Transcript
management and assign cases in an automated fashion. To begin, let's log in to FortiSIEM, go to CMDB, then expand the Users tab. Here I have pre-created three analyst groups named Escalations, Level 1 and Level 2, each with analysts of varying technical expertise. Next, we'll navigate to the Admin tab, and under Settings, select Case Management. Click New in the General tab to create a new policy, provide a policy name and define the service level agreement and escalation procedures. In the Auto Assignment section, select how cases will be assigned: by role, by team member or manually. I will choose random assignment within team members. Finally, use the Permissions tab to control case status. You can also customize notifications based on subject, recipients and delivery method. The Auto Close option allows cases to be closed automatically.

Next, I will create a new policy named Level 2 Analyst Policy. The only change will be in the Auto Assignment, where cases will be assigned solely to the team lead. All other settings remain unchanged.

To create an automation policy, navigate to the General section under Settings and create a new policy named Level 1 Team. In the Rules section, specify the relevant categories for the analyst group. I'm assigning Availability and Performance related cases. Configure the policy to generate a case when an incident occurs. Then select the previously defined case management policy, which determines case management based on the policy configuration. Recall that we established different analyst groups with varying expertise. For this policy, I will choose Level 1 Analyst and then Level 2 Analyst, and then click Save.

I will create another new policy named Level 2 Team to handle medium and high severity cases. I will choose the Changes and Security categories in the Rules section, so cases related to these areas are automatically assigned. In the Action field, I will modify "Create case when incident is created".

This automation policy will handle change and security incidents, which require advanced skills. Therefore, I will assign it to the Level 2 Analyst group. For case management, I will use the previously created Level 2 Analyst policy that automatically assigns cases to the team leads within that group. Enable both rules to activate the automation policy.

Next, we'll navigate to the Cases tab. FortiSIEM's Case Management Overview page provides analysts with a comprehensive understanding of case trends. By analyzing open cases, severity levels, and escalated cases, analysts can identify patterns, prioritize incidents, and assess overall security posture. Additionally, Key Performance Indicators (KPIs) offer insights into the efficiency of the incident response process, from event detection to case creation, and highlight the source of the incident generation.

Go to the Cases tab and select List View. In a few minutes, you will see cases automatically assigned to analysts according to the policy. The incident summary identifies unusual service installations on domain control servers. The case has been automatically assigned to a Level 2 Analyst based on its severity. By diving deeper into this case, analysts can view related incidents, hosts, observables, and the tactics and techniques used. This information is invaluable for understanding the attack. Clicking Explore reveals details about each linked incident on this case. MITRE mappings help identify related incidents and the techniques used to gain access. Finally, the Investigate tab provides a chronological timeline for the incident, aiding in understanding the attack's progression.

This demonstrates FortiSIEM's robust case management capabilities, from initial assignment to thorough investigation. Thanks for watching.