Case management team

A security analyst in a case management team is responsible for monitoring and responding to cases, assigning and resolving tasks, analyzing data, and more.

Security analysts use Case Management to manage cases, respond to tasks, perform statistical analysis, and more.

Case Management is a central hub for incident responses. It is customizable so that it can be tailored to meet the needs of your company or organization. Therefore, how you interact with Case Management depends on these customizations.

An incident is an event in which data or a system might be compromised. Case Management allows these incidents to be entered by users or by systems that are integrated with Case Management. You can then monitor the status of the case from its creation through to its resolution.

An incident in Case Management can contain the following objects:

  • Task. A unit of work to be accomplished by a user, device, or process. IBM® Security QRadar SOAR handles some tasks automatically. You can be assigned tasks to do manually and mark those tasks as done when you complete them. Incident owners can track the progress of the various tasks.
  • Note. Text added to an incident or task for clarification or additional information.
  • Attachment. A file that is uploaded and attached to an incident or task.
  • Artifact. Data that supports or relates to the incident. Artifacts are organized by type, such as file name, MAC address, suspicious URL, MD5 and SHA1 file hashes, and more. An artifact can also have an attachment, such as an email, log file, or malware sample. Artifacts with the same value but in different incidents can be shown as related.

In addition to objects, an incident can run one or more workflows. A workflow is a predefined set of activities that can run a complex set of instructions. With the proper permission, you can view the status of an incident’s workflows and, if necessary, stop a workflow.

Note: The terms cases and incidents are sometimes used interchangeably in this documentation.
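As an added illustration of the object model above (this is example code written for this page, not QRadar SOAR's own data model or API), the following Python sketch models an incident with its tasks, notes, attachments and artifacts, and implements the "artifacts with the same value in different incidents are related" rule, normalizing hash and MAC values so that case and stray whitespace do not hide a match. All class and function names, and the sample data, are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
# Constructed, simplified stand-in for the objects described above;
# it is not the QRadar SOAR data model or API.
@dataclass(frozen=True)
class Artifact:
    type: str   # e.g. "MD5 Hash", "MAC Address", "URL"
    value: str

@dataclass
class Incident:
    id: int
    name: str
    tasks: list = field(default_factory=list)        # (description, done)
    notes: list = field(default_factory=list)        # free text
    attachments: list = field(default_factory=list)  # file names
    artifacts: list = field(default_factory=list)    # Artifact objects

CASE_INSENSITIVE = {"md5 hash", "sha1 hash", "mac address"}

def artifact_key(art):
    """Canonical (type, value): hashes/MACs match regardless of case or whitespace."""
    value = art.value.strip()
    if art.type.lower() in CASE_INSENSITIVE:
        value = value.lower()
    return (art.type.lower(), value)

class CaseStore:
    def __init__(self):
        self.incidents = {}
        self._by_artifact = defaultdict(set)  # artifact key -> incident ids
    def add(self, inc):
        self.incidents[inc.id] = inc
        for art in inc.artifacts:
            self._by_artifact[artifact_key(art)].add(inc.id)
    def related(self, incident_id):
        """Other incidents sharing at least one artifact value with this one."""
        found = set()
        for art in self.incidents[incident_id].artifacts:
            found |= self._by_artifact[artifact_key(art)]
        found.discard(incident_id)
        return sorted(found)
    def open_tasks(self, incident_id):
        return [d for d, done in self.incidents[incident_id].tasks if not done]

# Constructed sample data: the hash below is a placeholder, not a real indicator.
store = CaseStore()
store.add(Incident(1, "Phishing report", tasks=[("Block sender", True), ("Reset credentials", False)],
                   artifacts=[Artifact("MD5 Hash", "0123456789ABCDEF0123456789ABCDEF")]))
store.add(Incident(2, "Endpoint alert", artifacts=[Artifact("MD5 Hash", " 0123456789abcdef0123456789abcdef")]))
store.add(Incident(3, "Unrelated case", artifacts=[Artifact("URL", "http://example.test/x")]))
```

Calling `store.related(1)` returns `[2]` because both incidents carry the same MD5 value, while incident 3 shares nothing and returns an empty list.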