Customize Incidents
Customize incident types, fields, and layouts to better align Case Manager with your existing or other internal ticketing systems.
Depending on your organization and your industry, consider customizing incidents to tailor Case Manager to your needs. For example, a hospital SOC may create a HIPAA field to review the percentage of historical incidents in which HIPAA data was breached, or view all active incidents that contain HIPAA data.
Start by creating an incident type. Then, create custom fields for that type and organize them into a layout that works best for you.
For each incident type, create phases and tasks to standardize your team's response to that type of incident and ensure that responders take certain steps.
Incident Types
Standardize information, actions, and evidence for common security incidents using incident types.
An incident type is a category that represents a security scenario. When you create an incident type, you standardize incident fields, phases, tasks, and playbooks, and ensure you have the information and tools you need to resolve an incident based on attack vector or case context.
For example: In your organization, a phishing campaign targets multiple users, and each user automatically triggers and creates an incident. Since all these incidents are of a specific type—phishing—you need a specific set of information, actions, and evidence to resolve them, like sender, recipient, or email subject. The phishing incident type makes sure those are all included in a phishing incident so you have everything you need to research and resolve it.
Create an Incident Type
Create an incident type to represent a common security scenario and standardize information, actions, and evidence.
In the navigation bar, click the menu, select Settings, then navigate to Case Management > Incident Configuration.
In the Types tab, click ADD TYPE.
In the CREATE INCIDENT TYPE menu, enter a name and description for the incident type.
Click SAVE. The new incident type appears in the list of incident types with a Custom status.
For your new incident type, create custom incident fields or design a custom layout.
Delete an Incident Type
When you delete an incident type, you can no longer apply the type to any incidents. You won't delete an existing incident that was assigned the type or any of its data.
In the navigation bar, click the menu, select Settings, then navigate to Case Management > Incident Configuration.
In the TYPES tab, hover over an incident type, select the More menu, then select Delete.
A warning appears. Click DELETE.
Customize the Layout of an Incident Type
If you created an incident type, organize the incident fields based on what's relevant to the type. For example, for a phishing incident type, design a layout that includes incident fields like subject, sender, and email body.
In the navigation bar, click the menu, select Settings, then navigate to Case Management > Incident Configuration.
To create an incident type or edit an existing type, hover over the incident type, select the More menu, then select Edit.
Design the layout:
To add a field to the layout, select a field, then click and drag the field from the left-side column to the editor on the right.
To find a field, select the search icon, then enter a search term, or select Sort by: to sort them.
To create a custom field, click + ADD FIELD.
To rearrange fields in the editor, click and drag the fields to where they should be positioned.
To remove a field from the layout, hover over the field, then click REMOVE.
Click SAVE.
Create a Custom Incident Field
If you created an incident type, create specific incident fields for that type to standardize the information you need.
In the navigation bar, click the menu, select Settings, then navigate to Case Management > Incident Configuration.
Select the FIELDS tab.
Click ADD FIELDS.
Enter information about your field. The information required varies based on field type.
To list multiple values, select List predefined options. If people can enter or select multiple values from this list, select Can enter or select multiple values.
Click SAVE.
Edit a Custom Incident Field
When you edit an incident field, the changes only apply to new incidents. If an existing incident has this field, it doesn't change.
In the navigation bar, click the menu, select Settings, then navigate to Case Management > Incident Configuration.
Select the FIELDS tab.
Hover over an incident type, click the More menu, then select Edit.
Edit the field inputs.
Click SAVE.
Delete a Custom Incident Field
When you delete an incident field, the field still appears in incidents that already have it, but you can't add it to a new incident layout.
In the navigation bar, click the menu, select Settings, then navigate to Case Management > Incident Configuration.
Select the FIELDS tab.
Hover over an incident field, click the More menu, then select Delete.