TheHive-Project / TheHive

TheHive: a Scalable, Open Source and Free Security Incident Response Platform
https://thehive-project.org
GNU Affero General Public License v3.0

Ability to merge individual tasks into cases #735

Open twingbat opened 5 years ago

twingbat commented 5 years ago

Request Type

Feature Request

It would be great if the case template system were more agile by allowing something like task templates to be merged into existing cases.

This is the use case: We would like to have a generic "Malware Response" case template for all malware related alerts. This would contain all the steps that are required for ALL malware investigations and would provide a basic skeleton format for those investigations. However, during the investigation, if it is determined that the malware is ransomware (for instance), it would be nice to have a task template with the extra steps for ransomware response. Currently we would have to create a generic malware case template and a specific ransomware case template, then merge the two (which makes the case name really long), when really all we want is a way to add templated tasks to existing cases. I know you can add tasks ad hoc to existing cases on the fly, but that relies on the analyst remembering to do it, and consistency would suffer, as each analyst would do it their own way. Ideally we would have a handful of generic case templates for various response scenarios (DDoS, Phishing, Malware, etc.) and a library of tasks to accompany them (Hyperlink Phish, Attachment Phish, Ransomware Malware, Worm Malware, Trojan Malware).

Hopefully that is detailed enough. Thanks for this system, it is quite valuable!
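One way to script the workflow described in this request today, as an added example that is not part of the issue thread or of TheHive's own code: a small task library whose entries are merged into an existing case through the TheHive 3 REST API. The library contents, the Bearer-token header and the `/api/case/task/_search` and `/api/case/<caseId>/task` endpoint usage are this example's assumptions.

```python
"""Merge templated tasks into an existing TheHive case (TheHive 3 REST API).
Added example, not TheHive's own code; endpoint paths and the task library
are this example's assumptions."""
import json
import urllib.request

# Constructed task library: scenario name -> ordered task templates.
TASK_LIBRARY = {
    "ransomware": [
        {"title": "Identify ransomware family",
         "description": "Match ransom note and file extension to a known family."},
        {"title": "Isolate affected hosts",
         "description": "Network-isolate hosts showing encryption activity."},
        {"title": "Check backup integrity",
         "description": "Confirm offline backups are intact before any restore."},
    ],
}

def build_task_payloads(scenario, existing_tasks, library=TASK_LIBRARY):
    """Return JSON bodies for POST /api/case/<caseId>/task. Tasks whose title
    already exists are skipped (re-merging is idempotent); 'order' continues
    after the case's existing tasks."""
    if scenario not in library:
        raise KeyError(f"unknown task template: {scenario}")
    existing_titles = {t["title"] for t in existing_tasks}
    next_order = len(existing_tasks)
    payloads = []
    for tmpl in library[scenario]:
        if tmpl["title"] in existing_titles:
            continue
        payloads.append({"title": tmpl["title"], "description": tmpl["description"],
                         "status": "Waiting", "flag": False, "order": next_order})
        next_order += 1
    return payloads

def merge_tasks_into_case(base_url, api_key, case_id, scenario):
    """Fetch the case's current tasks, then create only the missing ones."""
    def call(path, body):
        req = urllib.request.Request(
            base_url + path, method="POST", data=json.dumps(body).encode(),
            headers={"Authorization": "Bearer " + api_key,
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    # Assumed TheHive 3 search syntax: tasks whose parent case is case_id.
    existing = call("/api/case/task/_search",
                    {"query": {"_parent": {"_type": "case", "_query": {"_id": case_id}}}})
    return [call(f"/api/case/{case_id}/task", p)
            for p in build_task_payloads(scenario, existing)]
```

Because titles already present in the case are skipped, an analyst who has already added one of the steps by hand does not end up with a duplicate task when the template is merged.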

nadouani commented 5 years ago

which makes the case name really long

Hello, do you know that case titles can be updated, even after a merge?

nadouani commented 5 years ago

That said, the idea of configuring a list of tasks to add to a Case based on the ongoing analysis is a good idea.

twingbat commented 5 years ago

I hadn't noticed that you can change the case name. My bad on that one :) Thanks for considering this feature!