Customize Incidents
Customize incident types, fields, and layouts to better align Case Manager with your existing or other internal ticketing systems.
Depending on your organization and industry, customize incidents to tailor Case Manager to your needs. For example, a hospital SOC may create a HIPAA field so it can track the percentage of historical incidents in which HIPAA data was breached, or list all active incidents that involve HIPAA data.
Start by creating an incident type. Then, create custom fields for that type and organize them into a layout that works best for you.
For each incident type, create phases and tasks to standardize your team's response to that type of incident and require analysts to complete specific steps.
Incident Types
Standardize information, actions, and evidence for common security incidents using incident types.
An incident type is a category that represents a security scenario. When you create an incident type, you standardize incident fields, phases, tasks, and playbooks, and ensure you have the information and tools you need to resolve an incident based on attack vector or case context.
For example: In your organization, a phishing campaign targets multiple users, and each user automatically triggers and creates an incident. Since all these incidents are of a specific type—phishing—you need a specific set of information, actions, and evidence to resolve them, like sender, recipient, or email subject. The phishing incident type makes sure those are all included in a phishing incident so you have everything you need to research and resolve it.
Create an Incident Type
Create an incident type to represent a common security scenario and standardize information, actions, and evidence.
In the navigation bar, click the menu icon, select Settings, then select Analytics.
Under Case Management, select Incident Configuration.
In the Types tab, click ADD TYPE.
In the CREATE INCIDENT TYPE menu, enter a name and description for the incident type.
Click SAVE. The new incident type appears in the list of incident types with a Custom status.
For your new incident type, create custom incident fields or design a custom layout.
Delete an Incident Type
When you delete an incident type, you can no longer apply that type to incidents. Existing incidents that were assigned the type, and their data, are not deleted.
In the navigation bar, click the menu icon, select Settings, then select Analytics.
Under Case Management, select Incident Configuration.
In the TYPES tab, hover over an incident type, select the More menu, then select Delete.
A warning appears. Click DELETE.
Customize the Layout of an Incident Type
If you created an incident type, organize the incident fields based on what's relevant to the type. For example, for a phishing incident type, design a layout that includes incident fields like subject, sender, and email body.
In the navigation bar, click the menu icon, select Settings, then select Analytics.
Under Case Management, select Incident Configuration.
In the TYPES tab, hover over the incident type whose layout you want to edit, select the More menu, then select Edit. (To create a new type first, see Create an Incident Type.)
Design the layout:
To add a field to the layout, select a field, then click and drag the field from the left-side column to the editor on the right.
To find a field, click the search icon and enter a search term, or use Sort by: to sort the list of fields.
To create a custom field, click + ADD FIELD.
To rearrange fields in the editor, click and drag the fields to where they should be positioned.
To remove a field from the layout, hover over the field, then click REMOVE.
Click SAVE.
Create a Custom Incident Field
If you created an incident type, create specific incident fields for that type to standardize the information you need.
In the navigation bar, click the menu icon, select Settings, then select Analytics.
Under Case Management, select Incident Configuration.
Select the FIELDS tab.
Click ADD FIELDS.
Enter information about your field. The information required varies based on field type.
To offer a fixed set of values, select List predefined options. If analysts should be able to enter or select more than one value from that list, also select Can enter or select multiple values.
Click SAVE.
Edit a Custom Incident Field
When you edit an incident field, the changes only apply to new incidents. If an existing incident has this field, it doesn't change.
In the navigation bar, click the menu icon, select Settings, then select Analytics.
Under Case Management, select Incident Configuration.
Select the FIELDS tab.
Hover over the incident field, click the More menu, then select Edit.
Edit the field inputs.
Click SAVE.
Delete a Custom Incident Field
When you delete an incident field, the field still appears in incidents that already have it but you can't add it to a new incident layout.
In the navigation bar, click the menu icon, select Settings, then select Analytics.
Under Case Management, select Incident Configuration.
Select the FIELDS tab.
Hover over an incident field, click the More menu, then select Delete.
Exabeam Phases
Organize your investigations and ensure everyone responds consistently using phases.
A phase is a general stage of your investigation process. Each phase contains the tasks an analyst must complete during that stage.
Phases and tasks ensure everyone across your organization responds to different security scenarios consistently. A manager builds a set of standard scenarios and creates processes for each one. When analysts investigate an incident, they follow this process, working on separate items in parallel so their efforts don't overlap.
Exabeam provides five phases out of the box:
Detection
Containment
Eradication & Mitigation
Recovery
Post-Incident Activity
Rename phases or create your own phase according to your needs. You can also delete and reorder phases.
Create a Phase
To standardize how you respond to incidents, break out your investigating process into phases and assign tasks to each one.
In the navigation bar, click the menu icon, select Settings, then select Analytics.
Under Case Management, select Incident Configuration.
Select the Tasks & Phases tab.
Click ADD PHASE.
Enter a unique phase name, then click SAVE.
Click PUBLISH. The phase appears only in new incidents. It doesn't appear in existing incidents, open or closed.
Rename a Phase
Rename any phase to change how it appears in incidents.
In the navigation bar, click the menu icon, select Settings, then select Analytics.
Under Case Management, select Incident Configuration.
Select the TASKS & PHASES tab.
Hover over a phase, then select the edit icon.
Change the phase name.
Click SAVE.
Click PUBLISH. Your changes are reflected in new incidents. They don't apply to existing incidents, open or closed.
Exabeam Tasks
Assign specific responsibilities and ensure everyone responds consistently using tasks.
A task is an action an analyst must complete when they investigate; for example, confirm incident is contained, capture volatile data from systems as evidence, determine root cause. Tasks are organized into phases of an investigation.
As with phases, standardized tasks ensure everyone across your organization responds to a given security scenario the same way: a manager defines the process once, and analysts follow it, working on separate tasks in parallel so their efforts don't overlap.
The tasks created here are templates that apply to every incident of the selected type. You can also add a one-off task to a single incident from within that incident. To create tasks automatically based on the conditions of an incident, set up a playbook.
Create a Task
In the navigation bar, click the menu icon, select Settings, then select Analytics.
Under Case Management, select Incident Configuration.
Select the Tasks & Phases tab.
Click ADD A TASK.
Enter information about the task:
Name – Enter a name for the task.
Instructions – Enter instructions, details, or other information about the task.
Phase – Select the phase that the task appears under.
(Optional) Incident type – Select the incident type that the task appears under.
Due date – If the task has no due date, select None. Otherwise, select the number of days after the task is initiated by which it must be completed.
(Optional) Required task – If the task is required, select this box.
Click SAVE.
Click PUBLISH.
Reorder Tasks in a Phase
Reorder tasks to change the order they appear in a phase.
In the navigation bar, click the menu icon, select Settings, then select Analytics.
Under Case Management, select Incident Configuration.
Select the Tasks & Phases tab.
Hover over a task, then select the up or down arrow to move the task up or down within its phase.
Click PUBLISH. Your changes are reflected in new incidents. They don't apply to existing incidents, open or closed.
Delete a Task
Delete a task to remove it from the phase. Incidents that already contain the task keep it.
In the navigation bar, click the menu icon, select Settings, then select Analytics.
Under Case Management, select Incident Configuration.
Select the Tasks & Phases tab.
Hover over a task, then select the trash icon. A warning appears.
Click DELETE.
Click PUBLISH. Your changes are reflected in new incidents. They don't apply to existing incidents, open or closed.
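The recurring rule on this page is that configuration changes reach only new incidents: an edited field, a published phase, a reordered or deleted task does not alter an incident that already exists, and a deleted field lingers on incidents that already have it. If you are integrating Case Manager with another ticketing system (as the introduction suggests), that snapshot-on-creation behaviour is what your integration must model. The following is an added illustration written for this page, not Exabeam's code or API; the class and method names (IncidentTypeDraft, PublishedType, Incident) and the sample phishing configuration are invented for the example. It models a draft configuration, a frozen snapshot produced by PUBLISH, incidents that bind to the snapshot current at the time they are opened, and task due dates counted from the day the task is initiated.

```python
"""Illustrative model of publish/snapshot semantics for incident types.
Not Exabeam's implementation; names and sample data are constructed for the example."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

DEFAULT_PHASES = ("Detection", "Containment", "Eradication & Mitigation",
                  "Recovery", "Post-Incident Activity")


@dataclass(frozen=True)
class TaskTemplate:
    name: str
    phase: str
    due_in_days: Optional[int] = None   # None means no due date
    required: bool = False


@dataclass(frozen=True)
class PublishedType:
    """Immutable snapshot created by publish(); incidents bind to one of these."""
    version: int
    layout: tuple          # field names in layout order
    phases: tuple
    tasks: tuple           # TaskTemplates grouped in phase order


class IncidentTypeDraft:
    """Editable configuration. Nothing here reaches an incident until publish()."""

    def __init__(self, name: str):
        self.name = name
        self.layout: list[str] = []
        self.phases: list[str] = list(DEFAULT_PHASES)
        self.tasks: list[TaskTemplate] = []
        self.deleted_fields: set[str] = set()
        self._version = 0

    def add_field(self, name: str) -> None:
        # A deleted field cannot be added to a new layout.
        if name in self.deleted_fields:
            raise ValueError(f"field {name!r} was deleted and cannot be re-added")
        if name not in self.layout:
            self.layout.append(name)

    def delete_field(self, name: str) -> None:
        if name in self.layout:
            self.layout.remove(name)
        self.deleted_fields.add(name)

    def add_phase(self, name: str) -> None:
        if name in self.phases:                  # phase names must be unique
            raise ValueError(f"phase {name!r} already exists")
        self.phases.append(name)

    def add_task(self, task: TaskTemplate) -> None:
        if task.phase not in self.phases:
            raise ValueError(f"unknown phase {task.phase!r}")
        self.tasks.append(task)

    def publish(self) -> PublishedType:
        self._version += 1
        # Order tasks by phase so they render in phase order, keeping insertion order inside a phase.
        ordered = sorted(self.tasks, key=lambda t: self.phases.index(t.phase))
        return PublishedType(self._version, tuple(self.layout),
                             tuple(self.phases), tuple(ordered))


class Incident:
    """An incident copies the snapshot it was opened against and never re-reads the draft."""

    def __init__(self, incident_type: PublishedType, opened: date):
        self.type_version = incident_type.version
        self.fields = {name: None for name in incident_type.layout}
        self.phases = list(incident_type.phases)
        self.tasks = [
            {"name": t.name, "phase": t.phase, "required": t.required,
             "due": opened + timedelta(days=t.due_in_days) if t.due_in_days is not None else None,
             "done": False}
            for t in incident_type.tasks
        ]


def demo() -> dict:
    """Walk through edit -> publish -> open incident -> edit again -> publish -> open another."""
    draft = IncidentTypeDraft("Phishing")
    for f in ("Sender", "Recipient", "Email subject", "HIPAA data"):
        draft.add_field(f)
    draft.add_task(TaskTemplate("Capture volatile data as evidence", "Containment", 2, True))
    draft.add_task(TaskTemplate("Determine root cause", "Eradication & Mitigation"))
    v1 = draft.publish()
    first = Incident(v1, date(2024, 1, 10))          # constructed date

    draft.delete_field("HIPAA data")                 # lingers on `first`, gone for new incidents
    draft.add_phase("Lessons Learned")
    v2 = draft.publish()
    second = Incident(v2, date(2024, 1, 11))
    return {"draft": draft, "v1": v1, "v2": v2, "first": first, "second": second}


if __name__ == "__main__":
    r = demo()
    print(r["first"].type_version, sorted(r["first"].fields), r["first"].tasks[0]["due"])
    print(r["second"].type_version, sorted(r["second"].fields), len(r["second"].phases))
```

The point to take from the model is where the snapshot boundary sits: the draft is mutable, publish() freezes it, and an Incident only ever reads the frozen copy, so a later publish cannot reach back into an open or closed incident. An integration that mirrors incidents into another system should therefore key its schema on the published version an incident was opened against, not on the current configuration.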