As a security analyst who works in Splunk SOAR, you know how to analyze events using the investigation page. You also know that you can promote events to a case. Now, you want to understand the basics of managing complex cases so you can work more efficiently and effectively.
- New workbooks can be added to events or cases at any time, and workbooks can be edited.
- Playbooks can automate the process of assigning an appropriate workbook to a case.
- A workbook consists of one or more phases, each containing one or more tasks.
- Phases and tasks can each have their own service level agreement (SLA) requirements. Owners of cases and tasks will receive notifications when SLAs are exceeded.
- Phases are expected to be completed in order, but the tasks within a phase can be completed in any order.
- Notes can be added to each phase so that the responsible user can record additional information about that phase.
- Each task is assigned to a user, identifies an action that user must take, has a status, and can have associated actions, files, and notes.
- Significant items in a case can be marked as evidence to indicate what data is most important. These appear in the Evidence tab.
- Files, artifacts, action results, other events, and notes can all be marked as evidence in their context menus.
- Playbooks can automate marking evidence.
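The workbook semantics listed above (ordered phases, unordered tasks, per-phase and per-task SLAs that notify the case or task owner, and evidence marking) are easy to get wrong when you write your own automation around them. The following is an added example that models those rules in plain Python; it is not Splunk SOAR's playbook API or any code from Splunk, and the case, task, owner names and timestamps are constructed for the illustration.

```python
"""Model of a SOAR-style case workbook: ordered phases, unordered tasks,
SLAs per phase and per task, and an evidence list. This is a stand-alone
illustration, not the Splunk SOAR playbook or REST API."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Task:
    name: str
    owner: str                          # user the task is assigned to
    sla: Optional[timedelta] = None
    status: str = "todo"                # todo | in_progress | done
    started: Optional[datetime] = None
    notes: list = field(default_factory=list)


@dataclass
class Phase:
    name: str
    tasks: list                         # tasks carry no ordering
    sla: Optional[timedelta] = None
    started: Optional[datetime] = None
    notes: list = field(default_factory=list)

    def is_done(self) -> bool:
        return all(t.status == "done" for t in self.tasks)


@dataclass
class Case:
    case_id: int
    owner: str
    phases: list                        # ordered: phase i completes before i+1 starts
    evidence: list = field(default_factory=list)


class PhaseOrderError(Exception):
    pass


def start_phase(case: Case, phase_name: str, now: datetime) -> Phase:
    """Open a phase and start the SLA clock on it and all of its tasks.
    Every earlier phase in the workbook must already be complete."""
    for phase in case.phases:
        if phase.name == phase_name:
            phase.started = now
            for t in phase.tasks:
                t.started, t.status = now, "in_progress"
            return phase
        if not phase.is_done():
            raise PhaseOrderError(f"cannot start {phase_name!r}: {phase.name!r} is not complete")
    raise KeyError(phase_name)


def complete_task(case: Case, task_name: str) -> Task:
    """Mark a task done; any task in an open phase may finish in any order."""
    for phase in case.phases:
        if phase.started is None:
            continue
        for t in phase.tasks:
            if t.name == task_name:
                t.status = "done"
                return t
    raise KeyError(task_name)


def sla_breaches(case: Case, now: datetime) -> list:
    """Return (kind, name, user_to_notify) for every open phase or task past its SLA.
    Phase breaches go to the case owner, task breaches to the task owner."""
    out = []
    for phase in case.phases:
        if phase.started is None or phase.is_done():
            continue
        if phase.sla and now > phase.started + phase.sla:
            out.append(("phase", phase.name, case.owner))
        for t in phase.tasks:
            if t.status != "done" and t.sla and now > t.started + t.sla:
                out.append(("task", t.name, t.owner))
    return out


def mark_evidence(case: Case, kind: str, ref: str, comment: str = "") -> list:
    """kind is one of file, artifact, action_result, event, note; duplicates are ignored."""
    if (kind, ref) not in {(e["kind"], e["ref"]) for e in case.evidence}:
        case.evidence.append({"kind": kind, "ref": ref, "comment": comment})
    return case.evidence


def demo() -> dict:
    t0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)   # constructed timestamps
    case = Case(101, "soc_lead", [
        Phase("Triage", [Task("Identify affected hosts", "alice", timedelta(hours=1)),
                         Task("Pull proxy logs", "bob", timedelta(hours=2))],
              sla=timedelta(hours=4)),
        Phase("Containment", [Task("Isolate host", "alice", timedelta(hours=1))],
              sla=timedelta(hours=2)),
    ])
    start_phase(case, "Triage", t0)
    complete_task(case, "Pull proxy logs")            # second task finished first: allowed
    try:                                              # but the next phase cannot open early
        start_phase(case, "Containment", t0 + timedelta(minutes=30))
        order_enforced = False
    except PhaseOrderError:
        order_enforced = True
    breaches = sla_breaches(case, t0 + timedelta(minutes=90))   # 1h task SLA exceeded
    mark_evidence(case, "artifact", "artifact:4412", "beacon destination")
    mark_evidence(case, "artifact", "artifact:4412")            # duplicate, ignored
    complete_task(case, "Identify affected hosts")
    start_phase(case, "Containment", t0 + timedelta(minutes=100))
    return {"order_enforced": order_enforced, "breaches": breaches,
            "evidence_count": len(case.evidence),
            "containment_started": case.phases[1].started is not None}
```

The point to take from the model is where the SLA clock starts and who gets told: the clock for every task in a phase starts when the phase opens, not when someone picks the task up, and a task breach is the task owner's problem while a phase breach is the case owner's. If you automate workbook assignment from a playbook, assign owners before the phase opens or the first notifications go nowhere.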
If you found this article useful and want to advance your skills, Splunk Education offers a 3-hour, instructor-led course on investigating incidents with Splunk SOAR. The hands-on labs in the course will teach you how to:
- start investigations
- work on events
- deal with complex incidents and reporting
The Splunk Education course catalog has details about this and other Splunk SOAR courses, as well as registration.