The Open Cases Dashboard provides SOC analysts with a centralized view of all Security Hub findings currently being reviewed by team members. This feature helps prevent duplicate work, provides visibility into analyst workload, and enables efficient case management.
- From Main Dashboard: Click the "Open Cases" button in the header of the main findings dashboard
- Direct URL: Navigate to /open-cases in the application
- Browser Bookmark: Bookmark the Open Cases page for quick access
- Requires the same authentication as the main application
- Uses your existing Microsoft Entra ID (formerly Azure AD) session
- No additional login required
The Open Cases dashboard follows the same professional AWS Console-style design as the main findings dashboard:
┌─────────────────────────────────────────────────────────────┐
│ Header: "Open Cases" | Refresh Button | Back to Findings │
├─────────────────────────────────────────────────────────────┤
│ Summary Stats: Total Open Cases | Active Analysts │
├─────────────────────────────────────────────────────────────┤
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ Open Cases Table │ │
│ │ ┌─────────┬──────────┬─────────┬──────────┬──────────┐ │ │
│ │ │ Finding │ Severity │ Analyst │ Duration │ Actions │ │ │
│ │ ├─────────┼──────────┼─────────┼──────────┼──────────┤ │ │
│ │ │ S3.13 │ HIGH │ analyst │ 02:15:30 │ View │ │ │
│ │ │ EC2.1 │ CRITICAL │ analyst │ 01:45:12 │ View │ │ │
│ │ └─────────┴──────────┴─────────┴──────────┴──────────┘ │ │
│ └─────────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────┘
- Finding Title: Brief description of the security issue
- Finding ID: Truncated Security Hub finding identifier
- Severity: CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL
- Compliance Status: FAILED, WARNING, PASSED, NOT_AVAILABLE
- Resource: Primary AWS resource affected
- Analyst Email: Email of the analyst currently reviewing the finding
- Session Duration: Real-time calculation of how long the session has been active
- Opened At: Timestamp when the analyst started reviewing the finding
- Severity Badges: Color-coded severity indicators
- 🔴 CRITICAL (Red)
- 🟠 HIGH (Orange)
- 🟡 MEDIUM (Yellow)
- 🟢 LOW (Green)
- 🔵 INFORMATIONAL (Blue)
- Active Session Indicator: Red email text indicates active review session
- Auto-refresh: Page automatically refreshes every 60 seconds
- Manual Refresh: Click the refresh button for immediate updates
- Session Duration: Live calculation of session time
- Status Changes: Reflects when findings are resolved or sessions end
- View Finding Details: Click on any finding to navigate to the detailed view
- Back to Main Dashboard: Return to the main findings dashboard
- Direct Links: Every finding link carries the complete finding ARN (URL-encoded), so it resolves to the correct detail view
- Active Sessions Only: Shows only findings currently being reviewed
- No Duplicate Work: Shows when a finding is already open with another analyst, so the same finding is not worked in parallel
- Audit Trail: Complete tracking of who opened and is working on each case
- Check Open Cases: Review what cases are currently being worked on
- Workload Assessment: See which analysts are active and their case load
- Priority Review: Identify high-severity cases that need attention
- Avoid Duplicates: Check if a finding is already being reviewed before starting
- Load Balancing: Distribute work based on current analyst activity
- Handoff Management: Coordinate case transfers between shifts
- Team Activity: Monitor analyst productivity and case resolution times
- Bottleneck Identification: Identify cases that have been open too long
- Resource Allocation: Adjust team assignments based on workload
1. Analyst opens main findings dashboard
2. Identifies a CRITICAL finding to investigate
3. Checks Open Cases to ensure no one else is working on it
4. Clicks on finding to start investigation (auto-starts session)
5. Finding appears in Open Cases for other analysts to see
1. Outgoing analyst reviews their open cases
2. Documents progress in finding details
3. Resolves completed cases (auto-ends sessions)
4. Incoming analyst checks Open Cases for ongoing work
5. Continues investigation on handed-off cases
1. Supervisor opens Open Cases dashboard
2. Reviews session durations to identify long-running cases
3. Checks analyst workload distribution
4. Reassigns cases or provides additional resources as needed
- Duration Tracking: Real-time calculation of session length
- Analyst Activity: Visual representation of who is working on what
- Case Load: Number of active cases per analyst
- Resolution Patterns: Historical data on case completion times
- Average Session Duration: Typical time to resolve findings by severity
- Analyst Efficiency: Cases resolved per analyst per time period
- Workload Distribution: Even distribution of cases across team members
- Priority Handling: Response time for CRITICAL and HIGH severity findings
- Consistent Design: Same AWS Console-style interface
- Shared Authentication: Single sign-on across all pages
- Real-time Sync: Changes in one view reflect in the other
- Session Tracking: Sessions started in main dashboard appear in Open Cases
- Status Updates: Resolving findings in details view removes them from Open Cases
- Audit Trail: Complete tracking across all interfaces
- Endpoint: /open-cases for retrieving active sessions
- Authentication: A valid JWT ID token from the Entra sign-in is required on every request
- Real-time Data: Current session information with duration calculations
- Error Handling: Graceful degradation if session tracking is unavailable
- Optimized Queries: Efficient retrieval of active sessions only
- Caching: Appropriate caching for performance without sacrificing real-time updates
- Responsive Design: Works on desktop and tablet devices
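The following is an added example, not the project's own code: it assembles the Open Cases view described above (active sessions only, live HH:MM:SS durations, summary stats, a stale flag for long-running cases) from session-tracking records, and shows the check that refuses a second active session on a finding another analyst already has open. The record shape (finding_id, title, severity, compliance_status, resource, analyst_email, opened_at, closed_at), the /open-cases response layout, the 4-hour stale threshold and all sample ARNs, e-mails and timestamps are assumptions constructed for the example; the page does not specify them.

```python
"""Added example, not the project's own code: build the Open Cases view from
session-tracking records and refuse a second active session on a finding
another analyst already holds.

Assumed record shape (not from the page): finding_id, title, severity,
compliance_status, resource, analyst_email, opened_at (ISO-8601 UTC) and
closed_at, which is set when the finding is resolved. A session is active
while closed_at is empty. The 4-hour stale threshold is illustrative.
"""
from __future__ import annotations

from collections import Counter
from datetime import datetime, timedelta, timezone

SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "INFORMATIONAL": 4}
NOW = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)  # fixed clock for the sample


def _session(control, uid, title, severity, resource, analyst, opened, closed=None):
    """Build one constructed session record in the assumed shape."""
    return {
        "finding_id": ("arn:aws:securityhub:us-east-1:111122223333:subscription/"
                       f"aws-foundational-security-best-practices/v/1.0.0/{control}/finding/{uid}"),
        "title": title, "severity": severity, "compliance_status": "FAILED",
        "resource": resource, "analyst_email": analyst,
        "opened_at": opened, "closed_at": closed,
    }


# Constructed sample data: ARNs, addresses and times are made up.
SAMPLE_SESSIONS = [
    _session("S3.13", "0a1b2c3d", "S3 buckets should have lifecycle policies configured",
             "HIGH", "arn:aws:s3:::example-logs-bucket", "analyst1@example.com", "2024-05-01T09:44:30Z"),
    _session("EC2.1", "4e5f6a7b", "EBS snapshots should not be publicly restorable", "CRITICAL",
             "arn:aws:ec2:us-east-1:111122223333:snapshot/snap-0123456789abcdef0",
             "analyst2@example.com", "2024-05-01T10:14:48Z"),
    _session("TAG.1", "8c9d0e1f", "Constructed low-severity tagging control", "LOW",
             "arn:aws:ec2:us-east-1:111122223333:instance/i-0abc123def456", "analyst1@example.com",
             "2024-05-01T06:00:00Z"),
    _session("S3.9", "c0ffee01", "S3 bucket server access logging should be enabled", "MEDIUM",
             "arn:aws:s3:::example-assets-bucket", "analyst1@example.com",
             "2024-05-01T08:00:00Z", closed="2024-05-01T09:00:00Z"),  # resolved: must not be listed
]


def parse_ts(value: str) -> datetime:
    """Parse ISO-8601; a trailing 'Z' and naive values are treated as UTC."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def format_duration(delta: timedelta) -> str:
    """Render a session age as HH:MM:SS; hours keep counting past 24."""
    total = max(0, int(delta.total_seconds()))
    hours, rest = divmod(total, 3600)
    minutes, seconds = divmod(rest, 60)
    return f"{hours:02d}:{minutes:02d}:{seconds:02d}"


def truncate_id(finding_id: str, width: int = 24) -> str:
    """Shorten a long finding ARN for the Finding ID column."""
    return finding_id if len(finding_id) <= width else finding_id[: width - 3] + "..."


def active_sessions(sessions: list[dict]) -> list[dict]:
    """'Active Sessions Only': drop every session that has been closed."""
    return [s for s in sessions if not s.get("closed_at")]


def build_open_cases(sessions, now=None, stale_after=timedelta(hours=4)):
    """Rows for the Open Cases table plus the header summary stats."""
    now = now or datetime.now(timezone.utc)
    rows = []
    for s in active_sessions(sessions):
        opened = parse_ts(s["opened_at"])
        age = now - opened
        rows.append({
            "finding_id": truncate_id(s["finding_id"]), "full_finding_id": s["finding_id"],
            "title": s["title"], "severity": s["severity"],
            "compliance_status": s["compliance_status"], "resource": s["resource"],
            "analyst_email": s["analyst_email"], "opened_at": opened.isoformat(),
            "duration": format_duration(age),
            "stale": age >= stale_after,  # bottleneck flag for the supervisor view
        })
    # Highest severity first, oldest session first within a severity.
    rows.sort(key=lambda r: (SEVERITY_ORDER.get(r["severity"], 99), r["opened_at"]))
    per_analyst = Counter(r["analyst_email"] for r in rows)
    return {"total_open_cases": len(rows), "active_analysts": len(per_analyst),
            "cases_per_analyst": dict(per_analyst), "cases": rows}


def try_open_session(sessions, finding, analyst_email, now=None):
    """Open a review session unless another analyst already holds one.

    Returns (ok, reason). A real store must do this as one atomic conditional
    write; this read-then-append illustrates the rule, not the concurrency.
    """
    for s in active_sessions(sessions):
        if s["finding_id"] == finding["finding_id"]:
            if s["analyst_email"] == analyst_email:
                return True, "already yours"
            return False, f"already open by {s['analyst_email']}"
    now = now or datetime.now(timezone.utc)
    sessions.append({**finding, "analyst_email": analyst_email,
                     "opened_at": now.isoformat(), "closed_at": None})
    return True, "opened"
```

With the sample clock fixed at 12:00 UTC, the two findings from the layout sketch come out at 02:15:30 and 01:45:12, the closed S3.9 session is omitted, and the 6-hour session is flagged stale. The duplicate check in try_open_session is the rule the dashboard relies on; in a DynamoDB-backed store it belongs in a conditional put keyed on the finding, not in application code that reads first and writes second.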
Symptoms: Empty dashboard or loading spinner
Solutions:
- Check network connectivity
- Verify authentication status
- Refresh the page
- Check browser console for errors
Symptoms: Cases show without analyst information
Solutions:
- Verify session tracking is enabled
- Check DynamoDB connectivity
- Confirm analyst started session properly
- Wait for next auto-refresh cycle
Symptoms: Links not working or 404 errors
Solutions:
- Ensure complete ARN support is deployed
- Check URL encoding/decoding
- Verify API Gateway configuration
- Clear browser cache
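As an added example, not the project's own code, the following shows the URL-encoding point behind the 404 symptom above: a Security Hub finding ARN contains slashes, so a link that embeds it raw splits the ARN into several path segments, while a fully percent-encoded ARN stays one segment and round-trips. The route shape /findings/{finding_arn} and the sample ARN are assumptions made for the example; the page does not state the application's routes.

```python
"""Added example, not the project's own code: build finding-detail links that
carry the complete Security Hub finding ARN, and validate them on the way back.

Assumed route (not from the page): /findings/{finding_arn}, with the whole ARN
as one path segment. SAMPLE_ARN is constructed sample data.
"""
from urllib.parse import quote, unquote

FINDINGS_ROUTE = "/findings/"
SAMPLE_ARN = ("arn:aws:securityhub:us-east-1:111122223333:subscription/"
              "aws-foundational-security-best-practices/v/1.0.0/S3.13/finding/0a1b2c3d")


def finding_link(finding_arn: str, route: str = FINDINGS_ROUTE) -> str:
    """Percent-encode the full ARN. safe="" also escapes '/', which quote()
    would otherwise leave alone, so the ARN survives as a single segment."""
    return route + quote(finding_arn, safe="")


def naive_finding_link(finding_arn: str, route: str = FINDINGS_ROUTE) -> str:
    """The broken form: raw slashes turn one ARN into several path segments,
    which no single-parameter route will match (the 404 in the symptoms)."""
    return route + finding_arn


def finding_arn_from_path(path: str, route: str = FINDINGS_ROUTE) -> str:
    """Recover the ARN from a request path, rejecting malformed or foreign links."""
    if not path.startswith(route):
        raise ValueError(f"path does not start with {route}")
    segment = path[len(route):]
    if "/" in segment:
        raise ValueError("finding ARN was not fully URL-encoded (raw '/' in segment)")
    arn = unquote(segment)
    if not arn.startswith("arn:aws:securityhub:") or "/finding/" not in arn:
        raise ValueError("decoded value is not a Security Hub finding ARN")
    return arn


def link_is_well_formed(path: str) -> bool:
    """True when the path decodes to a Security Hub finding ARN."""
    try:
        finding_arn_from_path(path)
        return True
    except ValueError:
        return False
```

If the API layer hands the handler a path parameter it has already decoded once, the raw-slash check above will fire on a correct link; in that case validate the ARN prefix directly and do not call unquote a second time, otherwise a well-formed link is rejected or, worse, decoded twice.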
- CloudWatch Logs: Monitor API Gateway and Lambda logs
- X-Ray Tracing: Trace request flow for performance issues
- Error Tracking: Comprehensive error logging for debugging
- Check Open Cases First: Always check before starting new investigations
- Resolve Promptly: Mark findings as resolved when investigation is complete
- Document Progress: Use finding details to document investigation progress
- Communicate: Coordinate with team members on complex cases
- Regular Monitoring: Check Open Cases dashboard throughout the day
- Load Balancing: Ensure even distribution of work across team
- Time Management: Monitor session durations for efficiency
- Training: Use session data to identify training opportunities
- Shift Handoffs: Use Open Cases for smooth shift transitions
- Escalation: Monitor high-severity cases for timely escalation
- Metrics: Track team performance using session analytics
- Process Improvement: Use data to optimize SOC workflows
- Advanced Analytics: Detailed reporting on analyst performance
- Notifications: Alerts for long-running sessions or high-priority cases
- Case Assignment: Automated case assignment based on workload
- Integration: Enhanced integration with ticketing systems
- Use the application feedback mechanisms to suggest improvements
- Report bugs or issues through standard support channels
- Participate in user experience surveys for future enhancements