event Details panel).


      • Add notes to the case to provide details about the involved hosts or users, or other important contextual details.


      • Re-assign or change the status of the case as appropriate.


    • Closed: Cases that have been fully investigated and considered resolved.  Responders will manually set cases to “Closed” state when analysis of the related incident is complete.

    This workflow shows a simple manual process that works for small groups managing incidents via cases.  Through proper use of alarms, creation and assignment of cases can be automated to support larger enterprises and workgroups.
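    As an added illustration, and not ESM's own code or API, the following Python model captures the three-state workflow above and enforces its rules: a case is created from selected events, "Open" means unassigned, leaving "Open" requires an assignee, "Closed" is terminal, and an open-queue filter mirrors the Case Management view filtered on Status. The transition table, field names and sample values are assumptions for the example; edit the table to model any custom statuses you define.

```python
from dataclasses import dataclass, field
from typing import Optional

# Three-state workflow from the page; extend this table to add the custom
# statuses ESM lets you define. "Closed" is terminal.
TRANSITIONS = {
    "Open": {"In process"},
    "In process": {"Open", "Closed"},  # hand back to the queue, or resolve
    "Closed": set(),
}

@dataclass
class Case:
    case_id: int
    summary: str
    severity: str
    status: str = "Open"
    assignee: Optional[str] = None
    event_ids: set = field(default_factory=set)
    notes: list = field(default_factory=list)  # host/user context, etc.

    def add_events(self, *ids):  # "Add events to a case"
        self.event_ids.update(ids)

    def set_status(self, new_status, assignee=None):
        # Rules from the page: Open means unassigned, every other state
        # needs an owner, and only listed transitions are allowed.
        if new_status not in TRANSITIONS.get(self.status, ()):
            raise ValueError(f"cannot move {self.status!r} -> {new_status!r}")
        if new_status == "Open":
            self.assignee = None
        else:
            self.assignee = assignee or self.assignee
            if not self.assignee:
                raise ValueError("an assignee is required to leave Open")
        self.status = new_status

def create_case(case_id, summary, severity, event_ids, assignee=None):
    # "Create a new case" from the events selected in Event Details.
    if not event_ids:
        raise ValueError("a case needs at least one event")
    case = Case(case_id, summary, severity, event_ids=set(event_ids))
    if assignee:  # assigning at creation skips the Open queue
        case.set_status("In process", assignee)
    return case

def open_queue(cases):
    # The "Case Management" view filtered for Status = Open.
    return [c for c in cases if c.status == "Open"]
```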


