Configure Case Manager

Ingest Data into Case Manager

To use Case Manager, you must ingest data from an incident source and pull a specific type of data using an incident feed. After Case Manager has this data, it can create incidents for you to work on.

An incident source is the server from which Case Manager ingests data, like:

  • Advanced Analytics. Case Manager automatically creates an incident when a user or asset crosses a risk threshold and becomes notable.

  • A security product such as a SIEM or an endpoint solution.

  • Microsoft Office 365 or Outlook via email ingest.

An incident feed is the type of data you pull from that source (Carbon Black, FireEye, etc.). You must configure an incident source before you configure an incident feed.

You can create, edit, or delete incident sources and feeds.

Add an Incident Source

Add an incident source, like ServiceNow, Splunk, or IBM QRadar, to ingest logs from those servers into Case Manager. You must add an incident source before you add an incident feed.

Before you begin, have the following details for the source:

  • IP address or host name of the server

  • TCP port

  • Username and password. Use a dedicated service account with only the access the feed needs, rather than a personal or administrator login.

To add ServiceNow, additional prerequisites apply.

  1. In the navigation bar, click the menu icon, select Settings, then navigate to Case Management > Incident Ingestion.

  2. Select the INCIDENT SOURCES tab.

  3. Click Add a new incident source.

  4. Enter the connection details for the incident source.

  5. To validate your connection to the source, click TEST CONNECTIVITY. If you see an error, verify the information you entered, then retest the connection.

  6. Click SAVE.

    To specify the type of data to query from the source, add an incident feed.

Add an Incident Feed

If you've added an incident source, specify the type of data to query from the source.

  1. Ensure that you've added an incident source.

  2. In the navigation bar, click the menu icon, select Settings, then navigate to Case Management > Incident Ingestion.

  3. Select the INCIDENT FEEDS tab.

  4. Click Add a new incident feed.

  5. Fill in the fields, then click SAVE.

  6. Click RESTART LOG INGESTION ENGINE.

  7. Choose to restart the log ingestion engine immediately or at a date you specify, then click RESTART.

Email Ingest

Ingest suspicious emails and investigate phishing incidents using Email Ingest.

Case Manager Email Ingest creates incidents from potential phishing emails. It ingests suspicious emails from a designated phishing mailbox, parses relevant fields, creates an incident, then deletes the email from the inbox.

Configure Email Ingest

Link Case Manager to the mailbox where users forward suspicious emails so that Case Manager can ingest them. You need:

  • A dedicated phishing inbox that Case Manager has access to. Because Email Ingest deletes each email after it creates the incident, no one should delete, move, or otherwise touch the emails in this inbox. The mailbox cannot be a shared mailbox or subfolder.

  • Credentials for the phishing inbox. The account and credentials must have read and write access to the entire mailbox.

  • Connection to IMAP, POP3, or Exchange on one of the following ports. Prefer the SSL ports: plain IMAP (143) and POP3 (110) send the mailbox password and every reported email in clear text unless the connection is upgraded with STARTTLS.

    Protocol        Port
    IMAP            143
    IMAP + SSL      993
    POP3            110
    POP3 + SSL      995
    Exchange        443

Note

For SaaS Cloud deployments, only port 443 is open. To open other ports, contact your Technical Account Manager.

  1. Ensure that the reported emails aren't encrypted and that forwarded emails are attached in EML format. MSG files are not yet supported.

  2. In the navigation bar, click the menu icon, select Settings, then navigate to Case Management > Incident Ingestion.

  3. Select the EMAIL tab.

  4. Click the add button.

  5. Fill in the fields.

  6. To validate the source, select TEST CONNECTIVITY. If you receive an error, verify that you entered the correct information.

  7. Select SAVE.
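
What the parsing step behind Email Ingest has to do, as an added example that is not Case Manager's code: take one message from the phishing mailbox, extract the fields an incident needs, read the forwarded .eml, and reject the two cases the steps above rule out (encrypted mail and MSG attachments). The incident layout, the UnsupportedEmail exception, and both sample messages are constructed for illustration.

```python
"""Parse a phishing-mailbox report into an incident record (added example).

Not Case Manager's code. The incident dict layout, UnsupportedEmail, and the
two sample messages below are constructed for illustration.
"""
from __future__ import annotations

import email
import re
from email import policy
from email.message import EmailMessage

# Constructed sample: a user forwards a phish as an .eml attachment.
RAW_REPORT = b"""\
From: Jane Doe <jane.doe@mycompany.com>
To: phishing@mycompany.com
Subject: FW: Urgent invoice
Date: Mon, 01 Jan 2024 09:00:00 +0000
Message-ID: <report-1@mycompany.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/plain; charset=us-ascii

Looks suspicious, please check.

--outer
Content-Type: message/rfc822
Content-Disposition: attachment; filename="phish.eml"

From: "Accounts" <billing@mycompany-invoices.example>
To: jane.doe@mycompany.com
Subject: Urgent invoice
Message-ID: <phish-1@mycompany-invoices.example>
Content-Type: text/html; charset=us-ascii

<a href="http://mycompany-invoices.example/login">Pay now</a>
--outer--
"""

# Constructed sample of the unsupported case: the phish attached as an Outlook .msg.
RAW_MSG_REPORT = b"""\
From: Jane Doe <jane.doe@mycompany.com>
To: phishing@mycompany.com
Subject: FW: suspicious
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b"

--b
Content-Type: text/plain; charset=us-ascii

See attached.
--b
Content-Type: application/vnd.ms-outlook
Content-Disposition: attachment; filename="phish.msg"
Content-Transfer-Encoding: base64

AAAA
--b--
"""

ENCRYPTED_TYPES = {"application/pkcs7-mime", "multipart/encrypted"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


class UnsupportedEmail(ValueError):
    """Mail the ingest cannot turn into an incident (encrypted, or .msg attached)."""


def addr_specs(header) -> list[str]:
    """Bare addresses from an address header; empty list if the header is absent."""
    return [a.addr_spec for a in header.addresses] if header is not None else []


def summarize_forwarded(inner: EmailMessage, filename: str) -> dict:
    """Fields of the forwarded phish that an analyst triages first."""
    body = inner.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    return {
        "filename": filename,
        "from": (addr_specs(inner["From"]) or [""])[0],
        "subject": str(inner["Subject"] or ""),
        "message_id": str(inner["Message-ID"] or ""),
        "urls": sorted(set(URL_RE.findall(text))),
    }


def parse_report(raw: bytes) -> dict:
    """Turn one message from the phishing mailbox into an incident record.

    Raises UnsupportedEmail for encrypted content at any MIME level and for
    .msg attachments, mirroring the "EML only, not encrypted" requirement.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() in ENCRYPTED_TYPES:
            raise UnsupportedEmail(f"encrypted content: {part.get_content_type()}")

    note = msg.get_body(preferencelist=("plain",))
    incident = {
        "reporter": (addr_specs(msg["From"]) or [""])[0],
        "reported_to": addr_specs(msg["To"]),  # the field a triage rule can key on
        "subject": str(msg["Subject"] or ""),
        "message_id": str(msg["Message-ID"] or ""),
        "note": note.get_content().strip() if note is not None else "",
        "forwarded": [],
    }
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ctype = part.get_content_type()
        if ctype == "application/vnd.ms-outlook" or name.lower().endswith(".msg"):
            raise UnsupportedEmail(f"MSG attachment not supported: {name}")
        if ctype == "message/rfc822":
            inner = part.get_content()  # already parsed as a nested message
        elif name.lower().endswith(".eml"):
            # Some clients attach .eml as application/octet-stream: parse it ourselves.
            inner = email.message_from_bytes(part.get_payload(decode=True), policy=policy.default)
        else:
            continue  # other attachment types are left for the analyst
        incident["forwarded"].append(summarize_forwarded(inner, name))
    return incident


if __name__ == "__main__":
    import json
    print(json.dumps(parse_report(RAW_REPORT), indent=2))
    try:
        parse_report(RAW_MSG_REPORT)
    except UnsupportedEmail as exc:
        print("rejected:", exc)
```

The `reported_to` list is the value an incident rule's "to" condition would be compared against, so keep it as delivered (no case folding) if the rules are meant to match the exact address.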

Restart Email Ingest

If email ingest isn't working, restart it to troubleshoot.

  1. In the navigation bar, click the menu icon, select Settings, then navigate to Case Management > Incident Ingestion.

  2. Select the EMAIL INGEST tab.

  3. Hover over an email server, then click edit.

  4. Click Start.

    If email ingest starts successfully, the server appears in the list of email feeds with a Running status.

Create an Incident Rule

Assign, prioritize, and restrict new incidents with incident rules.

When Case Manager creates an incident, an incident rule evaluates it against one or more conditions that you define, then assigns it to a queue, sets its priority, or restricts who can access it. For example, you can create an incident rule that assigns an incident to a Tier 3 queue if an email's To field is phishing@mycompany.com.

Case Manager evaluates an incident against each rule in the list from top to bottom. At the first rule whose conditions match, Case Manager stops evaluating and ignores the remaining rules in the list. Order rules from most specific to most general: a broad rule near the top prevents every rule below it from ever firing for the incidents it matches.

  1. In the navigation menu, click the menu icon, select Settings, then navigate to Case Management > Incident Rules.

  2. Click Add new triage rules.

  3. Enter the rule title and its conditions, and the queue, priority, or access restriction to apply when they match.

    Note

    The conditions are case sensitive. For example, if you set a condition so the "to" field is JohnSmith@company.com, the rule won't trigger if the "to" field is johnsmith@company.com.

  4. Click SAVE.

Reorder Incident Rules

Case Manager evaluates an incident against each rule in the list from top to bottom and stops at the first rule whose conditions match, ignoring the remaining rules. Move the most specific rules above the general ones.

  1. In the navigation menu, click the menu icon, select Settings, then navigate to Case Management > Incident Rules.

  2. To move a rule up or down in the list, click the up or down arrow next to the rule.
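
The first-match behaviour described under Create an Incident Rule and Reorder Incident Rules, as an added example that is not Case Manager's code: rules run top to bottom, the first rule whose conditions all hold decides queue, priority and access restriction, and a check reports which rules a reorder has silently shadowed. The Rule and Condition shapes, the operator names "equals" and "contains", and the sample rules and incidents are assumptions made for illustration.

```python
"""First-match incident triage with a shadowed-rule check (added example).

Not Case Manager's code. Rule/Condition shapes, the operator names, and the
sample rules and incidents are assumptions made for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Condition:
    field_name: str
    op: str          # "equals" or "contains" (assumed operator names)
    value: str

    def matches(self, incident: dict) -> bool:
        actual = str(incident.get(self.field_name, ""))
        # Exact, case-sensitive comparison, as the page states for conditions.
        if self.op == "equals":
            return actual == self.value
        if self.op == "contains":
            return self.value in actual
        raise ValueError(f"unknown operator {self.op!r}")


@dataclass(frozen=True)
class Rule:
    title: str
    conditions: tuple[Condition, ...]   # all must hold for the rule to fire
    queue: Optional[str] = None
    priority: Optional[str] = None
    restricted_from: tuple[str, ...] = ()


def fires(rule: Rule, incident: dict) -> bool:
    return all(c.matches(incident) for c in rule.conditions)


def triage(incident: dict, rules: list[Rule]) -> tuple[Optional[str], dict]:
    """Return (title of the rule that fired, its assignment); (None, {}) if none did."""
    for rule in rules:                   # list order is evaluation order
        if fires(rule, incident):
            return rule.title, {
                "queue": rule.queue,
                "priority": rule.priority,
                "restricted_from": list(rule.restricted_from),
            }
    return None, {}


def shadowed_rules(rules: list[Rule], incidents: list[dict]) -> list[str]:
    """Rules that some sample incident matches but that never fire because an
    earlier rule always wins: the symptom of a broad rule placed too high."""
    fired = {triage(i, rules)[0] for i in incidents}
    matchable = {r.title for r in rules if any(fires(r, i) for i in incidents)}
    return [r.title for r in rules if r.title in matchable and r.title not in fired]


# Sample rules, most specific first (constructed).
RULES = [
    Rule("Executive target",
         (Condition("to", "equals", "ceo@mycompany.com"),),
         queue="Tier 3", priority="Critical", restricted_from=("Tier 1 analysts",)),
    Rule("Phishing mailbox",             # the page's own example
         (Condition("source", "equals", "email"),
          Condition("to", "equals", "phishing@mycompany.com")),
         queue="Tier 3", priority="High"),
    Rule("All other email",
         (Condition("source", "equals", "email"),),
         queue="Tier 1", priority="Medium"),
]

# Sample incidents (constructed); the third arrives with a capitalised address.
INCIDENTS = [
    {"source": "email", "to": "phishing@mycompany.com", "subject": "FW: invoice"},
    {"source": "email", "to": "ceo@mycompany.com", "subject": "wire transfer"},
    {"source": "email", "to": "Phishing@mycompany.com", "subject": "FW: reset"},
    {"source": "splunk", "to": "", "subject": "brute force"},
]

# The same rules with the catch-all moved to the top: what a careless reorder produces.
CATCH_ALL_FIRST = [RULES[2], RULES[0], RULES[1]]


if __name__ == "__main__":
    for inc in INCIDENTS:
        print(inc["to"] or inc["source"], "->", triage(inc, RULES))
    print("shadowed, specific first:", shadowed_rules(RULES, INCIDENTS))
    print("shadowed, catch-all first:", shadowed_rules(CATCH_ALL_FIRST, INCIDENTS))
```

The third incident falls through to the catch-all because "Phishing@mycompany.com" is not "phishing@mycompany.com" under case-sensitive matching; with the catch-all on top, the two specific rules are reported as shadowed and would never fire, which is the situation to check for after every reorder.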

Edit an Incident Rule

Change the title, conditions, and details of an incident rule.

  1. In the navigation menu, click the menu icon, select Settings, then navigate to Case Management > Incident Rules.

  2. Hover over an incident rule, then click Edit Rule.

  3. Change the rule title, the conditions, the queue or priority an incident is assigned to, or who it is restricted from.

  4. Click SAVE.

Delete an Incident Rule

When Case Manager ingests an incident, it evaluates it against the incident rules in order. If you no longer want incidents evaluated against a certain rule, delete the rule.

  1. In the navigation menu, click the menu icon, select Settings, then navigate to Case Management > Incident Rules.

  2. Hover over an incident rule, then click Delete Rule.

  3. A warning appears. Click DELETE.