Case Manager i56 Release Notes

Case Manager i56 includes features that support customizing email notifications using templates and clearing playbook and action outputs in an incident's workbench.

What's New

Customize Your Case Manager Email Notifications

Use templates to customize email notifications about important Case Manager activity.

Previously, you couldn't customize the email notifications you received from Case Manager.

Now, you can create email notifications directly in Case Manager settings, and customize them using templates for each scenario you want to be notified about.

Exabeam Documentation: Create a Case Manager Email Notification

Exabeam Documentation: Create a Template for Case Manager Email Notifications

View Only the Latest Playbook and Action Outputs

Clean up your incident's workbench and clear existing playbook and action outputs.

When you ran an action or playbook on a specific incident, the outputs accumulated in the incident's workbench, which cluttered the workbench with your entire history. It was difficult to identify the outputs of the latest playbook you just ran.

Now, you can clear all past playbook and action outputs in the workbench and the incident itself so it displays only the latest ones. In the incident's activity log, view who cleared the outputs and when.

Exabeam Documentation: Clear an Incident's Playbook and Action Outputs

Known Issues

SOAR-12695

If you upgrade from Case Manager i53.5 or earlier, custom parsers don't work correctly and you can't ingest data from your incident feeds.

Starting with parsers in i53.5, all hyphens, colons, or semicolons in incident type names were replaced with underscores. If your custom parser refers to a custom incident type with hyphens, colons, or semicolons, the Case Manager Parsing Engine can't parse logs for that incident type.

To resolve this issue:

  1. Before you upgrade Case Manager, navigate to /opt/exabeam/config/custom/soar-lemon/soar_parsers.conf, then identify parsers where IncidentType includes hyphens, colons, or semicolons.

  2. After you upgrade Case Manager, navigate to /opt/exabeam/config/custom/soar-lemon/soar_parsers.conf, search for the parsers you previously identified, then for IncidentType, manually replace all hyphens, colons, and semicolons with underscores.
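The two steps above can be scripted, shown here as an added example that is not part of the Exabeam release notes or tooling. It assumes each incident type appears on one line as `IncidentType = "value"` or `IncidentType: "value"`; the release notes do not show the file syntax, so check that assumption against your own soar_parsers.conf. The sample text is constructed.

```python
import re
import shutil
import sys

# Assumed line shape (the release notes do not show the file syntax):
#   IncidentType = "some-type"   or   IncidentType: "some-type"
INCIDENT_TYPE = re.compile(
    r'^([ \t]*"?IncidentType"?[ \t]*[=:][ \t]*")([^"\n]*)(")', re.MULTILINE)
BAD_CHARS = re.compile(r"[-:;]")

def find_affected(conf_text):
    """Step 1: list (line_number, value) for IncidentType values with - : or ;"""
    hits = []
    for m in INCIDENT_TYPE.finditer(conf_text):
        if BAD_CHARS.search(m.group(2)):
            line_no = conf_text.count("\n", 0, m.start(2)) + 1
            hits.append((line_no, m.group(2)))
    return hits

def normalize(conf_text):
    """Step 2: replace - : ; with _ inside IncidentType values only."""
    return INCIDENT_TYPE.sub(
        lambda m: m.group(1) + BAD_CHARS.sub("_", m.group(2)) + m.group(3),
        conf_text)

# Constructed sample, not taken from a real soar_parsers.conf.
SAMPLE = '''{
  Name = "custom-dlp-feed"
  IncidentType = "dlp-alert:high"
  Fields = ["src-ip", "user;name"]
}
{
  Name = "phish_feed"
  IncidentType = "phishing_report"
}
'''

if __name__ == "__main__":
    # Usage: script.py <path to soar_parsers.conf> [--fix]
    path = sys.argv[1]
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    for line_no, value in find_affected(text):
        print(f"{path}:{line_no}: IncidentType {value!r}")
    if "--fix" in sys.argv[2:]:
        shutil.copy2(path, path + ".bak")  # keep the original for rollback
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(normalize(text))
```

Run it without `--fix` before the upgrade to record the affected parsers, then with `--fix` after the upgrade; hyphens, colons, and semicolons in other fields are left untouched.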

SOAR-12718

When you manually run the Send Template Email action from an incident's workbench, you encounter a Failed to send email error because the action was incorrectly deprecated. To resolve this issue, use the Notify by Email action instead.

Issues Fixed in Case Manager i56.5 (General Availability)

The i56.5 release does not include fixed issues for Case Manager. The following sections describe issues fixed in patch releases.

Issues Fixed in Case Manager i56.6

SOAR-12718

When you manually ran the Send Template Email action from an incident's workbench, you encountered a Failed to send email error because the action was incorrectly deprecated. This issue has been resolved. Now, you can manually run the Send Template Email action from an incident's workbench.

Issues Fixed in Case Manager i56.7

ACTN-3787

You couldn't configure or use Email Ingest and received an error: "Unable to reach Incident Response server. Related services and features are temporarily unavailable. Please refresh the application later to try again." The Email Ingest server ran out of memory because a health check executed too frequently. To resolve this issue, the health check was disabled.

EXA-34694

In rare cases, when an Advanced Analytics notable user session created a Case Manager incident, the Risk Reason incident field was empty. The Risk Reason incident field didn't account for risk transferred from a previous session. This issue has been resolved.

Issues Fixed in Case Manager i56.8

SOAR-13138

A critical vulnerability in software using Apache Log4j affected Elasticsearch in Case Manager. This vulnerability has been patched. Learn more about Exabeam's response to the vulnerability on the Exabeam Community.

Issues Fixed in Case Manager i56.9

This release does not include fixed issues for Case Manager.

Issues Fixed in Case Manager i56.10

SOAR-12827

Fixed an issue with custom roles where you could not view Case Manager Metrics even if you had the View Metrics permission. In addition, the View Metrics permission was duplicated under both Core and Analytics. If you had the Core View Metrics permission, you couldn't view Case Manager Metrics. Now, the View Metrics permission is under Analytics only.

PLT-12642

Fixed an issue where if you assigned incidents, you saw multiple values for the same person. In addition, if you logged in to Exabeam and varied the letter case of your username, like Barbara_salazar or barbara_Salazar, Exabeam created a different user for each variation.

Issues Fixed in Case Manager i56.11

This release does not include fixed issues for Case Manager.