Core SA&O Platform Capability: Case Management


This article is a part of a series describing the essential criteria of a Security Automation and Orchestration platform.


Implementing case management can add significant operational efficiency within your Security Operations Center (SOC). It also allows you to demonstrate adherence to any applicable regulatory requirements. Choosing an SA&O platform with integrated case management allows you to benefit from the underlying automation and orchestration capabilities native to the platform. From automated ticketing, to sending email or text notifications, to highly-complex automation responses, case management automation and orchestration allows you to be more productive—which is a primary goal of an SA&O platform.

In the previous article of this series we explored alert management. Once alerts or events are confirmed using automated or manual techniques, the alert details should be incorporated into a case for the broader team to analyze and take actions on. This means that the case management function in an SA&O platform should model and support a cross-functional lifecycle that is customized to your Standard Operating Procedures (SOPs). While alert management is usually technical, case management commonly incorporates technical and non-technical steps into the security operations workflow. As such, the number of cases should be lower in volume than alerts. For example, many organizations receive hundreds or thousands of alerts per day, while their cases tend to number in single digits per day.

Case Management in Phantom v2.1

Here are some additional criteria to consider when evaluating an SA&O platform.

Adaptability to Your Existing SOPs

Many organizations have established SOPs for incident response, emergency, disaster, and other critical situations. The case management functionality should provide a user with the ability to define stages and tasks according to their process, saving them as a template to apply to new cases. Each task in the case should support having a unique owner. The case management function should also allow you to add additional contextual information associated with a task, like instructions to the task owner. Much like task management applications, tasks should have a trackable status and marked as closed when completed by the task owner. The user interface should provide an indicator of progress for the case as well as the overall case status.

Organization of Case Data

All data relating to a case should be aggregated by the case management function. Displaying the information in a single location enables users to efficiently consume it and avoids context switching.

Adding Data to a Case

The case management interface should support attaching relevant technical data such as the alert’s source data and any results from automated or manual actions to the case. The interface should also support attaching relevant non-technical data like: notes, memos, emails, screenshots, recordings, or any other arbitrary data. Automated attachment of information to a case should also be possible from within a playbook.

Linking Cases to Alerts

During a case investigation, it is very common to identify a piece of data that requires additional investigation or a scenario that requires issuing an immediate response-type action. Therefore, if an analyst determines an action should be taken, the case management interface should seamlessly link the analyst to the alert management interface for the respective alert. From the alert management interface, additional actions can be executed and changes to relevant data should be reflected in the case management interface.

Activity Auditing

Additions, modifications, and state changes are important details to a case. All changes to a case should be logged in an audit trail and be exportable.

Changes that should generate audit data might include:
■ Adding data
■ Modifying data
■ Modifying a stage or task
■ Adding files or notes
■ Modifying files or notes
■ Completing a task
■ Any other activity or modification to the case


Whether you have an established set of SOPs or if you are looking to mature your operations, a case management function helps your team stay organized and drives efficiency. The 2.1 release of the Phantom Platform includes unlimited case management in both the Community and Enterprise Editions. Give the Phantom Platform a test drive today and see how the platform’s integrated case management functionality is one way it helps you work smarter.

Chris Simmons,
Director, Product Marketing

Other articles in this series can be found here.
You can also download the entire Phantom Buyer’s Guide here.
Join the Phantom Community to access the free Community Edition.