Describe the feature:
Fields (and their values) that are interesting for a case can be tagged, or manually added, as IOCs (indicators of compromise) within that case. These IOCs are displayed in a list in the case and can be enriched with threat intel information.
Describe a specific use case for the feature:
While investigating a case, the security analyst tags a `destination.ip`, a `host.name`, and a `file.hash.sha1` field as IOCs in the case. These IOCs are listed in an 'artifacts' or 'IOCs' section of the case so they are easy to find. When an IOC is added to a case we should automatically search for that IOC value in the threat intel index patterns and enrich the IOC with the matching indicator information.
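As an added illustration of the lookup-and-enrich step described above (this is example code written for this page, not Kibana's or the Cases plugin's own implementation), the block below takes the IOCs tagged in the use case, builds the query an enrichment step would send to the threat intel index pattern, and attaches the matching indicator metadata from a constructed set of ECS `threat.indicator.*` documents. The mapping from tagged event field to indicator field (`host.name` to `threat.indicator.url.domain`, for instance), the sample indicator documents and the IOC values are all assumptions made for the example.

```typescript
// Added example (not Kibana code): match IOCs tagged in a case against threat
// intel indicator documents and attach the matching indicator metadata.

// An IOC tagged in a case: the ECS field name and the value seen in the event.
interface Ioc {
  field: string;
  value: string;
}

// The subset of ECS threat.indicator.* fields surfaced on a match.
interface IndicatorMatch {
  provider?: string;
  type?: string;
  confidence?: string;
  reference?: string;
}

interface EnrichedIoc extends Ioc {
  indicatorField: string | null; // null: no known indicator field, so not enrichable
  matches: IndicatorMatch[];
}

interface EnrichmentQuery {
  query: { bool: { should: Array<{ term: Record<string, string> }>; minimum_should_match: number } };
}

// ASSUMPTION: which threat.indicator.* field each taggable event field is compared with.
const INDICATOR_FIELD_FOR: Record<string, string> = {
  "destination.ip": "threat.indicator.ip",
  "source.ip": "threat.indicator.ip",
  "host.name": "threat.indicator.url.domain",
  "file.hash.sha1": "threat.indicator.file.hash.sha1",
  "file.hash.sha256": "threat.indicator.file.hash.sha256",
};

// Resolve a dotted ECS path such as "threat.indicator.ip" inside a nested document.
function getPath(doc: unknown, path: string): unknown {
  return path.split(".").reduce<unknown>(
    (cur, key) => (cur !== null && typeof cur === "object" ? (cur as Record<string, unknown>)[key] : undefined),
    doc
  );
}

// The query body a server-side enrichment step would send to the threat intel
// index pattern: one term clause per enrichable IOC, OR-ed together.
function buildEnrichmentQuery(iocs: Ioc[]): EnrichmentQuery | null {
  const should = iocs
    .filter((ioc) => ioc.field in INDICATOR_FIELD_FOR)
    .map((ioc) => ({ term: { [INDICATOR_FIELD_FOR[ioc.field]]: ioc.value } }));
  if (should.length === 0) return null; // nothing to look up
  return { query: { bool: { should, minimum_should_match: 1 } } };
}

// Enrich each IOC with every indicator document whose mapped field equals the IOC value.
// An IOC with no indicator mapping is kept in the list but gets no matches.
function enrichIocs(iocs: Ioc[], indicatorDocs: Record<string, unknown>[]): EnrichedIoc[] {
  return iocs.map((ioc) => {
    const indicatorField: string | null = INDICATOR_FIELD_FOR[ioc.field] ?? null;
    if (indicatorField === null) return { ...ioc, indicatorField, matches: [] };
    const matches = indicatorDocs
      .filter((doc) => getPath(doc, indicatorField) === ioc.value)
      .map((doc) => ({
        provider: getPath(doc, "threat.indicator.provider") as string | undefined,
        type: getPath(doc, "threat.indicator.type") as string | undefined,
        confidence: getPath(doc, "threat.indicator.confidence") as string | undefined,
        reference: getPath(doc, "threat.indicator.reference") as string | undefined,
      }));
    return { ...ioc, indicatorField, matches };
  });
}

// Constructed sample threat intel documents (shape follows ECS threat.indicator.*).
const SAMPLE_INDICATORS: Record<string, unknown>[] = [
  { threat: { indicator: { type: "ipv4-addr", ip: "203.0.113.10", provider: "feed-a", confidence: "High", reference: "https://feed-a.example/ioc/1" } } },
  { threat: { indicator: { type: "ipv4-addr", ip: "203.0.113.10", provider: "feed-b", confidence: "Medium" } } },
  { threat: { indicator: { type: "file", file: { hash: { sha1: "da39a3ee5e6b4b0d3255bfef95601890afd80709" } }, provider: "feed-a", confidence: "Low" } } },
];

// Constructed IOCs as tagged by the analyst in the use case above.
const CASE_IOCS: Ioc[] = [
  { field: "destination.ip", value: "203.0.113.10" },
  { field: "host.name", value: "workstation-42" },
  { field: "file.hash.sha1", value: "da39a3ee5e6b4b0d3255bfef95601890afd80709" },
  { field: "process.name", value: "svchost.exe" }, // no indicator mapping: listed but not enriched
];

console.log(JSON.stringify(buildEnrichmentQuery(CASE_IOCS), null, 2));
console.log(JSON.stringify(enrichIocs(CASE_IOCS, SAMPLE_INDICATORS), null, 2));
```

Two points a practitioner would want to keep in mind: the same value can match indicators from several providers with different confidence, so the enrichment should keep all matches rather than the first one, and an IOC whose field has no indicator mapping should still be listed in the case so the analyst can see it was not looked up. Because feeds change, the lookup also needs to be repeatable for an existing IOC, not only run once at the moment it is added.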