Posted January 23

Creating a unified, security-focused case management system

Many SecOps teams use Microsoft Sentinel or Microsoft Defender to do security work, and rely on 3rd party tools to manage cases. The majority of these systems are not tuned to the unique needs of SecOps, resulting in generic views and data, a lack of security context to efficiently resolve cases, and increased time to respond, not to mention the incremental cost of implementing another system. Overreliance on 3rd party ticketing systems for communication and collaboration, inside and outside of the SOC, results in insufficient collaboration capabilities which are not fully integrated with SecOps workflows.

Today, we are happy to announce the public preview of a new case management service. This feature represents our first steps towards delivering a unified, security-focused case management experience that centralizes rich collaboration, customization, evidence collection, and reporting across SecOps workloads, removing the reliance on external ticketing systems. Case management provides an introductory set of features that will be the foundation for future capabilities. With this new service you can:

- Create and track your SecOps related cases in one place with the new Cases page
- Define your own workflow by configuring custom status values
- Improve collaboration, quality, and accountability by assigning tasks and due dates
- Handle escalations and complex cases by linking multiple incidents to a case
- Manage access to your cases using RBAC

This is just the first step! On the roadmap is automation, multi-tenant support, additional collaboration, customization, and more. We welcome your feedback as we add features and work towards a robust case management experience for SecOps.

Introducing case management

You can start your journey by connecting a Microsoft Sentinel workspace to your Defender portal to enable the unified security operations platform.

Click on the Cases entry in the Defender portal navigation bar, and you will be able to create and view your cases on the Cases page. Each case in the queue has a Case Details page, where you can manage the case and view its contents. In the activity log area, you have plenty of room to make comments, paste in content, and share your findings. In the example case below, a threat hunter is investigating a new hypothetical “Burrowing Attack” that consists of multiple MITRE ATT&CK techniques and IoCs.

Every SecOps team has its own processes. Configure your cases to match your processes by setting up custom status values. In the example below, our threat hunter’s statuses enable keeping a backlog of threats that can be triaged on a weekly basis. Custom statuses such as “Research Phase” and “Generate Hypothesis” match this threat hunting team’s process.

You can get even more granular using tasks. Each task in a case has its own name, status, priority, owner, and due date. With this information, multiple collaborators can work on a single case, you will always know who is accountable for completing which task and by when, and you can ensure that all necessary steps in the case are completed.

Let’s say our threat hunter found malicious activity and created an incident for the IR team. They can link the incident to the case, so that it is clear the incident and case are related. Alternatively, if the IR team needs to escalate one or more incidents to the hunting team, they can create a case and link the incidents there. From the linked incidents tab, you can see the status of each of the linked incidents. You can click on the incident name to investigate further on the corresponding incident details page.

Can I access this new feature in the Microsoft Sentinel experience in the Azure portal?

No, this feature will only be available in the latest experience in the Defender portal.

How do cases relate to incidents?

Cases and incidents are separate and independent items, each with a role to play. Incidents are great for triaging, security investigations, remediation, and other IR activities. Case management is more general, enabling collaboration and efficiency across multiple SecOps workloads.

If I close a case, do I also close linked incidents?

Not yet, but we have heard that feedback. Keep an eye out for this in future releases.

Looking forward

This initial release is just the first step! We welcome your feedback as we add features toward providing a unified, security-focused case management experience for SecOps. As we build on this foundation of case management, we're prioritizing these additional robust capabilities as we evolve this solution:

- Automation and APIs
- Multi-tenant support
- Adding more evidence
- Workflow customization
- More Defender portal integrations

Stay tuned for more information in the coming months.

Learn more

Case management overview: https://learn.microsoft.com/en-us/unified-secops-platform/cases-overview