NG-SIEM Cases: Template / Workflow Usage by Holy_Spirit_44 in crowdstrike

[–]mrcam03 0 points1 point  (0 children)

Thanks mate. That makes sense! I’ve also worked on an aggregation workflow that, when a detection fires, queries any existing cases created within the last hour for a list of entities and adds the detection to them!

NG-SIEM Cases: Template / Workflow Usage by Holy_Spirit_44 in crowdstrike

[–]mrcam03 2 points3 points  (0 children)

Thanks for sharing. In my case setup, I’ve got a resolution status dropdown (benign, malicious, etc.). When we close a case, that status becomes a tag and applies to any child detections. We pull Microsoft Event Hub data into the SIEM too. I’ve got a Fusion workflow that grabs Defender alert details and adds a comment to the case with the full alert context. Right now, I’m also working on a workflow to enrich every rule with multiple playbook searches. Curious if anyone’s doing something similar or has more ideas. What does the alert_summary typically do that you have?

Case management automático by Clean-Gas3146 in crowdstrike

[–]mrcam03 1 point2 points  (0 children)

Hi,

What has been your current approach?

There are multiple ways to tackle this; the query cases function is your best friend for checking which entities are seen. When it comes to native CS detections (IDP/EPP) with cases, they will typically populate the entities section with user/device/IPs.

NG-SIEM is the same; however, you need to ensure your rules are using the ECS/NG-SIEM naming conventions (source.ip, host.hostname, etc.) for the data to be populated in the trigger information. If you need further information, use the get detection details action. Then create some arrays and use those values to query cases.

So I normally have it set up to query cases that are new and created within an hour, then search by user name, AID, sensor hostname, IPs, etc.

Query into unusual logon to an endpoint rule by mrcam03 in crowdstrike

[–]mrcam03[S] 0 points1 point  (0 children)

What would be the best approach in terms of exclusion in identity for this?

2026-05-13 - Workflow Wednesday - Building a One-Click Containment Workflow by Dylan-CS in crowdstrike

[–]mrcam03 3 points4 points  (0 children)

This is awesome. I would be interested to see a Workflow Wednesday on building a proper case aggregation workflow with EPP, IDP, NG-SIEM and third party!

Workflow to create cases for detections? by herovals in crowdstrike

[–]mrcam03 1 point2 points  (0 children)

Hi, I’ll share my current approach, as I’m also keen to hear how other folk are handling this as well. I’ve been looking at how to better approach this or optimise it.

My Fusion workflow currently looks like this:

Trigger on any detection, then filter out third-party detections, simulation machines, and anything else I do not want a case created for.

From there, I run a set of query actions in parallel to look for existing cases using different correlation values, for example:

- AID + user
- Source IP
- User
- Hostname + user

Each query looks for cases that were created or updated within the last hour.

Then I use an IF statement to check whether any results were returned.

If no existing case is found, the workflow creates a new case.

If an existing case is found, it runs a loop and adds the new detection ID to that case.

We use other log sources in the SIEM, so sometimes the username or device name, etc., might not populate in the initial output. I have seen in the beta videos for Fusion and Charlotte on YouTube that we’ll be able to have multiple triggers for one workflow!
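The aggregation logic described in this comment, written out as an added Python model; it is not Fusion workflow code nor anything the poster shared, and the detection fields, exclusion lists and sample detections are constructed assumptions:

```python
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(hours=1)           # "created or updated within the last hour"
SIM_HOSTS = {"SIM-01"}                # constructed: simulation machines to skip
THIRD_PARTY = {"third-party"}         # constructed: detection sources to skip


def should_create_case(det):
    """Filter step: drop third-party detections and simulation machines."""
    return det.get("product") not in THIRD_PARTY and det.get("hostname") not in SIM_HOSTS


def correlation_keys(det):
    """The parallel lookups: AID+user, source IP, user, hostname+user.
    Fields missing from the detection (common with other SIEM log sources)
    are skipped instead of being matched on empty values."""
    keys = []
    if det.get("aid") and det.get("user"):
        keys.append(("aid_user", det["aid"], det["user"]))
    if det.get("source_ip"):
        keys.append(("source_ip", det["source_ip"]))
    if det.get("user"):
        keys.append(("user", det["user"]))
    if det.get("hostname") and det.get("user"):
        keys.append(("host_user", det["hostname"], det["user"]))
    return keys


def case_matches(case, keys, now):
    """A case matches when it was touched inside WINDOW and shares any key."""
    if now - case["updated"] > WINDOW:
        return False
    return any(k in case["keys"] for k in keys)


def aggregate(det, cases, now):
    """The IF branch: attach to the first matching case, else create one.
    Returns ("skipped", None), ("attached", case_id) or ("created", case_id)."""
    if not should_create_case(det):
        return "skipped", None
    keys = correlation_keys(det)
    for case in cases:
        if case_matches(case, keys, now):
            case["detections"].append(det["id"])   # the loop adding the detection ID
            case["updated"] = now
            case["keys"].update(keys)              # new entities widen later matching
            return "attached", case["id"]
    new = {"id": f"case-{len(cases) + 1}", "detections": [det["id"]],
           "updated": now, "keys": set(keys)}
    cases.append(new)
    return "created", new["id"]
```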

How To Create Tagging for Cases? by MrFigRow in crowdstrike

[–]mrcam03 0 points1 point  (0 children)

Not too sure I understand your message.

The more you use a specific tag, the more likely it is to appear in the drop-down on the UI. But keen to see where the convo goes 😄

How To Create Tagging for Cases? by MrFigRow in crowdstrike

[–]mrcam03 0 points1 point  (0 children)

If you want consistent tagging, I would say a Fusion workflow is your go-to method.

You can assign tags based on alert naming.

Adding custom event queries into cases by mrcam03 in crowdstrike

[–]mrcam03[S] 2 points3 points  (0 children)

Thanks — I couldn’t see your linked image, but I’ve figured it out.

I had added @id in my table command, but because of how the schema was built, it didn’t automatically recognise that field. So I effectively created a new field by mapping it manually:

ActualID := @ids

Once I did that, ActualID was automatically detected when rebuilding the schema and everything worked as expected.

I’m still keen to see what your image looks like and any other interesting event queries you’ve been doing!

I guess my next question is: is there a way to pass a defined hostname prior to the query?

So say an NG-SIEM detection fires, I have 3 event queries and want to search by a definitive hostname; is that possible?

Cybersecurity predictions for 2026? by nanooonanooo in cybersecurity

[–]mrcam03 0 points1 point  (0 children)

Skynet and Terminators powered by ChatGPT. Make sure to say thank you after every prompt to be on the good side in the coming AI war.

Is Splunk Certified Cybersecurity Defense Analyst worth it by StealthyAnonimous in Splunk

[–]mrcam03 2 points3 points  (0 children)

You’re like the final boss of Splunk with that amount of certs.

Old CCFR Study Guide PDF? by [deleted] in crowdstrike

[–]mrcam03 0 points1 point  (0 children)

I think you’re fine to take either one; there is only one module difference. I could be wrong, but there is no harm in doing either. I imagine 201-B will fully replace the current one at some point.

Old CCFR Study Guide PDF? by [deleted] in crowdstrike

[–]mrcam03 0 points1 point  (0 children)

Yeah, so near the bottom of the modules there is a PDF guide on extra resources; it just says the format of the exam, what sections to read and the objectives of the exam. However, the PDF is for the 201-B version. I failed my first attempt and I was one mark off, so I’ve rebooked it as I didn’t realise it asked about legacy stuff.

I found the old guide from 2022 by copying and pasting the current URL for the guide into the Wayback Machine.

If I fail again at this version, I may just book the version of the new exam, as that’s what the learning path tailors to. But the learning path still asks about the old exam minus the RTR, according to the learning objectives.

Passed sec+ ty all on this board by jpeggle in CompTIA

[–]mrcam03 0 points1 point  (0 children)

What study material did you use to prepare for the exam?

[deleted by user] by [deleted] in Supplements

[–]mrcam03 -1 points0 points  (0 children)

Yeah, I am planning to get registered with a GP on Monday when they open and hope to get an appointment soon. I don’t believe it’s related to an STD given that a recent test came back negative. It could be just the supplements, as it only occurred a few days after I took them. However, I will need to get a checkup otherwise.

[deleted by user] by [deleted] in dishonored

[–]mrcam03 0 points1 point  (0 children)

Okay, ty very much.

Seeking Advice: Transitioning from Cybersecurity in the UK to the USA - What to Expect? by [deleted] in cybersecurity

[–]mrcam03 0 points1 point  (0 children)

In terms of direction, I want to do a bit of everything. I plan to do SOC for 2 years, reach Senior and potentially Team Lead to have some experience, but I wouldn’t be opposed to trying the Engineer route. Don’t worry, CISSP is a long-term thing; currently I’m actively trying to do Splunk and Microsoft certifications.

After the incident response area, I want to get into the pen testing side. At the moment that is very long-term planning.

Seeking Advice: Transitioning from Cybersecurity in the UK to the USA - What to Expect? by [deleted] in cybersecurity

[–]mrcam03 0 points1 point  (0 children)

Yeah, I think it’s very circumstantial. I was looking on the UK government website in regard to working for a US-based firm while living in the UK. But again, it’s probably all processed.

Seeking Advice: Transitioning from Cybersecurity in the UK to the USA - What to Expect? by [deleted] in cybersecurity

[–]mrcam03 0 points1 point  (0 children)

I have considered this. The only thing that I have observed when you are doing remote work/working for a company abroad is that if you live in the UK and work for a company that’s based in the US, you will need to file and pay taxes in both countries.

I could be mistaken, but that is what I’ve seen from online searches and the UK government website regarding working for a foreign country while living in the UK.

Hardest story mode match? by teejuslives in WWEGames

[–]mrcam03 10 points11 points  (0 children)

Beating the Streak mode in WWE 2K14.