Cases
A case is an aggregated set of alerts that together represent a meaningful security finding.
Cases are designed to improve fidelity and reduce noise by continuously grouping related alerts together. For example, if a user is being targeted by a brute force attack, the attack may generate multiple alerts over a period of time, but from a case perspective you will see only a single case about that user. This single case aggregates all relevant alerts about the user, so you don't need to skim through a list of unrelated findings; you can single out the one item that your SOC team needs to handle.
Case Management
A case rule is a set of security conditions. When the conditions are met, the rule triggers a case for the security team to examine. For example, every time a new alert about a brute force attempt is found, the brute force case rule either generates a case or appends the alert to the existing open case for that user, according to the rule logic.
The rule engine runs autonomously, checking data whenever a new integration is enabled, when new activities appear in the system, and periodically thereafter.
To view the case management page, select Threat Center > Case management.
The Detection Rules Table
Column | Description | Example values |
---|---|---|
Title | The title of the case rule | Account under brute force attack |
Severity | Severity of the detection rule | Critical, High, Medium, or Low |
Status | The case rule status | Enabled: cases are created. Disabled: the case rule is not active and no new cases are created. |
MITRE | Related MITRE ATT&CK tactics | For example: Credential access, Initial access, Defense evasion |
Apps | The applications that the detection rule tracks | AWS, Okta, GCP, GitHub and more |
Categories (hidden until selected) | The categories to which the detection rule belongs | Threats, Privileged Access, Stale Access, Key Management, Security Baseline, Authentication |
Compliance (hidden until selected) | Compliance frameworks that are relevant to the detection rule | List of relevant compliance frameworks |
Filtering, Searching, and Sorting Detection Rules
To change which rules are displayed in the table, you can filter and sort its displayed data using the filters above the table. When you filter, the selections you make are shown in the filter bar. To search for a case rule by name, type text into the search field.
By default, the table is sorted by the Title column in alphabetical order. To sort the table differently, click a column heading. If needed, click it again to reverse the sort order.
Case Rule Side Panel
The Case Rule side panel provides detailed information about a specific case rule and its automated response options. This section outlines the key components of the side panel and their functions.
General Tab
The General tab displays high-level details of the security case rule, including:
Case Definition Properties
- Status: Indicates whether the rule is enabled or disabled.
  - The status of a rule can be switched from enabled to disabled, and vice versa, by using the toggle next to the status.
- Severity: Defines the criticality of the cases the rule creates (e.g., Critical, High, Medium, Low).
  - Each rule has a default severity value, but this can be changed by selecting a different value from the severity drop-down.
- MITRE Mapping: Specifies the associated MITRE ATT&CK tactic (e.g., Credential Access).
- Category: Defines the type of incident (e.g., Threats).
- Compliance: Lists the compliance frameworks relevant to the rule, where applicable, for regulatory alignment.
- Supported Apps: Displays the applications impacted by or supporting this case rule (e.g., Ping Identity, Okta, Azure AD).
Remediation Steps Tab
The Remediation Steps tab provides automated response actions that can be executed to mitigate the detected threat.
Automated Response Options
The available automated response workflows are grouped by application integration, such as Okta or Microsoft. One configuration instance appears for each integrated source that the rule supports.
Each integration offers multiple response actions:
- Disable user account – Disables the affected user account.
- Enable user account – Re-enables a previously disabled user account.
- Revoke user active sign-in sessions – Forces the user to re-authenticate by logging them out of all active sessions.
- Add user to group – Adds the affected user to a specified group. When you enable this option, you are prompted to select the group to which the user will be added.
- Remove user from group – Removes the affected user from a specified group. When you enable this option, you are prompted to select the group from which the user will be removed.
If permissions are not correctly configured for the integration, an error message appears: "You don’t have permissions to activate this Automated Response. Update the Permission of the Integration."
How to Review Cases
The Cases page presents detailed information about each detected security case. It provides insight into the nature of the attack, the affected entities, the timeline of events, and recommended actions.
Cases are generated by the case rules found on the case management page.
To view the Cases page, select Threat Center > Cases.
The Cases table
Column | Description | Example values |
---|---|---|
Case | The title of the case | Account under MFA bombing attack |
Alerts | Number of alerts this case consists of | 2 – means two different alerts were aggregated into this case |
Severity | Severity of this case | Critical, High, Medium, or Low |
Apps | The applications in which the entities of this case were found | AWS, Okta, GCP, GitHub and more |
Created at | Timestamp indicating when the case was first generated | |
Updated at | Timestamp indicating when the case was last updated | |
Status | The status of this case | Open – active; investigation is in progress and new alerts might be attached. Closed – investigation is done; the case is no longer active and no further alerts will be attached. |
Compliance (hidden until selected) | Compliance frameworks that are relevant to the case | List of relevant compliance frameworks |
Filtering, Searching, and Sorting
To change which cases are displayed in the table, you can filter and sort its displayed data using the filters above the table. When you filter, the selections you make are shown in the filter bar. To search for a case by name, type text into the search field.
By default, the table is sorted by the Created At column in descending order. To sort the table differently, click a column heading. If needed, click it again to reverse the sort order.
Case Side Panel
Case Summary
The top section of the side panel includes the following details:
- Case Title: A descriptive name for the security event (e.g., "Brute Force Attempt on John Doe").
- Close Case Button: Lets you mark the case as resolved. Once a case is closed, no new alerts are added to it even if they are related; a new finding about the same entity opens a new case.
- Navigation Tabs:
  - General: Overview of the attack, description, and recommendations.
  - Entities: Lists affected users, assets, or any other entity.
  - Timeline: Displays chronological logs of attack attempts.
General Tab
The General tab provides a high-level summary of the attack.
Description – What happened
Recommendations – What we recommend to do in order to expand investigation or resolve the issue
Case Properties:
- Status: Indicates whether the case is Open or Closed.
- Severity: Critical, High, Medium, or Low, based on the threat impact.
- Assignee: Displays the name of the security analyst assigned to the case.
- Source Apps: Indicates the integrated applications (e.g., Okta, AWS) in which the case's alerts were found.
- Case ID: A unique identifier for tracking the security case.
- Compliance: Shows whether the case relates to any regulatory requirements.
- Created At: Timestamp indicating when the case was first generated.
- Last Updated: Timestamp indicating the most recent update to the case.
Entities Tab
The Entities tab identifies the affected users, accounts, or system components.
As with alerts, case entities are either affected entities or actors:
- Affected – the entities that were affected by this finding. In a brute force case, this is the targeted user.
- Actors – the entities that initiated or took part in the case and caused the issue. In a brute force case, these are the IP addresses from which the user was targeted.
Timeline Tab
The Timeline tab provides a chronological sequence of security alerts related to the attack.
Example Timeline Entries
- 24/01/2025, 01:45 - Initial detection of a stealthy brute force attempt spanning multiple days.
- 25/01/2025, 03:15 - Additional failed login attempts detected.
- 25/01/2025, 03:20 - Continued unauthorized access attempts.
- 25/01/2025, 04:05 - New alert generated for another stealthy brute force attack.
- 25/01/2025, 19:40 - Latest detection of brute force activity.
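The following Python model is an added example, not code from the platform this page documents, that ties together the behaviour described above: the case rule appends each new alert to the open case about the same affected entity or opens a new case (Case Management), a closed case never receives further alerts so a later related finding opens a fresh case (Close Case Button), entities are split into affected users and actor IPs (Entities Tab), and the timeline is the case's alerts in chronological order (Timeline Tab). The `Alert` and `Case` field names, the `CaseEngine` class, and the sample alerts are all assumptions constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime
from itertools import count
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Alert:
    """One detection. Field names are assumptions for this example."""
    ts: datetime
    rule: str        # title of the case rule that produced the alert
    affected: str    # entity the finding is about, e.g. the targeted user
    actor: str       # entity that caused the finding, e.g. the source IP
    app: str         # integration the event came from, e.g. "Okta"


@dataclass
class Case:
    case_id: int
    rule: str
    severity: str
    status: str = "Open"
    alerts: List[Alert] = field(default_factory=list)

    @property
    def title(self) -> str:
        return f"{self.rule}: {', '.join(sorted(self.affected))}"

    @property
    def affected(self) -> Set[str]:
        return {a.affected for a in self.alerts}

    @property
    def actors(self) -> Set[str]:
        return {a.actor for a in self.alerts}

    @property
    def apps(self) -> Set[str]:
        return {a.app for a in self.alerts}

    @property
    def created_at(self) -> datetime:
        return min(a.ts for a in self.alerts)

    @property
    def updated_at(self) -> datetime:
        return max(a.ts for a in self.alerts)

    def timeline(self) -> List[Alert]:
        """Alerts in chronological order, as the Timeline tab shows them."""
        return sorted(self.alerts, key=lambda a: a.ts)


class CaseEngine:
    """Hypothetical aggregation engine: one Open case per (rule, affected entity)."""

    def __init__(self, rule_severity: Dict[str, str]) -> None:
        self.rule_severity = rule_severity            # rule title -> default severity
        self.enabled = {rule: True for rule in rule_severity}
        self.cases: List[Case] = []
        self._ids = count(1)

    def _open_case_for(self, alert: Alert) -> Optional[Case]:
        # Only Open cases are candidates; a Closed case never takes new alerts.
        for case in self.cases:
            if case.status == "Open" and case.rule == alert.rule \
                    and alert.affected in case.affected:
                return case
        return None

    def ingest(self, alert: Alert) -> Optional[Case]:
        """Append to the open case about this entity, or open a new one.
        Returns None when the rule is disabled (no case is created)."""
        if not self.enabled.get(alert.rule, False):
            return None
        case = self._open_case_for(alert)
        if case is None:
            case = Case(next(self._ids), alert.rule, self.rule_severity[alert.rule])
            self.cases.append(case)
        case.alerts.append(alert)
        return case

    def close(self, case_id: int) -> None:
        for case in self.cases:
            if case.case_id == case_id:
                case.status = "Closed"


# Constructed sample alerts (not real data): brute force against jdoe from two
# IPs, one against asmith, then another jdoe alert after the analyst closes the case.
RULE = "Account under brute force attack"
SAMPLE = [
    Alert(datetime(2025, 1, 24, 1, 45), RULE, "jdoe", "198.51.100.7", "Okta"),
    Alert(datetime(2025, 1, 25, 3, 15), RULE, "jdoe", "203.0.113.9", "Okta"),
    Alert(datetime(2025, 1, 25, 3, 20), RULE, "asmith", "203.0.113.9", "Okta"),
    Alert(datetime(2025, 1, 25, 4, 5), RULE, "jdoe", "198.51.100.7", "Okta"),
]


def run_demo() -> CaseEngine:
    engine = CaseEngine({RULE: "High"})
    for alert in SAMPLE[:3]:
        engine.ingest(alert)
    engine.close(1)              # analyst closes jdoe's case
    engine.ingest(SAMPLE[3])     # related alert after close opens case 3, not case 1
    return engine


if __name__ == "__main__":
    for case in run_demo().cases:
        print(case.case_id, case.status, case.title, len(case.alerts), sorted(case.actors))
```

Running the demo yields three cases: case 1 (Closed) holds both jdoe alerts and both actor IPs, case 2 holds the asmith alert, and case 3 is the new Open case that the post-close jdoe alert created because the closed case could not accept it. Disabling a rule (`engine.enabled[RULE] = False`) makes `ingest` return `None` without creating a case, matching the Disabled status in the rules table.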