LogicHub provides an integrated case management capability for you to track activity related to investigations of threats and other security issues. You can add comments and attachments to a case and create tasks to assign to selected users or groups. The case history is automatically created for each case action.
LogicHub also supports creating commands to help analyze cases. For example, you can assign commands created by a LogicHub user in your organization to a case so that the command output is part of the case record.
- Click Case Management > Cases from the left navigation.
- Click Create Case at the top of the screen to open the Create Case form.
- Select the Case Type. The case type depends on the type of business you are in. By default, the following fields are included for all case types.
  - Title: Enter a title to identify the case and a summary description.
  - Summary: Add a summary of the case. The summary area provides rich text controls for formatting and supports Markdown for basic syntax.
  - Assignee: Select a LogicHub user or group to assign the case to. When you assign a case to a group, any of the users in the group can work the case, and all of the group members receive case-related notifications.
  - Priority: Select the priority of the case.
- Click Submit.
A typical case details page contains the following sections and fields.
- Allows you to add detailed information about a case.
- Tasks: See Add Tasks to a Case.
- Attachments: Allows you to add attachments that provide context to a case.
- Similar Cases: Helps you identify similar cases. You can link a case by clicking either Search for Similar Cases or Suggested Cases.
- Comments: Allows you to view all the comments related to a case.
- Commands: Allows you to add commands for deeper analysis of a case.
- History: Allows you to view a complete record of changes made to a case.
- Connect Slack Channel: If Slack integration is set up for your LogicHub instance, you can connect the case comments to a Slack channel. To know more, see Connect Cases with Slack.
- Automatically extracts and stores the URLs, IP addresses, and file hashes found in the case title and description.
- All the default fields are available. To add a new field, see Manage Case Fields.
- Status: Allows you to change the status of the case as you progress: New, In Progress, Pending, Resolved, or Closed. You can also create a customized status or modify the current status. To know more, see Manage Case Workflow.
- Priority: Allows you to set the importance of the case: Critical, Blocker, High, Medium, Low, or Informational. You can create a custom priority based on your requirements. To know more, see Manage Priority.
- Assignee: Allows you to view or change the user the case is assigned to.
- Shows the time at which the case was created.
- Shows the name of the user who opened the case.
- View: Provides the complete details of the case report at a glance.
- Allows you to be notified of every change made to the case.
LogicHub allows you to create a case from the playbook. To know more, see Add a Step to Create Cases and Alerts.
A command is a type of playbook that can ingest arguments rather than data from a source and give you the output based on the command’s logic. Commands are useful to execute as part of your case investigation for deeper analysis and associate command results directly with a case that you’re working on. LogicHub allows you to create commands for cases and run them directly from cases. For example, if an attack has occurred from a particular IP address, you can add a command that does an IP lookup and includes the results of the lookup in the LogicHub case.
Similarly, you can directly connect to an external application from the case. You can access or perform actions without leaving the case page. By adding integration in the case, you can send information to another application or pull information from that application into the case.
The results remain in LogicHub and you don’t have to access an external system or copy and paste results into the case management record.
To run a command or integration from the case, follow these steps:
- Go to the Commands section in any case of your choice.
- For commands, type a forward slash (/) to enter a command or select one from the drop-down.
- For integrations, type an exclamation mark (!) to enter an integration or select one from the drop-down.
- A selection list appears. Scroll to find and select the command or integration.
- Type additional characters to filter the list to the matching selections. The command or integration you select is added to the entry area, and you are prompted to enter its parameters.
- After completing the command or integration as prompted, press Return to execute it and display the results. Use the controls in the upper right corner of the section to Prefill or Copy the command or integration, and use the arrow to expand or minimize the results.
If you run multiple commands or integrations, the command and integration history is retained in the section.
To know more, see Create Commands and Cases.