# Case Management
[[Case Management]] is an [[Incident Containment]] capability. It covers the systematic handling of correlated alerts that need further investigation or manual enrichment before they can be promoted or closed. Every correlated alert that becomes a case is tracked, investigated, and resolved in a structured manner, giving a complete record of how security events and alerts were handled. Cases that case managers determine to be incidents are handed off to [[Incident Management]] so that the issue is properly handled and contained.
## Map
``` mermaid <!-- element style="width:90%; height:auto" -->
graph TD
Top[[Cybersecurity]] --- E[[Incident Containment]]
E --- E.1[[Alert Correlation]]
E --- E.2[[Case Management]]
E --- E.3[[Incident Management]]
E --- E.4[[Forensic Analysis]]
E --- E.5[[Asset Restoration]]
E --- E.6[[Abuse Reporting]]
E --- E.7[[Failure Tracing]]
%% Class Definitions
%% =====================
class Top,A,A.1,A.2,A.3,A.4,A.5,A.6,B,B.1,B.2,B.3,B.4,B.5,C,C.1,C.2,C.3,C.4,D,D.1,D.2,D.3,D.4,D.5,E,E.1,E.2,E.3,E.4,E.5,E.6,E.7 internal-link,font-color:white;
class Top cssClassL0;
classDef cssClassL0 fill:black,stroke:black,stroke-width:4px,font-size:15px,font-color:white;
class A,B,C,D,E cssClassL1;
classDef cssClassL1 fill:darkblue,stroke:darkblue,stroke-width:4px,font-size:15px,font-color:white;
class A.1,A.2,A.3,A.4,A.5,A.6,B.1,B.2,B.3,B.4,B.5,C.1,C.2,C.3,C.4,D.1,D.2,D.3,D.4,D.5,E.1,E.2,E.3,E.4,E.5,E.6,E.7 cssClassL2;
classDef cssClassL2 fill:blue,stroke:blue,stroke-width:4px,font-size:15px,font-color:white;
class E.2 cssClassCurrent;
classDef cssClassCurrent fill:#2f9503,stroke:#2f9503,stroke-width:4px,font-size:15px,font-color:white;
```
## Definition
> [!success] Definition
> **Case Management** is the process of managing correlated events and alerts from detection to resolution, ensuring that all issues are properly tracked, investigated, and resolved in a structured and efficient manner.
## Goals
> [!cm-goal] Goal 1
> **Efficient Case Handling** - Ensure that cases are created and handled efficiently to promote or close the issue after preliminary investigation.
> [!cm-goal] Goal 2
> **Comprehensive Tracking** - Maintain comprehensive tracking of all alerts that become cases to ensure accountability and transparency.
> [!cm-goal] Goal 3
> **Structured Investigation** - Provide a structured approach to investigating cases to ensure thorough and consistent analysis to arrive at a decision about what the issue is.
> [!cm-goal] Goal 4
> **Effective Resolution** - Ensure that cases are resolved effectively to prevent recurrence and mitigate risk, and feed the outcome back into detection: correlation rules are tuned to reduce false positives where cases are repeatedly closed as benign.
## Scope
The scope of Case Management covers all correlated events and alerts that have been rated suspicious or higher and require human analysis to determine whether an incident exists.
## Process
```mermaid
flowchart LR
A1[Receive Cases <br /> from Alert Correlation]
A2[Receive Cases <br /> from External Notification]
B[Receive Cases]
C[Enrich Cases]
D[Triage Cases]
E[Investigate Cases]
F[Identify Incident]
G[Send Incidents <br /> to Stakeholders]
A1 --> B
A2 --> B
B --> C --> D --> E --> F --> G
```
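The flow above, as an added example that is not Cyber City Map's own code: a minimal case pipeline that receives a case from either intake path, enriches it from an asset inventory and a threat-intel list, triages it to a priority, records investigation findings, decides whether it is an incident, and builds the hand-off record for Incident Management. The inventory, indicator set, priority rules and incident threshold are constructed for illustration, not taken from the page.

```python
"""Added example (not Cyber City Map's own code): a minimal case pipeline
following the Process flow: receive -> enrich -> triage -> investigate ->
identify incident -> hand off. All data and thresholds are constructed."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed enrichment sources: an asset inventory keyed by IP and a
# threat-intel set of known-bad source addresses (documentation ranges).
ASSET_INVENTORY = {
    "10.0.5.20": {"hostname": "db-prod-01", "criticality": "high", "owner": "dba-team"},
    "10.0.8.44": {"hostname": "ws-jdoe", "criticality": "low", "owner": "jdoe"},
}
KNOWN_BAD_SOURCES = {"203.0.113.7"}


@dataclass
class Case:
    case_id: str
    source: str          # "alert_correlation" or "external_notification"
    summary: str
    src_ip: str
    dst_ip: str
    alert_count: int     # number of correlated alerts behind this case
    status: str = "new"
    priority: Optional[str] = None
    enrichment: dict = field(default_factory=dict)
    notes: list = field(default_factory=list)


def receive_case(case: Case) -> Case:
    """Both intake paths (correlation engine, external notification) land here."""
    if case.source not in ("alert_correlation", "external_notification"):
        raise ValueError(f"unknown case source: {case.source}")
    case.status = "received"
    case.notes.append(f"received from {case.source}")
    return case


def enrich_case(case: Case) -> Case:
    """Attach asset context and indicator matches. An asset missing from the
    inventory is kept as 'unknown' so triage can see the gap rather than
    silently treating it as low value."""
    unknown = {"hostname": "unknown", "criticality": "unknown", "owner": "unknown"}
    asset = ASSET_INVENTORY.get(case.dst_ip, unknown)
    case.enrichment = {"asset": asset, "src_known_bad": case.src_ip in KNOWN_BAD_SOURCES}
    case.status = "enriched"
    return case


def triage_case(case: Case) -> Case:
    """Assign a priority from asset criticality and indicator hits (constructed rule)."""
    crit = case.enrichment["asset"]["criticality"]
    bad_src = case.enrichment["src_known_bad"]
    if bad_src and crit == "high":
        case.priority = "P1"
    elif bad_src or crit in ("high", "unknown"):
        case.priority = "P2"
    elif case.alert_count >= 5:
        case.priority = "P3"
    else:
        case.priority = "P4"
    case.status = "triaged"
    return case


def investigate_case(case: Case) -> Case:
    """Record the findings an analyst would write up during investigation."""
    asset = case.enrichment["asset"]
    if case.enrichment["src_known_bad"]:
        case.notes.append(f"source {case.src_ip} matches threat intel")
    if asset["criticality"] == "high":
        case.notes.append(f"target {asset['hostname']} is a high-criticality asset")
    if case.alert_count >= 5:
        case.notes.append(f"{case.alert_count} correlated alerts in this case")
    case.status = "investigated"
    return case


def identify_incident(case: Case) -> bool:
    """Incident decision (constructed threshold): every P1 is an incident; a P2
    is promoted only when corroborated by at least three correlated alerts, so
    a single blocked connection from a bad address closes at case level."""
    is_incident = case.priority == "P1" or (case.priority == "P2" and case.alert_count >= 3)
    case.status = "incident" if is_incident else "closed"
    return is_incident


def hand_off(case: Case) -> dict:
    """Build the record sent to Incident Management and the asset owner."""
    return {
        "case_id": case.case_id,
        "priority": case.priority,
        "asset_owner": case.enrichment["asset"]["owner"],
        "summary": case.summary,
        "findings": list(case.notes),
    }


def run_pipeline(case: Case) -> Optional[dict]:
    """Run the full flow; returns the hand-off record for incidents and None
    for cases closed without one (the case object keeps its audit trail)."""
    for step in (receive_case, enrich_case, triage_case, investigate_case):
        step(case)
    return hand_off(case) if identify_incident(case) else None
```

The `notes` list is the audit trail the tracking goal above asks for: every step appends what it saw, and the hand-off copies it so Incident Management does not start from a bare alert. The incident threshold deliberately separates "bad source" from "incident": a known-bad address that was blocked once is worth a closed case and possibly a rule tune, not an incident.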
## Metrics
> [!cm-metric] Metric: [[% of Cases Resolved within SLA]]
> [!cm-metric] Metric: [[Mean Time to Resolve a Case]]
> [!cm-metric] Metric: [[% of Cases Reopened]]
> [!cm-metric] Metric: [[% of Cases with Complete Documentation]]
> [!cm-metric] Metric: [[% of Cases Leading to Policy Changes]]
> [!cm-metric] Metric: [[% of Cases with Root Cause Analysis]]
> [!cm-metric] Metric: [[% of Cases with Corrective Actions Implemented]]
> [!cm-metric] Metric: [[% of Cases Leading to Training and Awareness]]
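Three of the metrics above computed over constructed case records, as an added example rather than anything from Cyber City Map: % of cases resolved within SLA, mean time to resolve, and % of cases reopened. The per-priority SLA hours are an assumption. The SLA calculation counts a still-open case that is already past its deadline as a breach, instead of the common mistake of measuring only closed cases, which hides exactly the cases that are going wrong.

```python
"""Added example (not Cyber City Map's own code): case metrics over
constructed records. SLA thresholds are assumed, not taken from the page."""
from datetime import datetime, timedelta
from typing import Optional

# Assumed hours-to-resolve SLA by priority.
SLA_HOURS = {"P1": 4, "P2": 24, "P3": 72, "P4": 168}

# Constructed case records; "resolved" is None for cases still open.
CASES = [
    {"id": "C-1", "priority": "P1", "opened": "2024-03-01T08:00:00", "resolved": "2024-03-01T11:30:00", "reopened": False},
    {"id": "C-2", "priority": "P2", "opened": "2024-03-01T09:00:00", "resolved": "2024-03-02T12:00:00", "reopened": True},
    {"id": "C-3", "priority": "P3", "opened": "2024-03-02T10:00:00", "resolved": "2024-03-03T10:00:00", "reopened": False},
    {"id": "C-4", "priority": "P4", "opened": "2024-03-03T00:00:00", "resolved": None, "reopened": False},
    {"id": "C-5", "priority": "P2", "opened": "2024-03-11T20:00:00", "resolved": None, "reopened": False},
    {"id": "C-6", "priority": "P3", "opened": "2024-03-04T08:00:00", "resolved": "2024-03-04T20:00:00", "reopened": True},
]
NOW = datetime.fromisoformat("2024-03-12T00:00:00")  # fixed clock for the example


def sla_deadline(case: dict) -> datetime:
    return datetime.fromisoformat(case["opened"]) + timedelta(hours=SLA_HOURS[case["priority"]])


def sla_outcome(case: dict, now: datetime = NOW) -> Optional[bool]:
    """True = met, False = breached, None = still open and not yet due.
    An open case past its deadline is a breach even though it is unresolved."""
    deadline = sla_deadline(case)
    if case["resolved"] is not None:
        return datetime.fromisoformat(case["resolved"]) <= deadline
    return False if now > deadline else None


def pct_within_sla(cases: list = CASES, now: datetime = NOW) -> float:
    """% of decided cases (met or breached) that met their SLA."""
    outcomes = [o for o in (sla_outcome(c, now) for c in cases) if o is not None]
    return 100.0 * sum(outcomes) / len(outcomes) if outcomes else 0.0


def mean_time_to_resolve_hours(cases: list = CASES) -> float:
    """Mean open-to-resolve time over resolved cases only."""
    hours = [
        (datetime.fromisoformat(c["resolved"]) - datetime.fromisoformat(c["opened"])).total_seconds() / 3600
        for c in cases if c["resolved"] is not None
    ]
    return sum(hours) / len(hours) if hours else 0.0


def pct_reopened(cases: list = CASES) -> float:
    """% of cases that were closed at least once and later reopened."""
    closed = [c for c in cases if c["resolved"] is not None]
    return 100.0 * sum(c["reopened"] for c in closed) / len(closed) if closed else 0.0


def breached_open_cases(cases: list = CASES, now: datetime = NOW) -> list:
    """Open cases already past SLA: the queue a case manager should look at first."""
    return [c["id"] for c in cases if c["resolved"] is None and sla_outcome(c, now) is False]
```

With the constructed records this yields 60% within SLA (C-2 was late and C-4 is open past its P4 deadline), a mean time to resolve of 16.625 hours, and a 50% reopen rate; `breached_open_cases()` lists `C-4`, while `C-5` is open but not yet due and is left out of the SLA figure.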
## Inspiration & Resources
[Cyber City Map](https://cybercitymap.com/) © 2023-2024 by [ThirdScore, Inc.](https://thirdscore.com/) All Rights Reserved.