LogicHub provides an integrated case management capability for you to track activity related to investigations of threats and other security issues. You can add comments and attachments to a case and create tasks to assign to selected users or groups. The case history is automatically created for each case action.
LogicHub also supports creating commands to help analyze cases. For example, you can assign commands created by a LogicHub user in your organization to a case so that the command output is part of the case record.
- Click Case Management > Cases from the left navigation.
- Click Create Case at the top of the screen to open the Create Case form.
- Select the Case Type. The available case types depend on how your organization has set them up. By default, the following fields are included for all case types.
- Title: Enter a short title that identifies the case.
- Summary: Add a summary of the case. The summary area provides rich-text formatting controls and supports basic Markdown syntax.
- Assignee: Select a LogicHub user or group to assign the case to. When you assign a case to a group, any of the users in the group can work the case, and all of the group members receive case-related notifications.
- Priority: Select the priority of the case.
- After you've entered the details, click Submit.
A typical case details page contains the following fields.
| Field | Description |
|---|---|
| Summary | Detailed information about the case. |
| Tasks | See Add Tasks to a Case. |
| Attachments | Files that provide context for the case. |
| Linked Cases | Helps you identify similar cases. Link a case by clicking Search for Similar Cases or Suggested Cases. |
| Linked Alerts | Add alerts to the case by their IDs and view their details on the case details page. To know more, see Linked Alerts to Case. |
| Comments | Comments related to the case. |
| Commands | Commands and integrations run for deeper analysis of the case; their output is kept with the case record. |
| History | A complete record of changes made to the case. |
| Connect Slack Channel | If Slack integration is set up for your LogicHub instance, you can connect the case comments to a Slack channel. To know more, see Connect Cases with Slack. |
| Extracted Fields | URLs, IP addresses and file hashes extracted automatically from the case title and summary text. |
| Additional Fields | All default fields are available. To add a new field, see Manage Case Fields. |
| Status | The status of the case as it progresses: New, In Progress, Pending, Resolved, or Closed. You can also create a custom status or modify an existing one. To know more, see Manage Case Workflow. |
| Priority | The importance of the case: Critical, Blocker, High, Medium, Low, or Informational. You can create a custom priority to suit your requirements. To know more, see Manage Priority. |
| Assigned To | View or change the user or group the case is assigned to. |
| Created At | The time at which the case was created. |
| Created By | The name of the user who opened the case. |
| Case Report | View: shows the complete case report at a glance. Send as email: sends the case report by email to the recipients you specify. |
| Watch Options | Subscribe to notifications for every change to the case. |
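The Extracted Fields row above describes indicators pulled automatically out of the case text. As an added illustration of that kind of extraction, here is a small extractor in Python. It is not LogicHub's implementation: the regular expressions, the defanging rules, the names of the returned fields and the sample case text are all this example's own assumptions.

```python
"""Pull URL, IPv4 and file-hash indicators out of free-text case fields.

Added example of an "extracted fields" step. It is not LogicHub code;
the regexes, defanging rules and output field names are assumptions.
"""
import ipaddress
import re

# Analysts routinely "defang" indicators so they are not clickable
# (hxxp://, evil[.]com, 203[.]0[.]113[.]45). Undo that before matching,
# otherwise the defanged forms are silently missed.
DEFANG_DOT = re.compile(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", re.IGNORECASE)
DEFANG_SCHEME = re.compile(r"\bhxxp(s?)://", re.IGNORECASE)

URL_RE = re.compile(r"\bhttps?://[^\s<>\"'()\[\]]+", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# 32 / 40 / 64 hex characters on word boundaries: MD5 / SHA-1 / SHA-256.
HEX_RE = re.compile(r"\b[0-9a-f]{32}\b|\b[0-9a-f]{40}\b|\b[0-9a-f]{64}\b",
                    re.IGNORECASE)
HASH_TYPE = {32: "md5", 40: "sha1", 64: "sha256"}

# RFC 1918 and loopback ranges, checked explicitly rather than via
# is_private so that documentation ranges (203.0.113.0/24) stay "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def refang(text: str) -> str:
    """Turn defanged indicators back into their real form."""
    text = DEFANG_DOT.sub(".", text)
    return DEFANG_SCHEME.sub(lambda m: "http" + m.group(1) + "://", text)


def _dedupe(items):
    """Remove duplicates while keeping first-seen order."""
    seen, out = set(), []
    for item in items:
        if item not in seen:
            seen.add(item)
            out.append(item)
    return out


def extract_iocs(*fields: str) -> dict:
    """Return indicators found across the given text fields (title, summary, ...)."""
    text = refang("\n".join(fields))

    # Trailing sentence punctuation is not part of the URL.
    urls = [u.rstrip(".,;:") for u in URL_RE.findall(text)]

    ipv4, rejected = [], []
    for cand in IPV4_RE.findall(text):
        try:
            ipv4.append(str(ipaddress.IPv4Address(cand)))  # drops 999.1.1.1 etc.
        except ValueError:
            rejected.append(cand)

    hashes = {"md5": [], "sha1": [], "sha256": []}
    for h in HEX_RE.findall(text):
        hashes[HASH_TYPE[len(h)]].append(h.lower())

    ipv4 = _dedupe(ipv4)
    return {
        "urls": _dedupe(urls),
        "ipv4": ipv4,
        # Internal addresses should not be pushed to external enrichment services.
        "ipv4_internal": [ip for ip in ipv4
                          if any(ipaddress.IPv4Address(ip) in n for n in INTERNAL_NETS)],
        "md5": _dedupe(hashes["md5"]),
        "sha1": _dedupe(hashes["sha1"]),
        "sha256": _dedupe(hashes["sha256"]),
        "rejected": _dedupe(rejected),
    }


# Constructed sample case text (not a real incident).
SAMPLE_TITLE = "Phishing email linking to hxxp://login-update[.]example[.]net/verify"
SAMPLE_SUMMARY = (
    "User clicked the link; host then beaconed to 203[.]0[.]113[.]45 and 10.0.0.7. "
    "Attachment sha256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 "
    "(md5 d41d8cd98f00b204e9800998ecf8427e). The string 999.1.1.1 is not a valid address."
)

if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_TITLE, SAMPLE_SUMMARY).items():
        print(f"{kind}: {values}")
```

Two details matter in practice: refanging before matching, because analysts write `hxxp://` and `[.]` precisely so that indicators are not clickable, and keeping RFC 1918 addresses in a separate list so that a later enrichment step does not send internal IPs to a third-party lookup service.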
LogicHub allows you to create a case from the playbook. To know more, see Add a Step to Create Cases and Alerts.
A command is a type of playbook that takes arguments rather than ingesting data from a source and returns output based on the command's logic. Commands are useful during a case investigation for deeper analysis, because their results are associated directly with the case you are working on. LogicHub lets you create commands for cases and run them from the case page. For example, if an attack came from a particular IP address, you can add a command that performs an IP lookup and includes the lookup results in the case.
Similarly, you can connect directly to an external application from the case and access it or perform actions without leaving the case page. By adding an integration to the case, you can send information to another application or pull information from that application into the case.
The results remain in LogicHub, so you do not have to open an external system or copy and paste results into the case record.
To run an integration/command from the case, follow these steps:
- Go to the Commands section of the case.
- To run a command, type a forward slash (/) and then choose from the drop-down.
- To run an integration, type an exclamation mark (!) and then choose from the drop-down.
- A selection list appears. Scroll to find and select the command or integration.
- Type characters to filter the list to matching entries. The command or integration you select is added to the entry area, and you are prompted to enter its parameters.
- After completing the command or integration as prompted, press Return to execute it and display the results. Use the controls in the upper-right corner of the section to Prefill or Copy the entry, and the arrow to expand or collapse the results.
If you run multiple commands or integrations, their history is retained in the section.
To know more, see Create Commands and Cases.
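To make the command concept concrete (arguments in, results attached to the case record, history retained), here is an added Python sketch of a case-command runner. It is hypothetical and not LogicHub's API: only the `/name` and `!name` entry prefixes come from the page; the `Case` class, the registry, the `ip_lookup` command and the reputation table are this example's own constructions.

```python
"""A minimal case-command runner, added to illustrate the command concept.

Hypothetical and not LogicHub's API: the /name and !name entry syntax
mirrors the page; Case, REGISTRY, ip_lookup and the reputation table
are this example's own construction.
"""
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed stand-in for an IP-reputation integration (no network access).
REPUTATION = {"203.0.113.45": {"verdict": "malicious", "source": "constructed feed"}}
# RFC 1918 and loopback; answered locally, never sent to a third party.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def ip_lookup(ip: str) -> dict:
    """Command logic: validate the argument, then look it up."""
    # Parse before use: the raw string must never reach a shell, a URL or a
    # query unchecked. A bad value raises ValueError and is recorded as an error.
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in INTERNAL_NETS):
        return {"ip": str(addr), "verdict": "internal", "source": "local policy"}
    return {"ip": str(addr),
            **REPUTATION.get(str(addr), {"verdict": "unknown", "source": "constructed feed"})}


# Entry prefix -> kind, and what is available under each kind.
KIND_BY_PREFIX = {"/": "command", "!": "integration"}
REGISTRY = {"command": {"ip_lookup": ip_lookup}, "integration": {}}


@dataclass
class Case:
    id: str
    title: str
    command_results: list = field(default_factory=list)  # appended to, never overwritten
    history: list = field(default_factory=list)


def parse_entry(entry: str) -> tuple:
    """'/ip_lookup 203.0.113.45' -> ('command', 'ip_lookup', ['203.0.113.45'])."""
    kind = KIND_BY_PREFIX.get(entry[:1])
    if kind is None:
        raise ValueError("entry must start with / (command) or ! (integration)")
    name, *args = entry[1:].split()
    return kind, name, args


def suggestions(typed: str) -> list:
    """Names the drop-down would offer for what has been typed, e.g. '/ip'."""
    kind = KIND_BY_PREFIX.get(typed[:1])
    return sorted(n for n in REGISTRY.get(kind, {}) if n.startswith(typed[1:]))


def run_entry(case: Case, entry: str, user: str) -> dict:
    """Execute a command or integration and append the outcome to the case."""
    kind, name, args = parse_entry(entry)
    func = REGISTRY[kind].get(name)
    if func is None:
        raise ValueError(f"unknown {kind}: {name!r}")
    try:
        result, status = func(*args), "ok"
    except (TypeError, ValueError) as exc:  # wrong arity or invalid argument
        result, status = {"error": str(exc)}, "error"
    record = {"entry": entry, "user": user, "status": status, "result": result,
              "at": datetime.now(timezone.utc).isoformat()}
    case.command_results.append(record)
    case.history.append(f"{user} ran {entry} ({status})")
    return record


if __name__ == "__main__":
    case = Case("CASE-0001", "constructed test case")
    for line in ("/ip_lookup 203.0.113.45", "/ip_lookup 10.0.0.7", "/ip_lookup not-an-ip"):
        print(run_entry(case, line, "analyst"))
    print(case.history)
```

The point to carry over to real command playbooks is in `ip_lookup`: the argument typed by the analyst is parsed into a typed value before anything is done with it, a failure is recorded on the case as an error result rather than lost, and internal addresses are answered locally instead of being sent to an external service.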
The case details page lets you view the list of alerts linked to the case with a single click. Cases include a Linked Alerts field with a multi-select value, which lets you add alerts and search for alerts by their IDs.
In the Linked Alerts tab, you can:
- Use the alert ID to link a single alert or multiple alerts
- Perform a basic search when multiple alerts are added
- Click on the arrow beside the linked alerts to see the details of the alert
You can now link alerts to a case from a playbook. To know more, see Add a Step to Create Cases and Alerts.