Overview

The case Overview tab provides a quick view of the case and the status of any ongoing investigation from IBM Security Threat Investigator. You can see a summary view of key case information such as automated case severity, findings, tasks list, related cases, playbook status, and artifacts. You can drill down into any of these sections.

The Overview tab collects the key information for a case in a single view, giving insight into case severity, status, and any case investigations. For example, you can see the automated severity assigned to the case, the progress of case tasks, QRadar platform findings, playbook status, details of any case artifacts, and related cases.

The following graphic shows an example of a case overview.
Figure: example of automated case severity
Click the links on the tab to view more detailed information:
  • Click the View details link in the Case details section to go to the Details tab, which contains comprehensive case details.
  • Click any individual finding to open a sideview of that finding, or click View findings to view all findings in the Evidence tab.
  • From the Tasks list section, click an individual task to view that task, or click View tasks to go to all tasks for the case.
  • Click View artifacts to go to the case Evidence tab.
  • Click View playbooks to go to the Playbook progress section.
The following example shows a finding sideview, showing its details and related artifacts.
Figure: sideview with related artifacts

Examining automated severity components

The QRadar platform assigns an automated severity to the case to help identify high priority cases quickly. The automated severity is shown in the Case details on the overview tab, and is also shown in the case list.

To better understand how the case was assigned its automated severity, click the Automated severity pill to open the Case severity side view, as shown in the following graphic.
Figure: Case severity side view

The case severity sideview shows the data used to assign the automated severity, including the findings associated with the case severity.

From the chart, you can click a severity icon to filter findings by severity: Critical, High, Medium, Low, or Benign.
Figure: example showing filtering of findings by severity
From the list, click a finding to view the finding details and the enrichments that contributed to the finding severity.
Figure: example of a finding

From the graph, click a severity icon to filter by severity.

There are three types of finding enrichment: rule based, threat intelligence based, and machine learning based.
Rule based enrichments
These are enrichments driven by specified rules. The following example shows a rule based enrichment.
Figure: example of a rule based enrichment
Threat intelligence based enrichments
These are enrichments provided by threat intelligence services.
Machine learning based enrichments
Machine learning enrichments show the enrichment detail, including top indicators, severity, and the confidence degree. An example of a machine learning based enrichment is a score that is based on historical alerts.
To avoid duplicates, additional enrichments in the same category are grouped together and a group icon is displayed. These grouped enrichments can also contribute to the enrichment severity. When you view enrichments that are grouped, the enrichments with the highest severity are ordered at the top of the list.
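The following Python model is an added illustration of the behaviour described above, not IBM code and not the logic QRadar itself uses to compute severity. It assumes the five severity levels listed on this page, the three enrichment categories named above, and a constructed sample case; it shows how findings are filtered by severity, how enrichments of the same category collapse into one group (the page's group icon), and how the highest severity member sorts to the top of each group.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import List, Optional

# Severity ranks as listed on the page, highest first (assumed ordering).
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Benign": 0}

# The three enrichment categories the page describes.
CATEGORIES = ("rule", "threat_intelligence", "machine_learning")


@dataclass
class Enrichment:
    category: str                      # one of CATEGORIES
    name: str                          # illustrative label, not a QRadar identifier
    severity: str                      # key of SEVERITY_RANK
    confidence: Optional[float] = None  # machine learning enrichments carry a confidence degree

    def __post_init__(self):
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown enrichment category: {self.category}")
        if self.severity not in SEVERITY_RANK:
            raise ValueError(f"unknown severity: {self.severity}")


@dataclass
class Finding:
    name: str
    severity: str
    enrichments: List[Enrichment] = field(default_factory=list)


def filter_findings(findings, severity):
    """Mirror the severity icon filter: keep only findings at the chosen level."""
    return [f for f in findings if f.severity == severity]


def group_enrichments(finding):
    """Collapse enrichments of the same category into one group and order each
    group highest severity first, as the page describes for grouped enrichments."""
    buckets = defaultdict(list)
    for e in finding.enrichments:
        buckets[e.category].append(e)
    groups = []
    for category in CATEGORIES:
        members = sorted(buckets.get(category, []),
                         key=lambda e: SEVERITY_RANK[e.severity], reverse=True)
        if members:
            groups.append({
                "category": category,
                "grouped": len(members) > 1,        # True means a group icon would be shown
                "top_severity": members[0].severity,
                "members": members,
            })
    # Show the most severe group first so the strongest contributor is at the top of the list.
    groups.sort(key=lambda g: SEVERITY_RANK[g["top_severity"]], reverse=True)
    return groups


def severity_counts(findings):
    """Counts per severity level, the data behind a case severity chart."""
    counts = {s: 0 for s in SEVERITY_RANK}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample case for demonstration only (not real QRadar data).
SAMPLE_FINDINGS = [
    Finding("Suspicious outbound connection", "Critical", [
        Enrichment("threat_intelligence", "Destination address on blocklist", "Critical"),
        Enrichment("rule", "Unusual port for host", "Medium"),
        Enrichment("rule", "Connection outside business hours", "Low"),
        Enrichment("machine_learning", "Historical alert score", "High", confidence=0.87),
    ]),
    Finding("Repeated failed logins", "Low", [
        Enrichment("rule", "Authentication failure threshold", "Low"),
    ]),
    Finding("Known internal scanner", "Benign"),
]

if __name__ == "__main__":
    for f in filter_findings(SAMPLE_FINDINGS, "Critical"):
        print(f"Finding: {f.name} ({f.severity})")
        for g in group_enrichments(f):
            icon = " [group]" if g["grouped"] else ""
            print(f"  {g['category']}{icon}: top severity {g['top_severity']}")
            for e in g["members"]:
                print(f"    - {e.name}: {e.severity}")
    print(severity_counts(SAMPLE_FINDINGS))
```

In the sample, the two rule based enrichments form a single grouped entry with Medium listed above Low, while the threat intelligence and machine learning enrichments remain single entries, which is the ordering a reader would expect to see in the sideview.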

Click any enrichment to view the enrichment details. To go back to the finding that contains the enrichments, click the back button at the top of the sideview. From the finding view in the sidebar, you can click Go to finding to go to the detailed view of the finding, which shows comprehensive details of the finding, including artifacts, enrichments, and related findings.

The following example provides a walkthrough of information and data that resulted in the case severity.

  • This example starts from the cases list. We select a case and, from the Case overview tab, click the Case severity pill to open the Case severity sideview.
  • We click the Critical icon to filter by critical findings. From here, we can see the various enrichments associated with the finding.
  • We view some enrichments and then go back to the finding sideview.
  • Lastly, we navigate from the Findings sideview to the detailed Findings view in the Evidence tab.