Configure Case Manager

Customize Incidents

Customize incident types, fields, and layouts to better align Case Manager with your existing or other internal ticketing systems.

Depending on your organization and your industry, consider customizing incidents to tailor Case Manager to your needs. For example, a hospital Security Operations Center (SOC) may create a HIPAA field to review the percentage of historical incidents in which HIPAA data was breached, or view all active incidents that contain HIPAA data.

Start by creating an incident type. Then, create custom fields for that type and organize them into a layout that works best for you. For each incident type, create phases and tasks to standardize your team's response to that type of incident and ensure they take the required steps.

If you don't want to start from scratch, you can also edit out-of-the-box incident types, fields, phases, and tasks to better suit your needs.

Incident Types

Standardize information, actions, and evidence for common security incidents using incident types.

An incident type is a category that represents a security scenario. Incident types standardize incident fields, phases, tasks, and playbooks, and ensure you have the information and tools you need to resolve an incident based on attack vector or case context.

For example: In your organization, a phishing campaign targets multiple users, and each user automatically triggers and creates an incident. Since all these incidents are of a specific type—phishing—you need a specific set of information, actions, and evidence to resolve them, like sender, recipient, or email subject. The phishing incident type ensures they are all included in a phishing incident, and you have everything you need to research and resolve it.

There are 22 out-of-the-box incident types: one for each Exabeam Threat Detection, Investigation, and Response (TDIR) Use Case Package, one automatically assigned to all incidents, and one specifically for incidents created from notable Advanced Analytics sessions.

You can modify these out-of-the-box incident types to better suit your needs or create your own incident type from scratch.

Generic Incident Type

The Generic incident type standardizes incident fields for every incident created, manually or automatically.

Every incident created, manually or automatically, is automatically assigned the Generic incident type. You can't unassign the Generic incident type from an incident; every incident must be assigned the Generic incident type.

The Generic incident type comes with specific incident fields. You can't remove these incident fields from the incident type, but you can add custom incident fields for information you want to appear in every incident. You can also customize the incident type's layout and rearrange how these fields appear in an incident.

Behavior Analytics Incident Type

The out-of-the-box Behavior Analytics incident type standardizes incident fields, phases, and tasks for incidents created from a notable Advanced Analytics session or sequence.

When an Advanced Analytics user session or asset sequence becomes notable and creates a Case Manager incident, the incident is automatically assigned the Behavior Analytics incident type.

The Behavior Analytics incident type comes with specific incident fields, and also prescribes specific phases and tasks for investigating, containing, and remediating the incident. You can customize them to better suit your needs.

You can assign additional incident types on top of the Behavior Analytics type to keep the Behavior Analytics incident fields, or reassign the incident to a more accurate incident type. To quickly and accurately reassign the incident to the correct type, consider using the Automated Incident Classification turnkey playbook.

Out-of-the-Box Incident Types for Compromised Insiders Use Cases

Standardize information, actions, and evidence for Compromised Insiders incidents using seven related out-of-the-box incident types.

There are seven out-of-the-box incident types, one for each Compromised Insiders use case:

Compromised Credentials Incident Type

Use the out-of-the-box Compromised Credentials incident type to standardize incident fields, phases, and tasks for incidents in which an external actor steals credentials to access your system.

The Compromised Credentials use case describes when an attacker disguises themselves as a valid user with legitimate access and uses stolen credentials to access your system. Assign the Compromised Credentials incident type to incidents in which someone has stolen credentials, authenticated anomalously, or done something else to indicate they are compromising your system externally.

The Compromised Credentials incident type comes with specific incident fields, and also prescribes specific phases and tasks for investigating, containing, and remediating the incident. You can customize them to better suit your needs.

Lateral Movement Incident Type

Use the out-of-the-box Lateral Movement incident type to standardize incident fields, phases, and tasks for incidents in which an external actor moves through your network and jumps between devices to search for sensitive data.

The Lateral Movement use case describes when an attacker moves through a network and jumps between devices to search for sensitive data and other high-value assets. Assign the Lateral Movement incident type to incidents in which a privileged account or asset does something unusual, or a non-privileged user does something that typically requires privileged access.

The Lateral Movement incident type comes with specific incident fields, and also prescribes specific phases and tasks for investigating, containing, and remediating the incident. You can customize them to better suit your needs.

Privilege Escalation Incident Type

Use the out-of-the-box Privilege Escalation incident type to standardize incident fields, phases, and tasks for incidents in which an external actor steals credentials to access your system.

The Privilege Escalation use case describes when an attacker increases the privileges of an account they compromised or switches accounts to increase their access. Assign the Privilege Escalation incident type to incidents in which a host or person uses brute-force techniques to find valid credentials, executes BloodHound, or switches accounts.

The Privilege Escalation incident type comes with specific incident fields, and also prescribes specific phases and tasks for investigating, containing, and remediating the incident. You can customize them to better suit your needs.

Privileged Activity Incident Type

Use the out-of-the-box Privileged Activity incident type to standardize incident fields, phases, and tasks for incidents in which there's unusual behavior around privileged accounts, assets, or other activity.

The Privileged Activity use case describes when a privileged account or asset does something unusual, or a non-privileged user does something that typically requires privileged access. Assign the Privileged Activity incident type to an incident in which a disabled or deactivated user account becomes active, a non-privileged user accesses privileged assets, an account anomalously accesses domain controllers, or an administrative account triggers a security alert.

The Privileged Activity incident type comes with specific incident fields, and also prescribes specific phases and tasks for investigating, containing, and remediating the incident. You can customize them to better suit your needs.

Account Manipulation Incident Type

Use the out-of-the-box Account Manipulation incident type to standardize incident fields, phases, and tasks for incidents in which an attacker uses persistence techniques to maintain their access to your network.

The Account Manipulation use case describes when an attacker uses persistence techniques to maintain access to your network even if you try to interrupt or cut off their access. Persistence techniques include creating or manipulating user accounts, or modifying credentials or permissions to groups. If an incident involves any of these behaviors, assign it the Account Manipulation incident type.

The Account Manipulation incident type comes with specific incident fields, and also prescribes specific phases and tasks for investigating, containing, and remediating the incident. You can customize them to better suit your needs.

Data Exfiltration Incident Type

Use the out-of-the-box Data Exfiltration incident type to standardize incident fields, phases, and tasks for incidents in which an attacker compromises an account in your organization to exfiltrate data.

The Data Exfiltration use case describes when an attacker illicitly transfers data outside your organization. Assign the Data Exfiltration incident type to incidents in which an account triggers Data Loss Prevention (DLP) alerts, uploads large amounts of data, or uses other techniques to exfiltrate data from your network.

The Data Exfiltration incident type comes with specific incident fields, and also prescribes specific phases and tasks for investigating, containing, and remediating the incident. You can customize them to better suit your needs.

Evasion Incident Type

Use the out-of-the-box Evasion incident type to standardize incident fields, phases, and tasks for incidents in which an attacker uses techniques to avoid being detected.

The Evasion use case describes when an attacker uses techniques to avoid being detected as they compromise your system. Assign the Evasion incident type to an incident in which someone disables or uninstalls security software, obfuscates or encrypts data, or otherwise abuses trusted processes to hide malware.

The Evasion incident type comes with specific incident fields, and also prescribes specific phases and tasks for investigating, containing, and remediating the incident. You can customize them to better suit your needs.

Out-of-the-Box Incident Types for Malicious Insiders Use Cases

Standardize information, actions, and evidence for Malicious Insiders incidents using eight related out-of-the-box incident types.

There are eight out-of-the-box incident types, one for each Malicious Insiders use case:

Data Leak Incident Type

Use the out-of-the-box Data Leak incident type to standardize incident fields, phases, and tasks for incidents in which someone in your organization transfers or steals data.

The Data Leak use case describes when an employee, partner, or contractor illicitly transfers data outside your organization. Assign the Data Leak incident type to an incident in which someone in your organization sends email to personal accounts, uploads a lot of data, triggers Data Loss Prevention (DLP) alerts, or uses other techniques to exfiltrate data from your network.

The Data Leak incident type comes with specific incident fields, and also prescribes specific phases and tasks for investigating, containing, and remediating the incident. You can customize them to better suit your needs.

Privilege Abuse Incident Type

Use the out-of-the-box Privilege Abuse incident type to standardize incident fields, phases, and tasks for incidents in which someone takes over a privileged account and uses it to access, exploit, or damage confidential business entities.

The Privilege Abuse use case describes when a privileged account does something unusual, or a non-privileged user does something that typically requires privileged access. Assign the Privilege Abuse incident type to an incident in which a non-privileged, privileged, service, executive, or disabled account anomalously accesses assets, creates accounts, or triggers security alerts.

The Privilege Abuse incident type comes with specific incident fields, and also prescribes specific phases and tasks for investigating, containing, and remediating the incident. You can customize them to better suit your needs.

Data Access Abuse Incident Type

Use the out-of-the-box Data Access Abuse incident type to standardize incident fields, phases, and tasks for incidents in which someone in your organization anomalously accesses and collects data.

The Data Access Abuse use case describes when someone in your organization anomalously accesses sensitive corporate data and resources, which is usually a precursor to a data leak. Assign the Data Access Abuse incident type to an incident in which someone in your organization accesses certain applications or databases for the first time, accesses data from risky geographical locations, or uses other techniques to collect data.

The Data Access Abuse incident type comes with specific incident fields, and also prescribes specific phases and tasks for investigating, containing, and remediating the incident. You can customize them to better suit your needs.

Audit Tampering Incident Type

Use the out-of-the-box Audit Tampering incident type to standardize incident fields, phases, and tasks for incidents in which someone clears logs or other data to destroy an audit trail.

The Audit Tampering use case describes when someone in your organization tampers with audit logs to destroy an incriminating audit trail and evade detection. Assign the Audit Tampering incident type to an incident in which someone clears audit or event logs, or uses other techniques to manipulate, interrupt, or destroy data and avoid being detected.

The Audit Tampering incident type comes with specific incident fields, and also prescribes specific phases and tasks for investigating, containing, and remediating the incident. You can customize them to better suit your needs.

Destruction of Data Incident Type

Use the out-of-the-box Destruction of Data incident type to standardize incident fields, phases, and tasks for incidents in which someone in your organization destroys or manipulates data to sabotage your organization.

The Destruction of Data use case describes when someone in your organization deletes data to harm your organization and disrupt critical business operations. Assign the Destruction of Data incident type to incidents in which someone starts deleting accounts, anomalously manipulates files, or uses other techniques to manipulate, interrupt, or destroy your data.

The Destruction of Data incident type comes with specific incident fields, and also prescribes specific phases and tasks for investigating, containing, and remediating the incident. You can customize them to better suit your needs.

Physical Security Incident Type

Use the out-of-the-box Physical Security incident type to standardize incident fields, phases, and tasks for incidents in which someone in your organization anomalously accesses a physical space.

The Physical Security use case describes when someone in your organization anomalously accesses physical spaces. Assign the Physical Security incident type to incidents in which someone fails to badge in somewhere they've never been, uses a disabled account to try to access a physical space, or otherwise anomalously badges into a building or location.

The Physical Security incident type comes with specific incident fields, and also prescribes specific phases and tasks for investigating, containing, and remediating the incident. You can customize them to better suit your needs.

Workforce Protection Incident Type

Use the out-of-the-box Workforce Protection incident type to standardize incident fields, phases, and tasks for incidents in which

The Workforce Protection use case describes when someone in your organization shows signs of leaving your organization, communicates with a competitor, or anomalously attends a web conference. Assign the Workforce Protection incident type to incidents in which someone in your organization searches for a job, badges into a physical space at an unusual time, or triggers a Data Loss Prevention (DLP) alert.

The Workforce Protection incident type comes with specific incident fields, and also prescribes specific phases and tasks for investigating, containing, and remediating the incident. You can customize them to better suit your needs.

Abnormal Authentication and Access Incident Type

Use the out-of-the-box Abnormal Authentication and Access incident type to standardize phases and tasks for incidents in which someone in your organization does something unusual, outside their typical behavior patterns.

The Abnormal Authentication and Access use case describes when someone in your organization anomalously does things that aren't typical of them, like accessing or authenticating into unusual applications, critical servers, or browsers. Assign the Abnormal Authentication and Access incident type to incidents in which someone uses a user-agent string for the first time, connects to your network on an unusual day of the week, does something from an unusual geographical location, accesses an application using an unusual operating system or browser, or consecutively fails to log in to their account an excessive number of times.

The Abnormal Authentication and Access incident type doesn't come with specific incident fields, but it does prescribe specific phases and tasks for investigating, containing, and remediating the incident. You can create your own incident fields and customize the phases and tasks to better suit your needs.

Out-of-the-Box Incident Types for External Threats Use Cases

Standardize information, actions, and evidence for External Threats incidents using five related out-of-the-box incident types.

There are five out-of-the-box incident types, one for each External Threats use case:

Phishing Incident Type

Use the out-of-the-box Phishing incident type to standardize incident fields, phases, and tasks for incidents in which an attacker sends fraudulent messages and uses social engineering techniques to trick someone in your organization.

The Phishing use case describes when an attacker uses social engineering techniques in emails or other messaging services to deceive their victims into assisting them. Assign the Phishing incident type to an incident in which someone in your organization receives an email from an unknown domain, sends more emails than usual, receives an email with malicious links or attachments, or if the incident includes other signs of phishing.

The Phishing incident type comes with specific incident fields, and also prescribes specific phases and tasks for investigating, containing, and remediating the incident. You can customize them to better suit your needs.

Malware Incident Type

Use the out-of-the-box Malware incident type to standardize incident fields, phases, and tasks for incidents in which someone becomes the target of a malicious program or code that accesses or damages your system.

The Malware use case describes when an attacker develops malicious programs or code to access your system without authorization, or damage your data or system. Assign the Malware incident type to incidents in which someone accesses a domain generated by a domain generation algorithm (DGA), or triggers an antivirus or endpoint detection and response (EDR) security alert.

The Malware incident type comes with specific incident fields, and also prescribes specific phases and tasks for investigating, containing, and remediating the incident. You can customize them to better suit your needs.

Ransomware Incident Type

Use the out-of-the-box Ransomware incident type to standardize incident fields, phases, and tasks for incidents in which an attacker uses malicious software to encrypt data on your system and extract monetary compensation.

The Ransomware use case describes when an attacker encrypts critical corporate assets and monetarily extorts your organization in exchange for unlocking the assets. Assign the Ransomware incident type to incidents in which an attacker encrypts data on your systems so no one can access files or data, from common user files like PDFs, images, audio or text to critical system files, disk partitions, or a Master Boot Record (MBR).

The Ransomware incident type comes with specific incident fields, and also prescribes specific phases and tasks for investigating, containing, and remediating the incident. You can customize them to better suit your needs.

Brute Force Attack Incident Type

Use the out-of-the-box Brute Force Attack incident type to standardize incident fields, phases, and tasks for incidents in which an automated bot exploits weak passwords and generates numerous fake credentials to access a valid account.

The Brute Force Attack use case describes when automated bots generate numerous combinations of usernames and passwords and use trial-and-error to guess a valid account's credentials. Assign the Brute Force Attack incident type to an incident in which someone has failed to log in to an account multiple times.

The Brute Force Attack incident type comes with specific incident fields, and also prescribes specific phases and tasks for investigating, containing, and remediating the incident. You can customize them to better suit your needs.

Cryptomining Incident Type

Use the out-of-the-box Cryptomining incident type to standardize incident fields, phases, and tasks for incidents in which an attacker maliciously mines for cryptocurrencies using your corporate computing systems.

The Cryptomining use case describes when an attacker exploits high-performance corporate computing systems to maliciously mine for cryptocurrencies. Assign the Cryptomining incident type to incidents in which someone in your organization accesses cryptocurrency websites, accesses websites that mine for cryptocurrency in the browser's background, or runs cryptomining processes on their workstation or host.

The Cryptomining incident type comes with specific incident fields, and also prescribes specific phases and tasks for investigating, containing, and remediating the incident. You can customize them to better suit your needs.

Create an Incident Type

Create an incident type to represent a common security scenario and standardize information, actions, and evidence.

  1. In the navigation bar, click the menu icon (three horizontal lines), select Settings, then select Analytics.

  2. Under Case Management, select Incident Configuration.

  3. In the Types tab, click ADD TYPE.

  4. In the CREATE INCIDENT TYPE menu, enter a name and description for the incident type.

  5. Click SAVE. The new incident type appears in the list of incident types with a Custom status.

    For your new incident type, create custom incident fields or design a custom layout.

Delete an Incident Type

When you delete an incident type you created, you can no longer apply the type to any incidents. Existing incidents that were assigned the type, and their data, are not deleted.

  1. In the navigation bar, click the menu icon (three horizontal lines), select Settings, then select Analytics.

  2. Under Case Management, select Incident Configuration.

  3. In the TYPES tab, hover over an incident type, open the More menu (three vertical dots), then select Delete.

  4. A warning appears. Click DELETE.

Incident Fields

Display information about security incidents using incident fields.

An incident field represents an attribute of a security incident, like its description or the time it was created.

Incident fields are specific to an incident type. For example, the Phishing incident type includes fields like subject, email body, and attachment name. There are also default incident fields that appear in every incident, like description, vendor, or source, under the Generic incident type.

You can create a custom incident field for a specific incident type. After you create a custom incident field, arrange how it appears in the incident type's layout.

Generic Incident Fields

Review out-of-the-box incident fields specific to the Generic incident type.

You cannot remove the out-of-the-box fields from the Generic incident type. You can add custom incident fields to the Generic incident type to ensure they appear in every incident.

  • Incident type – The category the incident belongs under, usually representing a common security scenario. Incident types standardize incident fields, phases, and tasks.

  • Description – A short account of the incident; for example, what occurred and who was involved.

  • Vendor – The vendor that generated the log; for example, Exabeam.

  • Source – The product that generated the log; for example, Exabeam AA.

  • Source severity – The severity of the third-party security alert that created the Case Manager incident.

  • Source ID – The Advanced Analytics session ID, if the incident was created from a notable Advanced Analytics session.

  • Source URL – A link to the notable session in Advanced Analytics, if the incident was created from a notable Advanced Analytics session.

  • Event start time – When the notable session first started, if the incident was created from a notable Advanced Analytics session.

  • Event end time – When the notable session ended, if the incident was created from a notable Advanced Analytics session.

  • Source info – The raw log of the third-party security alert that created the Case Manager incident.

  • Created by – The person who created the incident in Case Manager.

  • Creation time – When the incident was created in Case Manager.

  • Updated by – The person who updated the incident in Case Manager.

  • Updated – When the incident was last updated in Case Manager.

  • Resolved time – When the incident's status was changed to Resolved.

  • Closed time – When the incident's status was changed to Closed or Closed - False Positive.

  • Closed reason – Why the incident's status was changed to Closed or Closed - False Positive. To close the incident, you must enter a value for this field.
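As an added example (not Exabeam's code or API), a small Python model of the rules stated on this page: Generic is always assigned and cannot be removed, a custom field added to Generic appears in every incident (the hospital SOC's HIPAA field from above), each field carries a data type, and closing requires a Closed reason. The class names, the HIPAA field and the sample incidents are constructed for the example.

```python
# Added example, not Exabeam's code: a toy model of the incident-type rules this
# page states, exercised on constructed sample incidents.
from dataclasses import dataclass
from typing import Any, Dict, List

INTEGER, STRING, MULTILINE, URL = "Integer", "String", "Multi-line text", "URL"
CLOSED_STATUSES = {"Closed", "Closed - False Positive"}


@dataclass(frozen=True)
class IncidentField:
    name: str
    data_type: str


@dataclass
class IncidentType:
    name: str
    fields: List[IncidentField]

    def field(self, name: str):
        return next((f for f in self.fields if f.name == name), None)


# Subsets of the out-of-the-box field lists given on this page.
GENERIC = IncidentType("Generic", [IncidentField("Description", STRING),
                                   IncidentField("Vendor", STRING),
                                   IncidentField("Closed reason", STRING)])
BEHAVIOR_ANALYTICS = IncidentType("Behavior Analytics", [
    IncidentField("Alert count", INTEGER),
    IncidentField("Exabeam risk score", INTEGER),
    IncidentField("Sequence type", STRING),   # page: "Session" or "Asset"
])


def value_matches(data_type: str, value: Any) -> bool:
    """Type check for the page's Integer / String / Multi-line text types."""
    if data_type == INTEGER:
        return isinstance(value, int) and not isinstance(value, bool)
    return isinstance(value, str)


class Incident:
    def __init__(self, description: str) -> None:
        # Every incident is assigned the Generic type automatically and keeps it.
        self.types: Dict[str, IncidentType] = {GENERIC.name: GENERIC}
        self.values: Dict[str, Any] = {}
        self.status = "New"
        self.set_field("Description", description)

    def assign_type(self, itype: IncidentType) -> None:
        self.types[itype.name] = itype  # further types stack on top of Generic

    def unassign_type(self, name: str) -> None:
        if name == GENERIC.name:
            raise ValueError("the Generic incident type cannot be unassigned")
        self.types.pop(name)

    def set_field(self, name: str, value: Any) -> None:
        fld = next((t.field(name) for t in self.types.values() if t.field(name)), None)
        if fld is None:
            raise KeyError(f"field {name!r} belongs to no assigned incident type")
        if name == "Sequence type" and value not in ("Session", "Asset"):
            raise ValueError("Sequence type must be 'Session' or 'Asset'")
        if not value_matches(fld.data_type, value):
            raise TypeError(f"{name!r} expects {fld.data_type}, got {value!r}")
        self.values[name] = value

    def set_status(self, status: str) -> None:
        # Either closed status requires a Closed reason value first.
        if status in CLOSED_STATUSES and not self.values.get("Closed reason"):
            raise ValueError("Closed reason is required to close an incident")
        self.status = status


def hipaa_breach_percentage(incidents: List[Incident]) -> float:
    """The page's hospital-SOC example: share of incidents whose hypothetical custom
    'HIPAA data' field (added to Generic, so present in every incident) is 'yes'."""
    hits = sum(1 for i in incidents if i.values.get("HIPAA data") == "yes")
    return 100.0 * hits / len(incidents) if incidents else 0.0


def demo() -> dict:
    """Constructed walk-through; returns the outcomes so they can be checked."""
    if GENERIC.field("HIPAA data") is None:   # hypothetical custom Generic field
        GENERIC.fields.append(IncidentField("HIPAA data", STRING))
    inc = Incident("Notable session for user jdoe (constructed)")
    inc.assign_type(BEHAVIOR_ANALYTICS)
    inc.set_field("Sequence type", "Session")
    inc.set_field("Exabeam risk score", 142)
    inc.set_field("HIPAA data", "yes")
    other = Incident("Reported phishing email (constructed)")
    other.set_field("HIPAA data", "no")
    rejected = []
    for action in (lambda: inc.unassign_type("Generic"),        # Generic is sticky
                   lambda: inc.set_status("Closed"),            # no Closed reason yet
                   lambda: inc.set_field("Alert count", "3")):  # Integer, not String
        try:
            action()
        except (ValueError, TypeError) as exc:
            rejected.append(type(exc).__name__)
    inc.set_field("Closed reason", "Confirmed compromised credentials; password reset")
    inc.set_status("Closed")
    return {"rejected": rejected, "status": inc.status,
            "hipaa_pct": hipaa_breach_percentage([inc, other])}
```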

Behavior Analytics Incident Fields

Review out-of-the-box incident fields specific to the Behavior Analytics incident type. Each field's data type is shown in parentheses.

  • Alert count (Integer) – The number of security alerts triggered during the notable session.

  • Asset count (Integer) – The number of assets affected in the notable session.

  • Asset ID (String) – The notable asset's ID.

  • Event count (Integer) – The number of events in the notable session.

  • Exabeam risk score (Integer) – The risk score for the notable session.

  • Location count (Integer) – The number of geographical locations involved in the notable session.

  • Risk reasons (Multi-line text) – All rules that triggered during the notable session.

  • Rule count (Integer) – The number of rules that triggered during the notable session.

  • Sequence ID (String) – The notable session or sequence's ID.

  • Sequence type (String) – Whether a notable user session or asset sequence created the incident. If a notable user session created the incident, the value is Session. If a notable asset sequence created the incident, the value is Asset.

  • Timeline page (URL) – Link to the notable session or sequence in the Smart Timeline™.

  • User ID (String) – The notable user's username.

  • User page (URL) – Link to the notable user's profile.

  • Zones count (Integer) – The number of zones involved in the notable session.

Out-of-the-Box Incident Fields for Compromised Insiders Incident Types

Each incident type has a unique set of incident fields. Review the incident fields for each Compromised Insiders incident type.

There are seven out-of-the-box incident types, one for each Compromised Insiders use case. Each incident type contains a specific set of incident fields out of the box.

You can edit certain incident fields and rearrange how they appear in the incident type's layout to better suit your needs.

Compromised Credentials Incident Fields

Review out-of-the-box incident fields specific to the Compromised Credentials incident type. Each field's data type is shown in parentheses.

  • User status (String) – The employee's current employment status; for example, employed, newly hired, on notice, suspended, or terminated.

  • Access level (String) – The level of access granted to the account; for example, non-privileged, executive, or administrative.

  • Account type (String) – The type of account targeted in the incident, according to role or where it's stored; for example, domain, local, service, or system.

  • Asset count (Integer) – The number of assets affected in the notable session.

  • Asset type (String) – The type of asset accessed in the incident; for example, workstation, domain controller, or critical system.

  • Compliance governed (String) – The compliance frameworks governing the data that was accessed, exfiltrated, or destroyed; for example, PCI, SOX2, HIPAA, or ISO.

  • Compromised credentials knowledge base article (URL) – Link to an Exabeam Community article describing the Compromised Credentials use case.

  • Data accessed (Multi-line text) – The type of data that was accessed; for example, files or database records.

  • Data classification level (String) – How sensitive the accessed data is; for example, public, internal, confidential, or restricted (personally identifiable information or intellectual property).

  • Data type identification (String) – The type of data that was accessed, exfiltrated, manipulated, or destroyed; for example, file, email, database, records, or application data.

  • Destination host/IP (String) – The host name or IP address of the machine where the activity occurred.

  • Outcome (String) – The result of the activity; for example, failed, denied, approved, or successful.

  • Source host/IP (String) – The host name or IP address of the machine from which the activity originated.

  • User type (String) – The type of employee involved in the incident; for example, contractor, partner, or employee.

Lateral Movement Incident Fields

Review out-of-the-box incident fields specific to the Lateral Movement incident type. Each field's data type is shown in parentheses.

  • Asset count (Integer) – The number of assets affected in the notable session.

  • Asset type (String) – The type of asset accessed in the incident; for example, workstation, domain controller, or critical system.

  • Destination host/IP (String) – The host name or IP address of the machine where the activity occurred.

  • Destination port (Integer) – The port accessed at the destination host or IP.

  • Firewall rule (String) – The firewall rule that allowed or denied the network traffic.

  • Lateral movement knowledge base article (URL) – Link to an Exabeam Community article describing the Lateral Movement use case.

  • Outcome (String) – The result of the activity; for example, failed, denied, approved, or successful.

  • Source country (String) – The country or geolocation where the source is located.

  • Source host/IP (String) – The host name or IP address of the machine from which the activity originated.

Privilege Escalation Incident Fields

Review out-of-the-box incident fields specific to the Privilege Escalation incident type. Each field's data type is shown in parentheses.

  • User (String) – The names of the people involved in the incident.

  • Target account (String) – The name of the account targeted in the incident.

  • Account type (String) – The type of account targeted in the incident, according to role or where it's stored; for example, domain, local, service, or system.

  • Access level (String) – The level of access granted to the account; for example, non-privileged, executive, or administrative.

  • Asset count (Integer) – The number of assets affected in the notable session.

  • Asset type (String) – The type of asset accessed in the incident; for example, workstation, domain controller, or critical system.

  • Source host/IP (String) – The host name or IP address of the machine from which the activity originated.

  • Destination host/IP (String) – The host name or IP address of the machine where the activity occurred.

  • Process name (String) – The name of the executed process; for example, powershell.exe.

  • PID (Integer) – The process identifier of the executed process.

  • Process path (Multi-line text) – The file path where the executed process is located.

  • Privilege escalation knowledge base article (URL) – Link to an Exabeam Community article describing the Privilege Escalation use case.

Privileged Activity Incident Fields

Review out-of-the-box incident fields specific to the Privileged Activity incident type.

| Incident field | Description | Data type |
| --- | --- | --- |
| User status | The employee's current employment status; for example, employed, newly hired, on notice, suspended, or terminated. | String |
| Access level | The level of access granted to the account; for example, non-privileged, executive, or administrative. | String |
| Activity type | What was done in an application or on an object; for example, create, delete, download, upload, backup, or change object. | String |
| Compliance governed | The compliance frameworks governing the data that was accessed, exfiltrated or destroyed; for example, PCI, SOX2, HIPAA, or ISO. | String |
| Data accessed | The type of data that was accessed; for example, files or database records. | Multi-line text |
| Data classification level | How sensitive the accessed data is; for example, public, internal, confidential, or restricted (personally identifiable information or intellectual property). | String |
| Data type identification | The type of data that was accessed, exfiltrated, manipulated, or destroyed; for example, file, email, database, records, or application data. | String |
| Destination host/IP | The host name or IP address of the machine where the activity occurred. | String |
| Failure reason | A description of why the activity failed. | String |
| Outcome | The result of the activity; for example, failed, denied, approved, or successful. | String |
| Privileged activity knowledge base article | Link to an Exabeam Community article describing the Privileged Activity use case. | URL |
| Source host/IP | The host name or IP address of the machine from where the activity originated. | String |
| User type | The type of employee involved in the incident; for example, contractor, partner, or employee. | String |
| Account type | The type of account targeted in the incident, according to role or where it's stored; for example, domain, local, service, or system. | String |

Account Manipulation Incident Fields

Review out-of-the-box incident fields specific to the Account Manipulation incident type.

| Incident field | Description | Data type |
| --- | --- | --- |
| Account manipulation action | How the target user account was manipulated; for example, user created, password changed, or permissions removed. | String |
| Access level | The level of access granted to the account; for example, non-privileged, executive, or administrative. | String |
| User | The names of the people involved in the incident. | String |
| Target account | The name of the account targeted in the incident. | String |
| Account type | The type of account targeted in the incident, according to role or where it's stored; for example, domain, local, service, or system. | String |
| Group name | The name of the group on which an account operated. | String |
| Group domain | The domain of the group on which an account operated. | String |
| Asset count | The number of assets affected in the notable session. | Integer |
| Asset type | The type of asset accessed in the incident; for example, workstation, domain, controller, or critical system. | String |
| Account manipulation knowledge base article | Link to an Exabeam Community article describing the Account Manipulation use case. | URL |

Data Exfiltration Incident Fields

Review out-of-the-box incident fields specific to the Data Exfiltration incident type.

| Incident field | Description | Data type |
| --- | --- | --- |
| Account type | The type of account targeted in the incident, according to role or where it's stored; for example, domain, local, service, or system. | String |
| User status | The employee's current employment status; for example, employed, newly hired, on notice, suspended, or terminated. | String |
| Access level | The level of access granted to the account; for example, non-privileged, executive, or administrative. | String |
| Asset count | The number of assets affected in the notable session. | Integer |
| Compliance governed | The compliance frameworks governing the data that was accessed, exfiltrated or destroyed; for example, PCI, SOX2, HIPAA, or ISO. | String |
| Data accessed | The type of data that was accessed; for example, files or database records. | Multi-line text |
| Data classification level | How sensitive the accessed data is; for example, public, internal, confidential, or restricted (personally identifiable information or intellectual property). | String |
| Data exfiltration knowledge base article | Link to an Exabeam Community article describing the Data Exfiltration use case. | URL |
| Data type identification | The type of data that was accessed, exfiltrated, manipulated, or destroyed; for example, file, email, database, records, or application data. | String |
| Destination host/IP | The host name or IP address of the machine where the activity occurred. | String |
| DLP policy | The violated Data Loss Prevention (DLP) policy. | String |
| Exfiltration amount | The volume of exfiltrated data. | Integer |
| Exfiltration channel | The channel used to exfiltrate data; for example, email, web upload, removable device (like a USB or CD), printer, or domain name system (DNS). | String |
| Source host/IP | The host name or IP address of the machine from where the activity originated. | String |
| User type | The type of employee involved in the incident; for example, contractor, partner, or employee. | String |

Evasion Incident Fields

Review out-of-the-box incident fields specific to the Evasion incident type.

| Incident field | Description | Data type |
| --- | --- | --- |
| Activity type | What was done in an application or on an object; for example, create, delete, download, upload, backup, or change object. | String |
| Audit category | The Windows audit policy category of the changed audit policy; for example, audit account logon events, audit logon events, audit account management, audit directory service access, or audit object access. | String |
| Audit policy | The name of the changed audit policy. | String |
| Audit subcategory | The Windows audit policy subcategory of the changed audit policy; for example, logon, process creation, user account management, or directory service access. | String |
| Compliance governed | The compliance frameworks governing the data that was accessed, exfiltrated or destroyed; for example, PCI, SOX2, HIPAA, or ISO. | String |
| Data accessed | The type of data that was accessed; for example, files or database records. | Multi-line text |
| Data classification level | How sensitive the accessed data is; for example, public, internal, confidential, or restricted (personally identifiable information or intellectual property). | String |
| Data type identification | The type of data that was accessed, exfiltrated, manipulated, or destroyed; for example, file, email, database, records, or application data. | String |
| Destination host/IP | The host name or IP address of the machine where the activity occurred. | String |
| Evasion knowledge base article | Link to an Exabeam Community article describing the Evasion use case. | URL |
| PID | The process identifier of the executed process. | Integer |
| Process name | The name of the executed process; for example, powershell.exe | String |
| Process path | The file path of where the executed process is located. | Multi-line text |
| Source host/IP | The host name or IP address of the machine from where the activity originated. | String |

Out-of-the-Box Incident Fields for Malicious Insiders Incident Types

Each incident type has a unique set of incident fields. Review the incident fields for each Malicious Insiders incident type.

There are eight out-of-the-box incident types, one for each Malicious Insiders use case. Most Malicious Insiders incident types contain a specific set of incident fields out of the box.

The Abnormal Authentication and Access incident type does not include specific incident fields out of the box.

You can edit certain incident fields and rearrange how they appear in the incident type's layout to better suit your needs.

Data Leak Incident Fields

Review out-of-the-box incident fields specific to the Data Leak incident type.

| Incident field | Description | Data type |
| --- | --- | --- |
| User status | The employee's current employment status; for example, employed, newly hired, on notice, suspended, or terminated. | String |
| Access level | The level of access granted to the account; for example, non-privileged, executive, or administrative. | String |
| Account type | The type of account targeted in the incident, according to role or where it's stored; for example, domain, local, service, or system. | String |
| Compliance governed | The compliance frameworks governing the data that was accessed, exfiltrated or destroyed; for example, PCI, SOX2, HIPAA, or ISO. | String |
| Data accessed | The type of data that was accessed; for example, files or database records. | Multi-line text |
| Data classification level | How sensitive the accessed data is; for example, public, internal, confidential, or restricted (personally identifiable information or intellectual property). | String |
| Data leak knowledge base article | Link to an Exabeam Community article describing the Data Leak use case. | URL |
| Data type identification | The type of data that was accessed, exfiltrated, manipulated, or destroyed; for example, file, email, database, records, or application data. | String |
| Destination host/IP | The host name or IP address of the machine where the activity occurred. | String |
| DLP policy | The violated Data Loss Prevention (DLP) policy. | String |
| Exfiltration amount | The volume of exfiltrated data. | Integer |
| Exfiltration channel | The channel used to exfiltrate data; for example, email, web upload, removable device (like a USB or CD), printer, or domain name system (DNS). | String |
| Source host/IP | The host name or IP address of the machine from where the activity originated. | String |
| User type | The type of employee involved in the incident; for example, contractor, partner, or employee. | String |

Privilege Abuse Incident Fields

Review out-of-the-box incident fields specific to the Privilege Abuse incident type.

| Incident field | Description | Data type |
| --- | --- | --- |
| User status | The employee's current employment status; for example, employed, newly hired, on notice, suspended, or terminated. | String |
| Account type | The type of account targeted in the incident, according to role or where it's stored; for example, domain, local, service, or system. | String |
| Access level | The level of access granted to the account; for example, non-privileged, executive, or administrative. | String |
| Activity type | What was done in an application or on an object; for example, create, delete, download, upload, backup, or change object. | String |
| Compliance governed | The compliance frameworks governing the data that was accessed, exfiltrated or destroyed; for example, PCI, SOX2, HIPAA, or ISO. | String |
| Data accessed | The type of data that was accessed; for example, files or database records. | Multi-line text |
| Data classification level | How sensitive the accessed data is; for example, public, internal, confidential, or restricted (personally identifiable information or intellectual property). | String |
| Data type identification | The type of data that was accessed, exfiltrated, manipulated, or destroyed; for example, file, email, database, records, or application data. | String |
| Destination host/IP | The host name or IP address of the machine where the activity occurred. | String |
| Outcome | The result of the activity; for example, failed, denied, approved, or successful. | String |
| Privilege abuse knowledge base article | Link to an Exabeam Community article describing the Privilege Abuse use case. | URL |
| Source host/IP | The host name or IP address of the machine from where the activity originated. | String |
| User type | The type of employee involved in the incident; for example, contractor, partner, or employee. | String |

Data Access Abuse Incident Fields

Review out-of-the-box incident fields specific to the Data Access Abuse incident type.

| Incident field | Description | Data type |
| --- | --- | --- |
| User status | The employee's current employment status; for example, employed, newly hired, on notice, suspended, or terminated. | String |
| Account type | The type of account targeted in the incident, according to role or where it's stored; for example, domain, local, service, or system. | String |
| Access level | The level of access granted to the account; for example, non-privileged, executive, or administrative. | String |
| Compliance governed | The compliance frameworks governing the data that was accessed, exfiltrated or destroyed; for example, PCI, SOX2, HIPAA, or ISO. | String |
| Data access abuse knowledge base article | Link to an Exabeam Community article describing the Data Access Abuse use case. | URL |
| Data accessed | The type of data that was accessed; for example, files or database records. | Multi-line text |
| Data classification level | How sensitive the accessed data is; for example, public, internal, confidential, or restricted (personally identifiable information or intellectual property). | String |
| Data type identification | The type of data that was accessed, exfiltrated, manipulated, or destroyed; for example, file, email, database, records, or application data. | String |
| Destination host/IP | The host name or IP address of the machine where the activity occurred. | String |
| Outcome | The result of the activity; for example, failed, denied, approved, or successful. | String |
| PID | The process identifier of the executed process. | Integer |
| Process name | The name of the executed process; for example, powershell.exe | String |
| Process path | The file path of where the executed process is located. | Multi-line text |
| Source host/IP | The host name or IP address of the machine from where the activity originated. | String |
| User type | The type of employee involved in the incident; for example, contractor, partner, or employee. | String |

Audit Tampering Incident Fields

Review out-of-the-box incident fields specific to the Audit Tampering incident type.

| Incident field | Description | Data type |
| --- | --- | --- |
| Audit category | The Windows audit policy category of the changed audit policy; for example, audit account logon events, audit logon events, audit account management, audit directory service access, or audit object access. | String |
| Audit policy | The name of the changed audit policy. | String |
| Audit subcategory | The Windows audit policy subcategory of the changed audit policy; for example, logon, process creation, user account management, or directory service access. | String |
| Destination host/IP | The host name or IP address of the machine where the activity occurred. | String |
| PID | The process identifier of the executed process. | Integer |
| Process name | The name of the executed process; for example, powershell.exe | String |
| Process path | The file path of where the executed process is located. | Multi-line text |
| Source host/IP | The host name or IP address of the machine from where the activity originated. | String |
| User status | The employee's current employment status; for example, employed, newly hired, on notice, suspended, or terminated. | String |
| User type | The type of employee involved in the incident; for example, contractor, partner, or employee. | String |

Destruction of Data Incident Fields

Review out-of-the-box incident fields specific to the Destruction of Data incident type.

| Incident field | Description | Data type |
| --- | --- | --- |
| User status | The employee's current employment status; for example, employed, newly hired, on notice, suspended, or terminated. | String |
| Access level | The level of access granted to the account; for example, non-privileged, executive, or administrative. | String |
| Activity type | What was done in an application or on an object; for example, create, delete, download, upload, backup, or change object. | String |
| Compliance governed | The compliance frameworks governing the data that was accessed, exfiltrated or destroyed; for example, PCI, SOX2, HIPAA, or ISO. | String |
| Data classification level | How sensitive the accessed data is; for example, public, internal, confidential, or restricted (personally identifiable information or intellectual property). | String |
| Destination host/IP | The host name or IP address of the machine where the activity occurred. | String |
| Destruction of data knowledge base article | Link to an Exabeam Community article describing the Destruction of Data use case. | URL |
| File name | The name of the accessed, exfiltrated, manipulated, or destroyed file. | String |
| File owner | The person who owns the file. | String |
| File path | The file path of where the file is located; for example, C:\Windows32\myfile.txt | Multi-line text |
| File type | The format of the file; for example, file, folder, or link. | String |
| Source host/IP | The host name or IP address of the machine from where the activity originated. | String |
| User type | The type of employee involved in the incident; for example, contractor, partner, or employee. | String |
| Account type | The type of account targeted in the incident, according to role or where it's stored; for example, domain, local, service, or system. | String |

Physical Security Incident Fields

Review out-of-the-box incident fields specific to the Physical Security incident type.

| Incident field | Description | Data type |
| --- | --- | --- |
| Badge ID | The ID of the badge used to access a physical space. | String |
| Building | The name or ID of the building someone attempted to access. | String |
| City | The name or code of the city where someone entered a physical space. | String |
| Door | The door someone attempted to use to access a physical space. | String |
| Outcome | The result of the activity; for example, failed, denied, approved, or successful. | String |
| Physical security knowledge base article | Link to an Exabeam Community article describing the Physical Security use case. | URL |

Workforce Protection Incident Fields

Review out-of-the-box incident fields specific to the Workforce Protection incident type.

| Incident field | Description | Data type |
| --- | --- | --- |
| User status | The employee's current employment status; for example, employed, newly hired, on notice, suspended, or terminated. | String |
| Access level | The level of access granted to the account; for example, non-privileged, executive, or administrative. | String |
| Assigned assets | Corporate assets the employee has access to. | String |
| Destination host/IP | The host name or IP address of the machine where the activity occurred. | String |
| Employee ID | The employee's ID. | String |
| Employee name | The employee's name. | String |
| Employee tenure | How long the employee has been with your organization. | Integer |
| Recipient (To) | The email address the email was sent to. | Email address |
| Risk factors | Factors that increase risk or further indicate someone's intent. | String |
| Sender | The email address that sent the email. | Email address |
| Source host/IP | The host name or IP address of the machine from where the activity originated. | String |
| URL | An entire URL string including the host, fully qualified domain name (FQDN), and path. For example, www.exabeam.com/info?user=abc | URL |
| User type | The type of employee involved in the incident; for example, contractor, partner, or employee. | String |
| Web domain | The host the employee accessed; for example, gmail.google.com. | URL |
| Workforce protection knowledge base article | Link to an Exabeam Community article describing the Workforce Protection use case. | URL |

Out-of-the-Box Incident Fields for External Threats Incident Types

Each incident type has a unique set of incident fields. Review the incident fields for each External Threats incident type.

There are five out-of-the-box incident types, one for each External Threats use case. Each incident type contains a specific set of incident fields out of the box.

You can edit certain incident fields and rearrange how they appear in the incident type's layout to better suit your needs.

Phishing Incident Fields

Review out-of-the-box incident fields specific to the Phishing incident type.

| Incident field | Description | Data type |
| --- | --- | --- |
| Attachment name | The file name of an email attachment. | String |
| CC | The email addresses CC'd in an email. | Email address |
| Email body | The content of an email. | Multi-line text |
| Message ID | An email's unique identifier. | String |
| Payload type | The method used to deliver the payload in a phishing attack; for example, attachment, hyperlink, client vulnerability, or business email compromise (BEC). | String |
| Phishing knowledge base article | Link to an Exabeam Community article describing the Phishing use case. | URL |
| Received date | The date the email was received. | URL |
| Recipient (To) | The email address the email was sent to. | Email address |
| Sender | The email address that sent the email. | Email address |
| Source country | The geographical location from where the sender sent the email. | String |
| Source host/IP | The host name or IP address of the machine from where the activity originated. | String |
| Subject | An email's subject line. | String |
| User agent | The browser's user agent. | String |

Malware Incident Fields

Review out-of-the-box incident fields specific to the Malware incident type.

| Incident field | Description | Data type |
| --- | --- | --- |
| Alert ID | The alert's unique identifier. | String |
| Alert name | The name of the alert; for example, Oracle Database User Authentication Brute Force Attempt. |  |
| Alert severity | How critical the alert is, according to the vendor. | String |
| Alert type | The type of alert, which usually describes the threat the alert detected; for example, trojan, vulnerability, or unauthorized access. | String |
| Alert URL | The alert's URL. | URL |
| Attacker file | The file the malicious entity used to deliver the malware payload. | String |
| Attacker IP | The malicious entity's IP identifier. | IP |
| Attacker URL | The malicious entity's URL identifier. | URL |
| Malware category | The malware type, which usually describes what the malware does on your computer; for example, ransomware, spyware, adware, trojan, or worm. | String |
| Malware knowledge base article | Link to an Exabeam Community article describing the Malware use case. | URL |
| Malware name | The name of the malware, typically in the Computer Antivirus Research Organization (CARO) malware naming scheme; for example, Ransom.Win32.Locky.A.dldl or Backdoor:Win32/Caphaw.D!Ink. | String |
| Method of intrusion | The method used to deliver the malware or ransomware; for example, malvertisement, phishing email, or USB. | String |
| PID | The process identifier of the executed process. | Integer |
| Process name | The name of the executed process; for example, powershell.exe | String |
| Process path | The file path of where the executed process is located. | Multi-line text |
| Victim host | The name of the machine targeted for the malware. | String |

Ransomware Incident Fields

Review out-of-the-box incident fields specific to the Ransomware incident type.

| Incident field | Description | Data type |
| --- | --- | --- |
| Alert ID | The alert's unique identifier. | String |
| Alert name | The name of the alert; for example, Oracle Database User Authentication Brute Force Attempt. |  |
| Alert severity | How critical the alert is, according to the vendor. | String |
| Alert type | The type of alert, which usually describes the threat the alert detected; for example, trojan, vulnerability, or unauthorized access. | String |
| Alert URL | The alert's URL. | URL |
| Attacker file | The file the malicious entity used to deliver the malware payload. | String |
| Attacker IP | The malicious entity's IP identifier. | IP |
| Attacker URL | The malicious entity's URL identifier. | URL |
| Malware category | The malware type, which usually describes what the malware does on your computer; for example, ransomware, spyware, adware, trojan, or worm. | String |
| Ransomware knowledge base article | Link to an Exabeam Community article describing the Ransomware use case. | URL |
| Malware name | The name of the malware, typically in the Computer Antivirus Research Organization (CARO) malware naming scheme; for example, Ransom.Win32.Locky.A.dldl or Backdoor:Win32/Caphaw.D!Ink. | String |
| Method of intrusion | The method used to deliver the malware or ransomware; for example, malvertisement, phishing email, or USB. | String |
| PID | The process identifier of the executed process. | Integer |
| Process name | The name of the executed process; for example, powershell.exe | String |
| Process path | The file path of where the executed process is located. | Multi-line text |
| Victim host | The name of the machine targeted for the malware. | String |

Brute Force Attack Incident Fields

Review out-of-the-box incident fields specific to the Brute Force Attack incident type.

| Incident field | Description | Data type |
| --- | --- | --- |
| Brute force attack knowledge base article | Link to an Exabeam Community article describing the Brute Force Attack use case. | URL |
| Destination host/IP | The host name or IP address of the machine where the activity occurred. | String |
| Failure reason | A description of why the activity failed. | String |
| Logon type | The methods used to log on to a system; for example, through the system's local console (interactive) or through a task scheduler (batch). | String |
| Outcome | The result of the activity; for example, failed, denied, approved, or successful. | String |
| PID | The process identifier of the executed process. | Integer |
| Process name | The name of the executed process; for example, powershell.exe | String |
| Process path | The file path of where the executed process is located. | Multi-line text |
| Source host/IP | The host name or IP address of the machine from where the activity originated. | String |

Cryptomining Incident Fields

Review out-of-the-box incident fields specific to the Cryptomining incident type.

| Incident field | Description | Data type |
| --- | --- | --- |
| Cryptomining knowledge base article | Link to an Exabeam Community article describing the Cryptomining use case. | URL |
| Destination host/IP | The host name or IP address of the machine where the activity occurred. | String |
| Source port | The port used by the source IP or host. | Integer |
| Failure reason | A description of why the activity failed. | String |
| Firewall rule | The firewall rule that allowed or denied network traffic. | String |
| Outcome | The result of the activity; for example, failed, denied, approved, or successful. | String |
| PID | The process identifier of the executed process. | Integer |
| Process name | The name of the executed process; for example, powershell.exe | String |
| Process path | The file path of where the executed process is located. | Multi-line text |
| Source host/IP | The host name or IP address of the machine from where the activity originated. | String |
| User agent | The browser's user agent. | String |

Create a Custom Incident Field

Create incident fields to standardize the information displayed in an incident type.

  1. In the navigation bar, click the menu icon (three white lines on a green background), select Settings, then select Analytics.

  2. Under Case Management, select Incident Configuration.

  3. Select the FIELDS tab.

  4. Click ADD FIELDS.

  5. Enter information about your field. The information required varies based on field type.

    To list multiple values, select List predefined options. If people can enter or select multiple values from this list, select Can enter or select multiple values.

  6. Click SAVE.
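The field tables above give each incident field a data type (String, Integer, Multi-line text, URL, Email address, IP), and the steps above add predefined option lists and a multi-select flag on top of that. The following is an added example, not Case Manager's own code or API: a small Python validator that models those field definitions and checks an incident record against them, using a subset of the Data Exfiltration fields from this page. The option lists for "Compliance governed" and "Exfiltration channel", the two sample records, and all host names and URLs are constructed for the example.

```python
"""Validate incident records against typed field definitions (added example)."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# The data types that appear in the incident field tables on this page.
DATA_TYPES = {"String", "Integer", "Multi-line text", "URL", "Email address", "IP"}

# Constructed, intentionally simple email check (not a full RFC 5322 parser).
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


@dataclass(frozen=True)
class IncidentField:
    """A field definition: name, data type, optional predefined options, multi-select flag."""
    name: str
    data_type: str
    options: tuple[str, ...] = ()   # "List predefined options"
    multi_select: bool = False      # "Can enter or select multiple values"

    def __post_init__(self) -> None:
        if self.data_type not in DATA_TYPES:
            raise ValueError(f"{self.name}: unknown data type {self.data_type!r}")
        if self.multi_select and not self.options:
            raise ValueError(f"{self.name}: multi-select needs predefined options")


def _check_value(f: IncidentField, value) -> str | None:
    """Return an error message for one value, or None when it fits the field's data type."""
    if f.options:
        return None if value in f.options else f"{f.name}: {value!r} is not one of {list(f.options)}"
    t = f.data_type
    if t == "Integer":
        if isinstance(value, bool) or not isinstance(value, int):
            return f"{f.name}: expected an integer, got {value!r}"
    elif t in ("String", "Multi-line text"):
        if not isinstance(value, str):
            return f"{f.name}: expected text, got {value!r}"
        if t == "String" and "\n" in value:
            return f"{f.name}: a String field is single-line"
    elif t == "URL":
        s = str(value)
        parsed = urlparse(s if "://" in s else "//" + s)  # scheme-less URLs are allowed, as in the page's example
        if " " in s or not parsed.netloc:
            return f"{f.name}: {s!r} is not a URL"
    elif t == "Email address":
        if not isinstance(value, str) or not _EMAIL_RE.match(value):
            return f"{f.name}: {value!r} is not an email address"
    elif t == "IP":
        try:
            ipaddress.ip_address(str(value))
        except ValueError:
            return f"{f.name}: {value!r} is not an IP address"
    return None


def validate_incident(fields: list[IncidentField], record: dict) -> list[str]:
    """Check a record against an incident type's field set and return every problem found."""
    by_name = {f.name: f for f in fields}
    errors = [f"{k}: not a field of this incident type" for k in record if k not in by_name]
    for f in fields:
        if f.name not in record:
            continue  # fields are optional; a missing field is not an error
        value = record[f.name]
        if f.multi_select:
            if not isinstance(value, list):
                errors.append(f"{f.name}: multi-select field expects a list of values")
                continue
            errors.extend(e for e in (_check_value(f, v) for v in value) if e)
        else:
            err = _check_value(f, value)
            if err:
                errors.append(err)
    return errors


# A subset of the Data Exfiltration fields from this page; the option lists are
# constructed from the examples given in the field descriptions.
DATA_EXFILTRATION_FIELDS = [
    IncidentField("Asset count", "Integer"),
    IncidentField("Compliance governed", "String",
                  options=("PCI", "SOX2", "HIPAA", "ISO"), multi_select=True),
    IncidentField("Data accessed", "Multi-line text"),
    IncidentField("Data exfiltration knowledge base article", "URL"),
    IncidentField("Destination host/IP", "String"),
    IncidentField("Exfiltration amount", "Integer"),
    IncidentField("Exfiltration channel", "String",
                  options=("email", "web upload", "removable device", "printer", "DNS")),
    IncidentField("Source host/IP", "String"),
]

# Constructed sample records: one that conforms and one with several defects.
GOOD_RECORD = {
    "Asset count": 3,
    "Compliance governed": ["PCI", "HIPAA"],
    "Data accessed": "customer export\nbilling records",
    "Data exfiltration knowledge base article": "community.example.com/kb/data-exfiltration",
    "Destination host/IP": "203.0.113.10",
    "Exfiltration amount": 250,
    "Exfiltration channel": "web upload",
    "Source host/IP": "ws-0417",
}
BAD_RECORD = {
    "Compliance governed": "HIPAA",            # multi-select field needs a list
    "Data exfiltration knowledge base article": "not a url",
    "Exfiltration amount": "lots",             # Integer field
    "Exfiltration channel": "carrier pigeon",  # not a predefined option
    "Sender": "alice@example.com",             # not a Data Exfiltration field
}

if __name__ == "__main__":
    for err in validate_incident(DATA_EXFILTRATION_FIELDS, BAD_RECORD):
        print(err)
```

Running the block lists five problems with the bad record and none with the good one. Unknown field names are reported first, then each defined field in table order; a field that is absent from the record is not an error, which matches the page's treatment of fields as optional layout elements rather than required inputs.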

Delete a Custom Incident Field

When you delete an incident field, the field still appears in incidents that already have it but you can't add it to a new incident layout.

  1. In the navigation bar, click the menu icon (three white lines on a green background), select Settings, then select Analytics.

  2. Under Case Management, select Incident Configuration.

  3. Select the FIELDS tab.

  4. Hover over an incident field, click the More menu (three vertical grey dots on a white background), then select Delete.

Customize the Layout of an Incident Type

For an incident type, organize the incident fields based on what's relevant to the type. For example, for a phishing incident type, design a layout that includes incident fields like subject, sender, and email body.

  1. In the navigation bar, click the menu icon (three white lines on a green background), select Settings, then select Analytics.

  2. Under Case Management, select Incident Configuration.

  3. To create an incident type or edit an existing type, hover over the incident type, select the More menu (three vertical grey dots on a white background), then select Edit.

  4. Design the layout:

    • To add a field to the layout, select a field, then click and drag the field from the left-side column to the editor on the right.

      To find a field, select the search icon (a blue magnifying glass) and enter a search term, or select Sort by: to sort them.

      To create a custom field, click + ADD FIELD.

    • To rearrange fields in the editor, click and drag the fields to where they should be positioned.

    • To remove a field from the layout, hover over the field, then click REMOVE.

  5. Click SAVE.

Exabeam Phases

Organize your investigations and ensure everyone responds consistently using phases.

A phase is a general stage of your investigation process. It contains the tasks an analyst must complete during that stage.

Phases and tasks ensure everyone across your organization responds to different security scenarios consistently. A manager builds a set of standard scenarios and creates processes for each one. When analysts investigate an incident, they follow this process, working on separate items in parallel so their efforts don't overlap.

Exabeam provides five phases out of the box:

  • Detection

  • Containment

  • Eradication & Mitigation

  • Recovery

  • Post-Incident Activity

Rename phases or create your own phase according to your needs. You can also delete and reorder phases.

Create a Phase

To standardize how you respond to incidents, break out your investigating process into phases and assign tasks to each one.

  1. In the navigation bar, click the menu icon (three white lines on a green background), select Settings, then select Analytics.

  2. Under Case Management, select Incident Configuration.

  3. Select the Tasks & Phases tab.

  4. Click ADD PHASE.

  5. Enter a unique phase name, then click SAVE.

  6. Click PUBLISH. The phase appears only in new incidents. It doesn't appear in existing incidents, open or closed.

Rename a Phase

Rename any phase to change how it appears in incidents.

  1. In the navigation bar, click the menu icon (three white lines on a green background), select Settings, then select Analytics.

  2. Under Case Management, select Incident Configuration.

  3. Select the TASKS & PHASES tab.

  4. Hover over a phase, then select the edit icon (a grey pencil).

  5. Change the phase name.

  6. Click SAVE.

  7. Click PUBLISH. Your changes are reflected in new incidents. They don't apply to existing incidents, open or closed.

Reorder Phases

Reorder phases to change the order in which they appear in incidents.

  1. In the navigation bar, click the menu icon (three white lines on a green background), select Settings, then select Analytics.

  2. Under Case Management, select Incident Configuration.

  3. Select the Tasks & Phases tab.

  4. Hover over a phase, then select the up or down arrow to move the phase up or down.

  5. Click PUBLISH. Your changes are reflected in new incidents. They don't apply to existing incidents, open or closed.

Delete a Phase

Remove a phase from any new incidents you create.

  1. In the navigation bar, click the menu icon, select Settings, then select Analytics.

  2. Under Case Management, select Incident Configuration.

  3. Select the Tasks & Phases tab.

  4. You can only delete a phase that does not have tasks assigned to it. If the phase you're deleting has any tasks assigned to it, reassign them to a new or existing phase.

  5. Hover over the phase, then select the trash icon.

  6. Click DELETE.

  7. Click PUBLISH. The phase doesn't appear in new incidents. It still appears in existing incidents, open or closed.

Exabeam Tasks

Assign specific responsibilities and ensure everyone responds consistently using tasks.

A task is an action an analyst must complete during an investigation; for example, confirm the incident is contained, capture volatile data from systems as evidence, or determine the root cause. Tasks are organized into the phases of an investigation.

Phases and tasks ensure everyone across your organization responds to different security scenarios consistently. A manager builds a set of standard scenarios and creates processes for each one. When analysts investigate an incident, they follow this process, working on separate items in parallel so their efforts don't overlap.

Create a Task for a Phase or Incident Type

Create a task that always appears under a specific phase or in incidents of a certain type.

You can also create a task for just one specific incident. To automatically create a task depending on the conditions of an incident, set up a playbook.

  1. In the navigation bar, click the menu icon, select Settings, then select Analytics.

  2. Under Case Management, select Incident Configuration.

  3. Select the Tasks & Phases tab.

  4. Click ADD A TASK.

  5. Enter information about the task:

    • Name – Enter a name for the task.

    • Instructions – Enter instructions, details, or other information about the task.

    • Phase – Select the phase that the task appears under.

    • (Optional) Incident type – Select the incident type that the task appears under.

    • Due date – If there is no due date, select None. If there is a due date, select how many days after the task is initiated.

    • (Optional) Required task – If the task is required, select this box.

  6. Click SAVE.

  7. Click PUBLISH.
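As an added illustration, not Case Manager's own code or API, the following Python model applies the rules stated in the phase and task procedures above: phase names are unique, a phase with assigned tasks cannot be deleted, a task optionally targets one incident type and has a due date counted in days, and publishing only affects incidents opened afterwards. All class and function names are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

@dataclass
class Task:  # one entry of the "Enter information about the task" form (assumed shape)
    name: str
    instructions: str
    phase: str
    incident_type: Optional[str] = None  # None: task applies to every incident type
    due_in_days: Optional[int] = None    # None: no due date; else days after the task starts
    required: bool = False

@dataclass
class IncidentConfig:
    """Draft edited under Tasks & Phases; publish() freezes the copy new incidents use."""
    phases: list = field(default_factory=list)
    tasks: list = field(default_factory=list)
    published: Optional["IncidentConfig"] = None

    def add_phase(self, name: str) -> None:
        if name in self.phases:
            raise ValueError(f"phase name must be unique: {name}")
        self.phases.append(name)

    def delete_phase(self, name: str) -> None:
        # A phase with tasks assigned cannot be deleted; reassign them first.
        if any(t.phase == name for t in self.tasks):
            raise ValueError(f"reassign tasks before deleting phase: {name}")
        self.phases.remove(name)

    def add_task(self, task: Task) -> None:
        if task.phase not in self.phases:
            raise ValueError(f"unknown phase: {task.phase}")
        self.tasks.append(task)

    def publish(self) -> None:
        self.published = IncidentConfig(list(self.phases), list(self.tasks))

def open_incident(config: IncidentConfig, incident_type: str, opened: date) -> dict:
    """Build the phase/task list a *new* incident gets from the published config."""
    pub = config.published
    tasks = [t for t in pub.tasks if t.incident_type in (None, incident_type)]
    return {
        "phases": list(pub.phases),
        "tasks": [(t.name, t.phase, t.required,
                   None if t.due_in_days is None else opened + timedelta(days=t.due_in_days))
                  for t in tasks],
    }
```

Because each incident keeps the snapshot it was opened with, a later publish changes nothing in existing incidents, which is the behaviour the PUBLISH steps describe.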

Edit a Task for a Phase or Incident Type

Edit a task that appears under a phase or for all incidents of a certain type.

  1. In the navigation bar, click the menu icon, select Settings, then select Analytics.

  2. Under Case Management, select Incident Configuration.

  3. Select the Tasks & Phases tab.

  4. Hover over a task, then select the edit (pencil) icon.

  5. Change the task details:

    • Name – Enter a name for the task.

    • Instructions – Enter instructions, details, or other information about the task.

    • Phase – Select the phase that the task appears under.

    • (Optional) Incident type – Select the incident type that the task appears under.

    • Due date – If there is no due date, select None. If there is a due date, select how many days after the task is initiated.

    • (Optional) Required task – If the task is required, select this box.

  6. Click SAVE.

  7. Click PUBLISH. Your changes are reflected in new incidents. They don't apply to existing incidents, open or closed.

Reorder Tasks in a Phase

Reorder tasks to change the order in which they appear in a phase.

  1. In the navigation bar, click the menu icon, select Settings, then select Analytics.

  2. Under Case Management, select Incident Configuration.

  3. Select the Tasks & Phases tab.

  4. Hover over a task, then select the up or down arrow to move the task up or down.

  5. Click PUBLISH. Your changes are reflected in new incidents. They don't apply to existing incidents, open or closed.

Delete a Task for a Phase or Incident Type

Delete a task that appears under a phase or for all incidents of a certain type.

  1. In the navigation bar, click the menu icon, select Settings, then select Analytics.

  2. Under Case Management, select Incident Configuration.

  3. Select the Tasks & Phases tab.

  4. Hover over a task, then select the trash icon. A warning appears.

  5. Click DELETE.

  6. Click PUBLISH. Your changes are reflected in new incidents. They don't apply to existing incidents, open or closed.