
Cases

Case Screen

The default landing page in DEFEND is the Case Screen. It consists of:

  • Filters - visual and textual search tools to aid when searching Cases.
  • Quick Filters - some helpful generic filter options.
  • Sort By - various quick sort options.
  • Stats - toggle visual filter options based on Case and Resolution Status and the Top 5 Tag terms, and the resulting list of Cases based on the currently applied filters.

Case Screen

Case Information

Each Case has a more detailed Case Information page made up of the following sub-sections:

  • Details - Title, Severity, Assignee, TLP (Traffic Light Protocol), PAP (Permissible Actions Protocol), Date, Time, Tags, and the Imported Alert(s); also a Summary of the Case once it is closed, and a list of Related Cases that share similar Observables.
  • Tasks - a list of Tasks for a Case and the Person or Group assigned to each Task, including a Task Description and Task Logs that show the progress of a Task.
  • Observables - Artifacts, Indicators of Compromise, IP Addresses, etc. that can aid with the analysis of a security event.
  • TTPs (Tactics, Techniques and Procedures) - tagging of events based on the MITRE ATT&CK framework.
  • Description - the description includes the Alert title and an AI-augmented description of the alert to aid with analysis.

Cases can be Closed, Flagged, Deleted, Merged with other cases, or Shared with another organisation using the top right-hand menu.

Case Detailed View