Create Case to Track Security Issues

LogicHub provides an integrated case management capability for tracking activity related to investigations of threats and other security issues. You can add comments and attachments to a case and create tasks to assign to selected users or groups. Every action taken on a case is recorded automatically in the case history.

LogicHub also supports creating commands to help analyze cases. For example, you can run a command created by a LogicHub user in your organization against a case so that the command output becomes part of the case record.

How to Create a Case

  1. Click Case Management > Cases from the left navigation.
  2. Click Create Case at the top of the screen to open the Create Case form.
  3. Select the Case Type. The available case types depend on how LogicHub is configured for your organization. By default, the following fields are included for all case types.
    • Title: Enter a short title that identifies the case.
    • Summary: Add a summary of the case. The summary area provides rich text controls for formatting and supports Markdown for basic syntax.
    • Assignee: Select a LogicHub user or group to assign the case to. When you assign a case to a group, any of the users in the group can work the case, and all of the group members receive case-related notifications.
    • Priority: Select the priority of the case.
  4. Click Submit.

A typical case details page contains the following fields.

  • Summary: Add detailed information about the case.
  • Tasks: See Add Tasks to a Case.
  • Attachments: Add files that provide context to the case.
  • Linked Cases: Identify related cases. Link a case by clicking Search for Similar Cases or by choosing one of the Suggested Cases.
  • Comments: View all comments related to the case.
  • Commands: Add commands for deeper analysis of the case.
  • History: View a complete record of the changes made to the case.
  • Connect Slack Channel: If Slack integration is set up for your LogicHub instance, you can connect the case comments to a Slack channel. To know more, see Connect Cases with Slack.
  • Extracted Fields: URLs, IP addresses and file hashes found in the case title and summary are extracted automatically and stored with the case.
  • Additional Fields: All default fields are available here. To add a new field, see Manage Case Fields.
  • Status: Change the status of the case as work progresses: New, In Progress, Pending, Resolved, or Closed. You can also create custom statuses or modify the existing ones. To know more, see Manage Case Workflow.
  • Priority: Set the importance of the case: Critical, Blocker, High, Medium, Low, or Informational. You can create custom priorities based on your requirements. To know more, see Manage Priority.
  • Assigned To: View or change the user or group the case is assigned to.
  • Created At: Shows when the case was created.
  • Created By: Shows the user who opened the case.
  • Case Report: View shows the complete case report at a glance; Send as email sends the case report to the recipients you specify.
  • Watch Options: Subscribe to be notified of every change to the case.
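The Extracted Fields entry above describes indicators being pulled automatically from the case title and summary. The block below is an added example, not LogicHub's own extraction code: it shows how URLs, IPv4 addresses and file hashes can be extracted from free-text case fields, including the defanged forms (hxxp://, [.]) analysts often paste into a case, and it separates internal (RFC 1918, loopback, link-local) addresses from external ones so nobody pivots on their own address space. The function names, the returned field names and the sample case text are assumptions made for this example.

```python
"""Indicator extraction of the kind described under Extracted Fields.

Added example: this is not LogicHub's extraction code. It pulls URLs, IPv4
addresses and file hashes out of free-text case fields, undoes common
defanging first, and keeps internal addresses apart from external ones.
Field names and the sample case text below are constructed for the example.
"""
import ipaddress
import re
from typing import Dict, Iterable, List

# Networks treated as "internal". RFC 1918, loopback and link-local are listed
# explicitly instead of relying on ipaddress.is_private, which also covers
# documentation ranges such as 203.0.113.0/24 that threat reports commonly use.
_INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

_URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""", re.I)
_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Longest alternative first so a SHA-256 is never reported as an MD5/SHA-1 fragment.
_HASH_RE = re.compile(r"\b(?:[a-f0-9]{64}|[a-f0-9]{40}|[a-f0-9]{32})\b", re.I)
_HASH_NAMES = {32: "md5", 40: "sha1", 64: "sha256"}


def refang(text: str) -> str:
    """Undo common defanging (hxxp://, [.], (dot)) so indicators match their real form."""
    text = re.sub(r"hxxp(s?)://", r"http\1://", text, flags=re.I)
    text = re.sub(r"\[\.\]|\(\.\)|\[dot\]|\(dot\)", ".", text, flags=re.I)
    return text


def _unique(items: Iterable[str]) -> List[str]:
    """De-duplicate while preserving first-seen order."""
    seen, out = set(), []
    for item in items:
        if item not in seen:
            seen.add(item)
            out.append(item)
    return out


def extract_indicators(title: str, summary: str) -> Dict[str, List[str]]:
    """Return de-duplicated indicators found in the case title and summary."""
    text = refang(title + "\n" + summary)
    found: Dict[str, List[str]] = {"urls": [], "ips": [], "private_ips": [],
                                   "md5": [], "sha1": [], "sha256": []}

    # Trailing sentence punctuation is not part of the URL.
    found["urls"] = [m.group(0).rstrip(".,;:!?") for m in _URL_RE.finditer(text)]

    for m in _IPV4_RE.finditer(text):
        try:
            ip = ipaddress.IPv4Address(m.group(0))  # rejects octets > 255 such as 999.1.1.1
        except ValueError:
            continue
        bucket = "private_ips" if any(ip in net for net in _INTERNAL_NETS) else "ips"
        found[bucket].append(str(ip))

    for m in _HASH_RE.finditer(text):
        value = m.group(0).lower()          # normalise case so duplicates collapse
        found[_HASH_NAMES[len(value)]].append(value)

    return {kind: _unique(values) for kind, values in found.items()}


# Constructed sample case text (documentation IP ranges, not a real incident).
SAMPLE_TITLE = "Phishing email delivering loader from hxxp://malicious-example[.]test/dl/a.exe"
SAMPLE_SUMMARY = (
    "User reported mail relayed via 203.0.113.45. Attachment sha256 "
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855, "
    "also seen as md5 D41D8CD98F00B204E9800998ECF8427E. Callback to "
    "http://198.51.100.7:8080/beacon, then lateral movement to 10.20.30.40. "
    "Malformed 999.1.1.1 in the raw log is ignored."
)

if __name__ == "__main__":
    for kind, values in extract_indicators(SAMPLE_TITLE, SAMPLE_SUMMARY).items():
        print(f"{kind}: {values}")
```

IPv6 addresses and domain names without a scheme are deliberately out of scope here; adding them is mostly a matter of more patterns, but domain extraction in particular needs a public-suffix check to avoid flooding a case with file names and version strings that look like hostnames.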

Create Case from Playbook

LogicHub allows you to create a case from the playbook. To know more, see Add a Step to Create Cases and Alerts.

Add Commands and Integration

A command is a type of playbook that takes arguments rather than data from an event source and returns output based on the command's logic. Commands are useful to run as part of a case investigation for deeper analysis, and their results are associated directly with the case you are working on. LogicHub allows you to create commands for cases and run them directly from a case. For example, if an attack originated from a particular IP address, you can add a command that performs an IP lookup and includes the lookup results in the LogicHub case.

Similarly, you can connect directly to an external application from the case and access it or perform actions without leaving the case page. By adding an integration to the case, you can send information to another application or pull information from that application into the case.

The results remain in LogicHub, so you do not have to switch to an external system or copy and paste results into the case record.

To run a command or integration from a case, follow these steps:

  1. Go to the Commands section of the case.
    • For commands, type a forward slash (/) to open the command list.
    • For integrations, type an exclamation mark (!) to open the integration list.
  2. A selection list appears. Scroll through it, or type characters to filter the list to matching entries.
  3. Select the command or integration. It is added to the entry area, and you are prompted to enter its parameters.
  4. After completing the parameters as prompted, press Return to execute the command or integration and display the results. Use the controls in the upper right corner of the section to Prefill or Copy the command or integration, and use the arrow to expand or collapse the results.

📘

If you run multiple commands or integrations, the history of each run is retained in the section.

To know more, see Create Commands and Cases.

What's Next

🔗   Create Task
