
Send Messages from an Incident

Send messages, collaborate, and track information right from within an incident.

From an incident's details, under the Messages tab, send messages and securely distribute information about an incident to your team members or those outside your SOC.

There are two types of messages:

  1. Case Notes - Comments added directly to and contained within an incident. Case Notes are enabled by default.

  2. Incident Emails - Messages to those in your organization who can't access Case Manager or are external to your SOC. You send, receive, and track emails directly from an incident. You can add an email attachment to an incident as an artifact.

You can sort, filter, and restrict views to both types of messages.

Case Notes

Add findings or data to your investigation and communicate with people from directly within an incident using case notes.

A case note is free-form text you use to add descriptions, observations, and artifacts to your incident. Use case notes when your findings or data points are relevant to your investigation but do not fit in the generic incident fields and categories, or Case Manager can't measure or filter them.

Case notes are one way you message people directly from an incident. You can view an incident's case notes if you can access Case Manager and the incident. To collaborate with people who can't access Case Manager and still track the conversation within the incident, send an email.

Add a Case Note to an Incident

Add descriptions, observations, and artifacts to your incident using case notes.

  1. On the INCIDENTS page, select an incident.

  2. On the Messages tab, click NEW CASE NOTE.

  3. Enter the case findings, like descriptions, observations, and artifacts.

  4. Click ADD CASE NOTE.

Incident Emails

To collaborate with people who can't access Case Manager, send an email directly from an incident.

Email people who can't access Case Manager, like non-SOC staff in your organization, to exchange questions, instructions, and feedback about an investigation.

Case Manager transports emails using your organization's email servers. Your email server or service policies may restrict your email size and who you can send emails to.

Send an Email from an Incident

Send emails directly from an incident to communicate with people who can't access Case Manager.

  1. From the navigation bar, click INCIDENTS, then select an incident.

  2. On the Messages tab, click NEW EMAIL MESSAGE.

  3. Compose the email and attach evidence.

  4. Click SEND.

Send Attachments With Your Incident Email

To add evidence to an incident, send and receive attachments directly from an incident. When you receive an attachment, safely preview it, view attribute details, and download it.

Your internal mailbox and email policies may restrict attachments, for example by size and file type.

  1. In the navigation bar, click INCIDENTS, select an incident, then select the Messages tab.

  2. Create a new email, then click INSERT ATTACHMENT. The attachment appears as an icon in the email body.

  3. Click SEND. The attachment is added to the incident.

    After 60 days, the attachment is purged, but the email text is not. To add the attachment to the incident indefinitely so you can run actions and playbooks on it, convert it into an artifact.

Convert an Email Attachment to an Artifact

When you receive an email attachment, convert it to an artifact to investigate it further.

  1. On the INCIDENTS page, select an incident, then select the Messages tab.

  2. Ensure that the artifact doesn't already exist. Otherwise, you may duplicate an artifact you've already created.

  3. Find the email that contains the attachment.

  4. On the attachment, click the More menu (three vertical dots), then select Add to Artifacts List.

Download an Email Attachment

Download an attachment you received in an incident email.

  1. On the INCIDENTS page, select an incident, then select the Messages tab.

  2. Find the email that contains the attachment.

  3. On the attachment, click the More menu (three vertical dots), then select Download.