Creating a New Case Manually in Cydarm
- Click on the “Case List” tab to open the Case List view. Here you’ll see all active cases assigned to you; this should be empty, as this is the first time you’ve used Cydarm.
- Click on the "+ Create New Case" button in the upper right-hand corner, and give your case a meaningful description. Should your instance have multiple tenancies, choose the relevant organization from the drop-down menu.
Creating a New Case via the Cydarm Email Poller
- To create a case via email, you can send or forward an email to <tenant_name>@trial.cydarm.io, where <tenant_name> is the first part of your trial instance URL. E.g. for https://firstname.lastname@example.org, the email poller address would be email@example.com
Basic functionality map when working a case in Cydarm
- The Case Severity can be set to indicate the risk of the case. This isn’t required for this competition, but can be used for prioritising cases and reporting.
- The Case Status dictates where the case is in the case workflow. This follows the NIST / SANS PICERL workflow, with minor modifications to suit practical operational case management.
- The case can be assigned to a user. Once assigned, the case will show up in the user dashboard for that user. Cases can be reassigned to different users.
- You can add this case to your watchlist, which will add you as a Watcher. This is useful if you aren’t the primary analyst working on the case, but want to keep track of it.
- You can add items to the case using the “Add Item” button. More on that below.
- This is the Case ID, a unique code for this case.
Adding files and other items
You can add items to the case in a number of ways:
- By dragging and dropping items into the window. For example, files or screenshots
- By clicking "Add Item" and selecting one of the following item types:
Adding a Note
Adds a text note to the case, for example to record an activity or outcome. You can change the significance associated with the comment, which will affect how it is displayed in the case view. You can also upload files associated with the comment from here.
You can add a variety of structured data types, including IP address, URL, domain name, email address or file artefact. The date that the data was first observed is required. These can be tagged as IOCs and have credibility and significance levels associated with them. These items get added as STIX objects.
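To show what one of these structured items looks like once it becomes a STIX object, here is an added example (not Cydarm's own code) that builds a STIX 2.1 Indicator from the fields the case form collects. The mapping of artefact type to pattern path, of credibility to the STIX `confidence` property, and of IOC/significance to labels is an assumption for illustration; Cydarm's actual mapping is not documented on this page.

```python
import json
import uuid
from datetime import datetime, timezone

# Assumed mapping from the page's artefact types to STIX 2.1 pattern object paths.
_STIX_PATHS = {
    "ip": "ipv4-addr:value",
    "url": "url:value",
    "domain": "domain-name:value",
    "email": "email-addr:value",
    "file": "file:hashes.'SHA-256'",
}


def _stix_ts(dt):
    """Format a datetime as a STIX timestamp (UTC, millisecond precision)."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def build_indicator(kind, value, first_observed, credibility, is_ioc=True, significance="medium"):
    """Return a STIX 2.1 Indicator dict for one case artefact.

    first_observed: ISO-8601 timestamp (required, as on the case form).
    credibility:    0-100, carried in the STIX 'confidence' property (assumed mapping).
    """
    if kind not in _STIX_PATHS:
        raise ValueError(f"unsupported artefact type: {kind}")
    if not first_observed:
        raise ValueError("first observed date is required")
    if not 0 <= credibility <= 100:
        raise ValueError("credibility must be between 0 and 100")
    ts = datetime.fromisoformat(first_observed.replace("Z", "+00:00"))
    if ts.tzinfo is None:  # treat a naive timestamp as UTC rather than local time
        ts = ts.replace(tzinfo=timezone.utc)
    now = _stix_ts(datetime.now(timezone.utc))
    # Escape backslashes and single quotes so the value cannot break out of the pattern literal.
    escaped = value.replace("\\", "\\\\").replace("'", "\\'")
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": now,
        "modified": now,
        "name": f"{kind}: {value}",
        "pattern": f"[{_STIX_PATHS[kind]} = '{escaped}']",
        "pattern_type": "stix",
        "valid_from": _stix_ts(ts),
        "confidence": credibility,
        "indicator_types": ["malicious-activity"] if is_ioc else ["unknown"],
        "labels": [f"significance:{significance}", "ioc" if is_ioc else "observation"],
    }


if __name__ == "__main__":
    # Constructed sample artefact (documentation-range address, not a real IOC).
    print(json.dumps(build_indicator("ip", "198.51.100.7", "2024-03-01T10:15:00Z", 80), indent=2))
```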
You can configure forms with specified fields and data types. These can be used to add consistent, structured data to cases. For example, you could capture a Risk Assessment result: