Configure Case Manager


Ingest Data into Case Manager

To use Case Manager, you must ingest data from an incident source and pull a specific type of data using an incident feed. After Case Manager has this data, it can create incidents for you to work on.

An incident source is the server from which Case Manager ingests data, like:

  • Advanced Analytics. Case Manager automatically creates an incident when a user or asset crosses a risk threshold and becomes notable.

  • A security product such as a SIEM or an endpoint solution.

  • Microsoft Office 365 or Outlook via email ingest.

An incident feed is the type of data you pull (Carbon Black, FireEye, etc.). You must configure an incident server before you configure an incident feed.

You can create, edit, or delete incident sources and feeds.

Add an Incident Source

Add an incident source, like ServiceNow, Splunk, or IBM QRadar, to ingest logs from those servers into Case Manager. You must add an incident source before specifying which logs to ingest. You need the following connection details for the source:

  • IP address or host name of the server

  • TCP port

  • Username and password

To add ServiceNow, you must complete specific prerequisites.

  1. In the navigation bar, click the menu icon (three white lines on a green background), select Settings, then select Core.

  2. Under INCIDENT INGESTION, select Incident Sources.

  3. Click Add a new incident source (the blue circle with a white plus sign).

  4. Enter information about the incident source:

  5. To validate your connection to the source, click TEST CONNECTIVITY. If you see an error, verify the information you entered, then retest the connection.

  6. Click SAVE.

    To specify the type of data to query from the source, add an incident feed.

Add an Incident Feed

If you've added an incident source, specify the type of data to query from the source.

  1. Ensure that you've added an incident source.

  2. In the navigation bar, click the menu icon (three white lines on a green background), select Settings, then select Core.

  3. Under INCIDENT INGESTION, select Incident Feeds.

  4. Click Add a new incident feed (the blue circle with a white plus sign).

  5. Fill in the fields, then click SAVE.

  6. Click RESTART LOG INGESTION ENGINE.

  7. Choose to restart the log engine immediately or specify a date, then click RESTART.

Email Ingest

Ingest suspicious emails and investigate phishing incidents using Email Ingest.

Case Manager Email Ingest creates incidents from potential phishing emails. It ingests suspicious emails from a designated phishing mailbox, parses relevant fields, creates an incident, then deletes the email from the inbox.

Configure Email Ingest

Link Case Manager to your phishing inbox to forward suspicious emails to Case Manager and ingest suspicious emails.

  • A dedicated phishing inbox that Case Manager has access to. No one should delete, move, or otherwise touch the emails in this inbox. The mailbox cannot be a shared mailbox or subfolder. You can't use the same email account you use for incident email.

  • Credentials for the phishing inbox. The account and credentials must have read and write access to the entire mailbox.

  • Connection to IMAP, POP3, or Exchange, on the port for the protocol you use:

    Protocol      Port
    IMAP          143
    IMAP + SSL    993
    POP3          110
    POP3 + SSL    995
    Exchange      443

  • If you use Microsoft Exchange Online with OAuth 2.0 modern authentication, ensure that you complete specific prerequisites.

Note

For SaaS Cloud deployments, only port 443 is open. To open other ports, contact your Technical Account Manager.

  1. Ensure that emails aren't encrypted and attachments are in EML format. MSG files are not yet supported.

  2. In the navigation bar, click the menu icon (three white lines on a green background), select Settings, then select Core.

  3. Under INCIDENT INGESTION, select Email Ingest.

  4. Enter information about your email connection:

  5. Click SAVE.

  6. To start ingesting emails, click START.

    By default, Case Manager ingests emails starting from today. To ingest emails starting from a different date, click Select a different date, then select a date in the calendar.
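Step 1 above requires that reported emails are not encrypted and that attached messages are EML rather than MSG. The following script is an added example, not part of the Case Manager documentation or product; it checks a reported email against those two prerequisites using Python's standard email library, with constructed sample reports (the example.com and example.net addresses are placeholders) so it runs offline.

```python
"""Pre-flight check for two Email Ingest prerequisites: the reported email must
not be encrypted, and attached messages must be EML, not Outlook MSG (added example)."""
import email
from email import policy
from email.message import EmailMessage

# Top-level content types that mean the report itself is encrypted (S/MIME, PGP/MIME).
ENCRYPTED_TYPES = {"multipart/encrypted", "application/pkcs7-mime",
                   "application/x-pkcs7-mime"}
MSG_TYPE = "application/vnd.ms-outlook"  # Outlook .msg container


def check_report(raw: bytes) -> dict:
    """Classify a reported email's attachments and flag what ingest would reject."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    result = {"encrypted": msg.get_content_type() in ENCRYPTED_TYPES,
              "eml": [], "msg": [], "other": []}
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ctype = part.get_content_type()
        if ctype == "message/rfc822" or name.endswith(".eml"):
            result["eml"].append(name)
        elif ctype == MSG_TYPE or name.endswith(".msg"):
            result["msg"].append(name)
        else:
            result["other"].append(name)
    return result


def sample_report(kind: str) -> bytes:
    """Construct a forward to the phishing mailbox (constructed sample data)."""
    report = EmailMessage()
    report["From"], report["To"] = "analyst@example.com", "phishing@example.com"
    report["Subject"] = "Suspicious email"
    if kind == "encrypted":     # S/MIME envelope instead of a readable body
        report.set_content(b"opaque", maintype="application", subtype="pkcs7-mime")
        return report.as_bytes()
    report.set_content("Please review the attached message.")
    if kind == "eml":           # nested message becomes a message/rfc822 part
        inner = EmailMessage()
        inner["From"], inner["Subject"] = "sender@example.net", "Account locked"
        inner.set_content("Click here to unlock.")
        report.add_attachment(inner, filename="suspicious.eml")
    else:                       # Outlook .msg container (stub bytes, not a real file)
        report.add_attachment(b"\xd0\xcf\x11\xe0 stub", maintype="application",
                              subtype="vnd.ms-outlook", filename="suspicious.msg")
    return report.as_bytes()
```

A report that comes back with `encrypted` set or with entries under `msg` would not be ingested as described above and should be re-sent unencrypted with the message attached as EML.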