Case and Incident Management Application
The Case and Incident Management (CIM) application serves as a central point of interaction for a security operations team. You can use this application independently or with a solution such as Phishing Triage or Alert Triage from the SOC Solutions Bundle. In the following example, the CIM application works as part of the SOC Solutions Bundle. For assistance with SOC Solutions Bundle installation and setup, contact your Swimlane Professional Services point of contact.

Let's see how the Case and Incident Management application works.

How It Works

The CIM application, as part of the SOC Solutions Bundle, serves as the central point of interaction for a security operations team. The application provides the following best-practice capabilities:

- Unified signal triage from Alert Triage, Phishing Triage, and manual creation
- Playbooks with record creation automations
- Threat intelligence (TI) enrichment interface
- Various orchestration launch points: signal triage, case management, incident management, investigation details, knowledge base articles, remediation, correlation, and after actions reports
- Dedicated spaces for customizations
- Automatic metric collection
- Advanced mode for troubleshooting and fine tuning

Correlation Configuration

Turbine can correlate records, which allows Turbine to compare a new record to a previous record that has correlation keys. In the CIM application, correlation information appears on the CIM record in a designated section and on the Support tab.

By default, correlation of CIM records happens when a record matches at least three observables with other records. Correlation happens at record creation time or when the Correlate CIM Records button is pressed in a CIM record. Correlated records are shown as tabs in the CIM record so you can compare similar records.

You can configure correlation in two ways: you can change the number of matches required for a correlation, and you can change the fields available to match on.

To change the number of matches necessary for a correlation, edit the Refine Search Results action in the CIM Get CIM Correlations component:

1. From the left navigation pane, click Components under Orchestration.
2. Select the CIM Get CIM Correlations component.
3. Edit the Refine Search Results script action.
4. Change the Matches Required value to your desired value. The default value is 3.
5. Apply your changes.

To add new fields to the values that correlation works on, edit the CIM Extract Raw Alert Fields to CIM playbook:

1. From the left navigation pane, click Playbooks under Orchestration.
2. Select the CIM Extract Raw Alert Fields to CIM playbook.
3. Edit the Extract Fields transform data action.
4. Add the values you would like to include in correlations. For example, you might add the Hostname field from the raw event.
5. Apply your changes.
6. Edit the Write to CIM Record action.
7. Check the Append Array or Multiselect box, and then choose Correlation Array.
8. Choose the field you added in the Extract Fields action.

Correlation configuration is complete. Continue to the next section, where an example walks you through how to configure the other sections in the CIM application to give you the best-practice setup for your CIM records.

CIM Record Configuration

After logging in to Swimlane Turbine, follow these steps to get to the CIM records:

1. From the left navigation pane, click Application Records.
2. Select Case and Incident Management.
3. Select a CIM record from the list of CIM records in the default report.

You can now see a CIM application record. The left pane contains record details, including Signal Type, Intelligence Verdict, Signal Source, and so on. Additionally, there are expand and collapse sections that provide further record information. Let's review the CIM record and the additional sections.

Record Creation Actions

When a new record is created in the CIM application, two automation actions execute to enrich the signal with observable verdicts and an automated brief.

Record Lifecycle

The record lifecycle in the CIM application is described below. Orchestration launch points offer a conceptual understanding of the record lifecycle.

Orchestration Launch Points

These represent natural points in the record lifecycle within the CIM application at which configurable automation or orchestration may ideally take place.

Type: Signal

Records arrive in the application as signals. Signals represent an incoming event from a security information and event management (SIEM) or endpoint detection and response (EDR) alerting system, a reported phishing email, or a manually created ad hoc indication of suspicious activity. An incoming signal must have one of the following Signal Source values:

- Alert
- Phishing E-mail
- Manual

Claim the record to take further action. To claim the record, click Claim. Once you claim the record, you are the current owner and the record Status updates to In Progress.

After triaging the activity, you can escalate the record to a case if the case is a true positive or other thresholds are met (thresholds are determined by your organization's policies). To escalate the record to a case, click Escalate to Case.

Type: Case

Escalating to a case simply changes the Type value to Case. It's important to mention again that this is a prime orchestration launch point. When working a case, it may be a good opportunity to identify additional signals or cases that can be correlated.

Type: Incident

In certain circumstances when working through a case, a practitioner may choose to declare an incident. Generally, this is done when a specified impact threshold is met that requires additional steps, reporting, stakeholder communications, and so on. To declare an incident, click Declare Incident. This changes the Type value to Incident. Additionally, a red banner displays at the top of the record to accentuate the criticality of the record.

As the incident is mitigated, the incident can be de-escalated. De-escalating an incident is an indication that the incident has been mitigated and firefighting teams can stand down. To de-escalate an incident, click De-escalate Incident.

Customization

While you can customize throughout the application, the new CIM provides a dedicated space where you can add custom fields without impacting the look and feel of the core application space.

Metrics

Turbine has the ability to capture hyper-granular metrics. Throughout the lifecycle of a record, strategic points exist at which a data point or timestamp is captured. The expected flow and data capture points are viewable in the metrics diagram.

Metrics Fields

In the record, you can view the metrics: click the Metrics tab. These metrics feed various dashboard reports, such as MTTD, MTTR, dwell time, and so on.

Advanced Mode

The Audit tab of the CIM application has an Advanced checkbox that, when selected, shows the application's functionality, widgets, and managed references.

There are six additional expand/collapse sections on a CIM record. The following documentation provides specifics about each section and how it engages in the CIM record.

Case Summary and Recommended Actions

One of the most powerful features of Case and Incident Management is that Hero AI can generate case summaries and recommend actions that a security practitioner should take to mitigate or remediate a case. To generate these summaries, click the Generate Case Summary & Recommended Actions button. Hero AI will then look at all of the attributes of a case, including correlated cases and knowledge base articles, to create a clear-text summary of the case. Hero AI will also generate five recommendations for how to mitigate or remediate a case and possibly keep it from happening again. This feature uses the Swimlane LLM, so you can be confident that your security data is not being shared with a third party, stored in logs, or used to train a model.

Investigation Notes & Evidence Locker

The Investigation Notes & Evidence Locker section contains a Summary field for the incident that you manually enter for the current record and that would be included in an automatically generated After Actions Report (AAR) (see the Post Incident Activity section). Additionally, this could be used for other use cases, such as the Collaboration extension. The Investigation Comments section shows the comments that are not included in the AAR but are housed within Turbine. The MITRE ATT&CK Techniques section provides a place to enter or review MITRE ATT&CK technique/tactic pairs used to drive the MITRE dashboard in the SOC Solutions Bundle. You can also manually populate the Evidence Locker drag-and-drop section with miscellaneous files related to the investigation.

Knowledge Base Articles

The Knowledge Base section houses previous user-crafted remediation steps taken for this record. By using this section, you can access lessons learned and other tips about that record or something that has related record information (for example, a similar Signal Type). Existing knowledge base articles (KBAs) contain the tracking ID for the corresponding KBA, Alert Title, Context Summary, Guidance, and the last date it was updated.

- To add a new KBA to the current record, in the Knowledge Base Articles table, click the plus icon.
- Click the magnifying glass icon to search for a KBA.
- If needed, click the trash icon to delete a KBA from the record.
- To ensure you have the latest set of KBAs for that record after making edits to your investigation, such as MITRE ATT&CK mappings, click Refresh Knowledge Base Links.

Threat Intelligence

Intelligence Verdict

If any observables are discovered in the incoming signal through an alert or phishing email, those observables are automatically parsed and enriched by the configured TI providers through the TI application (see the Threat Intelligence Application section for additional details). Based on the results from the chosen primary intelligence provider, the most critical verdict is passed into the Intelligence Verdict value. The verdict criticality is ordered from most to least critical:

1. Malicious
2. Suspicious
3. Benign
4. Unknown

The Threat Intelligence section displays the primary intelligence provider enrichment results for each parsed observable (widget) and allows the user to perform ad hoc observable enrichment (Observable, Observable Type, Add Observable) as the investigation progresses. This is the easiest option to view TI associated with a particular CIM record.

This section exports TI data as well. In the drop-downs, select the desired Provider, Verdict, Observable, and Type. Once you have the desired information, click Export to download the data into a CSV file. The CSV file provides the following TI details about the selected data:

- Tracking ID
- Indicator
- Permalink (a resource such as an observable enrichment on VirusTotal or Recorded Future)
- Tool (for example, VirusTotal)
- Tag (for example, malicious, suspicious)
- Score
- Last Updated

Phishing attachments are saved to the TI application as file observables. You can download the phishing attachment file from the TI widget.

Remediation

The CIM application has a Remediation section with multiple tabs, which execute eight different remediation actions for a CIM record. As an orchestrator, this provides a way to engage various remediation actions based on CIM record information. See below for more details about each tab.

Block/Unblock Observables

As an orchestrator, you need to complete configurations to the Remediation Actions playbook before updating the CIM record. In the playbook, you'll see many different block/unblock observable remediation action components. You can replace any of these with another component with the same interface to block or unblock the observable. Note that different components handle different types of observables.

1. From Orchestration, click Playbooks.
2. Search for and open the Remediation Actions playbook.
3. Find the Block Observables record action. You can replace any block/unblock observable remediation action component with your own component with the same interface. This can be a nested playbook or an action that you've already configured, for example, a playbook that blocks IP addresses in a firewall or isolates hosts on EDR.
4. Now find the Unblock Observables record action. Again, you can replace any block/unblock observable remediation action component with one that has the same interface.

Important! While orchestrators must create the nested components and/or actions within the Remediate Actions playbook, practitioners can modify the contents of the Remediation tab in the CIM record. Modifying CIM record observables does not require orchestrator-level access. The same applies to all of the playbooks that execute in the Remediation tab.

Disable/Enable Users

This tab functions like the Block/Unblock Observables tab. Orchestrators first need to access the Remediate Actions playbook to replace the components with components that execute your desired outcome.

1. Navigate to the desired CIM record and Remediation section.
2. In the Disable/Enable Users tab, enter the users that you want to disable and/or enable.
3. Click Disable Users and/or Enable Users. This runs the appropriate playbook and returns results in the Disable Users Response and/or Enable Users Response fields, with a response that shows you what the playbooks did and acted upon, with a date/time stamp.

Isolate/Rejoin Hosts

This tab also functions like the Block/Unblock Observables tab. Orchestrators first need to access the Remediate Actions playbook to replace the appropriate components with components that execute your desired outcome.

1. Navigate to the desired CIM record and Remediation section.
2. In the Isolate/Rejoin Hosts tab, enter the hosts that you want to isolate or rejoin. This is common with EDR use cases.
3. Click Isolate Hosts and/or Rejoin Hosts. This runs the appropriate playbook and returns results in the Isolate Hosts Response and/or Rejoin Hosts Response fields, with a response that shows you what the playbooks did and acted upon, with a date/time stamp.

Correlation

A correlation action occurs every time a record is created. From the Support tab on a CIM record, the Correlation Support Fields section takes in 15 correlation key fields (observables) from the Process Alerts or Process Emails playbooks. After the correlation occurs, Turbine runs a playbook that extracts the tracking IDs for correlating records. In the example record, CIM 241 shows the Correlation section with correlating tracking IDs in records CIM 244, CIM 243, CIM 245, and CIM 242. Each record's Title, Status, Intel Verdict, Manual Verdict, and Automated Brief information displays in the Correlations table. To see a specific record in detail, click the corresponding tracking ID. The selected record opens in a pop-up window; click outside of the window to return to your current record.

The Signal Display widget provides a more visual representation of the current and correlating records, with record details that highlight important data and the option to export that record's data to a CSV file.

Post Incident Activity

The Post Incident Activity section of CIM records gives you the ability to generate an After Actions Report summarizing the case. This report can include a Hero AI generated executive summary of the case.

1. Expand the Post Incident Activity section and click the Generate Executive Summary button. This prompts Hero AI to create a short summary of the case, including a description of the incident, what steps were taken, and what the outcome was.
2. To generate the After Actions Report, click the Generate After Actions Report button.
3. Click the download icon to download the PDF, or click directly on the file name to preview the file.

The PDF opens after downloading or previewing it. The file has an easy-to-read layout that includes the following information for that record:

- Case Number
- Automated Brief
- Investigation Summary
- Remediation Actions Taken
- Timeline Summary
- Incident Handler Information

If you have a local copy of an AAR and want to add it to the record, simply drag and drop the file into the After Actions Report section.

Tip: If an orchestrator wants to adjust the information that is returned in the AAR PDF file, navigate to and open the CIM Generate After Actions Report playbook, click the Generate HTML Report action, and click Configure. From the script pane, using HTML, you can modify the data that is returned.

Threat Intelligence Application

The TI application enriches observables coming from CIM. All unique observables from an incoming signal in the CIM application generate a new TI record.

Primary Intelligence Provider

Based on the Observable Type value, the appropriate primary intelligence provider (PIP) is selected. The resulting enrichment is at the top of the application. The values of the PIP enrichment determine the Intelligence Verdict, as mentioned in the Automated Brief summary.

Additional Providers

Again, based on the Observable Type value, additional intelligence providers enrich the observable. The results from these providers, while not contributing to the primary TI verdict, are visible directly in the TI record in a dedicated expandable widget. The enrichment key details are displayed, with the ability to click the widget card to expand and view the raw JSON.
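The following is an added example illustrating the Correlation Configuration section above; it is not Swimlane's code and does not call the Turbine API. It models the two tunable parts of CIM correlation as stand-alone functions: the field list that the Extract Fields step pulls from the raw event (the field names here, and the addition of "hostname", are assumptions), and the Matches Required threshold that the Refine Search Results step applies (default 3, as the page states). The raw events and tracking IDs are constructed sample data.

```python
# Added example (not Swimlane's code): a stand-alone model of the CIM
# correlation rule, showing how "Matches Required" and the correlation
# field list change which records correlate. Field names and events are
# constructed for the example.

DEFAULT_MATCHES_REQUIRED = 3  # the page's default for Refine Search Results

# Correlation fields pulled from the raw alert (assumed names); the
# walkthrough above adds "hostname" to a list like this one.
DEFAULT_CORRELATION_FIELDS = ["src_ip", "dst_ip", "domain", "url", "file_hash", "user"]


def extract_correlation_values(raw_event, fields=DEFAULT_CORRELATION_FIELDS):
    """Mirror the Extract Fields step: pull the configured fields out of the
    raw event and normalise them into a set of observable values (the
    record's correlation array). Lists (e.g. several IPs) are flattened."""
    values = set()
    for name in fields:
        raw = raw_event.get(name)
        if raw is None:
            continue
        for item in (raw if isinstance(raw, list) else [raw]):
            item = str(item).strip().lower()
            if item:
                values.add(item)
    return values


def correlate(new_id, correlation_arrays, matches_required=DEFAULT_MATCHES_REQUIRED):
    """Mirror the Refine Search Results step: keep every other record whose
    correlation array shares at least `matches_required` observables with
    the new record. Returns [(tracking_id, shared_count)], strongest first."""
    new_values = correlation_arrays[new_id]
    hits = []
    for tracking_id, values in correlation_arrays.items():
        if tracking_id == new_id:
            continue
        shared = len(new_values & values)
        if shared >= matches_required:
            hits.append((tracking_id, shared))
    return sorted(hits, key=lambda hit: (-hit[1], hit[0]))


# Constructed raw events (documentation-range IP, placeholder hash).
SAMPLE_EVENTS = {
    "CIM 241": {"src_ip": "198.51.100.7", "domain": "bad.example",
                "file_hash": "d41d8cd98f00b204e9800998ecf8427e",
                "user": "jdoe", "hostname": "WS-0412"},
    "CIM 242": {"src_ip": "198.51.100.7", "domain": "bad.example",
                "file_hash": "d41d8cd98f00b204e9800998ecf8427e",
                "user": "asmith"},
    # Shares only two default fields with CIM 241, but also the hostname
    "CIM 243": {"src_ip": "198.51.100.7", "domain": "bad.example",
                "hostname": "ws-0412"},
    # Shares a single observable: never enough to correlate
    "CIM 244": {"domain": "bad.example"},
}


def run_correlation(new_id="CIM 241", fields=DEFAULT_CORRELATION_FIELDS,
                    matches_required=DEFAULT_MATCHES_REQUIRED):
    """Build every record's correlation array from SAMPLE_EVENTS with the
    given field list, then correlate `new_id` against the rest."""
    arrays = {tid: extract_correlation_values(ev, fields)
              for tid, ev in SAMPLE_EVENTS.items()}
    return correlate(new_id, arrays, matches_required)


if __name__ == "__main__":
    print("defaults:            ", run_correlation())
    print("hostname added:      ", run_correlation(fields=DEFAULT_CORRELATION_FIELDS + ["hostname"]))
    print("matches required = 2:", run_correlation(matches_required=2))
```

With the defaults only CIM 242 correlates (three shared observables). Appending the hostname to the correlation array, as the playbook edit does, brings CIM 243 up to three matches; lowering Matches Required to 2 instead brings it in without the extra field. Note that values are normalised before comparison so that case or whitespace differences in the raw alert do not silently suppress a match.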
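The following is an added example illustrating the Record Lifecycle and Metrics sections above; it is not Swimlane's code. It models the transitions the page describes (Signal, Claim, Escalate to Case, Declare Incident, De-escalate Incident), validates the Signal Source values and the order of actions, captures a timestamp at each step, and averages the resulting durations across records in the spirit of the MTTD/MTTR-style dashboards the page mentions. The metric definitions, the pre-claim status "New", the timestamp names and the sample times are assumptions for this example, not the product's own definitions.

```python
# Added example (not Swimlane's code): a small model of the CIM record
# lifecycle with the timestamps captured at each step, plus averages over
# several records. Metric definitions, the initial status "New" and all
# sample times are assumptions for this example.
from datetime import datetime, timedelta
from statistics import mean

SIGNAL_SOURCES = {"Alert", "Phishing E-mail", "Manual"}  # values listed on the page


class CimRecord:
    def __init__(self, tracking_id, signal_source, created_at):
        if signal_source not in SIGNAL_SOURCES:
            raise ValueError(f"unsupported Signal Source: {signal_source!r}")
        self.tracking_id = tracking_id
        self.signal_source = signal_source
        self.type = "Signal"
        self.status = "New"            # assumed pre-claim status
        self.owner = None
        self.incident_active = False   # True while the red banner is shown
        self.timestamps = {"created": created_at}

    def _stamp(self, name, at):
        """Capture a data point, refusing timestamps that run backwards."""
        last = max(self.timestamps.values())
        if at < last:
            raise ValueError(f"{name} at {at} precedes earlier step at {last}")
        self.timestamps[name] = at

    def claim(self, user, at):
        if self.owner is not None:
            raise ValueError("record already claimed")
        self.owner = user
        self.status = "In Progress"
        self._stamp("claimed", at)

    def escalate_to_case(self, at):
        if self.type != "Signal" or self.owner is None:
            raise ValueError("only a claimed Signal can be escalated to a Case")
        self.type = "Case"
        self._stamp("escalated", at)

    def declare_incident(self, at):
        if self.type != "Case":
            raise ValueError("only a Case can be declared an Incident")
        self.type = "Incident"
        self.incident_active = True
        self._stamp("declared", at)

    def deescalate_incident(self, at):
        if not self.incident_active:
            raise ValueError("no active incident to de-escalate")
        self.incident_active = False
        self._stamp("deescalated", at)

    def metrics(self):
        """Durations in minutes between captured points (assumed definitions);
        None where the record never reached that point."""
        t = self.timestamps

        def mins(start, end):
            if start in t and end in t:
                return (t[end] - t[start]).total_seconds() / 60
            return None

        return {
            "time_to_claim": mins("created", "claimed"),
            "time_to_case": mins("created", "escalated"),
            "time_to_incident": mins("escalated", "declared"),
            "incident_duration": mins("declared", "deescalated"),
        }


def mean_metric(records, key):
    """Average one metric over the records where it was captured."""
    values = [r.metrics()[key] for r in records if r.metrics()[key] is not None]
    return mean(values) if values else None


def build_sample_records():
    """Constructed records that travel different distances through the lifecycle."""
    t0 = datetime(2024, 5, 1, 9, 0)
    a = CimRecord("CIM 241", "Alert", t0)
    a.claim("analyst1", t0 + timedelta(minutes=10))
    a.escalate_to_case(t0 + timedelta(minutes=40))
    a.declare_incident(t0 + timedelta(minutes=70))
    a.deescalate_incident(t0 + timedelta(hours=4, minutes=10))

    b = CimRecord("CIM 242", "Phishing E-mail", t0)
    b.claim("analyst2", t0 + timedelta(minutes=20))
    b.escalate_to_case(t0 + timedelta(minutes=50))   # a case that never became an incident

    c = CimRecord("CIM 243", "Manual", t0)
    c.claim("analyst1", t0 + timedelta(minutes=30))  # triaged, never escalated
    return [a, b, c]


if __name__ == "__main__":
    records = build_sample_records()
    for key in ("time_to_claim", "time_to_case", "time_to_incident", "incident_duration"):
        print(f"{key:18s} mean minutes: {mean_metric(records, key)}")
```

The guards in each transition are the point: escalating an unclaimed signal or de-escalating a record with no active incident is rejected rather than silently recorded, so the captured timestamps (and any dashboard built on them) can be trusted to reflect the real order of events.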
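The following is an added example illustrating the Intelligence Verdict and TI export sections above, together with the Primary Intelligence Provider rule in the Threat Intelligence Application section; it is not Swimlane's code. It derives the record-level Intelligence Verdict as the most critical verdict among the primary provider's results only (additional providers are shown but never change it), applies the four export drop-downs (Provider, Verdict, Observable, Type) as filters, and writes the CSV columns the page lists. VirusTotal and Recorded Future are the vendor names the page mentions; the enrichment rows, tracking IDs, scores, dates and permalinks are constructed sample data.

```python
# Added example (not Swimlane's code): record-level Intelligence Verdict
# from the primary provider's per-observable tags, plus the filtered CSV
# export. All enrichment rows below are constructed sample data.
import csv
import io

# Most to least critical, in the order the page gives.
VERDICT_ORDER = ["malicious", "suspicious", "benign", "unknown"]

# The columns the page lists for the exported CSV.
CSV_COLUMNS = ["tracking_id", "indicator", "permalink", "tool", "tag", "score", "last_updated"]


def verdict_rank(tag):
    """Lower is more critical. A missing or unrecognised tag counts as unknown."""
    tag = (tag or "unknown").strip().lower()
    return VERDICT_ORDER.index(tag) if tag in VERDICT_ORDER else VERDICT_ORDER.index("unknown")


def most_critical(tags):
    """The single verdict to surface when several observables have verdicts."""
    tags = list(tags)
    if not tags:
        return "unknown"
    return VERDICT_ORDER[min(verdict_rank(t) for t in tags)]


def intelligence_verdict(enrichments, primary_provider):
    """Record-level verdict: only the primary intelligence provider's results
    count; additional providers never raise or lower it."""
    return most_critical(e["tag"] for e in enrichments if e["tool"] == primary_provider)


def filter_ti(enrichments, provider=None, verdict=None, observable=None, obs_type=None):
    """Apply the export drop-downs; None means 'any'."""
    def keep(e):
        return ((provider is None or e["tool"] == provider)
                and (verdict is None or e["tag"] == verdict)
                and (observable is None or e["indicator"] == observable)
                and (obs_type is None or e["observable_type"] == obs_type))
    return [e for e in enrichments if keep(e)]


def export_csv(rows):
    """Render the selected rows with the page's CSV columns (extra keys dropped)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=CSV_COLUMNS, extrasaction="ignore")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed enrichment rows; permalinks point at a placeholder host.
SAMPLE_ENRICHMENTS = [
    {"tracking_id": "TI 1001", "indicator": "198.51.100.7", "observable_type": "ip",
     "permalink": "https://ti-placeholder.example/vt/198.51.100.7", "tool": "VirusTotal",
     "tag": "malicious", "score": 71, "last_updated": "2024-05-01T10:02:00Z"},
    {"tracking_id": "TI 1001", "indicator": "198.51.100.7", "observable_type": "ip",
     "permalink": "https://ti-placeholder.example/rf/198.51.100.7", "tool": "Recorded Future",
     "tag": "suspicious", "score": 55, "last_updated": "2024-05-01T10:02:05Z"},
    {"tracking_id": "TI 1002", "indicator": "bad.example", "observable_type": "domain",
     "permalink": "https://ti-placeholder.example/vt/bad.example", "tool": "VirusTotal",
     "tag": "suspicious", "score": 12, "last_updated": "2024-05-01T10:02:10Z"},
    {"tracking_id": "TI 1003", "indicator": "d41d8cd98f00b204e9800998ecf8427e", "observable_type": "file",
     "permalink": "https://ti-placeholder.example/vt/d41d8cd9", "tool": "VirusTotal",
     "tag": "benign", "score": 0, "last_updated": "2024-05-01T10:02:15Z"},
    {"tracking_id": "TI 1003", "indicator": "d41d8cd98f00b204e9800998ecf8427e", "observable_type": "file",
     "permalink": "https://ti-placeholder.example/rf/d41d8cd9", "tool": "Recorded Future",
     "tag": "benign", "score": 0, "last_updated": "2024-05-01T10:02:20Z"},
]


if __name__ == "__main__":
    print("Intelligence Verdict (primary = VirusTotal):", intelligence_verdict(SAMPLE_ENRICHMENTS, "VirusTotal"))
    print(export_csv(filter_ti(SAMPLE_ENRICHMENTS, provider="VirusTotal", verdict="suspicious")))
```

Two details matter operationally: an unrecognised or empty tag from a provider ranks as Unknown rather than being dropped, so a parsing failure can never quietly upgrade a record to Benign; and the verdict is computed over the primary provider only, which is why an additional provider flagging an observable as suspicious shows up in the widget but not in the Intelligence Verdict.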