
Entity Types

When you add an entity to an incident, it falls under one of three types. Each type contains a unique set of data, which you can input to action nodes in Incident Responder playbooks.

File – Any electronic file; for example, Word and Excel documents, Windows or Linux executables.

Device – A computer, either on an internal network or the internet.

User – A person identified by a corporate directory account ID, email address, or other means (app login ID, full name, etc.).

File Entity Data

Every entity type contains a unique set of data fields. The file entity contains data about the file path, size, hash, and more. In Incident Responder, you can input this data to a playbook action node.

When you click on a link that redirects you from Case Manager to Advanced Analytics, you must have View Unmasked Data (PII) privileges to view the data in Advanced Analytics if you've turned on data masking in Advanced Analytics settings.

Glossary

File created time

Date and time this file was created.

Example: 2019-05-06 15:56

File name

Name used to uniquely identify the file in the file system.

Example: barbarian.jar

File path

Where in the file system this file was located. If you add a hash, the entity will not contain this information.

Example: c:\user\windows\XXX

File size

How much space the file takes up in storage, in MB. If you add a hash, the entity will not contain this information.

Example: 1.7 MB

MD5

MD5 hash value.

Example: b1d64dfbc73158114f20dee14b994755

SHA1

SHA1 hash value.

Example: aed420a76e730364ca8d804873a7f3c6ca2ff4f4

SHA256

SHA256 hash value.

Example: ee424b6d4657808c1c634fcaa7fc52e2ec9f30b1cb8ed457178559d5f840b40b

SHA512

SHA512 hash value.

Example: 20a5ab43c7106846e4954adec2c2c1348d157beb686fbbb0f23a5efcf89cb49c4ab6c6c369869e05da7661d1386b5f439dfad9e6d60b11cac599be83b0146200

Source

Link to the file asset's Advanced Analytics notable session timeline. If you manually uploaded the file, there is no link.
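The hash fields above have fixed hex lengths, and a file entity added by hash carries no path or size. The following is an added example (not Case Manager's own code) of a small model that checks those field formats and selects the strongest well-formed hash for a playbook action node input; the `FileEntity` class, the hash preference order and the function names are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Hex-digit length of each hash field listed in the File entity glossary.
HASH_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
# Order in which to prefer a hash when an action node needs one value (assumed convention).
HASH_PREFERENCE = ("sha512", "sha256", "sha1", "md5")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

@dataclass
class FileEntity:
    """Subset of the File entity fields above; a constructed model, not Case Manager's own."""
    file_name: str
    md5: Optional[str] = None
    sha1: Optional[str] = None
    sha256: Optional[str] = None
    sha512: Optional[str] = None
    file_path: Optional[str] = None
    file_size_mb: Optional[float] = None

def validate_hashes(entity: FileEntity) -> list:
    """Return problems found in the hash fields; an empty list means every present hash is well-formed."""
    problems = []
    for algo, expected in HASH_LENGTHS.items():
        value = getattr(entity, algo)
        if value is None:
            continue
        if not HEX_RE.match(value):
            problems.append(f"{algo}: non-hex characters")
        elif len(value) != expected:
            problems.append(f"{algo}: expected {expected} hex digits, got {len(value)}")
    return problems

def is_hash_only(entity: FileEntity) -> bool:
    """True when the entity was added by hash: per the glossary, path and size are then absent."""
    has_hash = any(getattr(entity, algo) for algo in HASH_LENGTHS)
    return has_hash and entity.file_path is None and entity.file_size_mb is None

def best_hash(entity: FileEntity) -> Optional[tuple]:
    """Return (algorithm, lowercase value) for the strongest well-formed hash, or None if there is none."""
    bad = {problem.split(":")[0] for problem in validate_hashes(entity)}
    for algo in HASH_PREFERENCE:
        value = getattr(entity, algo)
        if value and algo not in bad:
            return (algo, value.lower())
    return None
```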

Device Entity Data

Every entity type contains a unique set of data. The device entity contains data about the device's host, IP address, top user, and more. In Incident Responder, you can input this data to a playbook action node.

When you click on a link that redirects you from Case Manager to Advanced Analytics, you must have View Unmasked Data (PII) privileges to view the data in Advanced Analytics if you've turned on data masking in Advanced Analytics settings.

Glossary

Alerts

Number of third-party security alerts this device has triggered.

Example: 2

City

City the device last connected from.

Example: San Francisco

Country

Country the device last connected from.

Example: United States

Data insights

Link to the device's Data Insights page in Advanced Analytics.

Entity frequency

Number of incidents that contain this entity. Click to view a list of all these incidents.

Example: 2

First seen

Date Advanced Analytics first detected the device in the network.

Example: 1 Apr 2018

IP

IP address assigned to the device.

Example: 10.78.121.42

Last seen

Date of the most recent sequence that involved this device.

Example: 4 May 2018

Risk score

The device's Advanced Analytics risk score at the time Case Manager created the incident. The risk score doesn't update as the notable session continues or when it closes. Click to return to the session and view the final risk score.

Example: 299

Source

Link to the device asset's Advanced Analytics notable session timeline.

State

U.S. state the device last connected from. If the device connected from outside the U.S., the artifact will not contain this information.

Example: California

Top user

Full name of the Advanced Analytics user that logs into this device most frequently. Click to view the user's profile in Advanced Analytics.

Example: Barbara Salazar

Type

Operating system: Windows, Linux, or Mac.

URL

URL associated with the IP address.

Example: www.ddddd.com

Watchlists

Number of watchlists the device appears on in the home page.

Example: 2

Zone

Internal network zone within your organization the device last connected from. This may be a city, business unit, building, or room.

Example: Atlanta office

User Entity Data

Every entity type contains a unique set of data. The user entity type contains data about the user's employment, contact information, manager, and more. In Incident Responder, you can input this data to a playbook action node.

When you click on a link that redirects you from Case Manager to Advanced Analytics, you must have View Unmasked Data (PII) privileges to view the data in Advanced Analytics if you've turned on data masking in Advanced Analytics settings.

Glossary

Account ID

Corporate directory account ID; it typically corresponds to a set of login credentials.

Example: bsalazar

Alerts

Number of third-party security alerts this user has triggered.

Example: 3

Data insights

Link to the user's Data Insights page in Advanced Analytics.

Employee type

Type of employee, as defined in the Advanced Analytics user_employee_type context table; for example, full-time, part-time, or contractor.

Example: full-time

Entity frequency

Number of incidents that contain this entity. Click to view a list of all these incidents.

Example: 2

First seen

Date when Exabeam first detected the user in the IT environment.

Example: 1 April 2018

Full name

First name and last name. Click to navigate to the user's profile in Advanced Analytics.

Example: Barbara Salazar

Last seen

Date the user last logged in to a device or network; the user's most recent Advanced Analytics login event.

Example: 4 May 2018

Manager cell phone

Manager's personal cell phone number.

Example: 212-408-5108

Manager email

Manager's work email address. Click to start writing an incident email to the manager.

Example: tu.peterson@example.com

Manager name

Full name of the user's manager. Click to navigate to the manager's user profile in Advanced Analytics.

Example: Tu Peterson

Manager office phone

Phone number the manager uses at their office location.

Example: 494-512-5019

Manager title

Manager's job title.

Example: VP of Human Resources

Photo

User's display picture in Advanced Analytics.

Risk score

The device's Advanced Analytics risk score at the time Case Manager created the incident. The risk score doesn't update as the notable session continues or when it closes. Click to return to the session and view the final risk score.

Example: 299

Source

Link to the user's Advanced Analytics notable session timeline.

Top device

Device the user logs into most frequently.

Example: srv_143lm_us

User cell phone

A private cell phone number.

Example: 274-557-3374

User department

Corporate department the user works in.

Example: HR

User email

User's work email address. Click to start writing an incident email to the user.

Example: barbara.salazar@example.com

User office phone

Phone number the user uses at their office location.

Example: 212-408-8076

User title

User's job title.

Example: Human Resources Coordinator

Username

Username in Advanced Analytics.

Example: Barb S.

Watchlist

Number of watchlists the user appears on in the home page.

Example: 2

Zone

Internal network zone within your organization the user last connected from. This may be a city, business unit, building, or room.

Example: Chicago