Skip to main content
Splunk Lantern

Managing cases in SOAR


During investigations, an analyst may perform multiple tasks to understand the nature, intent, and scope of suspicious activity to determine if the incident represents true risk to the business. If tasks are not well-organized, they can be overlooked, resulting in incidents slipping through the cracks. Additionally, the data accumulated throughout the investigation may be difficult to comprehend or lead to incorrect conclusions.

This article is part of Splunk's Use Case Explorer for Security, which is designed to help you identify and implement prescriptive use cases that drive incremental business value. In the Security maturity journey described in the Use Case Explorer, this article is part of Incident management.

Benefits of Splunk SOAR case management

Splunk SOAR case management provides an effective method of centralizing, collecting, distributing, and analyzing investigation data tied to specific security events and incidents. Case management enables security incident response collaboration and efficient completion of critical tasks both through manual and automated means.

Splunk SOAR optimizes the investigation workflow, ensuring tasks are managed and threats are not overlooked. With the ability to easily pivot through events and artifacts, analysts can assess whether they are facing a targeted campaign, advanced persistent threat (APT), or false alarm, while receiving effective end-to-end threat detection and response.

Speed your discovery and evaluation of cyber threats

  • Fully integrated case management throughout the analyst workflow, allowing for rapid case creation and access from any screen.
  • Expedite mean-time-to-detection (MTTD) with one-click case creation and incident escalation.
  • Incidents investigation and workload management through granular case priority with discretionary access and assigned due dates.

Reduce investigation effort, increase collaboration, and threat recognition

  • Reduce mean-time-to-respond (MTTR) through real-time status tracking.
  • Access case details from any screen.
  • Manage alarms and approve actions within the case.
  • Ensure an audit trail through complete activity and audit history.
  • Strengthen security and segregate duties through discretionary access controls.
  • Increase visibility and awareness into ongoing investigations with executive dashboards.

How to create cases in Splunk SOAR (Cloud)

Cases are easily created within Splunk SOAR and can act as a central repository of evidence for ongoing investigations.

  • Any event in Splunk SOAR can be promoted to a case and a case can consolidate multiple events together into one logical management unit.
  • Cases can include artifacts, as well as external evidence such as screen captures, analysts notes, and event data from third-party products.
  • Cases use workbooks as step-by-step checklists to ensure conformity with required incident response plans.
  • Cases can be worked by individuals or teams of analysts.

Promote an event to a case

Create a case first by promoting an event.

  1. From the Home menu, click Sources, and then select a container label.
  2. Click the suitcase image (3).png icon.
  3. In the Promote to Case window, select the new workbook you want to use on this case. If you already added a workbook to the container, you do not have the option to select a workbook. The menu is inactive with the text "Keep current workbook".
  4. Click Save.

A case looks like its event container and has all of the same functions. In the screenshot below, the colored block with the word "Case" in the upper-left corner of the screen indicates that the event is now a case.

unnamed - 2024-05-06T091022.143.png

Select the Workbook tab to see the tasks defined in the case workbook.

unnamed - 2024-05-06T090924.331.png

A Splunk SOAR case can be shared with other collaborators, who can also add forensic evidence and annotations to expedite threat detection and response. All activity is tracked as part of the case activity history, providing a real-time status and a tamper-proof audit trail. Access can be restricted to those users who require permissions to ensure confidentiality of all case details. Splunk SOAR Case Management enables organizations to drastically improve the maturity and efficiency of their security operations and incident response capabilities.

Next steps

Effective case management can be a real game-changer for your security operations center (SOC). By connecting the tools your teams are already using, you’ll ensure that everyone is working from the same data set regarding any incident or threat that arises. After your security ecosystem is set up to deliver alerts, investigation findings, and other data to the right team members with automation, you can accelerate your mean time to response and maximize the strengths of your team.

For a comprehensive Splunk SOAR demo or to engage Professional Services for setting up Splunk SOAR in your environment or on Splunk Cloud Platform, reach out to your Splunk account team or representative. In addition, these Splunk resources might help you understand and implement this use case: