Entity Types
When you add an entity to an incident, it is one of three types. Each type carries its own set of data fields, which you can pass as input to action nodes in Incident Responder playbooks.
File – Any electronic file; for example, Word and Excel documents, Windows or Linux executables. A file entity contains specific data, including file path, size, and hash.
Device – A computer, either on an internal network or the internet. A device entity contains specific data, including IP address, zone, and top user.
User – A person identified by a corporate directory account ID, email address, or other means (app login ID, full name, etc.). A user entity contains specific data, including data about employment, contact information, and manager.
File Entity Data
Every entity type contains a unique set of data fields. The file entity contains data like file path, size, and hash. In Incident Responder, you can input this data to a playbook action node.
If you turned on data masking in Advanced Analytics settings and you click on a link that redirects you from Case Manager to Advanced Analytics, you must have View Unmasked Data (PII) privileges to view the data in Advanced Analytics.
Glossary
- File created time
Date and time this file was created.
Example: 2019-05-06 15:56
- File name
Name used to uniquely identify the file in the file system.
Example: barbarian.jar
- File path
Where in the file system this file was located. If you add a hash, the entity will not contain this information.
Example: c:\user\windows\XXX
- File size
How much space the file takes up in storage, in MB. If you add a hash, the entity will not contain this information.
Example: 1.7 MB
- MD5
MD5 hash value.
Example: b1d64dfbc73158114f20dee14b994755
- SHA1
SHA1 hash value.
Example: aed420a76e730364ca8d804873a7f3c6ca2ff4f4
- SHA256
SHA256 hash value.
Example: ee424b6d4657808c1c634fcaa7fc52e2ec9f30b1cb8ed457178559d5f840b40b
- SHA512
SHA512 hash value.
Example: 20a5ab43c7106846e4954adec2c2c1348d157beb686fbbb0f23a5efcf89cb49c4ab6c6c369869e05da7661d1386b5f439dfad9e6d60b11cac599be83b0146200
- Source
Link to the file asset's Advanced Analytics notable session timeline. If you manually uploaded the file, there is no link.
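The glossary lists the four hash fields of a file entity, but not how to tell a bare digest apart by length, nor how to check that a sample a playbook later retrieves is really the file the entity describes. The following Python is an added example, not Exabeam code: it classifies a hex digest as MD5/SHA1/SHA256/SHA512 by length, builds a file entity (a plain dict keyed by the glossary's field names, an assumed layout) either from file bytes or from a hash alone (in which case, as the glossary notes, path and size are absent), and recomputes the hashes over retrieved bytes to flag mismatches. The sample payload is constructed.

```python
"""Build and verify the hash fields of a Case Manager-style file entity.

Added example, not Exabeam's code. The entity layout (a dict keyed by the
glossary's field names) and the validation rules are assumptions.
"""
import hashlib
import re
from typing import Dict, Optional

# Hex-digest lengths for the four hash fields in the glossary.
HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_FUNCS = {
    "MD5": hashlib.md5,
    "SHA1": hashlib.sha1,
    "SHA256": hashlib.sha256,
    "SHA512": hashlib.sha512,
}
_HEX = re.compile(r"^[0-9a-fA-F]+$")


def classify_hash(value: str) -> Optional[str]:
    """Return the hash field a hex digest belongs in, or None if it is not a valid digest."""
    v = value.strip()
    if not _HEX.match(v):
        return None
    for name, length in HASH_LENGTHS.items():
        if len(v) == length:
            return name
    return None


def file_entity_from_bytes(name: str, path: str, data: bytes) -> Dict[str, object]:
    """Build a file entity with every hash computed from the file contents."""
    entity: Dict[str, object] = {
        "File name": name,
        "File path": path,
        "File size": len(data),  # stored in bytes here; the UI shows MB
    }
    for field, func in HASH_FUNCS.items():
        entity[field] = func(data).hexdigest()
    return entity


def file_entity_from_hash(name: str, digest: str) -> Dict[str, object]:
    """Build a hash-only entity; path and size are deliberately absent."""
    kind = classify_hash(digest)
    if kind is None:
        raise ValueError(f"not a recognised MD5/SHA1/SHA256/SHA512 hex digest: {digest!r}")
    return {"File name": name, kind: digest.strip().lower()}


def verify_entity(entity: Dict[str, object], data: bytes) -> Dict[str, bool]:
    """Recompute each hash present on the entity over retrieved bytes.

    Returns {field: matches} so a playbook can refuse to act on a sample
    whose digest does not match the entity it was fetched for.
    """
    results = {}
    for field, func in HASH_FUNCS.items():
        if field in entity:
            results[field] = func(data).hexdigest() == str(entity[field]).lower()
    return results


if __name__ == "__main__":
    sample = b"abc"  # constructed sample payload
    full = file_entity_from_bytes("barbarian.jar", r"c:\user\windows\XXX", sample)
    print(full)
    print(verify_entity(full, sample))
    print(file_entity_from_hash("barbarian.jar", "b1d64dfbc73158114f20dee14b994755"))
```

Use `verify_entity` before any playbook action that operates on a fetched sample (detonation, blocking by hash): a `False` entry means the bytes on hand are not the file the incident refers to.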
Device Entity Data
Every entity type contains a unique set of data. The device entity contains data like the device's host, IP address, and top user. In Incident Responder, you can input this data to a playbook action node.
If you turned on data masking in Advanced Analytics settings and you click on a link that redirects you from Case Manager to Advanced Analytics, you must have View Unmasked Data (PII) privileges to view the data in Advanced Analytics.
Glossary
- Alerts
Number of third-party security alerts this device has triggered.
Example: 2
- City
City the device last connected from.
Example: San Francisco
- Country
Country the device last connected from.
Example: United States
- Data insights
Link to the device's Data Insights page in Advanced Analytics.
- Entity frequency
Number of incidents that contain this entity. Click to view a list of all these incidents.
Example: 2
- First seen
Date Advanced Analytics first detected the device in the network.
Example: 1 Apr 2018
- IP
IP address assigned to the device.
Example: 10.78.121.42
- Last seen
Date of the most recent sequence that involved this device.
Example: 4 May 2018
- Risk score
The device's Advanced Analytics risk score at the time Case Manager created the incident. The risk score doesn't update as the notable session continues or when it closes. Click to return to the session and view the final risk score.
Example: 299
- Source
Link to the device asset's Advanced Analytics notable session timeline.
- State
U.S. state the device last connected from. If the device connected from outside the U.S., the entity will not contain this information.
Example: California
- Top user
Full name of the Advanced Analytics user that logs into this device most frequently. Click to view the user's profile in Advanced Analytics.
Example: Barbara Salazar
- Type
Operating system: Windows, Linux, or Mac.
- URL
URL associated with the IP address.
Example: www.ddddd.com
- Watchlists
Number of watchlists the device appears on in the home page.
Example: 2
- Zone
Internal network zone within your organization the device last connected from. This may be a city, business unit, building, or room.
Example: Atlanta office
User Entity Data
Every entity type contains a unique set of data. The user entity type contains data like the user's employment, contact information, and manager. In Incident Responder, you can input this data to a playbook action node.
If you turned on data masking in Advanced Analytics settings and you click on a link that redirects you from Case Manager to Advanced Analytics, you must have View Unmasked Data (PII) privileges to view the data in Advanced Analytics.
Glossary
- Account ID
Corporate directory account ID, typically corresponds to a set of login credentials.
Example: bsalazar
- Alerts
Number of third-party security alerts this user has triggered.
Example: 3
- Data insights
Link to the user's Data Insights page in Advanced Analytics.
- Employee type
Type of employee, as defined in the Advanced Analytics user_employee_type context table; for example, full-time, part-time, or contractor.
Example: full-time
- Entity frequency
Number of incidents that contain this entity. Click to view a list of all these incidents.
Example: 2
- First seen
Date when Exabeam first detected the user in the IT environment.
Example: 1 April 2018
- Full name
First name and last name. Click to navigate to the user's profile in Advanced Analytics.
Example: Barbara Salazar
- Last seen
Date the user last logged in to a device or network; the user's most recent Advanced Analytics login event.
Example: 4 May 2018
- Manager cell phone
Manager's personal cell phone number.
Example: 212-408-5108
- Manager email
Manager's work email address. Click to start writing an incident email to the manager.
Example: [email protected]
- Manager name
Full name of the user's manager. Click to navigate to the manager's user profile in Advanced Analytics.
Example: Tu Peterson
- Manager office phone
Phone number the manager uses at their office location.
Example: 494-512-5019
- Manager title
Manager's job title.
Example: VP of Human Resources
- Photo
User's display picture in Advanced Analytics.
- Risk score
The user's Advanced Analytics risk score at the time Case Manager created the incident. The risk score doesn't update as the notable session continues or when it closes. Click to return to the session and view the final risk score.
Example: 299
- Source
Link to the user's Advanced Analytics notable session timeline.
- Top device
Device the user logs into most frequently.
Example: srv_143lm_us
- User cell phone
User's personal cell phone number.
Example: 274-557-3374
- User department
Corporate department the user works in.
Example: HR
- User email
User's work email address. Click to start writing an incident email to the user.
Example: [email protected]
- Username
Username in Advanced Analytics.
Example: Barb S.
- User office phone
Phone number the user uses at their office location.
Example: 212-408-8076
- User title
User's job title.
Example: Human Resources Coordinator
- Watchlist
Number of watchlists the user appears on in the home page.
Example: 2
- Zone
Internal network zone within your organization the user last connected from. This may be a city, business unit, building, or room.
Example: Chicago