Mission Control: Promoting an Event to a Case

This article is a part of a series describing key features of the Phantom Security Automation and Orchestration Platform and how they work to improve the analyst experience.

In this specific installment of the series, we will talk about the ability to promote an event to case and what the case management view looks like from the analyst’s perspective.

At a higher level of workflow and orchestration, a common sequence for event management and triage is as follows:

Ingest Event -> Automated Triage via Phantom Playbooks ->
Determine True/False Positive -> Elevate True Positive Events to Case

Phantom 3.0 case management allows you to manage the full lifecycle of a case entirely on the Phantom Platform. There are several key benefits to this:

  • Analysts no longer need to manually shuttle data between platforms, avoiding scenarios where data is lost in translation or incomplete,
  • Event context is maintained throughout the transition from event to case, and
  • While working on a case, all tools needed are available to the analyst (e.g. integration with SOC tools, on-demand action and playbook execution, collaboration, and source data) through the Mission Control view.

There are two key elements to Phantom 3.0 that enable these benefits: Automatically or Manually promoting an event to a case and case management integration with Mission Control™.

Promoting an Event to a Case, Manually or through Automation

From within the Mission Control view of an event, the analyst can promote an event to a case by clicking the case button:


Figure 1.png
Promoting an Event to a Case within Mission Control.

When promoting an event to case, the analyst will need to select which case template to apply to the new case or attach the event to an existing case. The case template that is applied to new cases are intended to apply the company’s Standard Operating Procedure (SOP) or Incident Response Plan (IRP) to the case. While the platform ships with default case templates, many customers create their own templates that match their environment and scenario (e.g. malware outbreak, DDoS, malicious insider, etc).


For customers leveraging automation and playbooks to determine if an event should be promoted to a case, they now have the ability to promote that event from within the playbook via the phantom.promote() API. This API is accessible through the Visual Playbook Editor.


Figure 2.png
Applying a Case Template to an Event During Manual Promotion.


This API unlocks significant functionality and scale; events now have the opportunity be fully triaged and escalated through an automated process without human intervention. When considering a scenario where an organization must process hundreds or thousands of events per day, allowing the automated playbooks triage the event queue at machine speed and present to the analyst the promoted cases significantly scales-up SOC resources.

This leads us to our second key element of case management in Phantom 3.0, which relates to how analysts manually interact with cases.

Case Management integration with Mission Control

The case management view is now a superset of the Mission Control view. By building on the Mission Control view for case management, all the tools, features, and data available in Mission Control are available for cases. Case management extends the Mission Control view by overlaying the selected case template onto the Mission Control view.


Figure 3.png
Case View from within Mission Control.


Leveraging the Mission Control is a powerful addition to case management in Phantom because it allows the analyst to launch Actions and Playbooks against the evidence and data contained within the case, and more tightly integrates the core automation engine with case management. Through this, analysts save significant time and preserve data accuracy by avoiding the task of shuttling data from the Phantom platform to an external ticketing or case management system, and vice versa. Historically when an event is posted to a ticketing system, there is still a need for the analyst to interact with data and tools on the Phantom platform. Keeping the case resident on the Phantom platform saves the analyst time by not changing interfaces and eliminates the task of keeping data in sync between disparate platforms. Additionally, the team managing the case can stay on task with case execution by overlaying the cast template on the Mission Control view.

In closing, Phantom 3.0 allows the entire event and case lifecycle to be managed in the platform, with the ability to incorporate automation into the process. The same goal remains and that is to shorten the MTTR for events and cases. Allowing programmatic escalation of events to cases, as well as integrating case management into the Mission Control view have a direct impact on that goal. Stay tuned for future installments of the Mission Control series where we will continue diving deeper into each capability available in Mission Control.

If you haven’t experienced the Phantom Platform yet, we invite you to join the Phantom Community to gain access to the free the free Community Edition.

Other articles in this series can be found here.