Cases and objects

A case is an incident or event in which data or a system might be compromised. Application users, or systems integrated with the application, can enter these cases. You can then act on the case and monitor its status from the start to the resolution.

The application uses objects to classify types of data. You select an object type when you create a rule, script, or workflow; the object type specifies the type of data that the rule, script, or workflow acts on. A case is considered an object, and it has the following child objects:
  • Task. A unit of work to be accomplished by a user, device, or process. The application handles some tasks automatically. Members of the response team can be assigned tasks to accomplish manually and mark them as complete when done. Case owners can track the progress of the various tasks.
  • Note. Text added to a case or task for clarification or additional information.
  • Attachment. A file uploaded and attached to an incident or task.
  • Artifact. Data that supports or relates to the incident. The application organizes artifacts by type, such as file name, MAC address, suspicious URL, MD5 and SHA1 file hashes, and more. An artifact can also have an attachment, such as an email, log file, or malware sample.
  • Milestone. A date for an important event within the incident timeline.
  • Data Table. Field values organized in a tabular format.

The task object can also have notes and attachments as child objects.
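The following is an added example, not code from the original documentation or from the product's own API: a small in-memory model of the object hierarchy described above (a case with task, note, attachment, artifact, milestone, and data table children; tasks carrying their own notes and attachments), together with two rules that each act on one object type. The artifact type names (`md5`, `sha1`, `mac`, `url`, `filename`), the attribute names, and the sample case contents are assumptions made for the example. The artifact rule shows a check a response team would want: an artifact whose value does not match the format of its declared type (a 31-character "MD5", a MAC address with non-hex digits) is flagged with a note rather than silently trusted.

```python
import re
from dataclasses import dataclass, field
from datetime import date
from typing import Callable, Optional


# --- child object types (attribute and type names are assumptions) ---
@dataclass
class Note:
    text: str


@dataclass
class Attachment:
    filename: str
    size_bytes: int


@dataclass
class Task:
    name: str
    done: bool = False
    notes: list = field(default_factory=list)        # a task can carry notes
    attachments: list = field(default_factory=list)  # and attachments


@dataclass
class Artifact:
    type: str            # e.g. "md5", "sha1", "mac", "url", "filename"
    value: str
    attachment: Optional[Attachment] = None  # e.g. the malware sample itself


@dataclass
class Milestone:
    title: str
    when: date


@dataclass
class DataTable:
    name: str
    rows: list


@dataclass
class Case:
    name: str
    tasks: list = field(default_factory=list)
    notes: list = field(default_factory=list)
    attachments: list = field(default_factory=list)
    artifacts: list = field(default_factory=list)
    milestones: list = field(default_factory=list)
    data_tables: list = field(default_factory=list)

    def children(self, object_type: str) -> list:
        """Child objects of one type, selected the way a rule selects its object type."""
        return getattr(self, object_type + "s")  # attributes above are the plural names


# Value formats an artifact must satisfy for its declared type (assumed type names).
ARTIFACT_FORMATS = {
    "md5": re.compile(r"^[0-9a-f]{32}$", re.I),
    "sha1": re.compile(r"^[0-9a-f]{40}$", re.I),
    "mac": re.compile(r"^([0-9a-f]{2}[:-]){5}[0-9a-f]{2}$", re.I),
    "url": re.compile(r"^https?://\S+$", re.I),
}


def artifact_format_problem(artifact: Artifact) -> Optional[str]:
    """Return a description of a type/value mismatch, or None if the value is well-formed."""
    pattern = ARTIFACT_FORMATS.get(artifact.type)
    if pattern is None:
        return None  # free-form types such as a file name have no fixed format
    if not pattern.match(artifact.value):
        return f"{artifact.type} artifact {artifact.value!r} does not match the expected format"
    return None


@dataclass
class Rule:
    object_type: str                      # which child object type the rule acts on
    condition: Callable[[object], bool]   # when it fires
    action: Callable[[Case, object], str] # what it does; returns the note text added


def run_rules(case: Case, rules: list) -> list:
    """Apply every rule to each child object of its type; return the notes that were added."""
    added = []
    for rule in rules:
        for obj in list(case.children(rule.object_type)):
            if rule.condition(obj):
                added.append(rule.action(case, obj))
    return added


def flag_malformed_artifact(case: Case, artifact: Artifact) -> str:
    text = artifact_format_problem(artifact)
    case.notes.append(Note(text))
    return text


def remind_open_task(case: Case, task: Task) -> str:
    text = f"task {task.name!r} is still open"
    task.notes.append(Note(text))  # notes hang off the task, not the case
    return text


DEFAULT_RULES = [
    Rule("artifact", lambda a: artifact_format_problem(a) is not None, flag_malformed_artifact),
    Rule("task", lambda t: not t.done, remind_open_task),
]


def build_sample_case() -> Case:
    """Constructed sample data: one open task and one malformed artifact."""
    case = Case("Suspicious attachment on finance workstation")
    case.tasks += [Task("Isolate host", done=True), Task("Collect memory image")]
    case.artifacts += [
        Artifact("md5", "d41d8cd98f00b204e9800998ecf8427e"),
        Artifact("sha1", "da39a3ee5e6b4b0d3255bfef95601890afd80709",
                 attachment=Attachment("sample.bin", 4096)),
        Artifact("mac", "00:11:22:33:44:zz"),     # not hex: should be flagged
        Artifact("url", "http://example.invalid/payload"),
        Artifact("filename", "invoice.pdf"),      # free-form, not checked
    ]
    case.milestones.append(Milestone("Host isolated", date(2024, 1, 1)))
    return case


def run_sample() -> list:
    return run_rules(build_sample_case(), DEFAULT_RULES)


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

Each rule names a single object type and is only ever handed objects of that type, which mirrors the selection step described above; the same `run_rules` loop serves a rule on tasks and a rule on artifacts without either needing to know about the other.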