Incident Fields
Display information about security incidents using incident fields.
An incident field represents an attribute of a security incident, like its description or the time it was created.
Incident fields are specific to an incident type. For example, the Phishing incident type includes fields like subject, email body, and attachment name. There are also default incident fields that appear in every incident, like description, vendor, or source, under the Generic incident type.
You can create a custom incident field for a specific incident type. After you create a custom incident field, arrange how it appears in the incident type's layout.
Generic Incident Fields
Review out-of-the-box incident fields specific to the Generic incident type.
You cannot remove the out-of-the-box fields from the Generic incident type. You can add custom incident fields to the Generic incident type to ensure they appear in every incident.
Incident type – The category the incident belongs under, usually representing a common security scenario. Incident types standardize incident fields, phases, and tasks.
Description – A short account of the incident; for example, what occurred and who was involved.
Vendor – The vendor that generated the log; for example, Exabeam.
Source – The product that generated the log; for example, Exabeam AA.
Source severity – The severity of the third-party security alert that created the Case Manager incident.
Source ID – The Advanced Analytics session ID, if the incident was created from a notable Advanced Analytics session.
Source URL – A link to the notable session in Advanced Analytics, if the incident was created from a notable Advanced Analytics session.
Event start time – When the notable session first started, if the incident was created from a notable Advanced Analytics session.
Event end time – When the notable session ended, if the incident was created from a notable Advanced Analytics session.
Source info – The raw log of the third-party security alert that created the Case Manager incident.
Created by – The person who created the incident in Case Manager.
Creation time – When the incident was created in Case Manager.
Updated by – The person who updated the incident in Case Manager.
Updated – When the incident was last updated in Case Manager.
Resolved time – When the incident's status was changed to Resolved.
Closed time – When the incident's status was changed to Closed or Closed - False Positive.
Closed reason – Why the incident's status was changed to Closed or Closed - False Positive. To close the incident, you must enter a value for this field.
Create a Custom Incident Field
Create incident fields to standardize the information displayed in an incident type.
You can't create custom incident fields for the Generic incident type.
In the navigation bar, click the menu, select Settings, then select Analytics.
Under Case Management, select Incident Configuration.
Select the FIELDS tab.
Click ADD FIELDS.
Enter information about your field. The information required varies based on field type.
To list multiple values, select List predefined options. If people can enter or select multiple values from this list, select Can enter or select multiple values.
Click SAVE.
Edit a Custom Incident Field
When you edit an incident field, the changes only apply to new incidents. If an existing incident has this field, it doesn't change.
In the navigation bar, click the menu, select Settings, then select Analytics.
Under Case Management, select Incident Configuration.
Select the FIELDS tab.
Hover over an incident type, click the More menu, then select Edit.
Edit the field inputs.
Click SAVE.
Delete a Custom Incident Field
When you delete an incident field, the field still appears in incidents that already have it, but you can't add it to a new incident layout.
In the navigation bar, click the menu, select Settings, then select Analytics.
Under Case Management, select Incident Configuration.
Select the FIELDS tab.
Hover over an incident field, click the More menu, then select Delete.