Cases in Guardian Ops provide a structured workflow for managing network abuse incidents efficiently. This feature enables security teams to investigate, track, and resolve abuse reports within a centralized interface.

Key Features

  • Case Creation: Quickly generate new cases based on abuse reports or manual inputs.
  • Automated Case Enrichment: Cases are enriched with threat intelligence and network metadata to accelerate investigations.
  • Collaboration & Notes: Add comments, attach evidence, and collaborate with team members.
  • Status Tracking: Assign cases, set priority levels, and update status to streamline workflows.
  • Export & Reporting: Generate reports and export case details for compliance and record-keeping.

Accessing Cases

To access the Cases feature:
  1. Log in to Guardian Ops.
  2. Navigate to the Cases section in the left-hand menu.
  3. Click New Case to create a case or select an existing case to view details.

Creating a Case

  1. Click New Case in the Cases dashboard.
  2. Enter relevant details, including:
    • Case name
    • Associated abuse type
    • Affected IPs or domains
    • Description of the incident
  3. Optionally, attach files or notes for additional context.
  4. Click Save to create the case.

Investigating a Case

  1. Open a case from the Cases dashboard.
  2. Review the automatically populated metadata and enrichment data.
  3. Add comments, upload evidence, and assign the case to team members.
  4. Update the case status (e.g., Open, In Progress, Resolved).

Closing a Case

Once a case is resolved:
  1. Update the status to Resolved or Closed.
  2. Add a final comment summarizing the resolution.
  3. Export the case details if needed for reporting.

Best Practices

  • Use tags to categorize cases for better organization.
  • Regularly update case statuses to maintain workflow visibility.
  • Leverage automated enrichment to reduce manual effort.
  • Document findings thoroughly to support future investigations.

Case Rule

A case rule defines the logic for creating or associating a case with an event. By default, the system provides one primary rule:
  • Default Rule: For every incoming event, one case is created per customer.
    • The case ID is a C followed by a UUID, e.g. C-2A51B5A1-BD0C-42F1-AF43-FCFA0FD03607
The process works as follows:
  1. Search for an Existing Case: The system checks if an open (state is not resolved) case already exists for the customer that fits the rule.
  2. Create a New Case: If no open case exists, a new case is created and its status is set to “new.”
In addition to the default rule, users can customize case creation using the following options:

Case Creation Options

  1. Separate Case per Contract: A case is created not only for each customer but also for every contract the customer holds. This means there could be multiple cases for the same customer, each tied to a different contract.
  2. Single Event per Case: This option disables the search for an existing case. A new case is opened for every event, ensuring that each event has its own individual case, following the rules specified above.

Combination of Rules

All the above options can be combined, allowing for highly flexible case creation workflows. For example, you can create a rule that opens a new case for each contract and each event type while also ensuring that each event gets its own case.