Case Management
CYBERQUEST provides a case management module designed to help organizations and their users create and track investigation workflows so that incidents are addressed quickly. Every case has an owner, who can assign collaborators to support decision-making and speed up resolution. Any existing evidence from the event or alert that led to the case's creation can be attached to the case.
Overview
The Case Management module is opened by selecting the "Case Management" button in the left-side menu of the Web Interface. The main interface presents a view of all cases, with controls for filtering, searching, and managing investigations.
Users land on the Case Management > My Cases page, which allows managing existing cases and opening new ones as needed:

- To initiate a new investigation, click the NEW CASE button.
- To display only the cases where the currently authenticated user is the owner, enable the My Cases switch.
- To filter cases by status, use the Status drop-down menu. The available options are:
  - All: Displays every case in the system, regardless of its current status.
  - New: Shows recently created cases awaiting initial triage and assignment.
  - Open: Lists active investigations currently being worked on by the security team.
  - Solved: Displays cases marked as solved.
  - Closed: Lists cases that have been finalized and closed.
  - Archived: Shows cases that have been archived for record-keeping or future reference.
- Template: A drop-down list that allows selection of a predefined case template. Templates are created and managed in the Case Templates section and are used to streamline case creation.
- To locate a specific case, use the Quick Filter search box on the right side of the web interface.
- All cases are displayed in chronological order, with the most recently created cases at the top of the list.
In the case list, the Actions menu is located on the right side and provides options to view, export, edit, or delete a case. To remove a case, click the delete button in the top-right corner of the Case Management interface. To modify a selected case, click the edit button in the same area. Use the export button to export case data.
The Response Remaining / Confirm Remaining columns show how each case stands against its service level agreement (SLA) deadlines. Security teams use them to prioritize cases and to demonstrate timely response and resolution where regulations require it.
- Response Due Time: The deadline for initial case acknowledgment and assignment. This is the time by which the security team must acknowledge the case and begin the initial investigation.
- Confirmation Due Time: The deadline for confirming the resolution of the case. This is the time by which the security team must confirm that all necessary remediation steps have been taken and the incident is fully resolved.
- Response Remaining: The time left until the Response Due Time. Once the deadline has passed, the column instead shows how long ago it was missed.
- Confirm Remaining: The time left until the Confirmation Due Time. Once the deadline has passed, the column instead shows how long ago it was missed.
Detailed Case View
The Case Details View presents essential information and metadata related to a specific case. This includes general identifiers such as Case ID, name, type, and description, along with timestamps marking important lifecycle events—like when the case was created, modified, closed, or reopened.
It also provides SLA-related metrics such as Response Due Time, Confirmation Due Time, and their respective remaining or overdue durations. Ownership and access are indicated by fields like Case Owner, assigned users, and current Status.
Additional insights include duplication tracking (e.g., duplication hash and count), user classification, and whether the case is flagged as a duplicate or the most recent duplicate. These details support efficient case management, auditing, and prioritization.

Click the quick-view icon of a case to open a quick view of that case.

At the top of the page, available actions include running a playbook, adding a note, editing the case, and changing the case status.
Cases Manual Deduplication
Manual deduplication allows analysts to link cases that their investigation shows to be related or identical. This reduces redundancy and ensures that all relevant information is consolidated under the most appropriate case.
To start manual deduplication, click the deduplication button in the case view, then choose either "Add Deduplicate Item" or "Set Deduplicate Of":


Deduplication Options:
- Add Deduplicate Item: Adds the current case to a temporary list of potential duplicates. This list is used to collect a set of related cases before a primary case is assigned.
- Set Deduplicate Of: Marks the current case as a duplicate of a case selected from the list built with Add Deduplicate Item. This records a clear relationship between the duplicate case and the primary case, consolidating all relevant information under the primary case.
Create a New Case
The Case Management module enables the creation of investigative records that group related alerts, evidence, and user activity into a structured workflow. Each case serves as a central point for tracking incident progress, assigning responsibilities, and maintaining documentation throughout the investigation lifecycle.
To initiate a new case, click the NEW CASE button. This opens the case creation window:

- Name: Provide a concise and descriptive title that clearly reflects the nature of the issue. Following a consistent naming convention within the organization ensures clarity and traceability.
- Collaborators: Select users from the dropdown menu who will participate in or have access to the case. Collaborators can contribute to the investigation, add notes, and access case-related information.
- Status: Choose the case's current phase from the drop-down menu:
  - New: The case has just been opened and is awaiting initial assessment and triage. This status indicates that the incident requires immediate attention to determine its scope and potential impact.
  - Open: The case is actively being investigated by the security team. Evidence is being gathered, analysis is being performed, and containment measures are being implemented.
  - Solved: The security issue has been resolved, and the case is awaiting final closure. All necessary remediation steps have been taken, but documentation and approvals are still pending.
  - Closed: The case has been finalized, and no further action is required. All investigation, remediation, and documentation tasks have been completed, and the case has been formally closed.
  - Archived: The case has been stored for historical or audit purposes. Archived cases are typically retained for compliance reasons or as a reference for future investigations.
  It is recommended to establish an internal procedure that defines when a case should transition between the New, Open, Solved, Closed, and Archived statuses.
- Case Type: Select the category of the case. Maintain a list of case types tailored to the organization's needs; these categories are useful for organizing and sorting cases for historical tracking and analysis.
- Description: Provide a concise explanation of the case’s context and purpose, aiding collaborators in quickly understanding its scope.
- Evidence: Upload supporting material such as logs, documents, screenshots, or other files relevant to the case.
- Case Template: Select a predefined template from the drop-down list to streamline the case creation process. Templates are created and managed in the Case Templates section. Using a template ensures consistency and saves time when handling recurring or standardized case scenarios.
Click the "Save" button to apply the changes and create the case, or select "Cancel" to discard and return to the main page.
Edit Case
To modify an existing case, click the edit button. The Edit Case window allows updates to key case details such as title, status, description, collaborators, attached evidence, and case template. After making the necessary changes, click "Save" to confirm or "Cancel" to discard and return to the main page.
Generate Reports
The Generate Reports feature allows exporting case information for documentation or audit purposes.
Click the export icon to open the reporting interface:

- Summary Report: Exports a general overview of all cases created in Case Management as an HTML file.
- Detailed Report: Builds a tailored report from specific fields selected in a drop-down list. Reports are generated in HTML format and can be customized to highlight precise case attributes. Save the configuration to finalize the report layout.


Associating Events/Alerts with a Case
Case Management is integrated into the key CYBERQUEST investigation modules, so that an analyst can move from threat identification to investigation without leaving the workflow. Potential security incidents identified in other modules can be turned directly into managed cases. Wherever the Case Management action menu is available (typically behind an action arrow), the selected items can be used as evidence either by creating a new case or by attaching them to an existing one.
Integration with Browser Module
The Browser module allows users to explore and analyze security events in detail. When an analyst identifies a potential security incident in the Browser, they can create a case from it or add the event to an existing case:
- Navigate to the Browser module and locate the event of interest.
- Click the action arrow icon next to the desired event.
- From the drop-down menu, select either:
  - Create Investigation Case: Opens a new case creation window with the event pre-populated as evidence.
  - Add to Existing Investigation: Presents a list of existing cases to which the event can be added as evidence.

Integration with Alerts Module
The Alerts module generates notifications when potential security incidents are detected by correlation rules. Analysts can convert these alerts into cases for investigation:
- Navigate to the Alerts module and locate the alert requiring investigation.
- Click the expand button to show the alert details:

- From the expanded view, select either:
  - Create Investigation Case: Opens a new case creation window with the alert pre-populated as evidence.
  - Add to Existing Investigation: Presents a list of existing cases to which the alert can be added as evidence.
Case Overview
The Case Overview provides a graphical summary of all cases and can be opened at any time by clicking the Case Overview button in the quick access section on the left side of the web interface.
It delivers a centralized view of case activity across the organization, showing trends, status distribution, and investigative workload to support prioritization.

1) Total number of cases currently in the "Open" status.
2) Number of cases that have exceeded their Response Due Time.
3) Number of cases that have exceeded their Confirmation Due Time.
4) A list of the most recently modified cases.
5) Overview of case statuses (New, Open, Solved, Closed, and Archived) within a specified time interval.
6) The top users, ranked by the number of cases they are associated with.
7) Cases whose latest Confirmation Due Time has been exceeded.
8) Cases whose latest Response Due Time has been exceeded.
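The following script is an added example, not CYBERQUEST code, illustrating both the Response Remaining / Confirm Remaining columns described in the case list and the counts shown on the Case Overview page. It reproduces the logic a practitioner would expect behind those figures: a signed "remaining" value that turns into an overdue duration once a deadline passes, a work queue ordered by urgency, and the overview tallies (open cases, cases past each deadline, recently modified cases, status breakdown over an interval, and users ranked by case association). The field names, the rule that only New and Open cases keep their SLA clock running, and the sample cases are all assumptions constructed for the example; the page does not state how CYBERQUEST treats deadlines on Solved, Closed, or Archived cases.

```python
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Status values are the ones the documentation lists. Which of them keep the
# SLA clock running is NOT stated there; treating only New and Open as active
# is an assumption of this example.
ACTIVE_STATUSES = {"New", "Open"}


@dataclass(frozen=True)
class Case:
    """Minimal case record; field names are assumed, not CYBERQUEST's schema."""
    case_id: str
    name: str
    status: str
    owner: str
    created: datetime
    modified: datetime
    response_due: datetime        # Response Due Time
    confirmation_due: datetime    # Confirmation Due Time
    collaborators: tuple[str, ...] = ()


def remaining(due: datetime, now: datetime) -> timedelta:
    """Signed time to a deadline: positive = still inside the SLA,
    negative = the deadline was missed that long ago."""
    return due - now


def fmt_remaining(delta: timedelta) -> str:
    """Render a remaining value the way the list columns do:
    '0h 30m' while inside the SLA, 'overdue by 1h 00m' once missed."""
    minutes = int(abs(delta).total_seconds()) // 60
    hours, mins = divmod(minutes, 60)
    text = f"{hours}h {mins:02d}m"
    return text if delta >= timedelta(0) else f"overdue by {text}"


def prioritize(cases: list[Case], now: datetime) -> list[str]:
    """Work queue: active cases ordered by response remaining (most overdue
    first), ties broken by confirmation remaining."""
    active = [c for c in cases if c.status in ACTIVE_STATUSES]
    active.sort(key=lambda c: (remaining(c.response_due, now),
                               remaining(c.confirmation_due, now)))
    return [c.case_id for c in active]


def overdue(cases: list[Case], now: datetime, deadline_attr: str) -> list[str]:
    """Active cases whose given deadline has already passed, most overdue first."""
    late = [c for c in cases
            if c.status in ACTIVE_STATUSES and getattr(c, deadline_attr) < now]
    late.sort(key=lambda c: getattr(c, deadline_attr))
    return [c.case_id for c in late]


def overview(cases: list[Case], now: datetime, since: datetime) -> dict:
    """The figures the Case Overview page shows, computed from the case list."""
    associated: Counter = Counter()
    for c in cases:
        for user in (c.owner, *c.collaborators):
            associated[user] += 1          # owner and collaborators both count
    return {
        "open_count": sum(c.status == "Open" for c in cases),
        "response_overdue": overdue(cases, now, "response_due"),
        "confirmation_overdue": overdue(cases, now, "confirmation_due"),
        "recently_modified": [c.case_id for c in
                              sorted(cases, key=lambda c: c.modified, reverse=True)],
        "status_breakdown": dict(Counter(c.status for c in cases if c.created >= since)),
        "top_users": associated.most_common(),
    }


# Constructed sample data (not real cases). NOW is fixed so results are stable.
NOW = datetime(2024, 5, 6, 12, 0, tzinfo=timezone.utc)
SINCE = NOW - timedelta(days=1)
H = timedelta(hours=1)
SAMPLE_CASES = [
    Case("C-1001", "Suspicious login burst", "Open", "alice",
         NOW - 3 * H, NOW - timedelta(minutes=10), NOW - 1 * H, NOW + 5 * H, ("bob",)),
    Case("C-1002", "Malware beacon", "New", "bob",
         NOW - timedelta(minutes=30), NOW - timedelta(minutes=30), NOW + timedelta(minutes=30), NOW + 8 * H),
    Case("C-1003", "Phishing report", "Closed", "alice",
         NOW - 48 * H, NOW - 24 * H, NOW - 47 * H, NOW - 40 * H),
    Case("C-1004", "Data exfiltration", "Open", "carol",
         NOW - 6 * H, NOW - timedelta(minutes=5), NOW - 4 * H, NOW - timedelta(minutes=30), ("alice",)),
]

if __name__ == "__main__":
    for case in SAMPLE_CASES:
        print(case.case_id, case.status,
              "response:", fmt_remaining(remaining(case.response_due, NOW)),
              "| confirm:", fmt_remaining(remaining(case.confirmation_due, NOW)))
    print("queue:", prioritize(SAMPLE_CASES, NOW))
    print(overview(SAMPLE_CASES, NOW, SINCE))
```

Note that the closed case C-1003 is past both deadlines but does not appear in the overdue lists, because the active-status rule above stops its clock; if the platform counts closed cases as overdue as well, drop that filter.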
To export the Case Overview in CSV format, click the export button.
CYBERQUEST - DORA Regulatory Assistance Module
The DORA module integrated into the CYBERQUEST SIEM platform is purpose-built to assist financial institutions in meeting the requirements of the Digital Operational Resilience Act (DORA). It extends CYBERQUEST into a compliance platform that not only detects and manages security incidents but also aligns incident handling with DORA's reporting requirements, as set out in the regulation text published on EUR-lex.

The DORA module enhances the Case Management environment with dedicated features for regulatory compliance:
- DORA Journey: A dedicated interface that guides organizations through their readiness and compliance assessment, helping them identify gaps and track progress. This step-by-step framework ensures all DORA requirements are addressed systematically, from initial gap analysis to full compliance.
- Standardized Reporting: Automatically generated initial, intermediate, and final reports aligned with DORA's mandated structure and format. Security analysts can create these reports quickly and forward them to supervisory authorities, reducing the time and effort required for regulatory reporting.
- Correlation: Correlation capabilities help reduce incident response time, eliminate reporting errors, and ensure consistent documentation of security events.
- Incident Classification: Manual categorization of security incidents according to DORA criteria, helping organizations determine which events require formal reporting to regulatory authorities and which can be managed internally.
CYBERQUEST empowers organizations to move beyond basic regulatory checklists by embedding real-time visibility, structured workflows, and data-driven insights into their operational resilience efforts.