
Manually Add an Entity

Add the primary objects you're investigating to the incident. See The Difference Between Entities and Artifacts.

Add a File Entity

  1. Navigate to an incident or its workbench:

    • To start from an incident, in the navigation bar, click INCIDENTS, then select an incident.

    • To start from an incident's workbench, in the navigation bar, click INCIDENTS, select an incident, then select View Workbench.

  2. Click Add a new entity (the grey circle with a white computer and a blue circle with a white + in the top right).

    In an incident, you may also locate the Entities panel and click Add a new entity (the blue circle with a white plus sign).

  3. Under Entity type, select File.

  4. To extract a file's name, hash, and size, select Upload file. To manually fill all fields, select Manually enter file details.

    • If you selected Upload file:

      1. Click UPLOAD FILE, then select a file from your system.

      2. Under File path, enter where the file is located in your file system.

    • If you selected Manually enter file details, fill in the fields:

      • File name – Enter the name used to uniquely identify the file in the file system.

      • Hash type – Enter at least one hash value from an MD5, SHA256, SHA1, or SHA512 function.

  5. Click SAVE. The entity appears in the incident under the Entities panel.
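
When you choose Manually enter file details, the file name, size, and hash values can be computed locally instead of uploading the sample. The following Python sketch is an added example, not part of the product documentation; the function and field names are hypothetical. It reads a file once to produce all four accepted digests and checks a pasted hash against the expected length for each hash type.

```python
import hashlib
import os
import re

# Hex digest lengths for the four hash types the form accepts.
HASH_LENGTHS = {32: "MD5", 40: "SHA1", 64: "SHA256", 128: "SHA512"}


def file_entity_fields(path, chunk_size=1 << 20):
    """Return file name, path, size and all four digests for one file.

    The file is read once in chunks so large evidence files do not have
    to fit in memory. Field names are illustrative, not a product API.
    """
    digests = {n: hashlib.new(n) for n in ("md5", "sha1", "sha256", "sha512")}
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            size += len(chunk)
            for d in digests.values():
                d.update(chunk)
    fields = {
        "file_name": os.path.basename(path),
        "file_path": os.path.abspath(path),
        "size_bytes": size,
    }
    fields.update({n.upper(): d.hexdigest() for n, d in digests.items()})
    return fields


def classify_hash(value):
    """Normalise a pasted hash; return (hash_type, value) or raise ValueError."""
    cleaned = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", cleaned):
        raise ValueError("hash contains non-hexadecimal characters")
    try:
        return HASH_LENGTHS[len(cleaned)], cleaned
    except KeyError:
        raise ValueError(f"unexpected hash length {len(cleaned)}") from None


if __name__ == "__main__":
    import sys
    for key, val in file_entity_fields(sys.argv[1]).items():
        print(f"{key}: {val}")
```

Run it with the path of the file under investigation as the only argument, then copy the printed values into the form.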

Add a Device Entity

  1. Navigate to an incident or its workbench:

    • To start from an incident, in the navigation bar, click INCIDENTS, then select an incident.

    • To start from an incident's workbench, in the navigation bar, click INCIDENTS, select an incident, then select View Workbench.

  2. Click Add a new entity (the grey circle with a white computer and a blue circle with a white + in the top right).

    In an incident, you may also locate the Entities panel and click Add a new entity (the blue circle with a white plus sign).

  3. Under Entity type, select Device.

  4. To extract data from an existing host, IP or URL asset in Advanced Analytics, select Select from AA. To manually enter all details, select Custom.

    • If you selected Select from AA, start typing to search for a host or IP, select a result, then enter an associated URL. Fill in the fields:

      • Type – Select an operating system: Windows, Linux, or Mac.

      • Zone – Enter the internal network location the device last connected from. This may be a city, business unit, building, or room.

      • Location – Enter the city, U.S. state (if applicable), and country the device last connected from.

    • If you selected Custom, enter at least one Host, IP, or URL, then fill in the fields:

      • Type – Select an operating system: Windows, Linux, or Mac.

      • Zone – Enter the internal network location the device last connected from. This may be a city, business unit, building, or room.

      • Location – Enter the city, U.S. state (if applicable), and country the device last connected from.

  5. Click SAVE. The entity appears in the incident under the Entities panel.

Add a User Entity

  1. Navigate to an incident or its workbench:

    • To start from an incident, in the navigation bar, click INCIDENTS, then select an incident.

    • To start from an incident's workbench, in the navigation bar, click INCIDENTS, select an incident, then select View Workbench.

  2. Click Add a new entity (the grey circle with a white computer and a blue circle with a white + in the top right).

    In an incident, you may also locate the Entities panel and click Add a new entity (the blue circle with a white plus sign).

  3. Under Entity type, select User.

  4. To extract data from an existing user in Advanced Analytics, select Select from AA. To manually enter all details, select Custom.

    • If you selected Select from AA, start typing to search for a user, then select from the results. Case Manager extracts all data available in Advanced Analytics.

    • If you selected Custom, enter the user's Full Name or Username, then fill in the fields:

      • Account ID – Enter the account ID associated with the user's login credentials.

      • User email – Enter the user's work email address.

      • User title – Enter the user's job title.

      • User department – Enter the corporate department the user works in.

      • Employee type – Indicate the user's employee type; for example, full-time, part-time, or contractor.

      • Zone – Enter the internal network zone within your organization the user last connected from. This may be a city, business unit, building, or room.

      • User office phone – Enter the phone number the user uses at their office location.

      • User cell phone – Enter the user's personal cell phone number.

      • Manager name – Enter the full name of the user's manager.

      • Manager email – Enter the manager's work email address.

      • Manager title – Enter the manager's job title.

      • Manager office phone – Enter the phone number the manager uses at their office location.

      • Manager cell phone – Enter the manager's personal cell phone number.

  5. Click SAVE. The entity appears in the incident under the Entities panel.