Case Manager


Configure Case Manager Settings

Ingest data, create rules to triage incidents, customize incidents, create or edit queues, and configure a proxy in Case Manager settings.

In the navigation bar, click the menu icon (three white lines on a green background), then select Settings. Depending on your permissions, select Core or Analytics:

  • If you have Core Manage Users and Context Sources permissions, you can only access Core settings.

  • If you have Advanced Analytics All Admin Ops permissions, you can access both Core and Analytics settings. In Analytics settings, you can configure and customize more settings than in Core settings.

Core Settings

In Core settings, view all settings under ALL APPS or click the INCIDENT RESPONDER tab to view Case Manager and Incident Responder settings.

Incident Responder tab in Core settings.

Under SERVICE INTEGRATIONS, select Proxy to configure a proxy connection.

Under QUEUES, create, edit, and delete a queue.

Under INCIDENT INGESTION:

  • Select Incident Source to add sources that feed data into Case Manager.

  • Select Incident Feeds to specify which type of log to ingest from your incident source.

  • Select Email Ingest to configure email ingest.

  • Select 2-Way Email to configure an email account and start sending emails directly from an incident.

Analytics Settings

In Analytics settings, navigate to Case Management.

Analytics settings with Case Management settings highlighted.

In Email Notification, configure email notifications about Case Manager activity (for example, when someone creates, changes, or comments on an incident), create templates for these email notifications, and create templates for emails sent using the Send Email Exabeam action.

In Incident Ingestion, add sources that feed data into Case Manager, specify which type of log to ingest from your incident source, configure email ingest, or configure an email to send emails directly from an incident.

In Incident Rules, create rules to automatically triage incidents after they're created. You can also edit and delete these rules.

In Incident Configuration, create incident types, incident fields, tasks, and phases.

In Queues, create, edit, or delete a queue.

In Proxy, configure a proxy connection.

Configure a Proxy

If your environment has a proxy configured, you must configure a proxy for Case Manager and Incident Responder. Some Case Manager and Incident Responder features use your proxy to function correctly, including services, email ingest, and incident email.

  1. In the navigation bar, click the menu icon (three white lines on a green background), select Settings, then select Core.

  2. Under SERVICE INTEGRATIONS, select Proxy.

  3. To enable the proxy you're configuring, click the Enable Proxy toggle.

  4. Enter information about your proxy connection:

    • Hostname/server – Enter the name of the host or server for the proxy server.

    • Protocol – Enter the protocol the proxy server uses: HTTP or SOCKS.

    • Port – Enter the port number for the proxy server.

    • (Optional) Username – If the proxy is protected by a password, enter your proxy account username.

    • (Optional) Password – If the proxy is protected by a password, enter your proxy account password.

    • (Optional) Whitelist – Enter the hostnames and/or domains to whitelist, using wildcards (for example, 192.168.*) or IP ranges (for example, 192.168.0.0/24). The Incident Responder Docker container is whitelisted by default.

  5. To validate the connection to your proxy, enter a URL, then select TEST CONNECTIVITY. If you see an error, verify the information you entered then retest the connection.

  6. Click SAVE.
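The whitelist field above accepts two entry styles, wildcards and CIDR ranges. The following added example (not Exabeam code; the entries and hostnames are constructed) shows how such a list can be matched against a destination, assuming that a whitelisted destination is reached directly rather than through the proxy, which is the usual meaning of a proxy whitelist but is not stated on this page. Hostname matching is case-insensitive, CIDR entries are only compared against IP literals, and anything that matches nothing is routed through the proxy.

```python
import ipaddress
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed whitelist in the two forms the settings page describes:
# wildcard patterns such as "192.168.*" and CIDR ranges such as "10.0.0.0/8".
# These are example values, not entries from any real deployment.
WHITELIST = ["192.168.*", "10.0.0.0/8", "*.internal.example.com", "localhost"]


def _parse_cidr(entry):
    """Return an ip_network for CIDR-style entries, otherwise None."""
    if "/" not in entry:
        return None
    try:
        return ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return None


def bypasses_proxy(host, whitelist=WHITELIST):
    """True if 'host' (a hostname or IP literal) matches a whitelist entry.

    Wildcard entries are matched with shell-style globbing on the literal
    text, so "192.168.*" also covers "192.168.1.7" by prefix. CIDR entries
    are compared against IP literals only; a hostname never matches a CIDR
    entry because nothing here resolves DNS.
    """
    host = host.strip().lower()
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    for entry in whitelist:
        entry = entry.strip().lower()
        net = _parse_cidr(entry)
        if net is not None:
            # 'addr in net' is False for mismatched IP versions, so v6/v4 mixes are safe.
            if addr is not None and addr in net:
                return True
            continue
        if fnmatchcase(host, entry):
            return True
    return False


def route_for(url, whitelist=WHITELIST):
    """Decide whether a URL goes DIRECT (whitelisted) or via the PROXY."""
    host = urlsplit(url).hostname or ""
    return "DIRECT" if bypasses_proxy(host, whitelist) else "PROXY"


if __name__ == "__main__":
    for url in ("https://intranet.internal.example.com/", "https://login.microsoftonline.com/"):
        print(url, "->", route_for(url))
```

A wildcard such as `192.168.*` is a text pattern, so it does not express a netmask; where a precise range matters, the CIDR form (`192.168.0.0/24`) is the safer entry.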

Prerequisites for Configuring Microsoft Exchange Online with OAuth2.0 Authentication

If your Microsoft Exchange Online account uses OAuth2.0 modern authentication, ensure that you complete certain tasks before you configure email ingest and incident email communication.

To integrate Exabeam with Microsoft Azure Active Directory, register an application on the Microsoft identity platform. Since you can't use the same email account for email ingest and incident email, you must create a separate application for each account. Under Supported account types, ensure that you select Accounts in this organizational directory only.

  • Save the client ID for the application you created. You use this client ID later.

  • Add a client secret and save it. You use this client secret later.

  • Configure specific Microsoft Graph permissions for your application:

    • Mail.Read

    • Mail.Send

    • Mail.ReadWrite

  • Configure the Office 365 Exchange Online full_access_as_app permission for your application.

    Follow the same steps you used to configure Microsoft Graph permissions, but instead of selecting Microsoft Graph, click the APIs my organization uses tab, select Application permissions, then select Office 365 Exchange Online. Select the full_access_as_app permission, then click Add permissions.

  • Grant administration consent to the permissions you configured for your application.
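The prerequisites above amount to an application that obtains tokens with the OAuth 2.0 client credentials grant and carries the listed application permissions in its token. The following added example (not Exabeam code) builds the token request for the tenant, client ID, and national cloud you would enter in the settings pages, and inspects an access token's `roles` claim to confirm that admin consent actually granted Mail.Read, Mail.Send, Mail.ReadWrite (Microsoft Graph) or full_access_as_app (Exchange Online). The authority hosts per national cloud and the `.default` scope strings are stated from the example author's knowledge of the Microsoft identity platform, not from this page; verify them for your tenant. Claim decoding here skips signature verification on purpose: it is for checking what was granted, never for trusting a token.

```python
import base64
import json
import time
from urllib.parse import urlencode

# Login authority per national cloud (assumption of this example, not from the page).
AUTHORITY = {
    "Global": "https://login.microsoftonline.com",
    "China": "https://login.chinacloudapi.cn",
    "Germany": "https://login.microsoftonline.de",
    "USGovernment": "https://login.microsoftonline.us",
}

# Resource whose application permissions the token should carry.
RESOURCE = {
    "graph": "https://graph.microsoft.com/.default",        # Mail.Read / Mail.Send / Mail.ReadWrite
    "exchange": "https://outlook.office365.com/.default",   # full_access_as_app
}

REQUIRED_ROLES = {
    "graph": {"Mail.Read", "Mail.Send", "Mail.ReadWrite"},
    "exchange": {"full_access_as_app"},
}


def token_request(tenant_id, client_id, client_secret, resource="graph", cloud="Global"):
    """Build (but do not send) the client-credentials token request.

    Returned as url/headers/body so any HTTP client can send it. The secret
    travels only in the POST body, never in the URL.
    """
    url = f"{AUTHORITY[cloud]}/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": RESOURCE[resource],
    })
    return {"url": url, "body": body,
            "headers": {"Content-Type": "application/x-www-form-urlencoded"}}


def _b64url_decode(segment):
    segment += "=" * (-len(segment) % 4)   # restore stripped padding
    return base64.urlsafe_b64decode(segment)


def decode_claims(access_token):
    """Return the JWT payload claims WITHOUT verifying the signature."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    return json.loads(_b64url_decode(parts[1]))


def missing_roles(access_token, resource="graph", now=None):
    """Application permissions the token lacks for 'resource'.

    Returns an empty set when admin consent covered everything needed;
    adds the marker "<expired>" if the token's exp claim is in the past.
    """
    claims = decode_claims(access_token)
    missing = REQUIRED_ROLES[resource] - set(claims.get("roles", []))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        missing.add("<expired>")
    return missing


def make_unsigned_token(claims):
    """Constructed, unsigned test token so the checks run offline.
    Real tokens are RS256-signed by the identity platform."""
    header = base64.urlsafe_b64encode(b'{"alg":"none","typ":"JWT"}').rstrip(b"=").decode()
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode()).rstrip(b"=").decode()
    return f"{header}.{payload}."


if __name__ == "__main__":
    tok = make_unsigned_token({"roles": ["Mail.Read", "Mail.Send"], "exp": 2_000_000_000})
    print("missing:", missing_roles(tok))   # the ReadWrite permission was not consented
```

A practical use is a one-off check after granting consent: request a token for each resource and confirm `missing_roles` returns an empty set before pointing email ingest or incident email at the account.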

Ingest Data into Case Manager

To use Case Manager, you must ingest data from an incident source and pull a specific type of data using an incident feed. After Case Manager has this data, it creates incidents for you to investigate.

An incident source is the server from which Case Manager ingests data, like:

  • Advanced Analytics. Case Manager automatically creates an incident when a user or asset crosses a risk threshold and becomes notable.

  • A security product, like a SIEM or an endpoint solution.

  • Microsoft Office 365 or Outlook, ingested using email ingest.

An incident feed pulls a specific type of data; for example, Carbon Black or FireEye. You must configure an incident source before you configure an incident feed.

You can add, edit, or delete an incident source. You can also add, edit, or delete incident feeds.

After you add an incident source and incident feed, add incident rules to automatically assign, prioritize, and restrict new incidents.

Add an Incident Source

Add an incident source, like ServiceNow, Splunk, or IBM QRadar, to ingest logs from those servers into Case Manager. You must add an incident source before specifying which logs to ingest. To add an incident source, you need:

  • IP address or hostname of the server

  • TCP port

  • Username and password

To add ServiceNow, you must complete specific prerequisites.

  1. In the navigation bar, click the menu icon (three white lines on a green background), select Settings, then select Core.

  2. Under INCIDENT INGESTION, select Incident Sources.

  3. Click Add a new incident source (the blue circle with a white plus sign).

  4. Enter information about the incident source:

    • Server Type – Select the source you wish to ingest data from.

    • IP Address or Hostname – Enter the IP address or hostname of the server.

    • TCP Port – Enter the TCP port number of the server.

    • Username – Enter your username for the server.

    • Password – Enter your password for the server.

  5. To validate your connection to the source, click TEST CONNECTIVITY. If you see an error, verify the information you entered, then retest the connection.

  6. Click SAVE.

    To specify the type of data to query from the source, add an incident feed.

Add an Incident Feed

If you've added an incident source, specify the type of data to query from the source.

  1. Ensure that you added an incident source.

  2. In the navigation bar, click the menu icon (three white lines on a green background), select Settings, then select Core.

  3. Under INCIDENT INGESTION, select Incident Feeds.

  4. Click Add a new incident feed (the blue circle with a white plus sign).

  5. Fill in the fields, then click SAVE.

  6. Click RESTART LOG INGESTION ENGINE.

  7. Choose to restart the log engine immediately or specify a date, then click RESTART.

Email Ingest

Ingest suspicious emails and investigate phishing incidents using Email Ingest.

Case Manager Email Ingest creates incidents from potential phishing emails. It ingests suspicious emails from a designated phishing mailbox, parses relevant fields, creates an incident, then deletes the email from the inbox. Configure Email Ingest in your settings.

Configure Email Ingest

Link Case Manager to your phishing inbox so that suspicious emails forwarded to that inbox are ingested. Before you begin, you need:

  • A dedicated phishing inbox that Case Manager has access to. No one should delete, move, or otherwise touch the emails in this inbox. The mailbox cannot be a shared mailbox or subfolder. You can't use the same email account you use for incident email.

  • Credentials for the phishing inbox. The account and credentials must have read and write access to the entire mailbox.

  • Connection to IMAP, POP3, or Exchange.

    Protocol      Port
    IMAP          143
    IMAP + SSL    993
    POP3          110
    POP3 + SSL    995
    Exchange      443

  • If you use Microsoft Exchange Online with OAuth2.0 modern authentication, ensure that you complete specific prerequisites.

Note

For cloud-delivered deployments, only port 443 is open. To open other ports, contact your Technical Account Manager.

  1. Ensure that emails aren't encrypted and attachments are in EML format. MSG files are not yet supported.

  2. In the navigation bar, click the menu icon (three white lines on a green background), select Settings, then select Core.

  3. Under INCIDENT INGESTION, select Email Ingest.

  4. Enter information about your email connection:

    • Host/Server – A mail server or host; for example, outlook.office365.com

    • Username – An assigned username. For IMAP, enter the email address. For Exchange, enter [domain]\[username]

    • Email address – The email address where emails are sent. This can't be a shared email.

    • Password – The password for the username you previously entered.

    • Protocol – The email protocol used to connect to your mail server: IMAP, POP3, or Exchange. Select the box if your email provider supports Secure Sockets Layer (SSL). If you select Exchange:

      • Exchange version – Select your version of Microsoft Exchange:

        • Microsoft Exchange 2007, Service Pack 1

        • Microsoft Exchange 2010

        • Microsoft Exchange 2010, Service Pack 1

        • Microsoft Exchange 2010, Service Pack 2

        • Other Exchange Version

      • Authentication type – Select the protocol used to authenticate to your Exchange host: BASIC, NTLM, or OAUTH2.0.

      If you select OAUTH2.0:

      • Client ID – Enter your Exabeam Microsoft Application (client) ID.

      • Client secret – Enter your Exabeam Microsoft Application client secret.

      • Tenant ID – Enter your Microsoft Azure AD tenant ID.

      • National cloud – If you have a national cloud deployment of Microsoft Azure, select your national cloud: China, Germany, or USGovernment. If you don't have a national cloud deployment, select Global.

    • Port – The port number your mail host or server uses.

    • Log level – Case Manager generates logs about your system activity that Customer Success uses to debug problems in your system. Select how detailed these logs are: low or verbose. To conserve disk space, it's best to select low. If you have problems with your system, Customer Success may direct you to change the log level to verbose.

    • Folder – Which account folder you're pulling emails from. The default folder is Inbox.

  5. Click SAVE.

  6. To start ingesting emails, click START.

    By default, Case Manager ingests emails starting from today. To ingest emails starting from a different date, click Select a different date, then select a date in the calendar.
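Email Ingest, as described above, pulls a reported message from the phishing mailbox, parses the fields a phishing incident needs, and requires that the message is not encrypted and that forwarded originals are attached as EML rather than MSG. The following added example (not Exabeam code; the message below is constructed, with `.invalid` addresses) shows what that parsing step looks like in Python's standard `email` library: it refuses S/MIME or PGP-encrypted messages, extracts sender, recipient, subject, Message-ID and body, hashes each attachment, and records `.msg` attachments as unsupported instead of failing the whole report. The field names in the returned dict are the example author's choice, not Case Manager's.

```python
import email
import hashlib
from email import policy

# Constructed sample: an analyst forwards a phishing email to the reporting
# mailbox with the original attached as EML, plus an unsupported .msg file.
SAMPLE_EML = b"""\
From: Reporter <reporter@example.invalid>
To: phishing@example.invalid
Subject: FW: Urgent invoice
Date: Mon, 01 Jan 2024 09:00:00 +0000
Message-ID: <constructed-1@example.invalid>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Looks suspicious, please review.
--b1
Content-Type: message/rfc822
Content-Disposition: attachment; filename="original.eml"

From: Attacker <billing@example.invalid>
To: victim@example.invalid
Subject: Urgent invoice
Content-Type: text/plain

Pay now.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="note.msg"
Content-Transfer-Encoding: base64

AAEC
--b1--
"""

# Constructed S/MIME envelope, used to show the encrypted-message rejection.
ENCRYPTED_SAMPLE = b"Content-Type: application/pkcs7-mime; smime-type=enveloped-data\r\n\r\nAAAA\r\n"

ENCRYPTED_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime", "multipart/encrypted"}


def is_encrypted(raw):
    """True for S/MIME enveloped data or PGP/MIME, which cannot be parsed for fields."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return msg.get_content_type() in ENCRYPTED_TYPES


def parse_phishing_report(raw):
    """Extract the fields a phishing incident needs from a raw RFC 5322 message."""
    if is_encrypted(raw):
        raise ValueError("encrypted messages are not supported")
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    report = {
        "from": str(msg["from"] or ""),
        "to": str(msg["to"] or ""),
        "subject": str(msg["subject"] or ""),
        "date": str(msg["date"] or ""),
        "message_id": str(msg["message-id"] or ""),
        "body": body.get_content().strip() if body is not None else "",
        "attachments": [],
        "unsupported": [],
    }
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ctype = part.get_content_type()
        if name.lower().endswith(".msg") or ctype == "application/vnd.ms-outlook":
            report["unsupported"].append(name)      # MSG is not supported; skip, don't fail
            continue
        record = {"filename": name, "content_type": ctype}
        if ctype == "message/rfc822":
            inner = part.get_content()               # the forwarded original as a message
            data = inner.as_bytes()                  # hash of the re-serialised original
            record["inner_from"] = str(inner["from"] or "")
            record["inner_subject"] = str(inner["subject"] or "")
        else:
            data = part.get_content()
            if isinstance(data, str):
                data = data.encode("utf-8")
        record["sha256"] = hashlib.sha256(data).hexdigest()
        report["attachments"].append(record)
    return report


if __name__ == "__main__":
    print(parse_phishing_report(SAMPLE_EML))
```

The attachment hashes give the incident a stable key for de-duplicating the same campaign reported by several users; the `inner_from` and `inner_subject` of the forwarded original are what an analyst usually wants to pivot on, rather than the reporter's own headers.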

Restart Email Ingest

If email ingest isn't working, restart it to troubleshoot the issue.

  1. In the navigation bar, click the menu icon (three white lines on a green background), select Settings, then select Analytics.

  2. Under Case Management, select Incident Configuration.

  3. Select the EMAIL INGEST tab.

  4. Hover over an email server, then click edit (the grey pencil).

  5. Click Start.

    If email ingest starts successfully, the server appears in the list of email feeds with a Running status.

Incident Rules

Assign, prioritize, and restrict new incidents with incident rules.

When Case Manager creates an incident, an incident rule evaluates it against one or many conditions that you define, then assigns it to a queue or priority, or restricts access to it. For example, you can create an incident rule that assigns an incident to a Tier 3 queue if an email's to field is phishing@mycompany.com.

Case Manager evaluates an incident against each rule in the list from top to bottom. Once the incident reaches the first rule for which it matches the conditions, Case Manager stops evaluating and ignores the remaining rules in the list.

You can create, reorder, edit, and delete an incident rule.

Create an Incident Rule

Create an incident rule to assign, prioritize, and restrict new incidents.

Case Manager evaluates an incident against each rule in the list from top to bottom. Once the incident reaches the first rule for which it matches the conditions, Case Manager stops evaluating and ignores the remaining rules in the list.

  1. In the navigation bar, click the menu icon (three white lines on a green background), select Settings, then select Analytics.

  2. Under Case Management, select Incident Rules.

  3. Click Add new triage rules (the blue circle with a white plus sign).

  4. Enter information about the rule:

    • Rule Title – Give the incident rule a unique name.

    • Conditions – Assign a condition that evaluates the incident. To add more than one condition, click +ADD.

      The conditions are case sensitive. For example, if the "to" field is JohnSmith@company.com, the rule won't trigger if the "to" field is johnsmith@company.com.

    • Assign to Queue – Assign the incident to a queue. Otherwise, assign the incident to the default Unassigned Queue.

    • Priority – Assign the incident to low, medium, high, or critical priority.

    • Restrict To – Restrict who can access, see, or search for this incident. You can restrict access to one person or a group. These are groups you named when you configured LDAP.

  5. Click SAVE.
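The evaluation model described for incident rules (top-to-bottom order, first matching rule wins, exact case-sensitive conditions, and the Unassigned Queue as the default) is small enough to write down. The following added example (not Exabeam code; the rules, queue names and incident records are constructed, and the page's phishing@mycompany.com example is reused) implements that model so the effects of rule order and of a case mismatch can be checked before a rule set goes live.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class IncidentRule:
    title: str
    conditions: Dict[str, str]          # incident field -> exact, case-sensitive value
    queue: Optional[str] = None         # None leaves the incident in the default queue
    priority: Optional[str] = None      # low, medium, high, or critical
    restrict_to: List[str] = field(default_factory=list)


DEFAULT_QUEUE = "Unassigned Queue"


def rule_matches(rule, incident):
    """Every condition must hold; comparison is an exact, case-sensitive string match."""
    return all(incident.get(name) == value for name, value in rule.conditions.items())


def triage(incident, rules):
    """Evaluate rules top to bottom; the first match wins and the rest are ignored."""
    result = {"queue": DEFAULT_QUEUE, "priority": None, "restrict_to": [], "matched_rule": None}
    for rule in rules:
        if rule_matches(rule, incident):
            result["matched_rule"] = rule.title
            if rule.queue:
                result["queue"] = rule.queue
            if rule.priority:
                result["priority"] = rule.priority
            result["restrict_to"] = list(rule.restrict_to)
            break                                       # remaining rules are not evaluated
    return result


# Constructed rule list, most specific first.
RULES = [
    IncidentRule("Phishing mailbox to Tier 3", {"to": "phishing@mycompany.com"},
                 queue="Tier 3", priority="high"),
    IncidentRule("Exabeam phishing restricted to leads", {"type": "Phishing", "vendor": "Exabeam"},
                 queue="Tier 2", restrict_to=["soc-leads"]),
    IncidentRule("Other email ingest to Tier 1", {"source": "Email Ingest"},
                 queue="Tier 1", priority="low"),
]


if __name__ == "__main__":
    # Same incident, capitalised 'to' address: rule 1 no longer matches, rule 3 does.
    print(triage({"to": "Phishing@mycompany.com", "source": "Email Ingest"}, RULES))
```

Putting the broad "Other email ingest" rule first would shadow the two specific rules, which is why the reorder controls matter: a reordered list is tested here simply by reversing `RULES`.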

Edit an Incident Rule

Change the title, conditions, and details of an incident rule.

  1. In the navigation bar, click the menu icon (three white lines on a green background), select Settings, then select Analytics.

  2. Under Case Management, select Incident Rules.

  3. Hover over an incident rule, then select Edit Rule (the grey pencil).

  4. Change the rule title, the conditions, the queue or priority an incident is assigned to, or who the incident is restricted to.

  5. Click SAVE.

Reorder Incident Rules

An incident is evaluated against each rule in the list from top to bottom. It stops evaluating once it reaches the first rule that matches the condition and ignores the remaining rules in the list.

  1. In the navigation bar, click the menu icon (three white lines on a green background), select Settings, then select Analytics.

  2. Under Case Management, select Incident Rules.

  3. To move a rule up or down in the list, select the up or down arrow (grey arrows) next to the rule.

Delete an Incident Rule

When Case Manager ingests an incident, it evaluates it against an incident rule. If you don't want to evaluate an incident against a certain rule, delete the rule.

  1. In the navigation bar, click the menu icon (three white lines on a green background), select Settings, then select Analytics.

  2. Under Case Management, select Incident Rules.

  3. Hover over an incident rule, then select Delete Rule (the grey trash can).

  4. A warning appears. Click DELETE.

Configure Incident Email Communication

Link Case Manager to an email account to send incident emails directly from an incident.

You can't use the same account you configured for email ingest. Before you begin, you need:

  • An email account from which users send and receive Case Manager-related messages (for example, casemanagement@mycompany.com). The mailbox cannot be a shared mailbox or a subfolder. You can't use the same email account you use for email ingest.

  • Credentials for the email inbox. The account credentials must have read and write access to the entire mailbox.

  • IMAP connectivity.

    Protocol      Port Number
    IMAP          143
    IMAP + SSL    993

  • If you use Microsoft Exchange Online with OAuth2.0 modern authentication, ensure that you complete specific prerequisites.

  1. Ensure that emails aren't encrypted and attachments are in EML format. MSG files are not yet supported.

  2. In the navigation bar, click the menu icon (three white lines on a green background), select Settings, then select Core.

  3. Under INCIDENT INGESTION, select 2-Way Email.

  4. Enter information about your email account, inbound connection, and outbound connection:

    • Username – Enter the username for the mail server. This may be an email address.

    • Password – Enter the password for the mail server.

    • Email address – Enter the email address on the mail server.

    • Folder – Enter the name of the folder from which emails are ingested.

    Inbound

    • Inbound host/server – Enter the name of the inbound mail server.

    • Inbound protocol – Select the mail protocol used to receive emails.

    • Inbound port – Enter the inbound protocol port number.

    Outbound

    • Outbound host/server – Enter the name of the outbound mail server.

    • Outbound protocol – Select the mail protocol used to send emails.

    • Outbound port – Enter the outbound protocol port number.

    • Exchange protocol – Select the box if you use Microsoft Exchange Online.

  5. If you selected the Exchange Protocol box, enter additional information about your Microsoft Exchange Online account and connection:

    • Exchange host – Enter the hostname of your Microsoft Exchange server.

    • SSL – Select the box if you installed a Secure Sockets Layer (SSL) certificate on your Microsoft Exchange server.

    • Exchange port – Enter the port number your Microsoft Exchange host uses.

    • Authentication type – Select the protocol used to authenticate to your Exchange host: BASIC, NTLM, or OAUTH2.0.

    • Exchange version – Select your version of Microsoft Exchange:

      • Microsoft Exchange 2007, Service Pack 1

      • Microsoft Exchange 2010

      • Microsoft Exchange 2010, Service Pack 1

      • Microsoft Exchange 2010, Service Pack 2

      • Other Exchange Version

    • Log level – Case Manager generates logs about your system activity that Customer Success uses to debug problems in your system. Select how detailed these logs are: low or verbose. To conserve disk space, it's best to select low. If you have problems with your system, Customer Success may direct you to change the log level to verbose.

  6. If you selected OAUTH2.0 as your Authentication type, enter additional information about the application you registered on Microsoft:

    • Client ID – Enter your Exabeam Microsoft Application (client) ID.

    • Client secret – Enter your Exabeam Microsoft Application client secret.

    • Tenant ID – Enter your Microsoft Azure AD tenant ID.

    • National cloud – If you have a national cloud deployment of Microsoft Azure, select your national cloud: China, Germany, or USGovernment. If you don't have a national cloud deployment, select Global.

  7. To validate the inbound and outbound connection to your mail server, click TEST INBOUND and TEST OUTBOUND. If you see Failed to test Service connectivity, verify that you entered the correct email account, inbound connection, and outbound connection information.

  8. Click SAVE.

  9. To enable the email route, click START.

    The email route appears in the EMAIL FEEDS list with a RUNNING status.

Customize Incidents

Customize incident types, fields, and layouts to better align Case Manager with your existing or other internal ticketing systems.

Depending on your organization and your industry, consider customizing incidents to tailor Case Manager to your needs. For example, a hospital Security Operations Center (SOC) may create a HIPAA field to review the percentage of historical incidents in which HIPAA data was breached, or view all active incidents that contain HIPAA data.

Start by creating an incident type. Then, create custom fields for that type and organize them into a layout that works best for you.

For each incident type, create phases and tasks to standardize your team's response to that type of incident and enforce them to take certain steps.

Incident Types

Standardize information, actions, and evidence for common security incidents using incident types.

An incident type is a category that represents a security scenario. It standardizes incident fields, phases, tasks, and playbooks, and ensures you have the information and tools you need to resolve an incident based on attack vector or case context.

For example: In your organization, a phishing campaign targets multiple users, and each user automatically triggers and creates an incident. Since all these incidents are of a specific type—phishing—you need a specific set of information, actions, and evidence to resolve them, like sender, recipient, or email subject. The Phishing incident type ensures those are all included in a phishing incident so you have everything you need to research and resolve it.

Generic Incident Type

The Generic incident type standardizes incident fields for every incident created, manually or automatically.

Case Manager automatically assigns the Generic incident type to every incident created, manually or automatically. You can't unassign the Generic incident type from an incident; every incident must be assigned the Generic incident type.

The Generic incident type comes with specific incident fields. You can't remove these incident fields from the incident type, add custom incident fields to the incident type, or otherwise customize the incident type's layout.

Create an Incident Type

Create an incident type to represent a common security scenario and standardize information, actions, and evidence.

  1. In the navigation bar, click the menu icon (three white lines on a green background), select Settings, then select Analytics.

  2. Under Case Management, select Incident Configuration.

  3. In the Types tab, click ADD TYPE.

  4. In the CREATE INCIDENT TYPE menu, enter a name and description for the incident type.

  5. Click SAVE. The new incident type appears in the list of incident types with a Custom status.

    For your new incident type, create custom incident fields or design a custom layout.

Delete an Incident Type

When you delete an incident type you created, you can no longer apply the type to any incidents. Existing incidents that were assigned the type, and their data, are not deleted.

  1. In the navigation bar, click the menu icon (three white lines on a green background), select Settings, then select Analytics.

  2. Under Case Management, select Incident Configuration.

  3. In the TYPES tab, hover over an incident type, select the More menu (three vertical grey dots), then select Delete.

  4. A warning appears. Click DELETE.

Incident Fields

Display information about security incidents using incident fields.

An incident field represents an attribute of a security incident, like its description or the time it was created.

Incident fields are specific to an incident type. For example, the Phishing incident type includes fields like subject, email body, and attachment name. There are also default incident fields that appear in every incident, like description, vendor, or source, under the Generic incident type.

You can create a custom incident field for a specific incident type. After you create a custom incident field, arrange how it appears in the incident type's layout.

Generic Incident Fields

Review the out-of-the-box incident fields specific to the Generic incident type.

You cannot remove the out-of-the-box fields from the Generic incident type. You can add custom incident fields to the Generic incident type to ensure they appear in every incident.

  • Incident type – The category the incident belongs under, usually representing a common security scenario. Incident types standardize incident fields, phases, and tasks.

  • Description – A short account of the incident; for example, what occurred and who was involved.

  • Vendor – The vendor that generated the log; for example, Exabeam.

  • Source – The product that generated the log; for example, Exabeam AA.

  • Source severity – The severity of the third party security alert that created the Case Manager incident.

  • Source ID – The Advanced Analytics session ID, if the incident was created from a notable Advanced Analytics session.

  • Source URL – A link to the notable session in Advanced Analytics, if the incident was created from a notable Advanced Analytics session.

  • Event start time – When the notable session first started, if the incident was created from a notable Advanced Analytics session.

  • Event end time – When the notable session ended, if the incident was created from a notable Advanced Analytics session.

  • Source info – The raw log of the third party security alert that created the Case Manager incident.

  • Created by – The person who created the incident in Case Manager.

  • Creation time – When the incident was created in Case Manager.

  • Updated by – The person who updated the incident in Case Manager.

  • Updated – When the incident was last updated in Case Manager.

  • Resolved time – When the incident's status was changed to Resolved.

  • Closed time – When the incident's status was changed to Closed or Closed - False Positive.

  • Closed reason – Why the incident's status was changed to Closed or Closed - False Positive. To close the incident, you must enter a value for this field.

Create a Custom Incident Field

Create incident fields to standardize the information displayed in an incident type.

You can't create custom incident fields for the Generic incident type.

  1. In the navigation bar, click the menu icon (three white lines on a green background), select Settings, then select Analytics.

  2. Under Case Management, select Incident Configuration.

  3. Select the FIELDS tab.

  4. Click ADD FIELDS.

  5. Enter information about your field. The information required varies based on field type.

    To list multiple values, select List predefined options. If people can enter or select multiple values from this list, select Can enter or select multiple values.

  6. Click SAVE.

Edit a Custom Incident Field

When you edit an incident field, the changes only apply to new incidents. If an existing incident has this field, it doesn't change.

  1. In the navigation bar, click the menu icon (three white lines on a green background), select Settings, then select Analytics.

  2. Under Case Management, select Incident Configuration.

  3. Select the FIELDS tab.

  4. Hover over an incident field, click the More menu (three vertical grey dots), then select Edit.

  5. Edit the field inputs.

  6. Click SAVE.

Delete a Custom Incident Field

When you delete an incident field, the field still appears in incidents that already have it but you can't add it to a new incident layout.

  1. In the navigation bar, click the menu icon (three white lines on a green background), select Settings, then select Analytics.

  2. Under Case Management, select Incident Configuration.

  3. Select the FIELDS tab.

  4. Hover over an incident field, click the More menu (three vertical grey dots), then select Delete.

Customize the Layout of an Incident Type

For an incident type, organize the incident fields based on what's relevant to the type. For example, for a phishing incident type, design a layout that includes incident fields like subject, sender, and email body.

  1. In the navigation bar, click the menu icon (three white lines on a green background), select Settings, then select Analytics.

  2. Under Case Management, select Incident Configuration.

  3. To design the layout of a new or existing incident type, hover over the incident type, select the More menu (three vertical grey dots), then select Edit.

  4. Design the layout:

    • To add a field to the layout, select a field, then click and drag the field from the left-side column to the editor on the right.

      To find a field, select the search icon (a blue magnifying glass), then enter a search term, or select Sort by: to sort the fields.

      To create a custom field, click + ADD FIELD.

    • To rearrange fields in the editor, click and drag the fields to where they should be positioned.

    • To remove a field from the layout, hover over the field, then click REMOVE.

  5. Click SAVE.

Manage Your Team

Organize your team and ensure they investigate incidents consistently. Create queues, phases, and tasks.

  • Case Manager Queues

    Effectively manage a shared workload and organize your team with queues.

  • Case Manager Phases

    Organize your investigations and ensure everyone responds consistently using phases.

  • Case Manager Tasks

    Assign specific responsibilities and ensure everyone responds consistently using tasks.

Case Manager Queues

Effectively manage a shared workload and organize your team with queues.

A queue is a designated group responsible for investigating an incident. Every incident is assigned a queue. If you're in a queue assigned to an incident, you're responsible for working on the incident. Track the incidents your queue is assigned to with the Incidents in My Queues watchlist. The incident remains assigned to your queue until someone closes the incident or assigns it to another queue.

By default, everyone is in the Unassigned Queue. Create new queues that better fit your needs. You might create queues based on SOC tiers (tier 1, tier 2, and tier 3) or a 24-7 service model. You can also edit or delete a queue you create.

Keep in mind that assigning an incident to a queue only indicates who is responsible for investigating the incident; it doesn't restrict access to the incident to that queue only. To restrict who can access an incident, edit the incident's Restrict To settings.

Create a Queue

To assign incidents to a group of people, create a queue.

  1. In the navigation bar, click the menu icon (three white lines on a green background), select Settings, then select Core.

  2. Under QUEUES, click Queues.

  3. Click Add a new queue A blue circle with a white plus sign..

  4. Enter a name for the queue.

  5. (Optional) Describe the queue.

  6. Add people to the queue:

    • To add specific people, click + next to the person's name. To quickly find and add a person, start typing in the search.

    • To add everyone in the system, click ADD ALL.

  7. Click CREATE QUEUE.

Edit a Queue

Change the name, description, or people in a queue you created.

  1. In the navigation bar, click the menu The menu icon in the navigation bar; three white lines on a green background., select Settings, then select Core.

  2. Under QUEUES, click Queues.

  3. Hover over a queue, then click Edit Queue A grey pencil..

  4. Edit the name, description or people in the queue.

  5. Click SAVE QUEUE.

Delete a Queue

If you created a queue, you can delete it. Any people and incidents assigned to the queue are reassigned to the default Unassigned Queue.

  1. In the navigation bar, click the menu The menu icon in the navigation bar; three white lines on a green background., select Settings, then select Core.

  2. Under QUEUES, click Queues.

  3. Hover over a queue, then select Delete Queue A grey trash can with a white x in the body of the trash can..

  4. Click DELETE.
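The following is an added example, not Exabeam's code, that models the queue rules described above: every incident belongs to exactly one queue, queue membership only marks who is responsible (access is controlled by the incident's Restrict To setting, modelled here as a constructed `restrict_to` attribute), and deleting a queue returns its people and incidents to the Unassigned Queue. Queue, user and incident names are constructed; the product's real data model is not shown on this page.

```python
"""Toy model of Case Manager queue semantics.

Added example, not Exabeam's code. Queue, user and incident names are
constructed, and `restrict_to` is a stand-in for an incident's "Restrict To"
setting; the product's real data model is not shown on the page.
"""
from dataclasses import dataclass, field

UNASSIGNED = "Unassigned Queue"  # the default queue everyone belongs to


@dataclass
class Incident:
    incident_id: str
    queue: str = UNASSIGNED  # every incident is assigned to exactly one queue
    restrict_to: set = field(default_factory=set)  # empty set: no access restriction
    closed: bool = False


class QueueManager:
    def __init__(self):
        self.queues = {UNASSIGNED: set()}  # queue name -> members
        self.incidents = {}                # incident id -> Incident

    def add_user(self, user):
        # New users start in the Unassigned Queue.
        self.queues[UNASSIGNED].add(user)

    def create_queue(self, name, members):
        if name in self.queues:
            raise ValueError(f"queue {name!r} already exists")
        self.queues[name] = set(members)

    def add_incident(self, incident):
        self.incidents[incident.incident_id] = incident

    def assign(self, incident_id, queue):
        if queue not in self.queues:
            raise KeyError(queue)
        self.incidents[incident_id].queue = queue

    def delete_queue(self, name):
        # Only queues you created can be deleted. Members and incidents of a
        # deleted queue go back to the Unassigned Queue.
        if name == UNASSIGNED:
            raise ValueError("the default Unassigned Queue cannot be deleted")
        members = self.queues.pop(name)
        self.queues[UNASSIGNED].update(members)
        for inc in self.incidents.values():
            if inc.queue == name:
                inc.queue = UNASSIGNED

    def is_responsible(self, user, incident_id):
        """True when the user is in the queue the incident is assigned to."""
        inc = self.incidents[incident_id]
        return user in self.queues[inc.queue]

    def can_access(self, user, incident_id):
        """Access is governed by Restrict To, not by queue membership."""
        inc = self.incidents[incident_id]
        return not inc.restrict_to or user in inc.restrict_to

    def incidents_in_my_queues(self, user):
        """Open incidents in every queue the user belongs to (the watchlist view)."""
        mine = {q for q, members in self.queues.items() if user in members}
        return sorted(i.incident_id for i in self.incidents.values()
                      if i.queue in mine and not i.closed)
```

The point worth checking in your own deployment is the split between `is_responsible` and `can_access`: a user outside the assigned queue can still open the incident unless Restrict To is set.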

Case Manager Phases

Organize your investigations and ensure everyone responds consistently using phases.

A phase is a general stage of your investigation process. Each phase contains the tasks an analyst must complete during that stage.

Phases and tasks ensure everyone across your organization responds to different security scenarios consistently. A manager builds a set of standard scenarios and creates processes for each one. When analysts investigate an incident, they follow this process, working on separate items in parallel so their efforts don't overlap.

Exabeam provides five phases out of the box:

  • Detection

  • Containment

  • Eradication & Mitigation

  • Recovery

  • Post-Incident Activity

Rename phases or create your own phase according to your needs. You can also delete and reorder phases. See Rename a Phase, Create a Phase, Delete a Phase, and Reorder Phases.

Create a Phase

To standardize how you respond to incidents, break out your investigating process into phases and assign tasks to each one.

  1. In the navigation bar, click the menu The menu icon in the navigation bar; three white lines on a green background., select Settings, then select Analytics.

  2. Under Case Management, select Incident Configuration.

  3. Select the Tasks & Phases tab.

  4. Click ADD PHASE.

  5. Enter a unique phase name, then click SAVE.

  6. Click PUBLISH. The phase appears only in new incidents. It doesn't appear in existing incidents, open or closed.

Rename a Phase

Rename any phase to change how it appears in incidents.

  1. In the navigation bar, click the menu The menu icon in the navigation bar; three white lines on a green background., select Settings, then select Analytics.

  2. Under Case Management, select Incident Configuration.

  3. Select the TASKS & PHASES tab.

  4. Hover over a phase, then select edit A grey pencil..

  5. Change the phase name.

  6. Click SAVE.

  7. Click PUBLISH. Your changes are reflected in new incidents. They don't apply to existing incidents, open or closed.

Reorder Phases

Reorder phases to change the order in which they appear in incidents.

  1. In the navigation bar, click the menu The menu icon in the navigation bar; three white lines on a green background., select Settings, then select Analytics.

  2. Under Case Management, select Incident Configuration.

  3. Select the Tasks & Phases tab.

  4. Hover over a phase, then select the up An arrow pointing up. or down An arrow pointing down. arrows to move the phase up or down.

  5. Click PUBLISH. Your changes are reflected in new incidents. They don't apply to existing incidents, open or closed.

Delete a Phase

Remove a phase from any new incidents you create.

  1. In the navigation bar, click the menu The menu icon in the navigation bar; three white lines on a green background., select Settings, then select Analytics.

  2. Under Case Management, select Incident Configuration.

  3. Select the Tasks & Phases tab.

  4. Make sure the phase has no tasks assigned to it. You can only delete a phase without tasks; if the phase you're deleting has any tasks assigned to it, reassign them to a new or existing phase first.

  5. Hover over the phase, then select the trash A grey trash can..

  6. Click DELETE.

  7. Click PUBLISH. The phase doesn't appear in new incidents. It still appears in existing incidents, open or closed.

Case Manager Tasks

Assign specific responsibilities and ensure everyone responds consistently using tasks.

A task is an action an analyst must complete when they investigate; for example, confirming the incident is contained, capturing volatile data from systems as evidence, or determining the root cause. Tasks are organized into the phases of an investigation.

Phases and tasks ensure everyone across your organization responds to different security scenarios consistently. A manager builds a set of standard scenarios and creates processes for each one. When analysts investigate an incident, they follow this process, working on separate items in parallel so their efforts don't overlap.

Create a Task for a Phase or Incident Type

Create a task that always appears under a specific phase or incidents of a certain type.

You can also create a task for just one specific incident. To automatically create a task depending on the conditions of an incident, set up a playbook (see Create a Playbook).

  1. In the navigation bar, click the menu The menu icon in the navigation bar; three white lines on a green background., select Settings, then select Analytics.

  2. Under Case Management, select Incident Configuration.

  3. Select the Tasks & Phases tab.

  4. Click ADD A TASK.

  5. Enter information about the task:

    • Name – Enter a name for the task.

    • Instructions – Enter instructions, details, or other information about the task.

    • Phase – Select the phase that the task appears under.

    • (Optional) Incident type – Select the incident type that the task appears under.

    • Due date – If there is no due date, select None. If there is a due date, select how many days after the task is initiated.

    • (Optional) Required task – If the task is required, select this box.

  6. Click SAVE.

  7. Click PUBLISH.

Reorder Tasks in a Phase

Reorder tasks to change the order they appear in a phase.

  1. In the navigation bar, click the menu The menu icon in the navigation bar; three white lines on a green background., select Settings, then select Analytics.

  2. Under Case Management, select Incident Configuration.

  3. Select the Tasks & Phases tab.

  4. Hover over a task, then select the up An arrow pointing up. or down An arrow pointing down. arrows to move the task up or down.

  5. Click PUBLISH. Your changes are reflected in new incidents. They don't apply to existing incidents, open or closed.

Edit a Task for a Phase or Incident Type

Edit a task that appears under a phase or for all incidents of a certain type.

  1. In the navigation bar, click the menu The menu icon in the navigation bar; three white lines on a green background., select Settings, then select Analytics.

  2. Under Case Management, select Incident Configuration.

  3. Select the Tasks & Phases tab.

  4. Hover over a task, then select edit A grey pencil..

  5. Change the task details:

    • Name – Enter a name for the task.

    • Instructions – Enter instructions, details, or other information about the task.

    • Phase – Select the phase that the task appears under.

    • (Optional) Incident type – Select the incident type that the task appears under.

    • Due date – If there is no due date, select None. If there is a due date, select how many days after the task is initiated.

    • (Optional) Required task – If the task is required, select this box.

  6. Click SAVE.

  7. Click PUBLISH. Your changes are reflected in new incidents. They don't apply to existing incidents, open or closed.

Delete a Task for a Phase or Incident Type

Delete a task that appears under a phase or for all incidents of a certain type (see Incident Types).

  1. In the navigation bar, click the menu The menu icon in the navigation bar; three white lines on a green background., select Settings, then select Analytics.

  2. Under Case Management, select Incident Configuration.

  3. Select the Tasks & Phases tab.

  4. Hover over a task, then select the trash A grey trash can.. A warning appears.

  5. Click DELETE.

  6. Click PUBLISH. Your changes are reflected in new incidents. They don't apply to existing incidents, open or closed.
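The following is an added example, not Exabeam's code, that models the phase and task rules from the two sections above: phases are an ordered list with unique names, a task belongs to one phase and optionally to one incident type, a due date is a number of days after the task is initiated, a phase with tasks cannot be deleted, and PUBLISH only affects incidents created afterwards. The five default phase names come from the page; the extra phase, task, and incident type names and the snapshot-on-create behaviour are constructed to illustrate those rules.

```python
"""Toy model of phases, tasks and PUBLISH semantics.

Added example, not Exabeam's code. The five default phases are from the
documentation; the added phase, task and incident type names, and the
"snapshot on incident creation" mechanism, are constructed to illustrate the
documented rules.
"""
import copy
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

DEFAULT_PHASES = ["Detection", "Containment", "Eradication & Mitigation",
                  "Recovery", "Post-Incident Activity"]


@dataclass
class Task:
    name: str
    phase: str
    instructions: str = ""
    incident_type: Optional[str] = None  # None: applies to every incident type
    due_in_days: Optional[int] = None    # None: no due date
    required: bool = False


class IncidentConfiguration:
    """Draft phases and tasks; changes reach new incidents only after publish()."""

    def __init__(self):
        self.phases = list(DEFAULT_PHASES)  # ordered
        self.tasks = []
        self.published = copy.deepcopy((self.phases, self.tasks))

    def add_phase(self, name):
        if name in self.phases:
            raise ValueError(f"phase name must be unique: {name!r}")
        self.phases.append(name)

    def rename_phase(self, old, new):
        if new in self.phases:
            raise ValueError(f"phase name must be unique: {new!r}")
        self.phases[self.phases.index(old)] = new
        for t in self.tasks:
            if t.phase == old:
                t.phase = new

    def move_phase(self, name, direction):
        """Move a phase one position 'up' or 'down'; no-op at the ends."""
        i = self.phases.index(name)
        j = i - 1 if direction == "up" else i + 1
        if 0 <= j < len(self.phases):
            self.phases[i], self.phases[j] = self.phases[j], self.phases[i]

    def delete_phase(self, name):
        # A phase that still has tasks cannot be deleted: reassign them first.
        if any(t.phase == name for t in self.tasks):
            raise ValueError(f"phase {name!r} still has tasks assigned")
        self.phases.remove(name)

    def add_task(self, task):
        if task.phase not in self.phases:
            raise KeyError(task.phase)
        self.tasks.append(task)

    def publish(self):
        # Freeze the draft; existing incidents keep the snapshot they were created with.
        self.published = copy.deepcopy((self.phases, self.tasks))

    def new_incident(self, incident_type, opened):
        """Build the phase/task plan for a new incident from the published snapshot."""
        phases, tasks = self.published
        plan = {}
        for phase in phases:
            plan[phase] = [
                {"task": t.name, "required": t.required,
                 "due": opened + timedelta(days=t.due_in_days)
                        if t.due_in_days is not None else None}
                for t in tasks
                if t.phase == phase and t.incident_type in (None, incident_type)
            ]
        return plan
```

`new_incident` reads only `self.published`, which is why a phase added but not yet published never shows up in a new incident, and why publishing later does not alter incidents that already exist.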

Case Manager Email Notifications

Keep your team updated with information and reminders about what's happening in Case Manager incidents.

Configure Case Manager to automatically send emails notifying you about important Case Manager activity, including:

  • Incident created

  • Incident assigned

  • Incident deleted

  • Incident updated

  • Incident priority changed

  • Incident status changed

  • Task assigned

  • Case note comment created

  • Email comment created

  • Received reply for an email comment

Before you configure Case Manager email notifications, you must configure Advanced Analytics email notifications. The Case Manager email notifications use the same SMTP IP or hostname, and port, as Advanced Analytics email notifications.

First, create an email template to customize the subject line and email body. Then, configure the notification: indicate the email template to use, the event type and other conditions you want to be notified about, and the recipients of the notification. See Create a Template for Case Manager Email Notifications and Create a Case Manager Email Notification.

Create a Template for Case Manager Email Notifications

Customize email notifications about Case Manager activity using templates.

  1. In the navigation bar, click the menu The menu icon in the navigation bar; three white lines on a green background., select Settings, then select Analytics.

  2. Under Case Management, select Email Notifications, then select the EMAIL TEMPLATES tab.

  3. Click Add Email Template A dark blue plus sign..

  4. Configure the template settings:

    • Template Type – Select Case Manager Notification.

    • Template Name – Name the email template. You use this name to identify the template when you configure email notifications.

    • Subject – Enter the subject line for the email notification.

    • In the text box, create the email body using Scalate's Mustache HTML template language.

      Under Variable Fields, view all the template variables you can use in the email body. For the Case Manager Notification template type, you can only use the variables under Case Manager Incident Fields.

      You can create a more elaborate email with CSS formatting; for example:

      <!DOCTYPE html>
      <html lang="en">
          <head>
              <title>Exabeam Case Manager</title>
              <style type="text/css">
                  body {
                      background: #F4F6F8;
                      font: 15px arial, sans-serif;
                  }
                  #sides {
                      display: flex;
                  }
                  #sides_left {
                      flex-grow: 1;
                      padding-left: 10px;
                  }
                  #header {
                      -webkit-box-shadow: 2px 2px 2px 0px rgba(71,79,88,1);
                      -moz-box-shadow: 2px 2px 2px 0px rgba(71,79,88,1);
                      box-shadow: 2px 2px 2px 0px rgba(71,79,88,1);
                      background: #6ABA4F;
                      color: #FFFFFF;
                      font: 20px arial, sans-serif;
                      width: 800px;
                      padding: 10px;
                      margin-top: 30px;
                      margin-left: auto;
                      margin-right: auto;
                  }
                  #block {
                      -webkit-box-shadow: 2px 2px 2px 0px rgba(71,79,88,1);
                      -moz-box-shadow: 2px 2px 2px 0px rgba(71,79,88,1);
                      box-shadow: 2px 2px 2px 0px rgba(71,79,88,1);
                      background: #FFFFFF;
                      color: #000000;
                      font: 16px arial, sans-serif;
                      width: 820px;
                      margin-top: 15px;
                      margin-left: auto;
                      margin-right: auto;
                  }
                  #block_header {
                      width: 800px;
                      padding: 10px;
                      background: #E9ECF0;
                      color: #2B2C34;
                      margin-left: auto;
                      margin-right: auto;
                  }
                  #block_body {
                      width: 800px;
                      background: #FFFFFF;
                      color: #2B2C34;
                      padding-top: 20px;
                      padding-bottom: 20px;
                      margin-left: auto;
                      margin-right: auto;
                  }
              </style>
          </head>
          <body>
              <div id="header">Exabeam Case Manager</div>
              <div id="block">
                  <div id="sides">
                      <div id="sides_left">
                          <div id="block_body">
                              <h2>Email boilerplate</h2>
                              <p><b>{{currentUser}}</b> edited <a href="{{incidentUrl}}">{{incidentId}}</a>.</p>
                          </div>
                      </div>
                  </div>
              </div>
          </body>
      </html>

      You can also create something simpler; for example:

      <html>
          <head>
          </head>
          <body>
              <b>{{currentUser}}</b> edited <a href="{{incidentUrl}}">{{incidentId}}</a>.
          </body>
      </html>

  5. Click SAVE. Now, you can select this template when you configure Case Manager email notifications.
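As an added example (not Exabeam's renderer and not Scalate), the block below renders the simple template shown above with a small Mustache-style substitution routine and checks that a template only references variables from the allowed list. It assumes standard Mustache semantics for the subset it handles: `{{name}}` substitutes with HTML escaping and `{{{name}}}` substitutes raw; whether Scalate's implementation escapes identically is not stated on this page, so confirm it in your own instance. The `CASE_MANAGER_INCIDENT_FIELDS` set is a constructed stand-in for the Case Manager Incident Fields list under Variable Fields, and the sample incident values are constructed.

```python
"""Render a Case Manager notification template and lint its variables.

Added example, not Exabeam's or Scalate's code. Assumes Mustache semantics:
{{name}} is HTML-escaped, {{{name}}} is inserted raw, and a missing variable
renders as an empty string. The allowed-variable set and sample values are
constructed stand-ins.
"""
import html
import re

# Constructed stand-in for the "Case Manager Incident Fields" variable list;
# populate it from the Variable Fields panel of your own instance.
CASE_MANAGER_INCIDENT_FIELDS = {"currentUser", "incidentUrl", "incidentId"}

# The simple template from the documentation above.
EXAMPLE_TEMPLATE = (
    '<b>{{currentUser}}</b> edited <a href="{{incidentUrl}}">{{incidentId}}</a>.'
)

# Matches {{name}} (group 1 empty) and {{{name}}} (group 1 is "{").
TAG = re.compile(r"\{\{(\{?)\s*([A-Za-z_][A-Za-z0-9_.]*)\s*\}?\}\}")


def referenced_variables(template):
    """Every variable name the template refers to."""
    return {m.group(2) for m in TAG.finditer(template)}


def unknown_variables(template, allowed=CASE_MANAGER_INCIDENT_FIELDS):
    """Variables that are not in the allowed list for this template type."""
    return sorted(referenced_variables(template) - set(allowed))


def render(template, context):
    """Substitute variables; escape unless the triple-mustache form is used."""
    def substitute(match):
        raw = match.group(1) == "{"
        value = str(context.get(match.group(2), ""))
        # Escaping keeps a field value such as a user-entered name from being
        # interpreted as markup by the recipient's mail client.
        return value if raw else html.escape(value, quote=True)
    return TAG.sub(substitute, template)


def render_example():
    """Render EXAMPLE_TEMPLATE with constructed incident values."""
    context = {  # constructed sample values, not real incident data
        "currentUser": "alice <ops>",
        "incidentUrl": "https://exabeam.example/incidents/42",
        "incidentId": "INC-42",
    }
    if unknown_variables(EXAMPLE_TEMPLATE):
        raise ValueError("template uses variables outside the allowed list")
    return render(EXAMPLE_TEMPLATE, context)


if __name__ == "__main__":
    print(render_example())
```

Running `unknown_variables` over a template before saving it catches a typo in a variable name, which would otherwise silently render as an empty string in every notification.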

Create a Case Manager Email Notification

Configure Case Manager to automatically send emails notifying you about important Case Manager activity, like when someone creates, changes, or comments on an incident, or assigns a task.

  1. Ensure that you have configured Advanced Analytics email notifications. They must be in place before you configure Case Manager email notifications (see Configure Advanced Analytics System Activity Notifications).

  2. In the navigation bar, click the menu The menu icon in the navigation bar; three white lines on a green background., select Settings, then select Analytics.

  3. Under Case Management, select Email Notifications, then select the CASE MANAGER NOTIFICATIONS tab.

  4. Click Add Case Manager Notification A blue circle with a white plus sign..

  5. Configure the email notification settings. These settings use the same SMTP IP/Hostname and Port as your Advanced Analytics email notifications.

    • Notification name – Name the notification. This name is only used to identify the notification in Case Manager settings.

    • Email template – Select an email template you created.

    • Event type – Select the event you want to be notified about:

      • Incident created

      • Incident assigned

      • Incident deleted

      • Incident updated

      • Incident priority changed

      • Incident status changed

      • Task assigned

      • Case note comment created

      • Email comment created

      • Received reply for an email comment

    • (Optional) Condition – Enter a condition that must be true for Case Manager to send the email notification. This condition uses incident fields, default or custom.

    • Recipients – Enter an email address or select an Exabeam user from the list.

  6. Click SAVE.
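The following is an added example, not Exabeam's code, that models how the notification settings in this procedure decide which emails go out for an event: a notification carries a name, a template, one event type from the list above, an optional condition over incident fields, and recipients. The condition syntax is hypothetical; the page only says a condition is written over default or custom incident fields, so this uses a simple `field == value` / `field != value` form for illustration. The sample rules, incident field values and email addresses are constructed.

```python
"""Match Case Manager notification rules against an incident event.

Added example, not Exabeam's code. The event type list is from the
documentation; the `field == value` / `field != value` condition grammar is
hypothetical, and the rules, field values and addresses are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

EVENT_TYPES = {
    "Incident created", "Incident assigned", "Incident deleted",
    "Incident updated", "Incident priority changed", "Incident status changed",
    "Task assigned", "Case note comment created", "Email comment created",
    "Received reply for an email comment",
}

# Hypothetical condition grammar: <field> == <value> or <field> != <value>.
COND = re.compile(r"^\s*(\w+)\s*(==|!=)\s*(.+?)\s*$")


@dataclass
class Notification:
    name: str            # only used to identify the rule in settings
    template: str        # name of an email template you created
    event_type: str
    recipients: List[str]
    condition: Optional[str] = None

    def __post_init__(self):
        # Reject rules the UI would not let you save: unknown event type or
        # a condition the (hypothetical) grammar cannot parse.
        if self.event_type not in EVENT_TYPES:
            raise ValueError(f"unknown event type: {self.event_type!r}")
        if self.condition is not None and not COND.match(self.condition):
            raise ValueError(f"cannot parse condition: {self.condition!r}")


def condition_holds(condition, fields):
    """Evaluate a condition against the incident's default and custom fields."""
    if condition is None:
        return True
    name, op, value = COND.match(condition).groups()
    actual = fields.get(name)
    if actual is None:
        return False  # an absent field never satisfies a condition
    return str(actual) == value if op == "==" else str(actual) != value


def matching_notifications(rules, event_type, fields):
    """Rules whose event type matches and whose condition holds, in rule order."""
    return [r for r in rules
            if r.event_type == event_type and condition_holds(r.condition, fields)]


def recipients_for(rules, event_type, fields):
    """Deduplicated recipient list across every matching rule."""
    seen, out = set(), []
    for rule in matching_notifications(rules, event_type, fields):
        for addr in rule.recipients:
            if addr not in seen:
                seen.add(addr)
                out.append(addr)
    return out


# Constructed sample rules; template names refer to templates you would create.
SAMPLE_RULES = [
    Notification("Critical incident created", "CM default", "Incident created",
                 ["soc-lead@example.com"], condition="priority == Critical"),
    Notification("Any status change", "CM default", "Incident status changed",
                 ["soc@example.com"]),
    Notification("Phishing status change", "CM default", "Incident status changed",
                 ["soc@example.com", "mail-team@example.com"],
                 condition="incidentType == Phishing"),
]
```

Because every matching rule fires independently, overlapping rules such as the two status-change rules above produce one email per rule unless recipients are deduplicated as `recipients_for` does; keep that in mind when deciding how many rules to create for one event type.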