Customize Incidents

Customize incident types, fields, and layouts to better align Case Manager with your existing or other internal ticketing systems.

Depending on your organization and your industry, consider customizing incidents to tailor Case Manager to your needs. For example, a hospital SOC may create a HIPAA field to review the percentage of historical incidents in which HIPAA data was breached, or view all active incidents that contain HIPAA data.

Start by creating an incident type. Then, create custom fields for that type and organize them into a layout that works best for you.

For each incident type, create phases and tasks to standardize your team's response to that type of incident and ensure they take certain steps.

Incident Types

Standardize information, actions, and evidence for common security incidents using incident types.

An incident type is a category that represents a security scenario. When you create an incident type, you standardize incident fields, phases, tasks, and playbooks, and ensure you have the information and tools you need to resolve an incident based on attack vector or case context.

For example: In your organization, a phishing campaign targets multiple users, and each user automatically triggers and creates an incident. Since all these incidents are of a specific type—phishing—you need a specific set of information, actions, and evidence to resolve them, like sender, recipient, or email subject. The phishing incident type makes sure those are all included in a phishing incident so you have everything you need to research and resolve it.

Create an Incident Type

Create an incident type to represent a common security scenario and standardize information, actions, and evidence.

  1. In the navigation bar, click the menu icon, select Settings, then navigate to Case Management > Incident Configuration.

  2. In the Types tab, click ADD TYPE.

  3. In the CREATE INCIDENT TYPE menu, enter a name and description for the incident type.

  4. Click SAVE. The new incident type appears in the list of incident types with a Custom status.

    For your new incident type, create custom incident fields or design a custom layout.

Delete an Incident Type

When you delete an incident type, you can no longer apply the type to any incidents. Existing incidents that were assigned the type, and their data, are not deleted.

  1. In the navigation bar, click the menu icon, select Settings, then navigate to Case Management > Incident Configuration.

  2. In the TYPES tab, hover over an incident type, select the More menu, then select Delete.

  3. A warning appears. Click DELETE.

Customize the Layout of an Incident Type

If you created an incident type, organize the incident fields based on what's relevant to the type. For example, for a phishing incident type, design a layout that includes incident fields like subject, sender, and email body.

  1. In the navigation bar, click the menu icon, select Settings, then navigate to Case Management > Incident Configuration.

  2. To create an incident type or edit an existing type, hover over the incident type, select the More menu, then select Edit.

  3. Design the layout:

    • To add a field to the layout, select a field, then click and drag the field from the left-side column to the editor on the right.

      To find a field, select the search icon, then enter a search term, or select Sort by: to sort the fields.

      To create a custom field, click + ADD FIELD.

    • To rearrange fields in the editor, click and drag the fields to where they should be positioned.

    • To remove a field from the layout, hover over the field, then click REMOVE.

  4. Click SAVE.

Create a Custom Incident Field

If you created an incident type, create specific incident fields for that type to standardize the information you need.

  1. In the navigation bar, click the menu icon, select Settings, then navigate to Case Management > Incident Configuration.

  2. Select the FIELDS tab.

  3. Click ADD FIELDS.

  4. Enter information about your field. The information required varies based on field type.

    To allow people to enter their own value, select Editable Field. If people can enter multiple values, select Allow multiple values.

  5. Click SAVE.

Edit a Custom Incident Field

When you edit an incident field, the changes only apply to new incidents. If an existing incident has this field, it doesn't change.

  1. In the navigation bar, click the menu icon, select Settings, then navigate to Case Management > Incident Configuration.

  2. Select the FIELDS tab.

  3. Hover over an incident type, click the More menu, then select Edit.

  4. Edit the field inputs.

  5. Click SAVE.

Delete a Custom Incident Field

When you delete an incident field, the field still appears in incidents that already have it, but you can't add it to a new incident layout.

  1. In the navigation bar, click the menu icon, select Settings, then navigate to Case Management > Incident Configuration.

  2. Select the FIELDS tab.

  3. Hover over an incident field, click the More menu, then select Delete.

Exabeam Phases

Organize your investigations and ensure everyone responds consistently using phases.

A phase is a general stage of your investigation process. Each phase contains tasks that an analyst must complete.

Phases and tasks ensure everyone across your organization responds to different security scenarios consistently. A manager builds a set of standard scenarios and creates processes for each one. When analysts investigate an incident, they follow this process, working on separate items in parallel so their efforts don't overlap.

Exabeam provides five phases out of the box:

  • Detection

  • Containment

  • Eradication & Mitigation

  • Recovery

  • Post-Incident Activity

Rename phases or create your own phase according to your needs. You can also delete and reorder phases.

Create a Phase

To standardize how you respond to incidents, break out your investigation process into phases and assign tasks to each one.

  1. In the navigation bar, click the menu icon, select Settings, then navigate to Case Management > Incident Configuration.

  2. Select the Tasks & Phases tab.

  3. Click ADD PHASE.

  4. Enter a unique phase name, then click SAVE.

  5. Click PUBLISH. The phase appears only in new incidents. It doesn't appear in existing incidents, open or closed.

Rename a Phase

Rename any phase to change how it appears in incidents.

  1. In the navigation bar, click the menu icon, select Settings, then navigate to Case Management > Incident Configuration.

  2. Select the TASKS & PHASES tab.

  3. Hover over a phase, then select the edit (pencil) icon.

  4. Change the phase name.

  5. Click SAVE.

  6. Click PUBLISH. Your changes are reflected in new incidents. They don't apply to existing incidents, open or closed.

Reorder Phases

Reorder phases to change the order in which they appear in incidents.

  1. In the navigation bar, click the menu icon, select Settings, then navigate to Case Management > Incident Configuration.

  2. Select the Tasks & Phases tab.

  3. Hover over a phase, then select the up or down arrow to move the phase up or down.

  4. Click PUBLISH. Your changes are reflected in new incidents. They don't apply to existing incidents, open or closed.

Delete a Phase

Remove a phase from any new incidents you create.

  1. In the navigation bar, click the menu icon, select Settings, then navigate to Case Management > Incident Configuration.

  2. Select the Tasks & Phases tab.

  3. You can only delete a phase that does not have tasks assigned to it. If the phase you're deleting has any tasks assigned to it, reassign them to a new or existing phase.

  4. Hover over the phase, then select the trash can icon.

  5. Click DELETE.

  6. Click PUBLISH. The phase doesn't appear in new incidents. It still appears in existing incidents, open or closed.

Exabeam Tasks

Assign specific responsibilities and ensure everyone responds consistently using tasks.

A task is an action an analyst must complete when they investigate; for example, confirm incident is contained, capture volatile data from systems as evidence, determine root cause. Tasks are organized into phases of an investigation.

Phases and tasks ensure everyone across your organization responds to different security scenarios consistently. A manager builds a set of standard scenarios and creates processes for each one. When analysts investigate an incident, they follow this process, working on separate items in parallel so their efforts don't overlap.

Create a Task for a Phase or Incident Type

Create a task that always appears under a specific phase or in incidents of a certain type.

You can also create a task just for one specific incident. To automatically create a task depending on the conditions of an incident, set up a playbook.

  1. In the navigation bar, click the menu icon, select Settings, then navigate to Case Management > Incident Configuration.

  2. Select the Tasks & Phases tab.

  3. Click ADD A TASK.

  4. Enter information about the task:

    • Name – Enter a name for the task.

    • Instructions – Enter instructions, details, or other information about the task.

    • Phase – Select the phase that the task appears under.

    • (Optional) Incident type – Select the incident type that the task appears under.

    • Due date – If there is no due date, select None. If there is a due date, select how many days after the task is initiated.

    • (Optional) Required task – If the task is required, select this box.

  5. Click SAVE.

  6. Click PUBLISH.

Edit a Task for a Phase or Incident Type

Edit a task that appears under a phase or for all incidents of a certain type.

  1. In the navigation bar, click the menu icon, select Settings, then navigate to Case Management > Incident Configuration.

  2. Select the Tasks & Phases tab.

  3. Hover over a task, then select the edit (pencil) icon.

  4. Change the task details:

    • Name – Enter a name for the task.

    • Instructions – Enter instructions, details, or other information about the task.

    • Phase – Select the phase that the task appears under.

    • (Optional) Incident type – Select the incident type that the task appears under.

    • Due date – If there is no due date, select None. If there is a due date, select how many days after the task is initiated.

    • (Optional) Required task – If the task is required, select this box.

  5. Click SAVE.

  6. Click PUBLISH. Your changes are reflected in new incidents. They don't apply to existing incidents, open or closed.

Reorder Tasks in a Phase

Reorder tasks to change the order in which they appear in a phase.

  1. In the navigation bar, click the menu icon, select Settings, then navigate to Case Management > Incident Configuration.

  2. Select the Tasks & Phases tab.

  3. Hover over a task, then select the up or down arrow to move the task up or down.

  4. Click PUBLISH. Your changes are reflected in new incidents. They don't apply to existing incidents, open or closed.

Delete a Task for a Phase or Incident Type

Delete a task that appears under a phase or for all incidents of a certain type.

  1. In the navigation bar, click the menu icon, select Settings, then navigate to Case Management > Incident Configuration.

  2. Select the Tasks & Phases tab.

  3. Hover over a task, then select the trash can icon. A warning appears.

  4. Click DELETE.

  5. Click PUBLISH. Your changes are reflected in new incidents. They don't apply to existing incidents, open or closed.