Concepts you need to know

IBM Security Case Management is a central hub for cybersecurity response and managing cybersecurity cases. Cases are created automatically based on correlation and enrichment of alerts from your data sources. You can also create cases manually.

Cases and objects

A case is a security incident or event in which data or a system might be compromised. Case Management creates cases automatically using correlation and enrichment data from QRadar platform. You can also create cases manually.

A case can contain the following objects:

  • Tasks are units of work for a user, device, or process. Some tasks can be processed automatically. You can be assigned tasks to do manually and mark them as complete when done. Case owners can track the progress of the various tasks.
  • Findings are supporting evidence of escalation, based on correlation and enrichment of alerts by QRadar platform. Findings are presented in the case to help build a complete picture of the case.
  • Evidence includes artifacts that relate to the case. Artifacts are organized by type, such as DNS name, file name, file path, MAC address, URL, MD5 and SHA1 file hashes. An artifact can also have an attachment, such as a log file, or malware sample.

Case creation and correlation

After it analyzes and correlates alerts from various data sources, QRadar platform sends case candidates to Case Management. A case candidate contains a case matching profile, case reference data, and a list of artifacts. Case Management uses this data to either match the candidate to an existing case or create a new case.

When Case Management receives a case candidate from QRadar platform, it deduplicates by adding to an existing case, or it creates a new case.

Correlation

A case matching event is known as correlation. Case Management searches all of the existing cases for matching case data. When it finds matching data, it merges the incoming case candidate into the oldest matching case.

Case creation

When the case candidate is unique and no matches are found in the list of existing cases, Case Management automatically creates a new case and adds a case creation event.
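The candidate-to-case flow described above, written out as an added Python model (illustration only, not Case Management's own code). It assumes a matching profile can be represented as a set of (key, value) pairs and that two profiles match when they share at least one pair; all sample candidates and their values are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Model of the candidate-to-case flow (illustration, not the product's implementation).
# A matching profile is modelled as a frozenset of (key, value) pairs, e.g. ("src_ip", "10.0.0.5").

@dataclass
class Case:
    case_id: int
    created: datetime
    matching_profile: frozenset
    artifacts: set = field(default_factory=set)
    events: list = field(default_factory=list)   # (event type, timestamp, reference data)

@dataclass
class CaseCandidate:
    matching_profile: frozenset
    reference_data: dict
    artifacts: set

def process_candidate(cases, candidate, now):
    """Deduplicate a candidate against existing cases; returns (case, created_new)."""
    matches = [c for c in cases if c.matching_profile & candidate.matching_profile]
    if matches:
        # Correlation: merge into the OLDEST matching case and record a correlation event.
        target = min(matches, key=lambda c: c.created)
        target.artifacts |= candidate.artifacts
        target.events.append(("correlation", now, candidate.reference_data))
        return target, False
    # No match: create a new case and add a case creation event.
    new_case = Case(len(cases) + 1, now, candidate.matching_profile, set(candidate.artifacts))
    new_case.events.append(("case creation", now, candidate.reference_data))
    cases.append(new_case)
    return new_case, True

def run_demo():
    """Feed four constructed candidates through the flow; returns the resulting case list."""
    t0 = datetime(2024, 1, 1, 9, 0)
    cases = []
    # Constructed sample data (placeholder values, not real indicators).
    c1 = CaseCandidate(frozenset({("src_ip", "10.0.0.5")}), {"alert": "A-1"}, {("MD5", "md5-placeholder-1")})
    c2 = CaseCandidate(frozenset({("src_ip", "10.0.0.5"), ("user", "alice")}), {"alert": "A-2"}, {("DNS name", "bad.example")})
    c3 = CaseCandidate(frozenset({("src_ip", "10.0.0.9")}), {"alert": "A-3"}, {("file name", "dropper.exe")})
    c4 = CaseCandidate(frozenset({("src_ip", "10.0.0.5"), ("src_ip", "10.0.0.9")}), {"alert": "A-4"}, {("URL", "http://bad.example/x")})
    for i, cand in enumerate((c1, c2, c3, c4)):
        process_candidate(cases, cand, t0 + timedelta(minutes=i))
    return cases
```

The fourth candidate matches both existing cases and lands in case 1 because it is the older one; only the third candidate, which matches nothing, opens a new case.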

Playbook

The playbook is a set of conditions, business logic, and tasks that are used to respond to a case. QRadar platform includes a preconfigured playbook that enables Case Management to update the response to a case automatically, as the input changes or the case progresses. This playbook is automatically enabled when the system creates a case or when you create a case manually.

The playbook determines which information is available to you, which tasks are assigned to you, and which actions you can take on any particular case. As the case changes, so can the assigned tasks and actions.

Simulations

Simulations are hypothetical circumstances that can help your team to understand the impact of data loss situations and rehearse the response process. Simulations enable you to create cases for testing to see how each component of your playbook responds. You complete the same actions as you can on cases.

The simulation menu item is available from Create case > Create simulation.

Your permissions

Your administrator defines your access permissions to Case Management. This access determines how you interact with cases and the actions that you can take.

If you have User access to Case Management, you can view cases that have been assigned to you and you can create cases.

If you have Admin access to Case Management, you can take a wide range of actions on all cases:
  • View all cases and assign cases to users.
  • Create cases.
  • Check the status of the case and view and edit all cases.
  • Edit case information and monitor the tasks.
  • Perform tasks as assigned.
  • Close a case.
  • Delete a case.
  • Complete other actions if they are configured by your administrator. These actions are accessible through the Actions button in the case page, or a button near an object.

Accounts

An account comprises users and their permissions for specific applications in the QRadar platform deployment. When you are logged in, you are logged into a specific account, and you can view cases and tasks for the account. Cases, permissions, and members are specific to the account.

If you are a member of more than one account, you can switch between accounts. To switch to a different account, click the icon beside your user name and select a different account. This takes you to the Homepage of the account you selected.

The cases list, collaborators, and permissions change to reflect the content of the account. If you have permission, you can also view the account name and ID by going to Menu > General settings > Account management.

If you are using Data Explorer or other QRadar platform applications, cases created from those applications are created in the account where you run the Data Explorer scans.