Case

Provides incident responders with a centralized view for managing and tracking the handling process of security incidents.
Users can assign and update security tickets, ensuring that each incident is handled promptly and effectively.

View

Supports various filtering and sorting functions.

Detail

Case Operations Panel

Status

Ticket status, divided into New, In Progress, Closed three states. Initially New. When the analyst manually updates the status to In Progress, it means the ticket is being processed. At this time, Acknowledged Date, Assignee, Attachments, Note are editable. When the analyst manually updates the status to Closed, it means the ticket has been processed. At this time, Close Date, Close Reason, Summary are editable.

Title

Ticket title, briefly describing the ticket content.

Severity

Ticket severity level, divided into four levels: Low, Medium, High, Critical.

Type

Ticket type, categorized as NDR, EDR, DLP, etc.

Alert Date

The earliest time among the alerts associated with the Case. Can be used to calculate MTTD.

Created Date

Case creation time. Can be used to calculate MTTD.

Tags

Case tags, used for classifying and marking tickets. Can be used for searching and filtering.

Case ID

Automatically generated unique ticket number. Used only for readability display, not as a unique identifier.

Description

Detailed description of the Case, including incident background, scope of impact, and other information. Supports Markdown format.

Acknowledged Date

Time when the Case was acknowledged by the analyst. Can be used to calculate MTTA.

Assignee

Current handler. Can be used to assign and track ticket processing progress.

Attachments

Attachments related to the Case, such as log files, screenshots, etc. Supports various file formats. Analysts can upload relevant evidence here.

Note

Remarks during the Case processing. Analysts can record the investigation process, discovered clues, and other content. Supports Markdown format.

Close Date

Case closure time. Can be used to calculate MTTR.

Close Reason

Case closure reason. Analysts can select predefined closure reasons, such as True Positive, False Positive, Ignore, Duplicate.

Summary

Case processing summary. Analysts can record the final investigation results, response actions taken, and other content. Supports Markdown format.

Alert

All alerts associated with the Case. Supports clicking on an Alert record to view alert details.

AI

Displays the analysis results from the AI Agent.

Confidence

AI's confidence score for the analysis result, Low, Medium, High three levels.

Attack Stage

Attack stages in the MITRE ATT&CK framework, such as Initial Access, Execution, Persistence, etc.

Analysis Rationale

Analysis basis output by the AI Agent.

Recommended Actions

Recommended response actions by the AI Agent.

Workbook

Case handling manual, guiding analysts to complete investigation and response work. Supports Markdown format.
Workbook can use options like [] to facilitate analysts in completing tasks step by step.