Argus-Investigation


Cases

Overview:

Cases in Argus Ticketing are used to track and manage incidents, investigations, and other operational workflows.

Location in Argus:

Find the Cases module under Investigation > Cases.

Subsections:

  • Case Operations: Manage case details, status, and assignments.
  • IOCs: Handle Indicators of Compromise within cases.
  • Notes: Add and manage notes to document case activities.
  • Tasks: Create and assign tasks related to each case.

How to Configure:

  • Define case templates and workflows to standardize operations.
  • Set up automation rules to trigger actions based on case statuses.

How to open a case

To open a case from anywhere, press the + button in the top right corner.
A popup appears that lets you fill in the basic information for the new case.

The following information is required:

  • Customer: Name of the customer the case is related to
  • Case name: Name of the case
  • Short description: Short description of the case – this will be set as the summary of the case

The following information is optional:

  • Case template: Template to use for the case. If not set, the case will be created empty
  • Case classification: The classification of the case
  • SOC ticket ID: The ID of the ticket in the SOC ticketing system

Once Create is clicked, the case is created and a popup asks whether to be redirected to the new case or to add another one.

Switching between cases

Each case has its own context. To switch between cases (contexts), either click on the name of the current case at the top left, or click on the switch button at the top right.

A popup appears that lets you select the case to switch to. By default the last 100 cases are displayed; to look further back in time, use the search bar.
Press Save to confirm the switch. The page reloads with the new context.

Alerts

Overview:

The Alerts feature allows you to monitor and manage notifications based on predefined conditions.

Location in Argus:

Go to Investigation > Alerts to access and configure alerts.

How to Configure:

  • Set up alert rules by defining conditions and thresholds.
  • Choose the notification method (email, SMS, etc.) and specify the recipients.

How to Use:

  • Regularly review and adjust alert rules to align with evolving security needs.
  • Monitor alert history to understand and respond to incidents promptly.

Activities

This is the user activity log interface.

There are multiple filtering options for each column:

  • Show non case-related activity: A checkbox that toggles whether activities not tied to any case are included in the list.
  • Show [10] entries: A dropdown to select how many entries to display at once, with 10 as the current value.

Table Layout

  • Date: Shows the timestamp of each activity.
  • User: Displays the user responsible for the activity. Example: in this case, the user is “administrator”.
  • Case: The case ID or name the activity is associated with. Example: “#7 – AI CASE”.
  • Manual Input: Indicates whether the activity was entered manually. Example: a “✖” means no manual input.
  • From API: Indicates whether the activity came from an API call; a green checkmark (“✔”) represents an API input.
  • Activity: Details the specific action or note. Example: “Created note” followed by a unique identifier (e.g., “1718373322.128568967”).

DIM Tasks

An ARGUS TICKETING TOOL Module (DIM) is a Python package that extends ARGUS TICKETING TOOL features. DIMs do not run constantly; they are only called following specific actions performed by users.

There are two distinct types of modules:

Pipeline modules: Allow uploading and processing of evidence through modular pipelines (e.g., EVTX parsing and ingestion into a database or data visualiser). These are called when a user selects Update case and chooses the evidence to process.

Processor modules: Allow processing of ARGUS TICKETING TOOL data upon predefined actions / hooks (e.g., being notified when a new IOC is created and fetching VT/MISP insights for it). These are called either automatically upon specific events or when a user triggers them manually.

This interface is divided into several columns. The columns and their functionalities are as follows:

Task ID: A unique identifier for each task. The Task ID is presented as a clickable link, allowing users to view more details or logs related to the specific task. Users can filter tasks by ID by entering the desired identifier into the filter box below the column heading.

State: Indicates the current state or status of the task.

Case: The specific case associated with the task. This field is used for categorization or tracking within larger investigative processes.

Processing Module: Displays the name of the processing module responsible for handling the task. In the screenshot, the module shown is celery.backend_cleanup.

Initiating User: Indicates the user or system that initiated the task. In the screenshot, the tasks are initiated by “Shadow Argus Ticketing Tool.”
