# Case Management and Ticketing Best Practices

One-sentence definition: Structure investigations and operational work with consistent fields, SLAs, and evidence links.

## Key Facts

- Mandatory fields: severity, owner, timeline, artifacts, actions, status.
- Integrate SIEM/SOAR to auto-create cases with the alert context attached.
- Use workflows, approvals, and closure criteria; measure throughput and case aging.
- **Verify:** check the official (ISC)² CBK and the current exam outline.

## Exam Relevance

- Choose standardized cases to improve handoffs and auditability.

**Mnemonic:** "**Track** to **treat**."

## Mini Scenario

Q: Duplicate cases flood the SOC. Which control applies?

A: Correlation/dedup in SOAR; suppression rules; ownership assignment.

## Revision Checklist

- Name three mandatory fields.
- Name the integration point.
- State the closure rule.

## Related

[[Security Operations Center (SOC) Fundamentals]] · [[Playbooks and SOAR Automation]] · [[Operational Metrics and KPIs (MTTD MTTR Coverage)]] · [[IR Communications and Stakeholder Notifications]] · [[Domain 7 - Index]]