Add Advanced Analytics Evidence to a Case Manager Incident

If an Advanced Analytics-generated incident doesn't include all the entities or artifacts you need, add them to the incident directly from Advanced Analytics.

When an Advanced Analytics user or asset session crosses a configured risk threshold, Case Manager automatically creates an incident. By default, Advanced Analytics adds some evidence from notable events to the incident as entities or artifacts. If it misses any entities or artifacts you need, or if you discover more relevant entities or artifacts as you investigate the timeline, add them to the incident directly from the notable session.

When you update an incident with the relevant entities and artifacts, you can use them in playbooks to effectively triage, investigate, and respond to incidents.

You can only add Advanced Analytics evidence to an existing incident. You can't create a new incident directly from a notable session.

  1. Navigate to an Advanced Analytics asset or user Smart Timeline:

    • To navigate from a Case Manager incident: navigate to the incident, find the Timeline Page incident field, then select Go to page.

    • To navigate to an asset Smart Timeline in Advanced Analytics: On the HOME page, find the NOTABLE ASSETS watchlist or other watchlist you created, then select an asset's risk score. Or, from a watchlist, select the asset's name, then under RISK REASONS click GO TO TIMELINE.

    • To navigate to a user Smart Timeline in Advanced Analytics: On the HOME page, find the NOTABLE USERS, Account Lockouts, Executive Users, or other watchlist you created, then select a user's risk score. Or, from a watchlist, select the user's name, then under RISK REASONS click GO TO TIMELINE.

    • Search for a user or asset, select from the results, then under RISK REASONS click GO TO TIMELINE.

  2. Select an event in the Smart Timeline. The event expands so you can review further details.

  3. Click the More menu (three vertical grey dots), then click Add to Incident.

  4. Select a Case Manager incident from the list of your most recent assigned incidents, or start typing to search for a specific incident. If you navigated directly from a Case Manager incident, this field is automatically populated.

  5. Select the entities and/or artifacts. To create all the entities or artifacts, select the first checkbox.

  6. Select ADD TO INCIDENT.