Tracecat’s case management system is designed to help you manage and track security incidents. It’s design is inspired by Rapid7’s SMAC (status, malice, action, context) methodology and the alert management system at Brex bank.

Open case

Use the Open Case Action in a workflow to open a new case.

View cases

Go to the Cases tab to view all cases. Cases are displayed in a table with the following columns:

Payload

A JSON object containing information about the case.

Status

Is the case open, closed, reported, escalated, or resolved?

Malice

Is the case payload indicative of malicious activity? There are only two options avaiable: malicious or benign.

Action

What steps can I take to move towards closing or resolving this case?

Context

Context represents information not already captured in the case payload.

Best Practices

To keep incident response repeatable, we recommend expressing case actions as a list of tags.

For example, given a newly opened phishing email case, you might want want to set the tags: “quarantine” and “user-education”.

Check out the MITRE D3FEND matrix for ideas.

Tracecat automatically fills the case context with the following MITRE ATT&CK labels (if applicable).

For example:

{
  "tactic": "initial-access",
  "technique": "phishing",
  "procedure": "email-attachment",
  "threat_group": "0ktapus",
}

You can disable this AI feature in settings.

Add evidence

Coming soon

Multi-media evidence can be added to a case from the side panel. Tracecat supports the following evidence types:

  • Text
  • Images
  • Video
  • Audio
  • PDF

Close case

Select the case you want to close in the case table. The case side panel will open. Use the case status dropdown menu to change the case status to Closed.