SOC Cases: Pull Aggregation data into case or have button to duplicate full aggregation in hunt

[btdewey]

Problem: When creating a case based off an aggregation, event data is not displayed in the case. Expanding the aggregation in the case exposes individual specific filters that can be used to pivot to hunt. It is necessary to manually add any additional filters to be able to see a similar representation of the data in the hunt console.

Solution: Either run the aggregation query and provide the data similar to the "drill down" capability in the alert console or create button on the aggregation that will create a hunt query with all the aggregation filters pre-populated.

[dougburks]

Instead of creating a case based on an aggregation, have you considered drilling into the aggregation and creating the case based on an individual event?

From https://docs.securityonion.net/en/2.3/cases.html#creating-a-new-case:

Alternatively, if you find events of interest in Alerts, Dashboards, or Hunt, you can escalate directly to Cases using the escalate button (blue triangle with exclamation point). Clicking the escalate button will escalate the data from the row as it is displayed. This means that if you’re looking at an aggregated view, you will get limited details in the resulting escalated case. If you want more details to be included in the case, then first drill into the aggregation and escalate one of the individual items in that aggregation.

[btdewey]

This would be to decrease effort. If there are multiple alerts for the same thing it's possible to click on a drill down and then individually select each item, but it takes less time and effort to escalate the aggregation and then work with the aggregation in the case. This would be similar to the drill down in the alerts console.

[btdewey]

More context, we are kind of abusing the cases functionality to allow analyst to tag that they are investigating an alert so that operators know that an alert is being triaged and don't duplicate effort. While an alert can be "acknowledge" to remove it off the alerts page there is no ability to tag something as being investigated by a particular analyst until they make a determination that it is a FP or TP. Aggregations allow a large number of events to be removed from the alerts page and tied to an analyst until they make a determination. Manually tracking what analyst is investigating what alerts to ensure there is no duplication does not scale well and greatly increases the effort on analysts.

[tiger-greenhell]

I can only agree with that

[dougburks]

@btdewey We may improve this in the future but, for now, could you escalate an individual alert to get the detail into Cases and then escalate the aggregation to remove it from the Alerts page?