Ticketing & Case Management Tools

Ticketing and case management systems keep the SOC organized by tracking alerts, investigations, evidence, timelines, and analyst actions. Without these tools, incidents become chaotic, analysts lose context, and investigations break down. A SOC must treat every alert as a structured case with assigned workflows, deadlines, and documentation.


Why Ticketing Matters in SOC

Every SIEM alert, EDR alert, firewall alert, or cloud alert must be logged as a ticket or case. This ensures:

  • Accountability

  • Traceability

  • Proper escalation

  • Consistency

  • Documented evidence

  • Clear communication

  • No alert is ignored

If the SOC receives 3,000 alerts per day, ticketing becomes the backbone of managing that volume.


What Ticketing Systems Do

A SOC ticketing system must support:

  • Alert intake

  • Assignment to analysts

  • Severity classification

  • Investigation notes

  • Evidence attachment

  • Timeline tracking

  • Escalation to higher tiers

  • Communication with other teams

  • Automated updates from SIEM

  • Closing and post-incident summaries

This is not optional; it is mandatory for real SOCs.


Popular Ticketing Tools (With Practical Use)

1. ServiceNow Security Operations

Widely used in enterprises. Integrates with SIEM and SOAR.
Practical example:

New Incident: High Severity
Source: SIEM (Azure AD)
Alert: Impossible travel login for user mayur@company.com
Assigned to: SOC Tier 1
Status: In Progress

Analyst adds:

  • Investigation notes

  • IP reputation screenshot

  • Login logs

  • MFA history

If confirmed malicious, they escalate to Tier 2 with a single click.

2. JIRA (Security Projects)

Very customizable for SOC workflows.
Example:

Ticket: Suspicious DNS activity detected
Category: Network Threat
Attachments: Zeek logs, PCAP snippet

JIRA is flexible but needs SOC-specific workflows.

3. TheHive (SOC-Focused Open Source)

Designed for incident response.
Analyst can:

  • Add observables (IPs, hashes, domains)

  • Run enrichment via Cortex

  • Attach PCAPs, EDR logs

  • Collaborate across T1/T2/T3

Example observable entry:

Observable: 185.88.112.93
Type: ip
Tags: c2, ransomware, high-risk

4. RTIR (Request Tracker for Incident Response)

Used by CERT teams.
Good for formal incident workflow documentation.


Case Management Features SOC Analysts Need

1. Evidence Attachment

Analysts attach:

  • Sysmon logs

  • Firewall logs

  • PCAP files

  • EDR process trees

  • Screenshots

  • Memory dumps

Example:

Attached: sysmon_event1_process_create.txt
Attached: pcap_exfil_traffic.pcap

2. Investigation Notes

Analysts write real-time notes:

  • What commands were suspicious

  • Timeline reconstruction

  • Why an alert was true positive or false positive

  • Pivot points used

Example:

10:33 - Initial alert triggered by EDR.
10:36 - Noticed suspicious PowerShell encoded command.
10:41 - Blocked outbound connection at firewall.
10:45 - Confirmed C2 traffic. Escalating to Tier 2.

3. Timeline Reconstruction

SOC must know the exact sequence of events:

  • When attacker logged in

  • When malware executed

  • When exfiltration began

Case management systems provide time-based charts.
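The sequence above only works if every source's timestamps are on one clock. The following is an added example, not code from the page or from any of the tools named here: it merges constructed EDR, firewall and Windows logon records that use three different timestamp styles (ISO-8601 UTC, syslog without a year on a local clock assumed to be UTC+05:30, and epoch seconds) into a single UTC-ordered timeline with the gap between consecutive events, which is the form the case notes need.

```python
"""Reconstruct one UTC-ordered timeline from EDR, firewall and auth events.

Added example (not from the page): each source logs in its own timestamp
format and time zone, so normalising to UTC before sorting is what keeps
"when did the attacker log in vs. when did malware run" answerable.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Union

# Constructed sample records standing in for exported logs (illustrative only).
EDR_EVENTS = [
    {"ts": "2024-05-14T10:36:12Z", "msg": "powershell.exe -enc ... spawned by winword.exe"},
    {"ts": "2024-05-14T10:33:05Z", "msg": "Alert: Unusual PowerShell execution on WIN-DEVICE-12"},
]
# Firewall syslog: no year, local clock assumed to be UTC+05:30.
FIREWALL_EVENTS = [
    {"ts": "May 14 16:15:40", "msg": "DENY TCP 10.20.30.12:51822 -> 185.88.112.93:443"},
]
FIREWALL_TZ = timezone(timedelta(hours=5, minutes=30))
# Windows Security log exported with epoch seconds.
AUTH_EVENTS = [
    {"ts": 1715682750, "msg": "4624 logon type 3 user=mayur@company.com from 10.20.30.5"},
]


def to_utc(raw: Union[str, int, float], local_tz: timezone = timezone.utc,
           default_year: int = 2024) -> datetime:
    """Normalise the three timestamp styles above to an aware UTC datetime."""
    if isinstance(raw, (int, float)):
        return datetime.fromtimestamp(raw, tz=timezone.utc)
    if raw.endswith("Z"):
        return datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    # Syslog style carries no year; prepend one so strptime does not default to 1900.
    local = datetime.strptime(f"{default_year} {raw}", "%Y %b %d %H:%M:%S")
    return local.replace(tzinfo=local_tz).astimezone(timezone.utc)


def build_timeline() -> List[Dict]:
    """Tag each record with its source, convert to UTC and sort (stable sort)."""
    events = []
    for e in EDR_EVENTS:
        events.append({"utc": to_utc(e["ts"]), "source": "edr", "msg": e["msg"]})
    for e in FIREWALL_EVENTS:
        events.append({"utc": to_utc(e["ts"], FIREWALL_TZ), "source": "firewall", "msg": e["msg"]})
    for e in AUTH_EVENTS:
        events.append({"utc": to_utc(e["ts"]), "source": "auth", "msg": e["msg"]})
    return sorted(events, key=lambda e: e["utc"])


def render(timeline: List[Dict]) -> List[str]:
    """Lines in the form the case notes use, with the gap from the previous event."""
    lines, prev = [], None
    for e in timeline:
        gap = f" (+{int((e['utc'] - prev).total_seconds())}s)" if prev else ""
        lines.append(f"{e['utc'].strftime('%H:%M:%S')}Z [{e['source']}] {e['msg']}{gap}")
        prev = e["utc"]
    return lines


if __name__ == "__main__":
    print("\n".join(render(build_timeline())))
```

Run as-is, the logon (10:32:30Z) lands before the EDR alert and the firewall deny at 16:15:40 local sorts to 10:45:40Z, matching the notes above; without the zone conversion the firewall event would appear six hours after everything else and the timeline would be wrong.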

4. Task Assignment

L1 → L2 → L3 escalation chain.

Example:

L1 Action: Validate alert  
L2 Action: Deep investigation  
L3 Action: Forensics + threat hunting  

Tasks appear directly inside the ticket.


Integrating SIEM and Ticketing

SIEM alerts automatically create cases. The integration should attach repeat firings of the same rule against the same host or user to the existing case rather than opening a new ticket each time; otherwise the 3,000 alerts per day mentioned earlier become 3,000 tickets.

Example SIEM → ServiceNow integration:

SIEM Alert: Multiple failed logins from IP 91.84.112.3
Auto-generated Ticket: INC-20223
Severity: Medium
Assigned: SOC L1

Automatic enrichment:

  • Geo-IP lookup

  • Threat intel score

  • User identity

  • Historical behavior

This eliminates manual work.


Integrating SOAR and Ticketing

SOAR workflows automate repetitive tasks:

  • IP reputation Lookups

  • Hash scanning

  • Sandbox analysis

  • Blocking malicious IPs

  • Isolating endpoints

SOAR updates ticket states dynamically.

Example update pushed to ticket:

SOAR Action: Host Isolated
Result: Success
Time: 12:11 PM

Analysts see all actions without leaving the case.
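The two integrations above come down to one case store that both the SIEM and the SOAR write to. The following is an added example, not code from the page or from ServiceNow, TheHive or JIRA (their REST APIs differ and none is called here): an in-memory case manager that turns constructed SIEM alerts into cases, collapses repeat firings onto the existing case, enriches each new case from a constructed local threat-intel table (a stand-in for a real reputation feed), raises severity on a high-confidence intel hit, and records a SOAR host-isolation action on the case with actor, result and time. The INC- numbering and the 12:11 isolation time follow the page's examples; the dedup rule (same rule, same entity, same day) and the 80-point intel threshold are assumptions.

```python
"""Create cases from SIEM alerts and record SOAR actions on them.

Added example: an in-memory stand-in for a ticketing API. It shows the two
things that matter in the integration: duplicate alerts attach to an existing
case instead of opening a new ticket, and every SOAR action is written to the
case with actor, result and time.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed threat-intel table standing in for a reputation feed (offline).
LOCAL_INTEL: Dict[str, Dict] = {
    "91.84.112.3": {"score": 35, "tags": ["scanner"]},
    "185.88.112.93": {"score": 92, "tags": ["c2", "ransomware"]},
}
SEVERITY_ORDER = ["Low", "Medium", "High", "Critical"]


@dataclass
class Case:
    case_id: str
    title: str
    severity: str
    assignee: str = "SOC L1"
    status: str = "New"
    alert_count: int = 1
    enrichment: Dict = field(default_factory=dict)
    actions: List[Dict] = field(default_factory=list)


class CaseManager:
    def __init__(self, start_seq: int = 20222) -> None:
        self._seq = start_seq            # first case becomes INC-20223, as on the page
        self.cases: Dict[str, Case] = {}
        self._by_key: Dict[str, str] = {}

    @staticmethod
    def dedup_key(alert: Dict) -> str:
        # Assumed rule: same SIEM rule, same entity, same calendar day -> same case.
        raw = f"{alert['rule']}|{alert['entity']}|{alert['time'][:10]}"
        return hashlib.sha256(raw.encode()).hexdigest()[:16]

    @staticmethod
    def enrich(alert: Dict) -> Dict:
        intel = LOCAL_INTEL.get(alert.get("ip", ""), {"score": 0, "tags": []})
        return {"ip": alert.get("ip"), "intel_score": intel["score"],
                "intel_tags": list(intel["tags"]), "user": alert.get("user")}

    def ingest(self, alert: Dict) -> Case:
        key = self.dedup_key(alert)
        if key in self._by_key:                 # repeat firing: attach, do not duplicate
            case = self.cases[self._by_key[key]]
            case.alert_count += 1
            return case
        enrichment = self.enrich(alert)
        severity = alert["severity"]
        # Assumed policy: an intel score of 80+ raises severity one step at intake.
        if enrichment["intel_score"] >= 80 and severity != "Critical":
            severity = SEVERITY_ORDER[SEVERITY_ORDER.index(severity) + 1]
        self._seq += 1
        case = Case(case_id=f"INC-{self._seq}", title=alert["rule"],
                    severity=severity, enrichment=enrichment)
        self.cases[case.case_id] = case
        self._by_key[key] = case.case_id
        return case

    def record_action(self, case_id: str, action: str, result: str,
                      actor: str = "SOAR", when: Optional[datetime] = None) -> Case:
        """Append a SOAR/analyst action to the case; successful isolation marks it Contained."""
        case = self.cases[case_id]
        when = when or datetime.now(timezone.utc)
        case.actions.append({"time": when.isoformat(timespec="minutes"),
                             "actor": actor, "action": action, "result": result})
        if action == "isolate_host" and result == "success":
            case.status = "Contained"
        return case


# Constructed alerts as a SIEM would emit them (illustrative, not real data).
SAMPLE_ALERTS = [
    {"rule": "Multiple failed logins", "severity": "Medium", "entity": "91.84.112.3",
     "ip": "91.84.112.3", "user": None, "time": "2024-05-14T12:01:00Z"},
    {"rule": "Multiple failed logins", "severity": "Medium", "entity": "91.84.112.3",
     "ip": "91.84.112.3", "user": None, "time": "2024-05-14T12:03:00Z"},
    {"rule": "Outbound to known C2", "severity": "Medium", "entity": "WIN-DEVICE-12",
     "ip": "185.88.112.93", "user": "mayur@company.com", "time": "2024-05-14T12:05:00Z"},
]


def run_sample() -> CaseManager:
    cm = CaseManager()
    for a in SAMPLE_ALERTS:
        cm.ingest(a)
    cm.record_action("INC-20224", "isolate_host", "success",
                     when=datetime(2024, 5, 14, 12, 11, tzinfo=timezone.utc))
    return cm


if __name__ == "__main__":
    for c in run_sample().cases.values():
        print(c)
```

The three alerts produce two cases: the repeated failed-login alert increments the count on INC-20223 instead of opening a third ticket, and the C2 alert opens INC-20224 at High because the intel hit raised it from Medium before any analyst looked at it.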


Practical Example: Full Case Lifecycle

Step 1: Alert Generated

SIEM triggers:

Alert: Unusual PowerShell execution
Host: WIN-DEVICE-12

Ticket is created automatically.

Step 2: L1 Triage

L1 checks:

  • Sysmon Event ID 1 (process creation, including the full command line)

  • PowerShell Operational log Event ID 4104 (script block logging; only present if Script Block Logging is enabled)
  • EDR alert

L1 notes:

Suspicious encoded command detected. Possible lateral movement.
Escalating to Tier 2.

Step 3: L2 Deep Investigation

L2 adds:

  • Process tree screenshot

  • PCAP evidence

  • Firewall logs

Finds actual malware:

SHA256 hash: 48af92cdd44e991... flagged as Cobalt Strike Beacon

L2 starts containment.

Step 4: L3 Forensics

Performs:

  • Memory dump

  • Persistence artifact check

  • Full timeline analysis

Documents:

Attacker used Run registry key for persistence.
Removed malicious payload.
Patched vulnerable service.

Step 5: Ticket Closure

The case is closed with:

  • Summary

  • Evidence

  • Lessons learned

  • Recommendations


What Makes a Ticket “Good” in SOC

A high-quality SOC case includes:

  • Clear summary

  • Indicators of compromise

  • Evidence files

  • Analyst notes

  • Timeline

  • Containment actions

  • Root cause

  • Recovery steps

  • Prevention recommendations

A weak ticket means analysts in the future will not understand what happened.
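A case management system can enforce that list at the Close transition. The following is an added example, not the page's code and not a feature of any named tool: a closure gate that refuses to close a case when a required section is missing or holds a placeholder like "TBD", when the timeline is out of order, or when an IOC is malformed (an invalid IP, a domain that does not parse, or a truncated hash such as the "48af92cdd44e991..." shown earlier, which would break any blocklist it is exported to). The field names, the placeholder set and the two constructed cases are assumptions for the example.

```python
"""Gate case closure on the fields a good SOC ticket must carry.

Added example (not the page's code): a closure check of the kind a case
management system's "Close" transition would run.
"""
import ipaddress
import re
from typing import Dict, List

REQUIRED = ("summary", "iocs", "evidence", "notes", "timeline",
            "containment", "root_cause", "recovery", "recommendations")
PLACEHOLDERS = {"tbd", "todo", "n/a", "unknown", ""}
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$")


def ioc_is_valid(ioc: Dict) -> bool:
    """Reject IOCs that would poison a blocklist: bad IPs, truncated hashes, junk domains."""
    kind, value = ioc.get("type"), str(ioc.get("value", "")).strip().lower()
    if kind == "ip":
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            return False
    if kind == "sha256":
        return bool(SHA256_RE.match(value))
    if kind == "domain":
        return bool(DOMAIN_RE.match(value))
    return False  # unknown IOC type: reject rather than export blindly


def closure_problems(case: Dict) -> List[str]:
    """Return every reason the case may not be closed; empty list means it can."""
    problems = []
    for f in REQUIRED:
        v = case.get(f)
        if not v or (isinstance(v, str) and v.strip().lower() in PLACEHOLDERS):
            problems.append(f"missing or placeholder: {f}")
    # Timeline entries use zero-padded HH:MM strings, so lexical order is time order.
    times = [e.get("time", "") for e in case.get("timeline", [])]
    if times != sorted(times):
        problems.append("timeline not in chronological order")
    for ioc in case.get("iocs", []):
        if not ioc_is_valid(ioc):
            problems.append(f"malformed ioc: {ioc.get('type')}={ioc.get('value')}")
    return problems


def can_close(case: Dict) -> bool:
    return not closure_problems(case)


# Constructed cases (illustrative). BAD_CASE mirrors common closure mistakes.
GOOD_CASE = {
    "summary": "Cobalt Strike beacon on WIN-DEVICE-12 after malicious macro",
    "iocs": [{"type": "ip", "value": "185.88.112.93"},
             {"type": "sha256", "value": "a" * 64}],   # dummy full-length hash
    "evidence": ["pcap_exfil_traffic.pcap", "process_tree.png"],
    "notes": "Encoded PowerShell spawned by winword.exe; C2 over 443.",
    "timeline": [{"time": "10:33", "event": "EDR alert"},
                 {"time": "10:45", "event": "C2 confirmed, escalated to L2"}],
    "containment": "Host isolated via EDR; egress to C2 blocked at firewall.",
    "root_cause": "User opened macro-enabled attachment; macros not blocked by policy.",
    "recovery": "Host reimaged; credentials reset.",
    "recommendations": "Block macros from the internet via GPO.",
}
BAD_CASE = dict(GOOD_CASE, root_cause="TBD",
                iocs=[{"type": "sha256", "value": "48af92cdd44e991..."}],
                timeline=list(reversed(GOOD_CASE["timeline"])))

if __name__ == "__main__":
    print("good case closable:", can_close(GOOD_CASE))
    print("bad case problems:", closure_problems(BAD_CASE))
```

Wire `closure_problems` into the Close transition and surface the list back to the analyst; the point is that the ticket cannot be closed with "TBD" in the root cause or a half-pasted hash in the IOC table, which is exactly what a future analyst reading the case would otherwise inherit.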


Intel Dump

  • Ticketing systems track alerts, investigations, evidence, and escalation.

  • Tools like ServiceNow, TheHive, JIRA, and RTIR are widely used in SOCs.

  • Tickets store evidence such as logs, PCAPs, process trees, and screenshots.

  • SIEM and SOAR integrations automate case creation and enrichment.

  • Cases must contain timelines, analyst notes, containment steps, and root cause analysis.

  • Proper case management ensures structured investigations and consistent incident handling.
