Working with Case Details
The Case Detail view provides an interactive, dynamically updated workspace for assessing, investigating, and responding to cases generated by Stellar Cyber. You can drill to the Case Detail view using any of the following techniques:
- Clicking a case's name in the Case table.
- Clicking a case listed in the Top Cases panel in the XDR Kill Chain page.
- Clicking an Associated Case in the Event Details display for an alert.
In response, the Case Detail view for the selected case appears.
The Case Detail view has the following main components:
- Case Identification – The Case Identification panel is at the top of the page and stays visible throughout all Case Detail views. It gives you the who, what, when and where for a case, including the system-generated Case ID, the case name, the associated tenant and tenant group, and the case's score, color-coded to indicate its severity. Names for system-generated cases start out with a summary of the underlying alerts and the date. You can click in the name cell to edit the system-generated name.
  If the case is synchronized with a third-party application such as ServiceNow using an InSync, a status indicator for the InSync appears at the top of the panel with the InSync's name, status, time of last synchronization in browser time, and a ticket number link to the synchronized case in the third-party application.
  InSyncs are not available for all customers yet. See Early Access Program Features and Topics Under Development.
  From here, you can also associate tags, edit the status and priority of cases, assign resources, share the case via email, or export the case to share it with others outside the Stellar Cyber platform. The Case Identification panel is described in detail later in this topic.
- Case Workspace – The Case Workspace is where you identify, assess, triage, and respond to cases. The Case Workspace provides the tabs summarized below. Click any of the tabs listed below to see a detailed description of the corresponding tab.
  - Detection Tab – The Detection tab provides a high-level summary of the case, including a breakdown of what Stellar Cyber has seen and why it is scoring the case the way it is. You can also see a summary of the XDR Kill Chain stages involved and a table of Associated Alerts.
  - Analysis Tab – The Analysis tab is where you investigate the case. You can rearrange the associated entities, click them to drill to further details, and hover your mouse over links to see contextual pop-ups. Separate Observables and Timeline panels at the right of the tab let you view either a summary of the entities associated with the case or a sortable timeline showing the elapsed time between each of the case's events. Both views let you drill to further details on the underlying evidence for the case.
  - Response Tab – The Response tab is where you take action on the case. Stellar Cyber automatically suggests appropriate actions based on the alerts involved and the response actions available for the associated connectors, from blocking an IP address to disabling a user or disconnecting a host.
  The figure below shows the Case Workspace with its default Detection tab, including the Associated Alerts table.
- Case Activity – The Case Activity panel provides an audit trail for the case, chronicling any changes made to the case's associated alerts, Score, Severity, Status, Resolution, Assignee, Tags, or Description, in addition to any synchronization events with third-party applications such as ServiceNow via a Stellar Cyber InSync. You can also add your own comments to the Case Activity panel, helping you annotate changes made during a case's investigation. Comments are viewable by all users, but can only be edited or deleted by the user who created them. Changes to comments also update the Last Modified date for the case.
  Open the Case Activity panel by clicking its button at the far right of the Case Detail view. The Case Activity panel is available in all Case Detail views, regardless of the currently displayed tab.
  When you export a case, all relevant data from the Case Activity panel is included, including changes to its severity, status, assignee, and alerts. Timestamps are provided showing when each change occurred.
- Evidence Locker – The Evidence Locker (described in detail below) provides a handy spot for you to store and share items that help your team bolster its case, including emails, PDF files, CSV files, and links to other locations in the Stellar Cyber platform.
  Open the Evidence Locker by clicking its button at the far right of the Case Detail view. Like the Case Activity panel, the Evidence Locker is available in all Case Detail views, regardless of the currently displayed tab.
Using the Case Identification Panel
The Case Identification panel is available at the top of all Case Detail views. The Case Identification panel provides the following information on the case:
- Case Name – Stellar Cyber automatically assigns a name to each case it reports. You can either accept the default name or supply your own.
- Score – Stellar Cyber assigns scores to cases based on how critical they are. A case's score updates in real time as events and entities are added to or removed from the case. Scores are color-coded to indicate the seriousness of the case.
- Who – The user(s) and/or host(s) associated with the case. You can find details on the observables for the case in the Analysis tab.
- What – The Tactic or Technique for the alert with the highest severity associated with this case.
- Tags – Use this field to assign custom tags to a case that are meaningful to you (for example, AWS or Internal). You can use Tags as filters in the Case table, giving you a way to group cases based on criteria that are meaningful to your network.
- When – The time at which the case was first created.
- Where – The geographic locations associated with the case, if known. You can drill down on the observables listed in the Analysis tab to see which entities were seen where.
- Severity – The severity of the case (Critical, High, Medium, or Low). Severity automatically changes with a case's score until it is changed manually here. Once you manually edit a case's severity, it no longer updates automatically based on the case's score. Severity indicators are color-coded to direct your attention to more serious cases.
- Status – All cases start out with a Status of New. You can use this field to measure your progress as you address the case, changing the Status to In Progress, Resolved, or Cancelled. Filters in the Case table let you view just those cases of a particular status, giving you a handy way to maintain visibility on case status across the enterprise.
  All changes to the Status field are logged to the Case Activity panel.
  Once a case's status has been changed to either Resolved or Cancelled, Stellar Cyber no longer associates new alerts with the resolved or cancelled case. Instead, new alerts are either used to create a new case or associated with a different open case. In addition, a dialog box appears providing the following options for resolved or cancelled cases:
  | Status Action | Available Options |
  |---|---|
  | Case Resolved | Select a tag describing the case's resolution (None, False Positive, Benign, or True Positive); set a comment for the case's resolution; update the case's associated alerts to Closed. |
  | Case Cancelled | Set a comment for the case's cancellation; update the case's associated alerts to Ignored. |
Note that cancelling a case does not delete the case but it does remove it from the Current Cases table under the default display filters. If you want to see cancelled cases in the Current Cases table, you can set the display filters to include Cancelled cases.
When you set a case's Status to Resolved, a dialog box appears that lets you select a tag describing the case's resolution. Once applied, the tag appears as a special graphic indicator in the Case Identification panel. The figure below summarizes this:
You can change a case's resolution tag as often as you like. All changes are logged to the Case Activity Panel.
Suggested Usage for the Case Resolution Tags
In general, the Case Resolution tags are arranged in a hierarchy according to how you perceive the accuracy and threat level of a given case, ascending from None (the least accurate and the lowest threat) to True Positive (the most accurate and a real threat).
Broadly speaking, you can use the Benign and True Positive tags for cases whose underlying correlation you are satisfied with while reserving the None and False Positive tags for those with which you are not. Reserve the Benign tag for cases that are accurate but result from pen testing or other artificial events.
The table below provides some suggested usages for the available Case Resolution tags.
  | Case Resolution Tag | Perceived Case Accuracy/Threat Level | Suggested Usage |
  |---|---|---|
  | None | Somewhat accurate but not a threat. | This is the default Case Resolution tag. Leave resolved cases assigned to the None tag if you have judged them to be somewhat accurate but non-threatening. |
  | False Positive | Not accurate and not a threat. | Assign the False Positive tag to cases you have evaluated and judged to be inaccurate and not a threat. |
  | Benign | Accurate, but not a threat. | Assign the Benign tag to cases that are generated in response to artificial alerts (for example, those generated as the result of a pen test). |
  | True Positive | Accurate and a threat. | Assign the True Positive tag to cases that are both accurate and a real threat. |
- Assigned To – All cases start out as Unassigned. You can use this field to assign a case to any user currently defined in the Stellar Cyber system, providing a degree of traceability. You can sort the Case table by assignee, as well as use the Assignee filters to see different filtered views of cases by assignee.
  The users available for assignment depend on the scope of the account you are logged in with. For example, if you are logged in as a user with Tenant scope, you can only assign a case to users associated with the same tenant. Similarly, a user with Partner scope can assign cases to any user associated with a tenant belonging to that partner. In addition, if you don't see assignee options at all, it's possible that a root user has hidden the options.
  All changes to the Assignee field are logged to the Case Activity panel.
InSync Indicators in the Case Identification Panel
Cases synchronized with a third-party application such as ServiceNow using a Stellar Cyber InSync include a status indicator for the InSync at the top of the Case Identification panel, as illustrated below.
The InSync indicator includes the following information:
- Name – The name of the InSync, as configured in the InSyncs page. You can click the InSync name to navigate to the InSyncs page.
- InSync Status – The status of the InSync is indicated both with text and with the color of the circle around the NOW icon:
  - A green circle indicates a Synced status.
  - A gray circle indicates a Paused status.
  - A red circle indicates an Error status.
- Ticket Number Link to ServiceNow – The ticket number of the synchronized case in ServiceNow. You can click the ticket number to drill to the synchronized case in ServiceNow.
- Timestamp – Each indicator displays a timestamp of the last synchronization, expressed in the browser's time zone.
See Using InSyncs for more information on working with InSyncs.
InSyncs are not available for all customers yet. See Early Access Program Features and Topics Under Development.
Sharing or Exporting Cases
Case Detail views provide both Share and Export buttons in the Case Identification panel, as illustrated below:
- Click the Share button to open a dialog box where you can share the case via email:
  Supply the destination address, an optional reply-to address, and any message you'd like to include. The recipient will see the name of the case and your message, along with a link to the case itself.
  All shares are saved to the Case Activity log.
- Click the Export button to export the case to PDF.
Troubleshooting Shared Cases
If you are having trouble finding shared cases in the recipient's email, try checking the Spam folder. If you do find the shared case there, you may need to enable DKIM for the sending account configured in the System | Mail Server page. Certain mail systems (Gmail, for example) automatically mark emails sent without DKIM enabled as spam.
About Case IDs in the Case Views
The Case IDs you see in the Case views are unique for a given tenant – a given tenant will never have multiple cases with the same visible Case ID. Behind the scenes, however, a case's full identifier is composed of a Tenant ID and a Case ID. Because of this, if you have privileges that let you see cases from multiple tenants, you may notice that the visible Case IDs can repeat across different tenants. That happens because the Tenant ID portion of the full identifier is not visible in the Case pages – only the Case ID portion is.
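As an added illustration (not Stellar Cyber code), the following Python model captures the case rules described on this page: severity follows the score until it is edited manually, a Resolved or Cancelled case accepts no new alerts, resolving applies one of the four resolution tags and can set the alerts to Closed while cancelling can set them to Ignored, and a case's full identity is the Tenant ID together with the visible Case ID. The score bands and all field and method names are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Score bands are assumed for illustration; the page only states that severity
# follows the score until it is edited manually, not where the bands lie.
SEVERITY_THRESHOLDS = ((75, "Critical"), (50, "High"), (25, "Medium"), (0, "Low"))
RESOLUTION_TAGS = ("None", "False Positive", "Benign", "True Positive")
ALERT_STATUS_ON_CLOSE = {"Resolved": "Closed", "Cancelled": "Ignored"}

def severity_for_score(score: int) -> str:
    return next(label for floor, label in SEVERITY_THRESHOLDS if score >= floor)

@dataclass
class Case:
    tenant_id: str
    case_id: str                   # visible Case ID, unique only within a tenant
    score: int = 0
    severity: str = "Low"
    severity_locked: bool = False  # set once severity has been edited manually
    status: str = "New"
    resolution: str = "None"       # resolution tag, meaningful once Resolved
    alerts: dict = field(default_factory=dict)  # alert id -> alert status

    def key(self) -> tuple:        # composite identity, needed across tenants
        return (self.tenant_id, self.case_id)

    def update_score(self, score: int) -> None:
        self.score = score
        if not self.severity_locked:     # automatic severity tracks the score
            self.severity = severity_for_score(score)

    def set_severity(self, severity: str) -> None:
        self.severity = severity         # a manual edit stops automatic updates
        self.severity_locked = True

    def add_alert(self, alert_id: str) -> bool:
        if self.status in ALERT_STATUS_ON_CLOSE:  # closed cases get no new alerts
            return False
        self.alerts[alert_id] = "Open"
        return True

    def close(self, status: str, tag: str = "None", update_alerts: bool = False) -> None:
        if status not in ALERT_STATUS_ON_CLOSE:
            raise ValueError(f"not a closing status: {status}")
        if status == "Resolved":
            if tag not in RESOLUTION_TAGS:
                raise ValueError(f"unknown resolution tag: {tag}")
            self.resolution = tag
        self.status = status
        if update_alerts:                # Resolved -> Closed, Cancelled -> Ignored
            self.alerts = {a: ALERT_STATUS_ON_CLOSE[status] for a in self.alerts}
```

Two cases from different tenants can share `case_id` while `key()` keeps them distinct, which is the check to use when merging exported cases from several tenants.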
Using the Evidence Locker
The Evidence Locker lets you store items that help your team bolster its case. You can store any of the following:
- Text – No limit on quantity. If you find yourself adding long text messages, use the maximize button for easier reading later on.
- Emails – Must be in .eml format. Maximum file size is 1 MB.
- PDF files – Maximum file size is 1 MB.
- CSV files – For use in spreadsheets. Maximum file size is 1 MB.
- Links – Links can be to other locations in the Stellar Cyber platform or to external sites. Clicking a link stored in the Evidence Locker opens a new browser tab for the link.
Open the Evidence Locker by clicking its button at the far right of the Case Detail view. Then, use the panel controls to add your evidence as illustrated below:
Keep in mind the following guidance when using the Evidence Locker:
- URLs added as text to the Evidence Locker can be clicked to open them in new browser tabs.
- Use the pin button to pin a particular piece of evidence to the top of the Evidence Locker's list. Once evidence has been pinned, its pin icon changes color. Click the pin button again to unpin the piece of evidence. Pinned evidence is sorted by the time at which it was pinned, with the most recently pinned evidence at the top.
- Unpinned evidence is sorted by modification date.
- There is no limit on the number of entries that can be added to the Evidence Locker.
- Evidence can be opened and downloaded, making it easy to share evidence across multiple team members.
- Changes to the Evidence Locker are logged to the Case Activity panel.
- Changes to the Evidence Locker also update the Last Modified date for the case.
- The Evidence Locker does not support drag and drop.