LogicHub provides an integrated case management capability for you to track activity related to investigations of threats and other security issues. You can add comments and attachments to a case and create tasks to assign to selected users or groups. Case history is automatically created for each case action.
LogicHub also supports the creation of commands to assist in case analysis. You can assign commands that have been created by a LogicHub user in your organization to a case so that the command output becomes part of the case record.
To view and manage the current list of cases, select Case Management > Cases on the side menu. Use the search field to find cases. To sort the case list by a column, click the column header. Click again to reverse the sort order.
To create a case:
- Select Case Management > Cases on the side menu.
- Click Create Case.
- Select the case type.
The specific fields to complete depend on the case type. The following are included for all case types.
- Enter a title to identify the case and a summary description.
- Add a summary of the case. The summary area provides rich text controls for formatting and supports markdown for hyperlinks.
- Select a LogicHub user or group to assign the case to. When you assign a case to a group, any of the users in the group can work the case, and all of the group members receive case-related notifications.
- Select the case priority.
- Click Submit.
The case is added to the top of the list on the Cases page. To add content to the case and track associated work activities, click the case name on the Cases page.
The case details page includes sections for summary, tasks, attachments, and activities.
- To show or hide the contents of a section, click the arrow to the right of the section header.
- To edit a field, hover over the field contents and click the Edit icon.
- To change the Priority, Status, or Assigned To, select from the dropdown list.
You can add any of the following to the case:
- Comments (see below in this topic).
- Tasks (see Add tasks to a case).
- Attachments (see below in this topic).
To add comments to a case, expand the Comments/Commands/History area and select the Comments tab. Enter the comment in the text entry area at the bottom. The comments area provides rich text controls for formatting and supports markdown for hyperlinks.
To save the comment, click the checkbox in the lower right corner of the comment area.
After a comment is added you can edit it by clicking Edit, making changes, and clicking Update. You cannot delete a comment that has been added.
If Slack integration is set up for your LogicHub instance, you can connect the case comments to a Slack channel. For instructions on setting up Slack integration, see Set Up Slack Integration.
To add attachments to a case, expand the Activities area and click +. Select the file and click Open. Or, drag the file to the Case details page and drop it. The file name, file size, and thumbnail preview are shown. To view a larger image, click the thumbnail image.
To download or remove the file, hover over the file name and make your selection. You can add additional files as needed.
As an analyst, you may need to run commands as part of your case investigation. LogicHub users can create commands from the Automations > Commands page. All commands then become available to add to a case.
To add commands to a case, expand the Comments/Commands/History area. Click the text entry area at the bottom and enter /.
A selection list appears. Scroll to find and select the command or continue to type to filter the list to the matching selections. After selecting the command, press Return to execute the command and display the output. Add additional commands as needed.
You can add an integration or action to a case to perform a task, obtain data, or obtain results from another system.
To add an integration or action to a case, expand the Comments/Commands/History area. Click the text entry area at the bottom and enter !.
A list of matching integrations and actions is shown. Scroll through either of the lists to find the integration or action you want to use. To filter the list, start entering a text string and make your selection.
When you select an integration or action, the query that represents the item is displayed. If the integration or action has associated parameters, you are prompted to enter values for them.
Add values and press Return to execute the integration or action and add the results to the Command tab.
A history of all the actions associated with a case is available on the History tab in the expanded Comments/Commands/History area.
To edit or delete a case or task, click the More icon (...) for the entry on the Case Management > Cases page and select Edit or Delete. If your browser window is narrow, you might have to scroll to the right to see the icon.
Updated 9 months ago