Automated Case Assignment and Policy Configuration
This demonstration walks through FortiSIEM 7.2's automated case management capabilities, showing how security operations teams can streamline incident handling through policy-based assignment. The workflow begins with creating analyst groups organized by expertise level—Escalations, Level 1, and Level 2—each designed to handle cases matching their technical capabilities. Administrators then configure case management policies that define service level agreements, escalation procedures, and assignment methods, including random distribution among team members or direct assignment to team leads. Automation policies tie incident categories to specific analyst groups, so that availability and performance issues route to Level 1 analysts, while security and change-related incidents requiring advanced skills are routed directly to the Level 2 team at case creation rather than waiting for a manual escalation.
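To make the routing and assignment policy concrete, the following is an added illustration written for this page in Python; it is hypothetical example code, not FortiSIEM's API, policy format, or configuration syntax. The group names, incident categories, SLA durations, assignment methods, escalation chain and the sample incidents are all assumed for the example. It shows category-based routing, random versus direct-to-lead assignment, SLA stamping, and the escalation step a case takes once its SLA is breached, and it rejects an unknown category rather than creating an unowned case.

```python
"""Policy-based case assignment modelled on the workflow described above.

Hypothetical example code written for this page; NOT FortiSIEM's API or
policy format. Groups, categories, SLAs, methods and sample incidents
are assumed/constructed for illustration.
"""
import random
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class AnalystGroup:
    name: str
    lead: str
    members: list


@dataclass
class Policy:
    group: str
    sla: timedelta
    method: str                 # "random": any member; "lead": team lead only
    escalate_to: Optional[str]  # group that receives SLA breaches, if any


# Assumed analyst groups organised by expertise level.
GROUPS = {
    "Level 1": AnalystGroup("Level 1", "l1-lead", ["l1-lead", "alice", "bob"]),
    "Level 2": AnalystGroup("Level 2", "l2-lead", ["l2-lead", "carol"]),
    "Escalations": AnalystGroup("Escalations", "soc-manager", ["soc-manager"]),
}

# Assumed incident category -> analyst group routing (the automation policy).
ROUTING = {
    "Availability": "Level 1",
    "Performance": "Level 1",
    "Security": "Level 2",
    "Change": "Level 2",
}

# Assumed per-group case management policy: SLA, method, escalation target.
POLICIES = {
    "Level 1": Policy("Level 1", timedelta(hours=8), "random", "Level 2"),
    "Level 2": Policy("Level 2", timedelta(hours=4), "random", "Escalations"),
    "Escalations": Policy("Escalations", timedelta(hours=1), "lead", None),
}


def pick_assignee(group: AnalystGroup, method: str, rng: random.Random) -> str:
    """Apply the assignment method: a random member or the team lead."""
    if method == "lead":
        return group.lead
    if method == "random":
        return rng.choice(group.members)
    raise ValueError(f"unknown assignment method: {method}")


def create_case(incident: dict, created_at: datetime,
                rng: Optional[random.Random] = None) -> dict:
    """Open a case, route it by category and stamp its SLA deadline.

    An unknown category raises instead of being silently dropped, so a gap
    in the routing table surfaces rather than producing an unowned case.
    """
    if rng is None:
        rng = random.Random()
    group_name = ROUTING.get(incident["category"])
    if group_name is None:
        raise ValueError(f"no routing policy for category {incident['category']!r}")
    policy, group = POLICIES[group_name], GROUPS[group_name]
    return {
        "incident_id": incident["id"],
        "group": group_name,
        "assignee": pick_assignee(group, policy.method, rng),
        "sla_due": created_at + policy.sla,
        "escalated": False,
    }


def escalate_if_overdue(case: dict, now: datetime,
                        rng: Optional[random.Random] = None) -> dict:
    """Escalation procedure: a case past its SLA moves to the next group.

    Returns a new dict and leaves the input untouched, preserving the
    record of who held the case before escalation.
    """
    if rng is None:
        rng = random.Random()
    policy = POLICIES[case["group"]]
    if now <= case["sla_due"] or policy.escalate_to is None:
        return dict(case)
    target, group = POLICIES[policy.escalate_to], GROUPS[policy.escalate_to]
    return {**case, "group": policy.escalate_to,
            "assignee": pick_assignee(group, target.method, rng),
            "sla_due": now + target.sla, "escalated": True}


def run_demo() -> dict:
    """Route two constructed incidents and age them past their SLAs."""
    t0 = datetime(2024, 1, 1, 9, 0)      # constructed timestamp
    rng = random.Random(1)               # seeded so the demo is repeatable
    perf = create_case({"id": 101, "category": "Performance"}, t0, rng)
    sec = create_case({"id": 102, "category": "Security"}, t0, rng)
    return {
        "perf": perf, "sec": sec,
        "perf_on_time": escalate_if_overdue(perf, t0 + timedelta(hours=7), rng),
        "perf_overdue": escalate_if_overdue(perf, t0 + timedelta(hours=9), rng),
        "sec_overdue": escalate_if_overdue(sec, t0 + timedelta(hours=5), rng),
    }


if __name__ == "__main__":
    for name, case in run_demo().items():
        print(name, case)
```

The Performance case lands in Level 1 with an 8-hour SLA; checked 7 hours later it stays put, checked 9 hours later it is reassigned to Level 2 with a fresh 4-hour clock. The Security case goes straight to Level 2 and, once overdue, to the Escalations group, whose "lead" method hands it directly to the assumed team lead.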
Case Investigation and MITRE ATT&CK Integration
Beyond assignment automation, FortiSIEM provides analysts with comprehensive investigation tools once cases are created. The Case Management Overview page surfaces key performance indicators tracking incident response efficiency from event detection through case creation. When analysts drill into individual cases, they gain visibility into related incidents, affected hosts, observables, and the tactics and techniques employed by attackers. MITRE ATT&CK mappings help identify attack patterns and techniques used to gain access, while a chronological timeline in the Investigate tab reveals the attack's progression. This end-to-end workflow—from automated triage to deep investigation—demonstrates how FortiSIEM aims to reduce manual overhead while maintaining thorough incident analysis capabilities.