Getting Started With Cydarm
How to log in to Cydarm
1. Go to your instance URL and click Log In
2. Enter the username and password (available from emailed instructions). Leave “Use MFA Token” unchecked and Source set to “Internal”. Your screen should look similar to the below screenshot.
3. This will take you to the Analyst Dashboard. This will be empty as it’s the first time you’ve logged into Cydarm.
Cydarm Case Basics
Creating a new case in Cydarm
1. Click on the “Case List” tab to take you to the Case List view. Here you’ll see all active cases assigned to you. This should be empty, as this is the first time you’ve used Cydarm.
2. Click on the "+ Create New Case" button in the upper right hand corner, and give your case a meaningful description. Should your instance have multiple tenancies, choose the relevant organization from the drop-down menu.
Basic functionality map when working a case in Cydarm
1. The Case Severity can be set to indicate the risk of the case. This isn’t required for this competition, but can be used for prioritising cases and reporting.
2. The Case Status dictates where the case is in the case workflow. This follows the NIST / SANS PICERL workflow, with minor modifications to suit practical operational case management.
3. The case can be assigned to a user. Once assigned, the case will show up in the user dashboard for that user. Cases can be reassigned to different users.
4. You can add this case to your watchlist, which will add you as a Watcher. This is useful if you aren’t the primary analyst working on the case, but want to keep track of it.
5. You can add items to the case using the “Add Item” button. More on that below.
6. This is the Case ID, a unique code for this case.
Adding files and other items
You can add items to the case in a number of ways:
1. By dragging and dropping items into the window. For example, files or screenshots
2. By clicking "Add Item" and selecting one of the following item types:
Note - to add a text note to the case. For example, noting an activity or outcome. You can change the significance associated with the comment, which will affect how it is displayed in the case view. You can also upload files associated with the comment from here.
Data - you can add a variety of structured data types, including IP address, URL, domain name, email address or file artefact. The date that the data was first observed is required. These can be tagged as IOCs and have credibility and significance levels associated with them. These items get added as STIX objects.
Form - this is an advanced feature which can be used for actions such as creating ServiceNow tickets or triggering automations in other systems. These have not been configured in this instance.
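To show what the Data items above look like once they become STIX objects, here is an added example (not Cydarm's own code, and not how Cydarm's API maps fields) that builds STIX 2.1 Indicators for the data types the guide lists, with the required first-observed date, the IOC tag, and credibility mapped onto the STIX confidence property. The sample values are constructed documentation-range values, not real indicators.

```python
import uuid
from datetime import datetime, timezone

# Constructed mapping from the data types the guide lists to STIX 2.1 patterns.
PATTERNS = {
    "ip": "[ipv4-addr:value = '{v}']",
    "url": "[url:value = '{v}']",
    "domain": "[domain-name:value = '{v}']",
    "email": "[email-addr:value = '{v}']",
    "file": "[file:hashes.'SHA-256' = '{v}']",
}

def stix_indicator(kind, value, first_observed, ioc=True, credibility=50):
    """Build a STIX 2.1 Indicator for one case data item.
    first_observed must be timezone-aware (the date is required, as in the guide);
    credibility (0-100) is mapped onto the STIX 'confidence' property."""
    if kind not in PATTERNS:
        raise ValueError(f"unsupported data type: {kind}")
    if first_observed.tzinfo is None:
        raise ValueError("first observed date must be timezone-aware")
    if not 0 <= credibility <= 100:
        raise ValueError("credibility must be between 0 and 100")
    if "'" in value or "\\" in value:  # keep the value from breaking the pattern
        raise ValueError("value contains characters not allowed in a pattern")
    ts = first_observed.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "pattern_type": "stix",
        "pattern": PATTERNS[kind].format(v=value),
        "valid_from": ts,  # first observed
        "confidence": credibility,
        "labels": ["ioc"] if ioc else ["observation"],
    }

def case_bundle(items):
    """Wrap the case's indicators in a STIX bundle."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": list(items)}

# Constructed sample items (documentation-range values, not real indicators).
SEEN = datetime(2024, 5, 1, 9, 30, tzinfo=timezone.utc)
SAMPLE = [
    stix_indicator("ip", "198.51.100.7", SEEN, credibility=80),
    stix_indicator("domain", "example.com", SEEN, ioc=False, credibility=20),
    stix_indicator("file", "a" * 64, SEEN),
]
```

The checks on the first-observed date and credibility range mirror the fields the Data dialog requires; a value that would break the pattern grammar is rejected rather than embedded.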