This article is a part of a series describing key features of the Phantom Security Automation and Orchestration platform.
In this installment of the series, we will explore how Phantom Mission Control™ integrates case management tasks into a security operations team’s workflow. By merging case management tasks into Mission Control, analysts save time and better preserve data by eliminating the need to shuttle data between the Phantom Platform and an external ticketing or case management system. When escalating an event to a case, pre-defined case tasks, defined in case templates, that make up your incident response plan are inserted into Mission Control to ensure handling according to your organization’s Standard Operating Procedures (SOPs). In addition, automation playbooks and actions can be embedded within a case template as a task and easily launched from the tasks view, allowing quick access and consistent execution.
By building on the Mission Control view for case management, all the tools, features, and data available in Mission Control are also available for cases. Where case management extends the Mission Control view is by adding case tasks in the tasks view adjacent to the activity view. Tasks that are described in the case template are viewable in the Mission Control layout.
This is an important point and a shift from your experience with Mission Control in past versions of the Phantom Platform—analysts can now use Mission Control while also managing the overall response plan. Each phase can contain a set of tasks with task descriptions, as well as playbooks or actions.
Embedding a playbook and/or action as part of a task in a case allows the automation engine to be tightly coupled with case management. These playbooks or actions can be launched directly from the case task itself, which ensures that the right technical steps will be executed every time the case template is used. In addition, by leveraging automation to execute the task, the team can be certain that the task will be executed in a predictable and consistent manner, at machine speed.
For each case task, ownership can be assigned and the owner can mark the task complete throughout processing the case. For any viewer of the case, the task listing will show a snapshot of the current phase of execution as well as what tasks have been completed.
The task listing itself is driven off of case templates, which are configurable through the administration menu. Case templates are a way for users to create and apply their incident response plans (or standard operating procedures) to events that are escalated to cases. For more information on the event escalation process, check out the Promoting Events to a Case blog post.
Case management will continue to evolve over time as we collect more feedback from community users and customers. If you have a suggestion, we’d love to hear from you! Stay tuned for more information on enhancements to the integrated case management features over the coming weeks and months!
If you haven’t experienced the Phantom Platform yet, we invite you to join the Phantom Community to gain access to the free the free Community Edition.
Other articles in this series can be found here.
More info on Phantom Mission Control can be found here.