LogSentinel SIEM supports case management in two ways:
- built-in case management - directly managing cases within LogSentinel SIEM
- case management integrations - opening cases in external case management systems through automated response integrations (API, IFTTT, Zapier)
Built-in Case Management¶
Whenever an alert is triggered, an analyst has two options:
- create a new case and associated the alert with it
- associate the alert with an existing case
Each case has a name, description, status, assigned user, associated alerts, associated additional log entries, associated data sources (and therefore assets), time to resolution.
Cases are displayed in the "Case management" menu, where users can choose to see active cases, resolved cases or cases assigned to them.
For each case, users can see a full timeline of events and alerts.
Users can reassign cases, change their category (based on the ENISA taxonomy) and status. Once a case is resolved, all associated alerts are also marked as resolved.
Cases can be searched and filtered based on all of their properties.
Adding data to cases¶
Data is added to existing cases in two ways:
- adding a new alert to an existing case - this is done from the "Triage"/"Details" screen of each alert
- adding an individual log entry or event - this is done via a dedicated icon on the main dashboard. Investigations that involve detailed searches can pinpoint events that should be added to a particular case
Case management reports¶
LogSentinel SIEM supports case reporting, including the following reports:
- Mean time to resolution (global)
- Mean time to resolution (for each individual user)
- Average weekly cases
- Total unresolved cases
Case Management Integrations¶
LogSentinel SIEM can be integrated with external case management systems, through IFTTT and Zapier. These include: JIRA, Trello, Asana, ServiceNow, Basecamp, Redmine, Zendesk, Kanbanize and more.
Integration is done via the automated response options. Each alert can be sent to an external service with all the associated metadata (log entries, IoCs, risk level, data source) to open respective tickets.