Working with Case Details
The Case Detail view provides an interactive, dynamically updated workspace for assessing, investigating, and responding to cases generated by Stellar Cyber. You can drill to the Case Detail view using any of the following techniques:
- Selecting the name of a case in the Case table.
- Selecting a case listed in the Top Cases panel in the XDR Kill Chain page.
- Selecting an Associated Case in the Event Details display for an alert.
In response, the Case Detail view for the selected case appears.
The Case Detail view has the following main components:
- Case Identification – The Case Identification panel is at the top of the page and stays visible throughout all Case Detail views. It gives you the who, what, when, and where for a case, including the system-generated Case ID, the case name, the associated tenant and tenant group, and the case's score, color-coded to indicate its severity. Names for system-generated cases start out with a summary of the underlying alerts and date. You can click or tap in the name cell to edit the system-generated case name. If you manually edit a case name, Stellar Cyber stops automatically updating it, so any alert counts shown in the name might no longer reflect the current number of associated alerts. If the case is synchronized with a third-party application such as ServiceNow using an InSync, a status indicator for the InSync appears at the top of the panel with its name, status, time of last synchronization in browser time, and a ticket number link to the synchronized case in the third-party application. From here, you can also associate tags, edit the status and priority of cases, assign resources, share the case via email, or export the case to share it with others outside the Stellar Cyber Platform. The Case Identification panel is described in detail later in this topic.
- Case Workspace – The Case Workspace is where you identify, assess, triage, and respond to cases. It provides the tabs summarized below. Select any of the tabs listed below to see a detailed description of the corresponding tab.
  - Detection Tab – The Detection tab provides a high-level summary of the case, including a breakdown of what Stellar Cyber has seen and why it is scoring the case the way it is. You can also see a summary of the XDR Kill Chain stages involved and a table of Associated Alerts.
  - Analysis Tab – The Analysis tab is where you investigate the case. You can rearrange the associated entities, select them to drill to further details, and hover your mouse over links to see contextual pop-ups. Separate Observables and Timeline panels at the right of the tab let you view either a summary of the entities associated with the case or a sortable timeline showing the elapsed time between each of the case's events. Both views let you drill to further details on the underlying evidence for the case.
  - Response Tab – The Response tab is where you take action on the case. Stellar Cyber automatically suggests appropriate actions based on the alerts involved and the response actions available for the associated connectors, from blocking an IP address to disabling a user or disconnecting a host.
- Case Activity – The Case Activity panel provides an audit trail for the case, chronicling any changes made to its associated alerts, Score, Severity, Status, Resolution, Assignee, Tags, or Description, in addition to any synchronization events with third-party applications such as ServiceNow via a Stellar Cyber InSync. You can also add your own comments to the Case Activity panel to annotate changes made during the investigation of a case. Comments are viewable by all users but can only be edited or deleted by the user who created them. Changes to comments also update the Last Modified date for the case. Open the Case Activity panel by selecting its button at the far right of the Case Detail view. The Case Activity panel is available in all Case Detail views, regardless of the currently displayed tab. When you export a case, all relevant data from the Case Activity panel is included, including changes to its severity, status, assignee, and size (number of associated alerts). Timestamps show when each change occurred.
- Evidence Locker – The Evidence Locker (described in detail below) provides a handy spot for you to store and share items that help your team bolster its case, including emails, PDF files, CSV files, and links to other locations in the Stellar Cyber Platform. Open the Evidence Locker by selecting its button at the far right of the Case Detail view. Like the Case Activity panel, the Evidence Locker is available in all Case Detail views, regardless of the currently displayed tab.
Using the Case Identification Panel
The Case Identification panel is available at the top of all Case Detail views and provides the following information on the case:
- Case Name – Stellar Cyber automatically assigns a name to each case it reports. You can either accept the default name or supply your own.
- Score – Stellar Cyber assigns scores to cases based on how critical they are. A case score updates in real time as events and entities are added to or removed from the case. Scores are color-coded to indicate the seriousness of the case.
- Who – The users and hosts associated with the case. You can find details on the observables for the case in the Analysis tab.
- What – The Tactic or Technique for the alert with the highest severity associated with this case.
- Tags – Use this field to assign custom tags to a case that are meaningful to you (for example, AWS or Internal). You can use Tags as filters in the Case table, giving you a way to group cases based on criteria that are meaningful to your deployment.
- When – The time at which the case was first created.
- Where – The geographic locations associated with the case, if known. You can drill down on the observables listed in the Analysis tab to see which entities were seen where.
- Severity – The severity of the case (Critical, High, Medium, or Low). Severity automatically changes with the case score until it is changed manually here. Once you manually edit the severity of a case, it no longer updates automatically based on the case score. Severity indicators are color-coded to direct your attention to more serious cases.
- Status – All cases start out with a Status of New. You can use this field to measure your progress as you address the case, changing the Status to In Progress, Resolved, or Cancelled. Filters in the Case table let you view just those cases of a particular status, giving you a handy way to maintain visibility on case status across the enterprise. All changes to the Status field are logged to the Case Activity panel. Once a case's status has been changed to either Resolved or Cancelled, Stellar Cyber no longer associates new alerts with the resolved or cancelled case. Instead, new alerts are either used to create a new case or associated with a different open case. In addition, a dialog box appears providing the following options for resolved or cancelled cases:
  - Case Resolved – Available options:
    - Select a tag describing the case's resolution (None, False Positive, Benign, or True Positive).
    - Set a comment for the case's resolution.
    - Update the case's associated alerts to Closed. This option is enabled or disabled according to the setting of the Close all related alerts option in Global Case Settings.
  - Case Cancelled – Available options:
    - Set a comment for the case's cancellation.
    - Update the case's associated alerts to Ignored.
  Note that cancelling a case does not delete the case, but it does remove it from the Current Cases table under the default display filters. If you want to see cancelled cases in the Current Cases table, you can set the display filters to include Cancelled cases.
  When you set the Status of a case to Resolved, a dialog box appears that lets you select a tag describing how the case was resolved. Once applied, the tag appears as a special graphic indicator in the Case Identification panel. The figure below summarizes this. You can change the resolution tag for a case as often as you like. All changes are logged to the Case Activity panel.
  Suggested Usage for the Case Resolution Tags
  In general, Case Resolution tags are arranged in a hierarchy according to how you perceive the accuracy and threat level of a given case, ascending from None (the least accurate and the lowest threat) to True Positive (the most accurate and a real threat). Broadly speaking, you can use the Benign and True Positive tags for cases whose underlying correlation you are satisfied with, while reserving the None and False Positive tags for those with which you are not. Reserve the Benign tag for cases that are accurate but result from pen testing or other artificial events. The table below provides some suggested usages for the available Case Resolution tags.

  | Case Resolution Tag | Perceived Case Accuracy/Threat Level | Suggested Usage |
  |---|---|---|
  | None | Somewhat accurate but not a threat. | This is the default Case Resolution tag. Leave resolved cases assigned to the None tag if you have judged them to be somewhat accurate but non-threatening. |
  | False Positive | Not accurate and not a threat. | Assign the False Positive tag to cases you have evaluated and judged to be inaccurate and not a threat. |
  | Benign | Accurate, but not a threat. | Assign the Benign tag to cases that are generated in response to artificial alerts (for example, those generated as the result of a pen test). |
  | True Positive | Accurate and a threat. | Assign the True Positive tag to cases that are both accurate and a real threat. |

- Assigned To – All cases start out as Unassigned. You can use this field to assign a case to any user currently defined in the Stellar Cyber system, providing a degree of traceability. You can sort the Case table by assignee, as well as use the Assignee filters to see different filtered views of cases by assignee. The users available for assignment depend on the scope of the account you are logged in with. For example, if you are logged in as a user with Tenant scope, you can only assign a case to users associated with the same tenant. Similarly, a user with Partner scope can assign cases to any user associated with a tenant belonging to that partner. In addition, if you don't see assignee options at all, it is possible that a root user has hidden the options. All changes to the Assignee field are logged in the Case Activity panel.
InSync Indicators in the Case Identification Panel
Cases synchronized with a third-party application such as ServiceNow using a Stellar Cyber InSync include a status indicator for the InSync at the top of the Case Identification panel, as illustrated below.
If the case could not be synchronized automatically to an active InSync configuration, the Sync to ServiceNow button appears instead and can be used for manual synchronization.
The InSync indicator includes the following information:
- Name – The name of the InSync, as configured in the InSyncs page. You can select the InSync name to navigate to the InSyncs page.
- InSync Status – The status of the InSync is indicated both with text and the color of the circle around the NOW icon:
  - A green circle indicates a Synced status.
  - A gray circle indicates a Paused status.
  - A red circle indicates an Error status.
- Ticket Number Link to ServiceNow – The ticket number of the synchronized case in ServiceNow. You can select the ticket number to drill to the synchronized case in ServiceNow.
- Timestamp – Each indicator displays a timestamp of the last synchronization, expressed in the time zone of the browser.
See Using InSyncs for more information on working with InSyncs.
Manually Pushing a Case to ServiceNow
In the Case Detail page, the Sync to ServiceNow button is visible and can be used for manual synchronization when an alert cannot be automatically synchronized to any InSync configuration.
After a successful manual synchronization, the Sync to ServiceNow button is replaced by the ServiceNow icon in the same area of the Case Detail view.
Either a Sync to ServiceNow button or a ServiceNow icon displays on the Case Details page, but not both at the same time.
Sharing or Exporting Cases
Case Detail views provide both Share and Export buttons in the Case Identification panel, as illustrated below:
- Select the Share button to open a dialog box where you can share the case by email. Supply the destination address, an optional reply-to address, and any message you'd like to include. The recipient sees the name of the case and your message, along with a link to the case itself. All shares are saved to the Case Activity log.
- Select the Export button to export the case to PDF.
Troubleshooting Shared Cases
If you are having trouble finding shared cases in the recipient's email, try checking the spam folder. If you do find the shared case there, you might need to enable DKIM (DomainKeys Identified Mail) for the sending account configured in the System | ORGANIZATION MANAGEMENT | Mail Server page. Certain mail systems (Gmail, for example) automatically mark emails sent without DKIM enabled as spam.
About Case IDs in the Case Views
The Case IDs you see in the Case views are unique for a given tenant – a given tenant will never have multiple cases with the same visible Case ID. Behind the scenes, however, Case IDs are composed of a Tenant ID and a Case ID. Because of this, if you have privileges that let you see cases from multiple tenants, you might notice that the visible Case IDs can repeat across different tenants. That happens because the Tenant ID portion of the full Case ID is not visible in the Case pages – only the Case ID portion is.
Adding Alerts to a Case Manually
You can add alerts to a case manually from the Alert Details page. Select Detections | Alerts | View for an alert type, select one or more alerts in the table, and then select Add to Case to either create a new case or add them to an existing case.
After adding an alert to a case manually, it appears in the Associated Alerts table in the Detection tab of the case's Detail display.
Using the Evidence Locker
The Evidence Locker lets you store items that help your team bolster its case. You can store any of the following:
- Text – No limit on quantity. If you find yourself adding long text messages, use the maximize button for easier reading later on.
- Emails – Must be in .eml format. Maximum file size is 1 MB.
- PDF files – Maximum file size is 1 MB.
- CSV files – For use in spreadsheets. Maximum file size is 1 MB.
- Links – Links can be to other locations in the Stellar Cyber Platform or to external locations. Clicking or tapping a link stored in the Evidence Locker opens a new browser tab for the link.
Open the Evidence Locker by selecting its button at the far right of the Case Detail view. Then use the panel controls to add your evidence as illustrated below:
Keep in mind the following guidance when using the Evidence Locker:
- URLs added as text to the Evidence Locker can be clicked or tapped to open in new browser tabs.
- Use the pin button to pin a particular piece of evidence to the top of the Evidence Locker's list. Once evidence has been pinned, its pin icon changes color. Select the pin button again to unpin the piece of evidence. Pinned evidence is sorted by the time at which it was pinned, with the most recently pinned evidence at the top.
- Unpinned evidence is sorted by modification date.
- There is no limit on the number of entries that can be added to the Evidence Locker.
- Evidence can be opened and downloaded, making it easy to share evidence across multiple team members.
- Changes to the Evidence Locker are logged to the Case Activity panel.
- Changes to the Evidence Locker also update the Last Modified date for the case.
- The Evidence Locker does not support drag and drop.