Cases and objects
A case is an event in which data or a system might be compromised. In IBM Security Orchestration & Automation, cases can be created by application users or by integrated systems. You can then monitor the status of a case from its start to its resolution.
A case in Orchestration & Automation can contain the following objects:
- Task. A unit of work to be accomplished by a user, device or process. Some tasks can be processed automatically. Other tasks are assigned to you to accomplish manually, and you mark them as complete when done. Case owners can track the progress of the various tasks.
- Note. Text added to an incident or task for clarification or additional information.
- Attachment. A file uploaded and attached to a case or task.
- Artifact. Data that supports or relates to the incident. Artifacts are organized by type, such as DNS name, file name, file path, MAC address, URL, MD5 and SHA1 file hashes, and more. An artifact can also have an attachment, such as an email, log file, or malware sample.
In addition to objects, a case can invoke one or more workflows, if your organization has the licensed Orchestration & Automation software. A workflow is a predefined set of activities that can perform a complex set of instructions. With the required permission, you can view the status of an incident’s workflows and, if necessary, terminate a workflow.