Ingest Data into Case Manager
To use Case Manager, you must ingest data from an incident source and pull a specific type of data using an incident feed. After Case Manager has this data, it can create incidents for you to work on.
An incident source is the server from which Case Manager ingests data, like:
Advanced Analytics. Case Manager automatically creates an incident when a user or asset crosses a risk threshold and becomes notable.
A security product such as a SIEM or an endpoint solution.
Microsoft Office 365 or Outlook via email ingest.
An incident feed is the type of data you pull from that source (Carbon Black, FireEye, etc.). You must configure an incident source before you configure an incident feed.
You create, edit, or delete incident sources and feeds from the Incident Ingestion settings page.
Add an Incident Source
Add an incident source, like ServiceNow, Splunk, or IBM QRadar, to ingest logs from those servers into Case Manager. You must add an incident source before you add an incident feed.
Before you begin, collect the following details for the server:
IP address or host name of the server
TCP port
Username and password
ServiceNow has additional prerequisites of its own that you must meet before adding it.
In the navigation bar, click the menu icon, select Settings, then navigate to Case Management > Incident Ingestion.
Select the INCIDENT SOURCES tab.
Click Add a new incident source.
Enter information about the incident source.
To validate your connection to the source, click TEST CONNECTIVITY. If you see an error, verify the information you entered, then retest the connection.
Click SAVE.
To specify the type of data to query from the source, add an incident feed.
Add an Incident Feed
After you've added an incident source, specify the type of data to query from it.
Ensure that you've added an incident source.
In the navigation bar, click the menu icon, select Settings, then navigate to Case Management > Incident Ingestion.
Select the INCIDENT FEEDS tab.
Click Add a new incident feed.
Fill in the fields, then click SAVE.
Click RESTART LOG INGESTION ENGINE. The new feed does not start pulling data until the engine restarts.
Choose to restart the log ingestion engine immediately or schedule a date, then click RESTART.
Email Ingest
Ingest suspicious emails and investigate phishing incidents using Email Ingest.
Case Manager Email Ingest creates incidents from potential phishing emails. It ingests suspicious emails from a designated phishing mailbox, parses relevant fields, creates an incident, then deletes the email from the inbox.
Configure Email Ingest
Link Case Manager to your phishing inbox so that the suspicious emails users forward there are ingested as incidents.
Before you begin, you need:
A dedicated phishing inbox that Case Manager has access to. No one should delete, move, or otherwise touch the emails in this inbox. The mailbox cannot be a shared mailbox or a subfolder.
Credentials for the phishing inbox. The account must have read and write access to the entire mailbox; write access is required because Case Manager deletes each email after it ingests it.
A connection to the mailbox over IMAP, POP3, or Exchange, on one of these ports:
Protocol       Port
IMAP           143
IMAP + SSL     993
POP3           110
POP3 + SSL     995
Exchange       443
Prefer the SSL variants (993, 995) or Exchange over 443; plain IMAP on 143 and POP3 on 110 send the mailbox credentials and message contents in cleartext.
Note
For SaaS Cloud deployments, only port 443 is open, so Exchange is the only protocol in the table that works without a change. To open other ports, contact your Technical Account Manager.
Ensure that emails aren't encrypted and that attachments are in EML format. MSG files are not yet supported.
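The last two prerequisites (no encrypted emails, attachments in EML rather than MSG format) are the ones most often violated by well-meaning reporters, and the only feedback the UI gives is a missing incident. The script below is an added example, not Case Manager's own code: it parses raw messages, flags S/MIME or PGP/MIME encrypted bodies and Outlook .msg attachments, and can run the same check over a live inbox with IMAP + SSL on port 993 without marking, moving, or deleting anything. The mailbox address, host, credentials and the three sample reports are constructed for the example.

```python
"""Pre-flight check for the phishing mailbox (added example).

Flags reports that the prerequisites above rule out: encrypted messages
(S/MIME or PGP/MIME) and Outlook .msg attachments where an .eml is expected.
The sample messages, mailbox name, host and credentials are constructed for
this example; none of this is Case Manager's own code.
"""
import email
import imaplib
from email import policy
from email.message import EmailMessage

# Content types that mean a message body or attachment is encrypted.
ENCRYPTED_TYPES = {
    "application/pkcs7-mime",      # S/MIME enveloped data
    "application/x-pkcs7-mime",
    "multipart/encrypted",         # PGP/MIME
}
OUTLOOK_MSG_TYPE = "application/vnd.ms-outlook"


def check_message(raw: bytes) -> list:
    """Return the reasons a raw RFC 822 message would not ingest cleanly.

    An empty list means it passes both prerequisites.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    problems = []
    top_type = msg.get_content_type()
    if top_type in ENCRYPTED_TYPES:
        problems.append(f"message is encrypted ({top_type})")
    # iter_attachments() yields nothing for a non-multipart message.
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        ptype = part.get_content_type()
        if ptype == OUTLOOK_MSG_TYPE or name.lower().endswith(".msg"):
            problems.append(f"attachment {name} is an Outlook MSG file, not EML")
        elif ptype in ENCRYPTED_TYPES:
            problems.append(f"attachment {name} is encrypted ({ptype})")
    return problems


def audit_inbox(host: str, user: str, password: str, port: int = 993) -> dict:
    """Run check_message() over every message in the inbox over IMAP + SSL.

    The mailbox is selected read-only and fetched with BODY.PEEK[] so the
    check sets no \\Seen flags and moves or deletes nothing, as the
    prerequisites require. Host and credentials are assumed, not real.
    """
    results = {}
    with imaplib.IMAP4_SSL(host, port) as conn:
        conn.login(user, password)
        conn.select("INBOX", readonly=True)
        _, data = conn.search(None, "ALL")
        for num in data[0].split():
            _, fetched = conn.fetch(num, "(BODY.PEEK[])")
            results[num.decode()] = check_message(fetched[0][1])
    return results


def _report(sender: str, attach=None, **attach_kw) -> EmailMessage:
    """Constructed report addressed to the (assumed) phishing mailbox."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "phishing@mycompany.example"
    msg["Subject"] = "FW: Overdue invoice - action required"
    msg.set_content("Reporting a suspicious email, see attached.")
    if attach is not None:
        msg.add_attachment(attach, **attach_kw)
    return msg


def sample_messages() -> dict:
    """Three constructed reports: one good, two that violate the prerequisites."""
    phish = EmailMessage()                       # the email the employee received
    phish["From"] = "billing@invoice-portal.example.net"
    phish["To"] = "alice@mycompany.example"
    phish["Subject"] = "Overdue invoice - action required"
    phish.set_content("Log in at the link below to avoid suspension.")

    # Correct: the phish forwarded as a message/rfc822 (.eml) attachment.
    good = _report("alice@mycompany.example", phish, filename="suspicious.eml")
    # Wrong: the phish saved from Outlook as a .msg file.
    bad_msg = _report("bob@mycompany.example", b"\xd0\xcf\x11\xe0constructed-olefile",
                      maintype="application", subtype="vnd.ms-outlook",
                      filename="suspicious.msg")
    # Wrong: an S/MIME-encrypted report; the whole body is an enveloped-data blob.
    encrypted = EmailMessage()
    encrypted["From"] = "carol@mycompany.example"
    encrypted["To"] = "phishing@mycompany.example"
    encrypted["Subject"] = "FW: Overdue invoice - action required"
    encrypted.set_content(b"constructed-ciphertext", maintype="application",
                          subtype="pkcs7-mime", filename="smime.p7m",
                          params={"smime-type": "enveloped-data"})
    return {"eml_attachment": good.as_bytes(),
            "msg_attachment": bad_msg.as_bytes(),
            "smime_encrypted": encrypted.as_bytes()}


if __name__ == "__main__":
    for name, raw in sample_messages().items():
        print(name, "->", check_message(raw) or "OK")
```

Run it against the live inbox with audit_inbox("imap.mycompany.example", "phishing@mycompany.example", password) only after Case Manager's own ingest is stopped or paused, since the two will otherwise be reading the same mailbox; the read-only select and BODY.PEEK[] keep the script from changing flags or deleting messages, which is what the "no one should touch the emails" prerequisite is protecting.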
In the navigation bar, click the menu icon, select Settings, then navigate to Case Management > Incident Ingestion.
Select the EMAIL tab.
Select the add button.
Fill in the fields.
To validate the source, select TEST CONNECTIVITY. If you receive an error, verify that you entered the correct information, then retest the connection.
Select SAVE.
Restart Email Ingest
If email ingest isn't working, restart it to troubleshoot.
In the navigation bar, click the menu icon, select Settings, then navigate to Case Management > Incident Ingestion.
Select the EMAIL INGEST tab.
Hover over an email server, then click the edit icon.
Click Start.
If email ingest starts successfully, the server appears in the list of email feeds with a Running status.
Create an Incident Rule
Assign, prioritize, and restrict new incidents with incident rules.
When Case Manager creates an incident, an incident rule evaluates it against one or more conditions that you define, then assigns it to a queue or priority, or restricts access to it. For example, you can create an incident rule that assigns an incident to a Tier 3 queue if an email's To field is phishing@mycompany.com.
Case Manager evaluates an incident against each rule in the list from top to bottom. Once the incident reaches the first rule for which it matches the conditions, Case Manager stops evaluating and ignores the remaining rules in the list.
In the navigation menu, click the menu icon, select Settings, then navigate to Case Management > Incident Rules.
Click Add new triage rules.
Enter information about the rule.
Note
The conditions are case sensitive. For example, if you set a condition so the "to" field is JohnSmith@company.com, the rule won't trigger if the "to" field is johnsmith@company.com.
Click SAVE.
Reorder Incident Rules
An incident is evaluated against each rule in the list from top to bottom. It stops evaluating once it reaches the first rule that matches the condition and ignores the remaining rules in the list.
In the navigation menu, click the menu icon, select Settings, then navigate to Case Management > Incident Rules.
To move a rule up or down in the list, select the up or down arrow next to the rule.
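Because evaluation is top-to-bottom and stops at the first match, a broad rule placed above a narrow one silently shadows it, and a condition that differs only in letter case never fires. The model below is an added example that re-implements the behaviour described in Create an Incident Rule and Reorder Incident Rules so you can check the effect of an ordering before changing the real list; it is not Case Manager's rule engine, and the field names, rule shape and sample incidents are assumptions made for the example.

```python
"""Illustrative model of incident-rule evaluation (added example).

Re-implements the behaviour the text describes (top-to-bottom evaluation,
first match wins, case-sensitive conditions) so the effect of rule order can
be checked before touching the real rule list. Not Case Manager's engine;
the field names, rule shape and sample incidents are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    title: str
    conditions: dict                  # field name -> exact expected value
    queue: Optional[str] = None
    priority: Optional[str] = None
    restricted_from: list = field(default_factory=list)

    def matches(self, incident: dict) -> bool:
        # Every condition must hold, compared exactly: no case folding, so
        # "JohnSmith@company.com" does not match "johnsmith@company.com".
        return all(incident.get(name) == value
                   for name, value in self.conditions.items())


def evaluate(incident: dict, rules: list) -> Optional[Rule]:
    """Return the first rule in list order whose conditions all match.

    Evaluation stops at that rule; rules below it are never consulted.
    """
    for rule in rules:
        if rule.matches(incident):
            return rule
    return None


def move_rule(rules: list, title: str, direction: str) -> list:
    """Swap a rule with its neighbour, like the up/down arrows in the UI."""
    i = next(idx for idx, r in enumerate(rules) if r.title == title)
    j = i - 1 if direction == "up" else i + 1
    if 0 <= j < len(rules):
        rules[i], rules[j] = rules[j], rules[i]
    return rules


def sample_rules() -> list:
    """Constructed rule list in the order an admin might first create it."""
    return [
        # Broad rule: any email-sourced incident goes to Tier 1.
        Rule("All email incidents", {"source": "email"}, queue="Tier 1"),
        # Narrower rule that can never fire while it sits below the broad one.
        Rule("Reported phishing",
             {"source": "email", "to": "phishing@mycompany.com"},
             queue="Tier 3", priority="High"),
    ]


def triage(incident: dict, rules: list) -> str:
    """Queue the incident would land in, or 'unassigned' if no rule matches."""
    rule = evaluate(incident, rules)
    return rule.queue if rule and rule.queue else "unassigned"


if __name__ == "__main__":
    phish = {"source": "email", "to": "phishing@mycompany.com"}
    rules = sample_rules()
    print(triage(phish, rules))      # Tier 1: the broad rule shadows the specific one
    move_rule(rules, "Reported phishing", "up")
    print(triage(phish, rules))      # Tier 3
    # Case mismatch in the To field skips the Tier 3 rule and falls through.
    print(triage({"source": "email", "to": "Phishing@mycompany.com"}, rules))  # Tier 1
```

The practical rule of thumb this demonstrates: order the list from most specific to most general, and put any catch-all rule last; after each reorder, re-run a handful of representative incidents through the list rather than reasoning about it by eye.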
Edit an Incident Rule
Change the title, conditions, and details of an incident rule.
In the navigation menu, click the menu icon, select Settings, then navigate to Case Management > Incident Rules.
Hover over an incident rule, then select Edit Rule.
Change the rule title, conditions, the queue or priority an incident is assigned to, and/or who it is restricted from.
Click SAVE.
Delete an Incident Rule
When Case Manager ingests an incident, it evaluates it against an incident rule. If you don't want to evaluate an incident against a certain rule, delete the rule.
In the navigation menu, click the menu icon, select Settings, then navigate to Case Management > Incident Rules.
Hover over an incident rule, then select Delete Rule.
A warning appears. Click DELETE.