Cloud-delivered Case Manager

Get Started with Case Manager

Welcome to Case Manager, the customizable case management solution that helps you organize and track investigations with ticketing, messaging, and key performance indicator (KPI) dashboards.

To understand what Case Manager is and how to use it, here are some key concepts that might help you.

  • Case Manager

    Organize, track, and streamline your investigation with Case Manager.

  • Case Manager Terminology

    Before you use Case Manager, understand terms you see throughout the product and in Exabeam documentation.

  • Get to Know an Incident

    Break down an incident into its components, and learn about the information and functionality available in an incident.

  • Case Manager Metrics

    View graphs, charts, and diagrams about how Case Manager is performing in Metrics.

Case Manager

Organize, track, and streamline your investigation with Case Manager.

Exabeam Case Manager is a customizable case management solution with ticketing, messaging, and Key Performance Indicator (KPI) dashboards. It organizes and tracks investigations so you are more efficient and productive.

If you're an analyst, Case Manager helps you streamline your workflow and close out more cases. Case Manager is directly embedded in both Advanced Analytics and Incident Responder, so you quickly pivot between detecting and responding to threats. Case Manager also enriches cases with risk scores and reasons, so you know which incidents to prioritize and allocate the appropriate resources.

If you're a SOC manager, you use Case Manager to standardize analysts' response and quickly track progress using tasks. You also view important KPIs like cost savings, mean time to resolve, and mean dwell time, to measure how productive your SOC is.

Case Manager extends Advanced Analytics and requires a separate license. You can also add Incident Responder to Case Manager with a separate license. To learn more, contact your technical account manager or watch product videos on the Exabeam Community.

Case Manager Terminology

Before you use Case Manager, understand terms you see throughout the product and in Exabeam documentation.

Artifact

An object you collect during your investigation; a piece of evidence. The default artifact types are file, IP address, log, and process.

Entity

The principal object you investigate. It can be a person, an internal or external machine, or critical data like a file. The default entity types are file, device, and user.

Incident

An unusual occurrence that indicates a threat to your organization; what a security analyst investigates. You can create an incident manually or automatically using Incident Responder.

Incident field

An attribute of an incident, like its description or the time it was created.

Incident type

The nature of an incident (e.g. malware, phishing attempt, data leakage, departed employee). Based on the incident type, Incident Responder displays certain incident fields and tasks.

Queue

A group assigned to handle and investigate an incident.

Queue member

Someone who has been added to a queue.

Case Manager Entities

A Case Manager entity describes the primary object or user involved in an incident.

An entity is the primary object you are investigating. You may pivot on entities and add or edit their information. There are three entity types: device, user, and file.

While entities and artifacts are both objects, they differ in their context and in the roles they play in your investigation. An artifact is an object you collect when you investigate an incident, like evidence the police find when investigating a crime. An entity is the crime itself. An artifact enriches an entity.

An item can't be both an entity and an artifact. However, in specific cases, something might appear under both the Artifact and Entities sections in an incident. For example: a malicious file is an entity, but its contents are artifacts.

Entity Types

When you add an entity to an incident, it falls under one of three types. Each type contains a unique set of data, which you can input to action nodes in Incident Responder playbooks.

File – Any electronic file; for example, Word and Excel documents, Windows or Linux executables. A file entity contains specific data, including file path, size, and hash.

Device – A computer, either on an internal network or the internet. A device entity contains specific data, including IP address, zone, and top user.

User – A person identified by a corporate directory account ID, email address, or other means (app login ID, full name, etc.). A user entity contains specific data, including data about employment, contact information, and manager.

File Entity Data

Every entity type contains a unique set of data fields. The file entity contains data like file path, size, and hash. In Incident Responder, you can input this data to a playbook action node.

If you turned on data masking in Advanced Analytics settings and you click on a link that redirects you from Case Manager to Advanced Analytics, you must have View Unmasked Data (PII) privileges to view the data in Advanced Analytics.

Glossary

File created time

Date and time this file was created.

Example: 2019-05-06 15:56

File name

Name used to uniquely identify the file in the file system.

Example: barbarian.jar

File path

Where in the file system this file was located. If you add a hash, the entity will not contain this information.

Example: c:\user\windows\XXX

File size

How much space the file takes up in storage, in MB. If you add a hash, the entity will not contain this information.

Example: 1.7 MB

MD5

MD5 hash value.

Example: b1d64dfbc73158114f20dee14b994755

SHA1

SHA1 hash value.

Example: aed420a76e730364ca8d804873a7f3c6ca2ff4f4

SHA256

SHA256 hash value.

Example: ee424b6d4657808c1c634fcaa7fc52e2ec9f30b1cb8ed457178559d5f840b40b

SHA512

SHA512 hash value.

Example: 20a5ab43c7106846e4954adec2c2c1348d157beb686fbbb0f23a5efcf89cb49c4ab6c6c369869e05da7661d1386b5f439dfad9e6d60b11cac599be83b0146200

Source

Link to the file asset's Advanced Analytics notable session timeline. If you manually uploaded the file, there is no link.

User Entity Data

Every entity type contains a unique set of data. The user entity type contains data like the user's employment, contact information, and manager. In Incident Responder, you can input this data to a playbook action node.

If you turned on data masking in Advanced Analytics settings and you click on a link that redirects you from Case Manager to Advanced Analytics, you must have View Unmasked Data (PII) privileges to view the data in Advanced Analytics.

Glossary

Account ID

Corporate directory account ID; it typically corresponds to a set of login credentials.

Example: bsalazar

Alerts

Number of third-party security alerts this user has triggered.

Example: 3

Data insights

Link to the user's Data Insights page in Advanced Analytics.

Employee type

Type of employee, as defined in the Advanced Analytics user_employee_type context table; for example, full-time, part-time, or contractor.

Example: full-time

Entity frequency

Number of incidents that contain this entity. Click to view a list of all these incidents.

Example: 2

First seen

Date when Exabeam first detected the user in the IT environment.

Example: 1 April 2018

Full name

First name and last name. Click to navigate to the user's profile in Advanced Analytics.

Example: Barbara Salazar

Last seen

Date the user last logged in to a device or network; the user's most recent Advanced Analytics login event.

Example: 4 May 2018

Manager cell phone

Manager's personal cell phone number.

Example: 212-408-5108

Manager email

Manager's work email address. Click to start writing an incident email to the manager.

Example: tu.peterson@example.com

Manager name

Full name of the user's manager. Click to navigate to the manager's user profile in Advanced Analytics.

Example: Tu Peterson

Manager office phone

Phone number the manager uses at their office location.

Example: 494-512-5019

Manager title

Manager's job title.

Example: VP of Human Resources

Photo

User's display picture in Advanced Analytics.

Risk score

The device's Advanced Analytics risk score at the time Case Manager created the incident. The risk score doesn't update as the notable session continues or when it closes. Click to return to the session and view the final risk score.

Example: 299

Source

Link to the user's Advanced Analytics notable session timeline.

Top device

Device the user logs into most frequently.

Example: srv_143lm_us

User cell phone

A private cell phone number.

Example: 274-557-3374

User department

Corporate department the user works in.

Example: HR

User email

User's work email address. Click to start writing an incident email to the user.

Example: barbara.salazar@example.com

Username

Username in Advanced Analytics.

Example: Barb S.

User office phone

Phone number the user uses at their office location.

Example: 212-408-8076

User title

User's job title.

Example: Human Resources Coordinator

Watchlist

Number of watchlists the user appears on in the home page.

Example: 2

Zone

Internal network zone within your organization the user last connected from. This may be a city, business unit, building, or room.

Example: Chicago

Case Manager Artifacts

A Case Manager artifact is evidence you collect as you investigate an incident to describe and enrich a Case Manager entity.

An artifact is the additional evidence you discover as you investigate. There are five artifact types: email address, file, IP, process, and URL. Artifacts are timestamped. You create an artifact manually, or automatically through an action. Although not all artifacts are important to your investigation, you add them to the incident to record them just in case.

While entities and artifacts are both objects, they differ in their context and in the roles they play in your investigation. An artifact is an object you collect when you investigate an incident, like evidence the police find when investigating a crime. An entity is what the artifact supports or describes; it is the crime the police investigate. An artifact enriches an entity.

An item can't be both an entity and an artifact. However, in specific cases, something might appear under both the Artifact and Entities sections in an incident. For example: a malicious file is an entity, but its contents are artifacts.

Artifact Types

When you add an artifact to an incident, it falls under one of five types. Each type contains its own unique set of data, which you can input to action nodes in Incident Responder playbooks.

Email Address – An email address observed on an email client or server. An email address artifact contains specific data, including role and threat status.

File – A file observed on a device. It may or may not have a payload. You may retrieve the file, but not download, display, or execute it because it may be malicious. A file artifact contains specific data, including file path, size, and hash.

IP – An IP address in IPv4 or IPv6 format. An IP artifact contains specific data, including geolocation, role, and threat status.

Process – A process executed by a program observed on an operating system. A process artifact contains specific data, including run time, ID, and parent process.

URL – A URL associated with an IP address. A URL artifact contains specific data, including geolocation, IP, and role.

Email Address Artifact Data

Every artifact type contains a unique set of data. The email address artifact contains data like the email address's role and threat status. In Incident Responder, you can input this data to a playbook action node.

If you turned on data masking in Advanced Analytics settings and you click on a link that redirects you from Case Manager to Advanced Analytics, you must have View Unmasked Data (PII) privileges to view the data in Advanced Analytics.

Glossary

Artifact frequency

Number of open incidents that contain this artifact. Click to view a list of these incidents.

Example: 2

Email address

Email address the artifact describes.

Example: alerts@microsft.com

Related entity

The entity this artifact is related to.

Example: fweber

Role

Whether the email is a victim, was attacked, or unknown.

Source

Link to the email asset's Advanced Analytics notable session timeline.

Threat status

Whether the email is a malicious, benign, or unknown threat, or a false positive.

File Artifact Data

Every artifact type contains a unique set of data. The file artifact contains data like path, size, and hash. In Incident Responder, you can input this data to a playbook action node.

If you turned on data masking in Advanced Analytics settings and you click on a link that redirects you from Case Manager to Advanced Analytics, you must have View Unmasked Data (PII) privileges to view the data in Advanced Analytics.

Glossary

Artifact frequency

Number of open incidents that contain this artifact. Click to view a list of these incidents.

Example: 2

File created time

Date and time this file was created.

Example: 2019-05-06 15:56

File name

Name used to uniquely identify the file in the file system.

Example: barbarian.jar

File path

Where in the file system the file was located. If you add a hash, the artifact will not contain this information.

Example: c:\user\windows\XXX

File size

How much space the file takes up in storage, in MB. If you add a hash, the artifact will not contain this information.

Example: 1.7 MB

MD5

MD5 hash value.

Example: b1d64dfbc73158114f20dee14b994755

Role

Whether the file is a victim, was attacked, or unknown.

SHA1

SHA1 hash value.

Example: aed420a76e730364ca8d804873a7f3c6ca2ff4f4

SHA256

SHA256 hash value.

Example: ee424b6d4657808c1c634fcaa7fc52e2ec9f30b1cb8ed457178559d5f840b40b

SHA512

SHA512 hash value.

Example: 20a5ab43c7106846e4954adec2c2c1348d157beb686fbbb0f23a5efcf89cb49c4ab6c6c369869e05da7661d1386b5f439dfad9e6d60b11cac599be83b0146200

Source

Link to the file asset's Advanced Analytics notable session timeline. If you manually uploaded the file, there is no link.

Threat status

Whether the file is a malicious, benign, or unknown threat, or a false positive.

IP Artifact Data

Every artifact type contains a unique set of data. The IP artifact contains data like geolocation, role, and threat status. In Incident Responder, you can input this data to a playbook action node.

If you turned on data masking in Advanced Analytics settings and you click on a link that redirects you from Case Manager to Advanced Analytics, you must have View Unmasked Data (PII) privileges to view the data in Advanced Analytics.

Glossary

Artifact frequency

Number of open incidents that contain this artifact. Click to view a list of these incidents.

Example: 2

City

City this IP address last connected from.

Example: San Francisco

Country

Country this IP address last connected from.

Example: United States

IP

IP address the artifact describes.

Example: 8.8.8.8

Related entity

The entity this artifact is related to.

Example: fweber

Role

Whether the IP address is a victim, was attacked, or unknown.

Source

Link to the IP asset's Advanced Analytics notable session timeline.

State

U.S. state this IP address last connected from. If the IP address connected from outside the U.S., the artifact doesn't contain this information.

Example: California

Threat status

Whether the IP address is a malicious, benign, or unknown threat.

Process Artifact Data

Every artifact type contains a unique set of data. The process artifact contains data like run time, ID, and parent process. In Incident Responder, you can input this data to a playbook action node.

If you turned on data masking in Advanced Analytics settings and you click on a link that redirects you from Case Manager to Advanced Analytics, you must have View Unmasked Data (PII) privileges to view the data in Advanced Analytics.

Glossary

Artifact frequency

Number of open incidents that contain this artifact. Click to view a list of these incidents.

Example: 2

End time

Date and time the process stopped running.

Example: 2019-05-06 18:56

Parent PID

Parent process ID.

Example: 2130

Parent process name

Program filename of the parent process.

Example: explorer.exe

Process ID

ID of the process the artifact describes.

Example: 4109

Process name

File name of the program that executed the process.

Example: a.exe

Process path

Where in the file system the program file was located.

Example: C:\Users\Developer\Exabeam\Test\...

Process UID

Process's user ID, available in Unix-like operating systems.

Example: 39569

Related entity

The entity this artifact is related to.

Example: fweber

Role

Whether the process is a victim, was attacked, or unknown.

Source

Link to the process asset's Advanced Analytics notable session timeline.

Start time

Date and time the process started running.

Example: 2019-05-06 15:56

Threat status

Whether the process is a malicious, benign, or unknown threat, or a false positive.

URL Artifact Data

Every artifact type contains a unique set of data. The URL artifact type contains data like geolocation, IP, and role. You can input this data to a playbook action node.

If you turned on data masking in Advanced Analytics settings and you click on a link that redirects you from Case Manager to Advanced Analytics, you must have View Unmasked Data (PII) privileges to view the data in Advanced Analytics.

Glossary

Artifact frequency

Number of open incidents that contain this artifact. Click to view a list of these incidents.

Example: 2

City

City this URL was last accessed from.

Example: San Francisco

Country

Country this URL was last accessed from.

Example: United States

IP

URL's corresponding IP address.

Example: 8.8.8.8

Related entity

The entity this artifact is related to.

Example: fweber

Role

Whether the URL is a victim, was attacked, or unknown.

Source

Link to the URL asset's Advanced Analytics notable session timeline.

State

U.S. state this URL was last accessed from. If the URL was accessed from outside the U.S., the artifact doesn't contain this information.

Example: California

Threat status

Whether the URL is a malicious, benign, or unknown threat, or a false positive.

URL

URL the artifact describes.

Example: https://www.exabeam.com
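The artifact glossaries above list the fields each artifact type carries, but not how to check a record before it is attached to an incident. The following Python is an added example, not code from Exabeam or Case Manager: it validates constructed artifact records by type, using snake_cased versions of the glossary field names, and builds a file artifact record that carries all four hash fields from a byte string. The accepted role and threat-status values follow the glossary wording; the field names, the validation rules, and the sample records are this example's own assumptions.

```python
import hashlib
import ipaddress
import re
from urllib.parse import urlparse

# Hash field -> expected hex-digest length for the algorithms in the file artifact glossary.
HASH_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
# Role and threat-status values as worded in the glossaries (assumed canonical spellings).
ROLES = {"victim", "attacked", "unknown"}
THREAT_STATUSES = {"malicious", "benign", "unknown", "false positive"}
# The five artifact types named on the page; field names below are this example's assumption.
ARTIFACT_TYPES = {"email", "file", "ip", "process", "url"}

_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def validate_artifact(record):
    """Return the list of problems found in an artifact record; [] means it is well-formed."""
    problems = []
    kind = record.get("type")
    if kind not in ARTIFACT_TYPES:
        return [f"unknown artifact type: {kind!r}"]
    # Role and threat status are shared by every artifact type.
    if "role" in record and record["role"] not in ROLES:
        problems.append(f"role must be one of {sorted(ROLES)}")
    if "threat_status" in record and record["threat_status"] not in THREAT_STATUSES:
        problems.append(f"threat_status must be one of {sorted(THREAT_STATUSES)}")

    if kind == "email":
        if not _EMAIL_RE.match(str(record.get("email_address", ""))):
            problems.append("email_address is not a valid address")
    elif kind == "file":
        # A file artifact is identified by a hash or, failing that, by its path.
        hashes = {k: v for k, v in record.items() if k in HASH_LENGTHS}
        if not hashes and "file_path" not in record:
            problems.append("file artifact needs at least a hash or a file_path")
        for algo, digest in hashes.items():
            pattern = r"[0-9a-fA-F]{%d}" % HASH_LENGTHS[algo]
            if not (isinstance(digest, str) and re.fullmatch(pattern, digest)):
                problems.append(f"{algo} must be {HASH_LENGTHS[algo]} hex characters")
    elif kind == "ip":
        # The page allows IPv4 or IPv6; ipaddress accepts both and rejects malformed input.
        try:
            ipaddress.ip_address(str(record.get("ip", "")))
        except ValueError:
            problems.append("ip is not a valid IPv4 or IPv6 address")
    elif kind == "process":
        for field in ("process_id", "parent_pid"):
            if field in record and (not isinstance(record[field], int) or record[field] < 0):
                problems.append(f"{field} must be a non-negative integer")
    elif kind == "url":
        parsed = urlparse(str(record.get("url", "")))
        if parsed.scheme not in {"http", "https"} or not parsed.netloc:
            problems.append("url must be an absolute http(s) URL")
    return problems


def file_artifact_from_bytes(file_name, content):
    """Build a file artifact record carrying every hash field from the glossary.

    Hashing the bytes of a retrieved sample records it without displaying or
    executing it, which the page says you should not do with a file artifact.
    """
    record = {"type": "file", "file_name": file_name, "file_size_mb": len(content) / 1_000_000}
    for algo in HASH_LENGTHS:
        record[algo] = hashlib.new(algo, content).hexdigest()
    return record


# Constructed sample records; the md5 and email address reuse the glossary examples above.
SAMPLE_RECORDS = [
    {"type": "ip", "ip": "8.8.8.8", "role": "unknown", "threat_status": "benign"},  # well-formed
    {"type": "ip", "ip": "999.1.1.1"},                                                # bad address
    {"type": "file", "md5": "b1d64dfbc73158114f20dee14b994755"},                      # well-formed
    {"type": "file", "sha256": "not-a-hash", "role": "owner"},                        # two problems
    {"type": "url", "url": "exabeam.com"},                                            # no scheme
    {"type": "email", "email_address": "alerts@microsft.com"},                        # well-formed
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec, "->", validate_artifact(rec) or "ok")
    print(file_artifact_from_bytes("sample.bin", b"hello"))
```

Running the block prints each constructed record with its problems, then a file artifact record for the constructed bytes `b"hello"` with all four digests filled in. A record that fails validation is worth rejecting before it reaches an incident, since a malformed hash or IP silently defeats the artifact-frequency lookups described in the glossaries.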

Case Manager Incidents

View, create, manage, and find incidents in Case Manager.

After you determine which incidents might be threats on the HOME page, navigate to CASE MANAGER to begin investigating and gathering further information.

In the sidebar, click CASE MANAGER to view all the incidents you have access to.

The Incidents page; there are a list of incidents, filters on the left, a sort by menu, and a blue button to manually add new incidents.

Use filters to find incidents that match frequently used criteria, or adjust each filter input. To further narrow the list of incidents, you can also sort them or search for a keyword.

To view the details of an incident, select an incident from the list.

You can also manually create an incident.

Get to Know an Incident

Break down an incident into its components, and learn about the information and functionality available in an incident.

In CASE MANAGER, select an incident to view its information and take steps to review and manage it.

The elements of an incident highlighted in red and numbered with callout boxes.

1 Edit the incident: change its name, type, start and end time, restrict who can access the incident, and reassign the incident to a different priority, status, queue, or assignee.

2 Delete the incident.

3 Create an entity or artifact.

4 Reassign the incident to a different priority, status, queue, or assignee.

5 Access the workbench to run actions and playbooks, and view the results.

6 View information about the incident. Some fields vary based on the type of incident and from where it was ingested. You can customize these fields and how they're organized in the incident.

7 View entities associated with the incident and manually add an entity.

8 View the results of actions and playbooks you've run on the incident.

9 View the tasks that must be completed for this incident.

10 View artifacts associated with the incident and manually add an artifact.

11 Send messages, like case notes and emails, directly from the incident.

12 View the incident's history.

The Workbench

View all Incident Responder actions and playbooks you've run on a Case Manager incident and their outputs, and run more actions and playbooks at an incident's workbench.

To navigate to an incident's workbench, navigate to CASE MANAGER, select an incident to view its details, then click the View Workbench button.

View all Incident Responder actions and playbooks you ran on the incident and what the outputs are. The number on each action or playbook indicates how many input parameters it processed. To view the output for an input, select the menu.

The workbench of an incident displaying the results of the Get Geolocation – IP-API action.

To manually run a single action or playbook, select RUN ACTION or RUN PLAYBOOK.

To clear the playbook and action results, select RESET CARDS.

Case Manager Metrics

View graphs, charts, and diagrams about how Case Manager is performing in Metrics.

The Metrics page is a dashboard of graphs, charts, diagrams, and other visualizations that reflect Case Manager's current state and environment. It measures and assesses how security operations and events are performing. To navigate to Metrics, in the sidebar, select METRICS.

The Metrics page displaying visualizations and statistics.

Filter the Metrics dashboard by incident assignee and time period. If you select a time period, it is applied across all charts.

Every time you refresh the page, the metrics also refresh. If you delete an incident, it is no longer calculated in the metrics.

View visualizations about:

  • Open Incidents - The number of incidents for which the status is not Closed or Closed-False Positive.

  • Mean Time to Resolution - The current mean (average) time to resolve all closed incidents in your environment.

  • Mean Time To Close - The current mean (average) time taken to close all of the currently closed incidents in your environment.

  • Mean Dwell Time - The current mean (average) dwell time for all incidents, measured from the incident start date to the incident create date.

  • False Positives - The percentage of false positive incidents found in Incident Responder.

  • Hours Saved - Approximates the manual person-hours that Incident Responder's work is equivalent to, based on the type of incident, average response time, and number of incidents processed.

  • New vs Closed Incidents - A timeline view of how many incidents were created vs closed on a given day.

  • Incidents by Type - A grid that breaks down incidents by their type. Hover over a date to view data specific to that date.

  • Work Distribution - Total incidents assigned to each team member; reflects how incidents and workload are allocated across the SOC team.

  • Incidents by Status - A percentage pie chart that breaks down the total incidents by their current status - New, In Progress, Pending, Resolved, Closed.

  • Mean Time to Resolution Table - Mean time to resolution based on incident type, as measured from the time an incident is marked In Progress to when it is marked Resolved.

  • Incident Breakdown - The number of open incidents, created incidents, closed incidents, and the average time that an incident remains unassigned to a user.
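The metric definitions above are easier to reason about when computed over concrete records. The following Python is an added example, not Exabeam's implementation of the Metrics page: it computes Open Incidents, Mean Time to Resolution (overall and per incident type, measured from In Progress to Resolved as the table definition states), Mean Time to Close, Mean Dwell Time (incident start date to create date), the false positive percentage, Incidents by Status, and Work Distribution over a constructed set of incidents. The status names are the ones the page lists; the record field names, the assumption that Mean Time to Close runs from incident creation to closure, and the sample timestamps are this example's own.

```python
from collections import Counter
from datetime import datetime
from statistics import mean

FMT = "%Y-%m-%d %H:%M"
# Per the page, an incident is open unless its status is Closed or Closed-False Positive.
CLOSED_STATUSES = {"Closed", "Closed-False Positive"}


def _t(stamp):
    return datetime.strptime(stamp, FMT)


def hours(start, end):
    """Elapsed hours between two timestamps in FMT."""
    return (_t(end) - _t(start)).total_seconds() / 3600


# Constructed sample incidents (assumed field names). "start" is the incident start date,
# "created" when Case Manager created the incident, and the remaining stamps record when
# the incident was marked In Progress, Resolved, and Closed; absent keys mean not reached.
INCIDENTS = [
    {"id": 1, "type": "phishing", "status": "Closed", "assignee": "bsalazar",
     "start": "2019-05-01 08:00", "created": "2019-05-01 10:00", "in_progress": "2019-05-01 11:00",
     "resolved": "2019-05-01 15:00", "closed": "2019-05-02 09:00"},
    {"id": 2, "type": "malware", "status": "Closed-False Positive", "assignee": "fweber",
     "start": "2019-05-02 00:00", "created": "2019-05-02 12:00", "in_progress": "2019-05-02 13:00",
     "resolved": "2019-05-02 14:00", "closed": "2019-05-02 14:30"},
    {"id": 3, "type": "phishing", "status": "In Progress", "assignee": "bsalazar",
     "start": "2019-05-03 09:00", "created": "2019-05-03 09:30", "in_progress": "2019-05-03 10:00"},
    {"id": 4, "type": "malware", "status": "New", "assignee": None,
     "start": "2019-05-04 06:00", "created": "2019-05-04 07:00"},
]


def open_incidents(incidents):
    """Open Incidents: status is neither Closed nor Closed-False Positive."""
    return [i for i in incidents if i["status"] not in CLOSED_STATUSES]


def mean_time_to_resolution(incidents, incident_type=None):
    """Mean hours from In Progress to Resolved, over incidents that reached Resolved.

    Pass incident_type to get one row of the Mean Time to Resolution table.
    """
    durations = [hours(i["in_progress"], i["resolved"]) for i in incidents
                 if "resolved" in i and (incident_type is None or i["type"] == incident_type)]
    return mean(durations) if durations else None


def mean_time_to_close(incidents):
    """Mean hours from creation to closure over currently closed incidents (assumed span)."""
    durations = [hours(i["created"], i["closed"]) for i in incidents if i["status"] in CLOSED_STATUSES]
    return mean(durations) if durations else None


def mean_dwell_time(incidents):
    """Mean hours from incident start date to incident create date, over all incidents."""
    return mean(hours(i["start"], i["created"]) for i in incidents)


def false_positive_rate(incidents):
    """Percentage of incidents closed as false positives."""
    return 100.0 * sum(i["status"] == "Closed-False Positive" for i in incidents) / len(incidents)


def incidents_by_status(incidents):
    """Counts behind the Incidents by Status pie chart."""
    return dict(Counter(i["status"] for i in incidents))


def work_distribution(incidents):
    """Incidents per assignee; unassigned incidents are grouped under 'unassigned'."""
    return dict(Counter(i["assignee"] or "unassigned" for i in incidents))


if __name__ == "__main__":
    print("open:", [i["id"] for i in open_incidents(INCIDENTS)])
    print("MTTR (h):", mean_time_to_resolution(INCIDENTS))
    for kind in sorted({i["type"] for i in INCIDENTS}):
        print(f"  MTTR {kind} (h):", mean_time_to_resolution(INCIDENTS, kind))
    print("MTTC (h):", mean_time_to_close(INCIDENTS))
    print("dwell (h):", mean_dwell_time(INCIDENTS))
    print("false positives (%):", false_positive_rate(INCIDENTS))
    print("by status:", incidents_by_status(INCIDENTS))
    print("work distribution:", work_distribution(INCIDENTS))
```

Because every figure is derived from the incident list passed in, removing an incident from that list drops it from all of the metrics, which matches the page's note that a deleted incident is no longer calculated. Filtering the list by assignee or by creation date before calling these functions reproduces the dashboard's assignee and time-period filters.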

To download the current dashboard as a PDF, click the download icon. The PDF contains data for all visualizations.

Case Manager on the Home Page

On the home page, get a snapshot of the most pressing and important Case Manager incidents.

The Home page alerts you to incidents, users, or entities you might want to investigate and organizes them into watchlists:

My Incidents – View new and active incidents you're assigned to.

Notable Users – View risky, increasingly suspicious users that have become threats.

Incidents In My Queues – Manage incidents your queue is assigned to.

My Incidents Watchlist

On the HOME page, the My Incidents watchlist displays your new and active incidents. Sort the incidents, navigate to their profiles or timelines, or view their details.

The My Incidents watchlist displays new and active incidents you're assigned to.

To sort incidents by the date they were created, priority, or status, click the Sort By menu.

To view the details of an incident, click the incident's name.

Incidents In My Queues Watchlist

On the HOME page, the Incidents In My Queues watchlist displays incidents assigned to a queue you're in. Sort the incidents, reassign the incidents, or view their details.

Use the Incidents In My Queues watchlist to manage incidents assigned to queues you're in.

To sort incidents by date created, priority or status, click the Sort By menu.

To reassign an incident to an assignee or queue, click the name of the queue, edit the Queue and Assignee fields, then click SAVE.

To view further details about an incident, click its name.

Notable Users Watchlist

On the HOME page, the Notable Users watchlist displays increasingly risky users that are potential threats.

If a user is involved in increasingly risky activities, they become a threat. Advanced Analytics marks them as a "notable user" once they cross a configured risk threshold. The default risk threshold is a risk score greater than or equal to 90 points. To modify this threshold, contact customer success.

When a user becomes notable, Case Manager creates an incident and lists it in the Notable Users watchlist.

If a user is associated with any open incidents, you see a folder icon and the number of open incidents. Click the folder to view the incidents and the priority, status, and assignee for each. To go to a specific incident, select the incident's name.

To filter notable users by when they became notable, select the time filter. When you select the folder icon for these filtered users, you see just the open incidents that were created within that time frame.

The Notable Users watchlist with the menu to sort by date highlighted with a red circle.

To view all incidents in Case Manager, select the folder icon, then click View all incidents.