
SPLK-2003 Case Management and Workbooks

Case Management and Workbooks Detailed Explanation

In Splunk SOAR, incidents don’t just come and go—they're tracked, analyzed, documented, and resolved as cases. To help structure this process, SOAR uses Workbooks, which act as a roadmap for investigation.

1. Case Management

What is a Case?

A case in Splunk SOAR is like a folder that collects and organizes all the information related to a specific security incident. It's used to manage that incident from beginning to end: detection, analysis, containment, and resolution.

Cases are more than just records—they guide the incident response lifecycle, make collaboration easier, and help standardize how your team handles threats.

Key Case Features

1. Case Creation

There are two ways cases can be created:

  • Automatically: Based on event conditions (e.g., severity level, source, type), SOAR can auto-generate a case from an incoming event.

    • Example: Every “Phishing” event with “High” severity becomes a case.

  • Manually: Analysts can convert an event into a case when they believe it requires deeper investigation.

This flexibility ensures that only relevant events become full cases, preventing clutter.

2. Case Fields

Each case includes multiple fields to capture essential information:

  • Title: Name of the case (e.g., “Phishing email to HR team”).

  • Severity: Low, Medium, High, Critical.

  • Status: Open, In Progress, Resolved, Closed.

  • Owner: Assigned analyst or team responsible for investigation.

  • Tags: Keywords like "phishing", "ransomware", "internal", etc.

  • Associated Events: Lists all related events and artifacts.

These fields make it easier to search, filter, sort, and prioritize cases.

3. Case Linking

Sometimes multiple alerts or events are related to the same incident.

  • In SOAR, you can link multiple events to a single case.

  • This is useful when:

    • Several endpoints are affected by the same malware.

    • Multiple users receive the same phishing email.

Case linking reduces duplication and gives you a complete picture of a security incident.

4. Case Templates

A Case Template is a predefined format used to create new cases with consistent structure.

  • Useful when dealing with repeatable incident types like:

    • Phishing

    • Malware infections

    • Unauthorized access

  • Templates define:

    • Which fields are required.

    • Default values (e.g., default tags, severity).

    • Which workbook to attach.

Templates help teams respond faster and more consistently by removing guesswork.

2. Workbooks

What is a Workbook?

A Workbook in Splunk SOAR is a step-by-step investigation guide attached to a case. It helps analysts follow a structured, repeatable process.

Think of a workbook as a checklist with automation — combining human tasks with machine-executed playbooks.

Key Features

1. Stages and Tasks

A workbook is divided into Stages, and each stage contains Tasks.

  • Stages are investigation phases like:

    • Detection

    • Triage

    • Containment

    • Eradication

    • Recovery

  • Tasks are what you do in each stage, such as:

    • “Verify sender domain”

    • “Query user login history”

    • “Isolate affected endpoint”

These help guide even junior analysts through the correct process.

2. Task Types

There are two types of tasks in a workbook:

  • Manual Tasks: Require human input (e.g., writing a note, reviewing an alert).

  • Automated Tasks: Run playbooks in the background to complete the task (e.g., fetch file reputation, disable user).

This blend of automation and human decision-making balances speed with accuracy: routine enrichment runs without waiting on an analyst, while judgement calls stay with a person.

3. Tracking Progress

Every task and stage in the workbook can be:

  • Marked as Pending, In Progress, or Completed.

  • Tracked in real-time in the case interface.

  • Used for reporting (e.g., “What stage are most cases stuck in?”).

Managers can monitor how far along a case is and identify bottlenecks.

4. Customization

You’re not stuck with default templates — Splunk SOAR lets you build your own workbook templates.

  • Create new stages and tasks.

  • Define which tasks are automated vs manual.

  • Link specific playbooks to tasks.

  • Save templates for phishing, malware, insider threat, etc.

Customization ensures your workflows match your company’s policies and response playbooks.

Summary

Feature            Function
-----------------  ------------------------------------------------------------------
Case Creation      Automatically or manually create a case to track an incident
Case Fields        Define metadata like title, severity, tags, and ownership
Case Linking       Combine multiple related events into one unified case
Case Templates     Standardize case setup for common incident types
Workbook Stages    Organize incident response into structured investigation phases
Workbook Tasks     Guide analysts with manual steps and automated playbook execution
Progress Tracking  Monitor task/stage completion and case resolution over time
Customization      Tailor workbook templates to fit your internal processes

Case Management and Workbooks (Additional Content)

1. Case Resolution vs. Case Closure

Understanding the difference between Resolved and Closed statuses is essential for effective case lifecycle management — and it's a frequent exam topic.

a. Resolved

  • Indicates that all technical actions have been completed:

    • Threat neutralized

    • Accounts restored or blocked

    • Alerts addressed

  • However, the case is still open for review or validation:

    • May require managerial sign-off

    • Additional documentation or investigation may still be pending

  • This status often marks the transition phase between operations and administrative closure.

b. Closed

  • Means that the case has been fully reviewed and approved.

  • No further action is needed.

  • It’s officially archived in the system as a completed record.

  • Closed cases are typically used for:

    • Reporting

    • Metrics analysis

    • Compliance audits

c. Exam Tip

Question Example:
“Which status indicates that the incident is fully reviewed and no further actions are required?”
Correct answer: Closed
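To make the two ideas above concrete, here is an added illustrative model in Python (not Splunk SOAR's own code or API) of the auto-promotion rule from the Case Creation section (“Phishing” + “High” becomes a case) together with the Open → In Progress → Resolved → Closed lifecycle, where closure is refused until the review sign-off has happened. Rule names, status strings and the sample events are constructed for the example.

```python
from dataclasses import dataclass, field
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
# Allowed status moves: "closed" is reachable only from "resolved".
TRANSITIONS = {
    "open": {"in progress"},
    "in progress": {"resolved"},
    "resolved": {"in progress", "closed"},
    "closed": set(),
}

@dataclass
class PromotionRule:
    label: str          # event label to match, e.g. "phishing"
    min_severity: str   # lowest severity that turns the event into a case

def should_promote(event: dict, rules: list) -> bool:
    """Auto-creation check: does any rule match the event's label and severity?"""
    sev = SEVERITY_RANK.get(str(event.get("severity", "")).lower(), -1)
    label = str(event.get("label", "")).lower()
    return any(label == r.label.lower() and sev >= SEVERITY_RANK[r.min_severity]
               for r in rules)

@dataclass
class Case:
    title: str
    severity: str
    status: str = "open"
    reviewed: bool = False            # managerial sign-off needed before closure
    events: list = field(default_factory=list)   # linked events (case linking)

    def transition(self, new_status: str) -> None:
        # Reject moves the lifecycle does not allow, and closure without review.
        if new_status not in TRANSITIONS[self.status]:
            raise ValueError(f"cannot move case from {self.status!r} to {new_status!r}")
        if new_status == "closed" and not self.reviewed:
            raise ValueError("closure requires review sign-off")
        self.status = new_status

def auto_create_cases(events: list, rules: list) -> list:
    """Return one Case per event that meets an auto-promotion rule."""
    return [Case(e["name"], e["severity"], events=[e])
            for e in events if should_promote(e, rules)]

# Constructed sample events; in SOAR these would arrive through ingestion.
SAMPLE_EVENTS = [
    {"name": "Phishing email to HR team", "label": "Phishing", "severity": "High"},
    {"name": "Phishing simulation report", "label": "Phishing", "severity": "Medium"},
    {"name": "Malware beacon from laptop", "label": "Malware", "severity": "High"},
]
RULES = [PromotionRule("phishing", "high")]
```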

2. Binding Workbooks to Cases

Workbooks provide structured guidance in case handling. Understanding how they are assigned to cases is key to workflow control.

a. When Can You Attach a Workbook?

  • At Case Creation:

    • When an analyst creates a new case, they can manually select a workbook template.

  • Via Case Templates:

    • Case templates can have default workbooks pre-configured, so that each new case using the template automatically has a workbook attached.

  • On Existing Cases:

    • If a case was created without a workbook, users with sufficient permissions can manually attach or replace a workbook later.

b. Permissions May Affect This

  • Only users with edit or case management permissions can change the workbook binding.

  • Limited-role users may not see the workbook reassignment option.

c. Exam Tip

Question Example:
“How can a workbook be assigned to a case after it’s been created?”
Correct answer: Manually by users with proper permissions, or through a template at creation

3. Relationship Between Workbooks and Playbooks

It’s important to distinguish the function of workbooks (human-driven) from playbooks (automation-driven) — especially in exam scenarios.

a. Workbooks Define Workflow, Not Automation

  • A workbook is a checklist of tasks that guides an analyst through stages of investigation (e.g., Triage, Containment, Recovery).

  • Tasks in a workbook can be:

    • Manual: Requires the analyst to add notes or review findings.

    • Automated: Can be configured to trigger a playbook.

b. Playbooks Are Not Run Directly by the Workbook

  • Playbooks are linked to tasks inside a workbook, but not embedded inside it.

  • The task may say: “Run IP Reputation Lookup”

    • The workbook will trigger the linked playbook when this task is started.

  • This separation of logic allows reusability and modularity.

c. Why This Matters

  • In exams, some questions might imply that workbooks execute playbooks directly — which is incorrect.

  • The correct model is: Workbooks → Tasks → (may trigger) Playbooks

d. Exam Tip

Question Example:
“Does a workbook directly run playbooks as part of its execution?”
Correct answer: No — tasks within the workbook can be configured to trigger playbooks.
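The Workbooks → Tasks → (may trigger) Playbooks model, plus the stage/task progress tracking from the Workbooks section, as an added illustrative example in Python (not Splunk SOAR's own code or API). The playbook registry, the stand-in playbook and the phishing workbook template are constructed; note that the workbook never executes a playbook itself, it only hands off to the one a task is linked to.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

def ip_reputation_lookup(ctx: dict) -> str:
    # Constructed stand-in for a playbook; a real one would query a reputation service.
    ctx.setdefault("playbook_runs", []).append("ip_reputation_lookup")
    return "ip_reputation_lookup: completed"

# Playbooks live in their own registry; a workbook task only references one by name.
PLAYBOOKS = {"ip_reputation_lookup": ip_reputation_lookup}

@dataclass
class Task:
    name: str
    playbook: Optional[str] = None   # None = manual task, else the linked playbook's name
    status: str = "pending"          # pending -> in progress -> completed

@dataclass
class Workbook:
    stages: Dict[str, List[Task]]             # stage name -> tasks, in order
    ctx: dict = field(default_factory=dict)   # case context handed to playbooks

    def start_task(self, task_name: str) -> Optional[str]:
        # An automated task triggers its linked playbook; the workbook itself runs nothing.
        task = self._find(task_name)
        task.status = "in progress"
        return PLAYBOOKS[task.playbook](self.ctx) if task.playbook else None
    def complete_task(self, task_name: str) -> None:
        self._find(task_name).status = "completed"
    def current_stage(self) -> Optional[str]:  # first unfinished stage, or None when done
        return next((name for name, tasks in self.stages.items()
                     if any(t.status != "completed" for t in tasks)), None)
    def _find(self, task_name: str) -> Task:
        hits = [t for ts in self.stages.values() for t in ts if t.name == task_name]
        if not hits:
            raise KeyError(task_name)
        return hits[0]

def bottleneck_report(workbooks: List[Workbook]) -> Counter:
    """Reporting view: how many in-flight workbooks sit in each stage."""
    return Counter(s for s in (w.current_stage() for w in workbooks) if s)

def phishing_workbook() -> Workbook:
    return Workbook({
        "Triage": [Task("Verify sender domain"),
                   Task("Run IP Reputation Lookup", "ip_reputation_lookup")],
        "Containment": [Task("Isolate affected endpoint")],
    })
```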

Summary

Topic                   Detail
----------------------  -----------------------------------------------------------------------
Resolved vs. Closed     Resolved = handled, Closed = verified and finalized
Workbook Binding        Can be added via case template, at creation, or manually later
Workbook–Playbook Link  Tasks within workbooks can trigger playbooks, but don’t run them directly

Frequently Asked Questions

What is the role of case management in Splunk SOAR investigations?

Answer:

Case management organizes multiple related containers into a single investigation structure for complex incidents.

Explanation:

Some security incidents involve multiple alerts or events that are part of the same attack campaign. Case management allows analysts to group these containers into a single case so they can investigate them collectively. This capability provides better visibility into the overall incident timeline and allows analysts to coordinate investigation steps across related events. Cases also support collaboration among multiple analysts and maintain structured documentation for incident response activities.


What purpose do workbooks serve in Splunk SOAR investigations?

Answer:

Workbooks provide structured investigation checklists that guide analysts through predefined response procedures.

Explanation:

Workbooks contain a sequence of tasks that analysts must complete during an investigation. These tasks may include verifying artifacts, collecting evidence, or executing remediation actions. By using workbooks, organizations can standardize their incident response processes and ensure that analysts follow consistent procedures. Workbooks also provide documentation of completed tasks, helping teams maintain audit trails and improve investigation quality.


What does marking an item as evidence accomplish in Splunk SOAR?

Answer:

Marking an item as evidence highlights artifacts or files that are important to the investigation and preserves them within the case record.

Explanation:

Evidence tagging helps analysts identify critical investigation data such as malicious files, suspicious IP addresses, or forensic artifacts. Once marked as evidence, these items become part of the formal case record and can be referenced in reports or audits. Evidence tracking ensures that important investigative findings are not overlooked and remain accessible throughout the incident lifecycle.
