Cloud-delivered Case Manager

Table of Contents

Investigate a Security Incident

Use Case Manager to investigate incidents. Edit incidents and add evidence as your investigation progresses. Complete tasks and follow a defined incident response plan. Communicate directly with stakeholders using case notes and email. Filter, search, and sort incidents to find a specific one.

  • Manually Create an Incident

    Instead of ingesting incidents from a service as they cross a risk threshold, manually create an incident if you need one immediately.

  • Edit an Incident

    Change an incident's details, and reassign the incident to a different person, priority, or status.

  • Manually Add an Entity

    Add the primary objects you're investigating to the incident. You can create three types of entities: file, device, and user.

  • Manually Add an Artifact

    Provide external evidence to your investigation. You can create five types of artifacts: file, IP, process, URL, or email address.

  • Add Advanced Analytics Evidence to a Case Manager Incident

    If an Advanced Analytics-generated incident doesn't include all the entities or artifacts you need, add them to the incident directly from Advanced Analytics.

  • Send Messages from an Incident

    Send messages, collaborate, and track information right from within an incident.

  • Filter Incidents

    Filter the list of incidents to find those that fit certain criteria. If you frequently use certain criteria, create your own custom filter.

  • Search for an Incident

    Jump to a specific incident based on keyword using the search bar.

  • Sort Incidents

    Sort the list of incidents using the Sort By menu. Use this with filters and search to find the incident you need.

  • Export Incidents

    To audit incidents, give details about incidents to people outside of your SOC, or archive and back up incident data to your local environment, export a list of incidents to a CSV file.

Manually Create an Incident

Instead of ingesting incidents from a service as they cross a risk threshold, manually create an incident if you need one immediately.

  1. In the sidebar, click CASE MANAGER.

  2. Select + NEW INCIDENT.

  3. Enter information about the incident:

    • Incident name – Enter an incident name.

    • Incident type – Select an incident type.

    • Event start time – Indicate when the incident started.

    • Event end time – Indicate when the incident ended, if known.

    • Queue – Assign the incident to a queue. If you don't, the incident is assigned to the default Unassigned queue.

    • Assignee – Assign the incident to someone on your team. If you don't, it is assigned to "unassigned" by default.

    • Priority – Low, medium, high, or critical.

    • Status – Select the status of the incident: New, In Progress, Pending, Resolved, or Closed. Feel free to use these statuses according to your organization's workflow and needs.

    • Restrict to – Restrict who can access this incident. Only these people, groups, or roles can access this incident. Open tasks assigned to people restricted from the incident are reassigned to Unassigned. Keep in mind that anyone with View Restricted Incidents permissions can always view the incident.

    • Description – Provide context about the incident.

  4. Click CREATE.

Edit an Incident

Change an incident's details, and reassign the incident to a different person, priority, or status.

You can also quickly reassign an incident to a different queue, assignee, priority, or status without editing it.

  1. In an incident, click the edit (pencil) icon.

  2. Change the incident details:

    • Incident name – Enter an incident name.

    • Incident type – Select an incident type.

    • Event start time – Indicate when the incident started.

    • Event end time – Indicate when the incident ended, if known.

    • Queue – Assign the incident to a queue. If you don't, the incident is assigned to the default Unassigned queue.

    • Assignee – Assign the incident to someone on your team. If you don't, it is assigned to "unassigned" by default.

    • Priority – Low, medium, high, or critical.

    • Status – Select the status of the incident: New, In Progress, Pending, Resolved, or Closed. Feel free to use these statuses according to your organization's workflow and needs.

      If the incident has open required tasks or empty required incident fields, you can't change the status to Closed. You must complete all required tasks and populate all required incident fields, then change the status to Closed.

    • Restrict to – Restrict who can access this incident. Only these people, groups, or roles can access this incident. Open tasks assigned to people restricted from the incident are reassigned to Unassigned. Keep in mind that anyone with View Restricted Incidents permissions can always view the incident.

    • Description – Provide context about the incident.

  3. Click SAVE.

Delete an Incident

If you created an incident by mistake or as a test, or something is wrong with your system, consider deleting the incident. When you delete an incident, you free up database storage, and the incident is no longer evaluated in metrics (see Case Manager Metrics).

  1. In CASE MANAGER, select the checkbox for the incidents you're deleting or select a specific incident.

  2. Select the trash icon.

  3. A warning appears. Select DELETE.

Manually Add an Entity

Add the primary objects you're investigating to the incident. You can create three types of entities: file, device, and user.

Add a File Entity

If you're investigating a file, like a Word or Excel document, add a file entity. A file entity contains specific data, including file path, size, and hash.

  1. Navigate to an incident or its workbench.

  2. Click Add a new entity (the computer icon with a plus sign).

    In an incident, you may also locate the Entities panel, then click Add a new entity (the plus sign).

  3. Under Entity type, select File.

  4. To extract a file's name, hash, and size, select Upload file. To manually fill all fields, select Manually enter file details.

    • If you selected Upload file:

      1. Click UPLOAD FILE, then select a file from your system.

      2. Under File path, enter where the file is located in your file system.

    • If you selected Manually enter file details, fill in the fields:

      • File name – Enter the name used to uniquely identify the file in the file system.

      • Hash type – Enter at least one hash value from an MD5, SHA256, SHA1, or SHA512 function.

  5. Click SAVE. The entity appears in the incident under the ENTITIES panel.

Add a Device Entity

If you're investigating a device, add a device entity. A device entity contains specific data, including IP address, zone, and top user.

  1. Navigate to an incident or its workbench.

  2. Click Add a new entity (the computer icon with a plus sign).

    In an incident, you may also locate the Entities panel, then click Add a new entity (the plus sign).

  3. Under Entity type, select Device.

  4. To extract data from an existing host, IP, or URL asset in Advanced Analytics, select Select from AA. To manually enter all details, select Custom.

    • If you selected Select from AA, start typing to search for a host or IP, select a result, then enter an associated URL. Fill in the fields:

      • Type – Select an operating system, Windows, Linux, or Mac.

      • Zone – Enter the internal network location the device last connected from. This may be a city, business unit, building, or room.

      • Location – Enter the city, U.S. state (if applicable), and country the device last connected from.

    • If you selected Custom, enter at least one Host, IP, or URL, then fill in the fields:

      • Type – Select an operating system, Windows, Linux, or Mac.

      • Zone – Enter the internal network location the device last connected from. This may be a city, business unit, building, or room.

      • Location – Enter the city, U.S. state (if applicable), and country the device last connected from.

  5. Click SAVE. The entity appears in the incident under the ENTITIES panel.

Add a User Entity

If you're investigating a person, add a user entity. A user entity contains specific data, including data about employment, contact information, and manager.

  1. Navigate to an incident or its workbench.

  2. Click Add a new entity (the computer icon with a plus sign).

    In an incident, you may also locate the Entities panel, then click Add a new entity (the plus sign).

  3. Under the Entity type, select User.

  4. To extract data from an existing user in Advanced Analytics, select Select from AA. To manually enter all details, select Custom.

    • If you selected Select from AA, start typing to search for a user, then select from the results. Case Manager extracts all data available in Advanced Analytics.

    • If you selected Custom, enter the user's Full Name or Username, then fill in the fields:

      • Account ID – Enter the account ID associated with the user's login credentials.

      • User email – Enter the user's work email address.

      • User title – Enter the user's job title.

      • User department – Enter the corporate department the user works in.

      • Employee type – Indicate the user's employee type; for example, full-time, part-time, or contractor.

      • Zone – Enter the internal network zone within your organization the user last connected from. This may be a city, business unit, building, or room.

      • User office phone – Enter the phone number the user uses at their office location.

      • User cell phone – Enter the user's personal cell phone number.

      • Manager name – Enter the full name of the user's manager.

      • Manager email – Enter the manager's work email address.

      • Manager title – Enter the manager's job title.

      • Manager office phone – Enter the phone number the manager uses at their office location.

      • Manager cell phone – Enter the manager's personal cell phone number.

  5. Click SAVE. The entity appears in the incident under the ENTITIES panel.

Manually Add an Artifact

Provide external evidence to your investigation. You can create five types of artifacts: file, IP, process, URL, or email address.

Add a File Artifact

If you find a file associated with an incident, add a file artifact. A file artifact contains specific data, including file path, size, and hash.

  1. Navigate to an incident or its workbench.

  2. Click Add a new artifact (the fingerprint icon with a plus sign).

    In an incident, you may also locate the Artifacts tab, then click Add a new artifact (the plus sign).

  3. Under Artifact type, select File.

  4. To extract a file's name, hash value, and size, select Upload file. To manually enter all details, select Manually enter file details.

    • If you selected Upload file, click UPLOAD FILE, then select a file from your file system. Fill in the fields:

      • File path – Enter where in the file system this file is located.

      • Threat status – Indicate if the artifact is a malicious, benign, or unknown threat, or a false positive.

      • Role – Specify if the artifact describes a victim, attacker, or unknown.

      • Related entity – Indicate which entity the artifact is related to.

    • If you selected Manually enter file details, fill in the fields:

      • File name – Enter the name used to uniquely identify the file in the file system.

      • Hash type – Enter at least one hash value from an MD5, SHA256, SHA1, or SHA512 function.

      • Threat status – Indicate if the artifact is a malicious, benign, or unknown threat, or a false positive.

      • Role – Specify if the artifact describes a victim, attacker, or unknown.

      • Related entity – Indicate which entity the artifact is related to.

  5. Click SAVE. The artifact appears in the incident under the Artifact tab.
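Both the file entity form (Manually enter file details under Add a File Entity) and the file artifact form above ask for the same evidence values: file name, file path, size, and at least one MD5, SHA1, SHA256, or SHA512 hash. The script below, an added example and not Exabeam's own code, computes those values for a file on the analyst's workstation, and checks a hash quoted in a ticket or email against the file before it is entered as evidence. The sample file name and bytes are constructed; the digests in the usage are the standard test vectors for the input b"abc".

```python
"""Added example (not Exabeam code): prepare the File name / File path /
size / hash values for a manually entered file entity or artifact, and
verify a hash someone else supplied against the file itself."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Tuple

# The four hash functions the Hash type field accepts.
HASH_ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


def hashes_of_bytes(data: bytes) -> Dict[str, str]:
    """Hex digests of an in-memory blob under all four accepted algorithms."""
    return {name: hashlib.new(name, data).hexdigest() for name in HASH_ALGORITHMS}


def hash_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Hex digests of a file, streamed in 1 MiB chunks so that a large
    evidence file is never loaded into memory at once."""
    hashers = {name: hashlib.new(name) for name in HASH_ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def file_evidence_record(path: str) -> Dict[str, object]:
    """Everything the form asks for: name, absolute path, size in bytes, hashes."""
    p = Path(path)
    return {
        "file_name": p.name,
        "file_path": str(p.resolve()),
        "size_bytes": p.stat().st_size,
        "hashes": hash_file(path),
    }


def verify_claimed_hash(path: str, claimed: str) -> Tuple[bool, str]:
    """Check a hash copied from a ticket or email against the file on disk.
    The algorithm is inferred from the digest length; surrounding whitespace
    and letter case in the claimed value are ignored.
    Returns (matches, algorithm) or (False, reason) if the value is malformed."""
    claimed = claimed.strip().lower()
    by_length = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
    algo = by_length.get(len(claimed))
    if algo is None:
        return False, "unrecognised digest length %d" % len(claimed)
    if any(c not in "0123456789abcdef" for c in claimed):
        return False, "digest is not hexadecimal"
    return hash_file(path)[algo] == claimed, algo


def demo_record() -> Dict[str, object]:
    """Constructed sample: write a three-byte file into a temporary directory,
    build its evidence record and verify an upper-case MD5 with trailing space.
    The file name is made up; the content b"abc" gives well-known digests."""
    tmp = Path(tempfile.mkdtemp(prefix="cm-evidence-"))
    sample = tmp / "sample.docx"
    sample.write_bytes(b"abc")
    record = file_evidence_record(str(sample))
    record["verify_md5"] = verify_claimed_hash(str(sample), "900150983CD24FB0D6963F7D28E17F72 ")
    return record


if __name__ == "__main__":
    for key, value in demo_record().items():
        print(key, value)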

Add an IP Artifact

If you find an IP address associated with an incident, add an IP artifact. An IP artifact contains specific data, including geolocation, role, and threat status.

  1. Navigate to an incident or its workbench.

  2. Click Add a new artifact (the fingerprint icon with a plus sign).

    In an incident, you may also locate the Artifacts tab, then click Add a new artifact (the plus sign).

  3. Under Artifact type, select IP.

  4. Fill in the fields:

    • IP – Enter the IP address this artifact describes.

    • Location – Enter the city, U.S. state (if applicable), and country this IP last connected from.

    • Threat status – Indicate if the artifact is a malicious, benign, or unknown threat, or a false positive.

    • Role – Specify if the artifact describes a victim, attacker, or unknown.

    • Related entity – Indicate which entity the artifact is related to.

  5. Click SAVE. The artifact appears in the incident under the Artifact tab.

Add a Process Artifact

If you find a process associated with an incident, add a process artifact. A process artifact contains specific data, including run time, ID, and parent process.

  1. Navigate to an incident or its workbench.

  2. Select the fingerprint (Add a new artifact) button.

  3. Under Artifact type, select Process.

  4. Fill in the fields:

    • Process name – Enter the file name of the program that executed the process.

    • Process path – Enter where in the file system the program file was located.

    • Process ID – Enter the ID of the process the artifact describes.

    • UID – Enter the process's user ID, available in Unix-like operating systems.

    • Start time – Enter the date and time the process started running. You may also select the calendar and clock icons to enter a date and time.

    • End time – Enter the date and time the process stopped running. You may also select the calendar and clock icons to enter a date and time.

    • Threat status – Indicate if the artifact is a malicious, benign, or unknown threat, or a false positive.

    • Role – Specify if the artifact describes a victim, attacker, or unknown.

    • Related entity – Indicate which entity the artifact is related to.

  5. Click SAVE. The artifact appears in the incident under the Artifacts tab.

Add a URL Artifact

If you find a URL associated with an incident, add a URL artifact. A URL artifact contains specific data, including geolocation, IP, and role.

  1. Navigate to an incident or its workbench.

  2. Click Add a new artifact (the fingerprint icon with a plus sign).

    In an incident, you may also locate the Artifacts tab, then click Add a new artifact (the plus sign).

  3. Under Artifact type, select URL.

  4. Fill in the fields:

    • URL – Enter the URL the artifact describes.

    • IP – Enter the URL's corresponding IP address.

    • Location – Enter the city, U.S. state (if applicable), and country the URL was last accessed from.

    • Threat status – Indicate if the artifact is a malicious, benign, or unknown threat, or a false positive.

    • Role – Specify if the artifact describes a victim, attacker, or unknown.

    • Related entity – Indicate which entity the artifact is related to.

  5. Click SAVE. The artifact appears in the incident under the Artifacts tab.

Add an Email Address Artifact

If you find an email address associated with an incident, add an email address artifact. An email address artifact contains specific data, including role and threat status.

  1. Navigate to an incident or its workbench.

  2. Click Add a new artifact (the fingerprint icon with a plus sign).

    In an incident, you may also locate the Artifacts tab, then click Add a new artifact (the plus sign).

  3. Under Artifact type, select Email Address.

  4. Fill in the fields:

    • Email address – Enter the email address the artifact describes.

    • Threat status – Indicate if the artifact is a malicious, benign, or unknown threat, or a false positive.

    • Role – Specify if the artifact describes a victim, attacker, or unknown.

    • Related entity – Indicate which entity the artifact is related to.

  5. Click SAVE. The artifact appears in the incident under the Artifacts tab.

Add Advanced Analytics Evidence to a Case Manager Incident

If an Advanced Analytics-generated incident doesn't include all the entities or artifacts you need, add them to the incident directly from Advanced Analytics.

When an Advanced Analytics user or asset session crosses a configured risk threshold, Case Manager automatically creates an incident. By default, Advanced Analytics adds some evidence from notable events to the incident as entities or artifacts. If it misses any entities or artifacts you need, or if you discover more relevant entities or artifacts as you investigate the timeline, add them to the incident directly from the notable session.

When you update an incident with the relevant entities and artifacts, you can use them in playbooks to effectively triage, investigate, and respond to incidents.

You can only add Advanced Analytics evidence to an existing incident. You can't create a new incident directly from a notable session.

  1. Navigate to an Advanced Analytics asset or user Smart Timeline:

    • To navigate from a Case Manager incident: navigate to the incident, find the Timeline Page incident field, then select Go to page.

    • To navigate to an asset Smart Timeline in Advanced Analytics: On the HOME page, find the NOTABLE ASSETS watchlist or another watchlist you created, then select an asset's risk score. Or, from a watchlist, select the asset's name, then under RISK REASONS click GO TO TIMELINE.

    • To navigate to a user Smart Timeline in Advanced Analytics: On the HOME page, find the NOTABLE USERS, Account Lockouts, Executive Users, or another watchlist you created, then select a user's risk score. Or, from a watchlist, select the user's name, then under RISK REASONS click GO TO TIMELINE.

    • Search for a user or asset, select from the results, then under RISK REASONS click GO TO TIMELINE.

  2. Select an event in the Smart Timeline. The event expands to review further details.

  3. Click the More menu (three vertical dots), then click Add to Incident.

  4. Select a Case Manager incident from your list of most recent assigned incidents, or to search for a specific incident, start typing. If you navigated directly from a Case Manager incident, this field is automatically populated.

  5. Select the entities and/or artifacts. To create all the entities or artifacts, select the first checkbox.

  6. Select ADD TO INCIDENT.

Manage Tasks During an Investigation

Follow a defined response plan using tasks. As you progress through your investigation, create, re-assign, change due dates, and close tasks.

Create a Task for a Specific Incident

Create a task that only appears under a specific incident to ensure that your team doesn't miss something when they respond to it.

Under each phase, create tasks to ensure your team completes certain duties. Assign the tasks to specific people so they know exactly what they should do and can work in parallel. After they complete a task, they mark it as done.

You can create a task that always appears under a phase or for all incidents of a specific type. To automatically create a task depending on the conditions of an incident, set up a playbook (see Create a Playbook).

  1. In an incident, select the Tasks tab.

  2. In a phase, click ADD TASK.

  3. Enter information about the task:

    • Name – Enter a name for the task.

    • Instructions – Enter instructions, details, or other information about the task.

    • Assignee – Assign the task to a person. If someone is restricted from the incident, you can't assign the task to them.

    • Due Date – Select a date that this task should be closed by.

  4. Click SAVE.
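Three rules stated on this page interact when tasks are assigned: restricting an incident (Restrict to, under Edit an Incident) sends open tasks held by people who lose access back to Unassigned, while anyone with View Restricted Incidents permissions can still view the incident; a task can't be assigned to someone restricted from the incident (Assignee, above); and an incident with open required tasks or empty required fields can't be moved to Closed. The following Python model is an added example, not Exabeam's code; the incident, field names, task names and user names are constructed to show how the three rules fit together.

```python
"""Added example (not Exabeam code): a small model of the restriction,
task-assignment and close-status rules described on this page."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

UNASSIGNED = "Unassigned"
STATUSES = ("New", "In Progress", "Pending", "Resolved", "Closed")


@dataclass
class Task:
    name: str
    assignee: str = UNASSIGNED
    required: bool = False
    done: bool = False


@dataclass
class Incident:
    name: str
    status: str = "New"
    allowed_users: Optional[Set[str]] = None          # None: not restricted
    fields: Dict[str, str] = field(default_factory=dict)
    required_fields: Set[str] = field(default_factory=set)
    tasks: List[Task] = field(default_factory=list)

    def can_access(self, user: str, view_restricted_perm: bool = False) -> bool:
        """Restriction locks out everyone except the listed users; the View
        Restricted Incidents permission always allows viewing."""
        if view_restricted_perm or self.allowed_users is None:
            return True
        return user in self.allowed_users

    def restrict_to(self, users: Set[str]) -> List[str]:
        """Apply a restriction. Open tasks held by people who are now locked
        out go back to Unassigned; completed tasks are left alone.
        Returns the names of the tasks that were bounced."""
        self.allowed_users = set(users)
        bounced = []
        for t in self.tasks:
            if not t.done and t.assignee != UNASSIGNED and t.assignee not in self.allowed_users:
                bounced.append(t.name)
                t.assignee = UNASSIGNED
        return bounced

    def assign_task(self, task_name: str, user: str) -> bool:
        """Assign a task; refused (False) when the user is restricted from the incident."""
        if not self.can_access(user):
            return False
        for t in self.tasks:
            if t.name == task_name:
                t.assignee = user
                return True
        raise KeyError(task_name)

    def close_blockers(self) -> List[str]:
        """Reasons the incident cannot be Closed yet; an empty list means it can."""
        reasons = [f"open required task: {t.name}" for t in self.tasks if t.required and not t.done]
        reasons += [f"empty required field: {f}" for f in sorted(self.required_fields)
                    if not self.fields.get(f, "").strip()]
        return reasons

    def set_status(self, new_status: str) -> Tuple[bool, List[str]]:
        """Change status; moving to Closed is refused while blockers remain."""
        if new_status not in STATUSES:
            raise ValueError(new_status)
        blockers = self.close_blockers() if new_status == "Closed" else []
        if not blockers:
            self.status = new_status
        return (not blockers, blockers)


def demo() -> Incident:
    """Constructed walk-through: two required fields, one required task,
    then a restriction that locks bob out while his task is still open."""
    inc = Incident(name="Suspicious download",
                   required_fields={"Description", "Incident type"},
                   fields={"Incident type": "Malware", "Description": ""})
    inc.tasks = [Task("Collect host logs", assignee="alice", required=True),
                 Task("Notify owner", assignee="bob")]
    inc.restrict_to({"alice", "carol"})   # bob's open task bounces to Unassigned
    return inc


if __name__ == "__main__":
    inc = demo()
    print([(t.name, t.assignee) for t in inc.tasks])
    print(inc.set_status("Closed"))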

Re-assign a Task in an Incident

Reassign a task to another person in one specific incident.

  1. In an incident, select the Tasks tab.

  2. Select a phase to expand it and view associated tasks, assignee(s), and due date. Hover over the task to view further details.

  3. Click the task assignee, then select another person from the list. If someone is restricted from the incident, you can't assign the task to them.

Change a Task Due Date in an Incident

Change when a task is due in one specific incident.

  1. In an incident, select the Tasks tab (see Get to Know an Incident).

  2. Select a phase to expand it and view associated tasks, assignee(s), and due date. Hover over the task to view further details.

  3. Click the task due date, then select another date on the calendar. If a task is not closed before the due date, the due date appears in red text with a warning icon.

Close a Task in an Incident

Close and mark a task as complete in one specific incident.

  1. In an incident, select the Tasks tab (see Get to Know an Incident).

  2. Select a phase to expand it and view associated tasks, assignee(s), and due date. Hover over the task to view further details.

  3. To close a task, select the task name to view additional details, then click MARK AS DONE.

    OR

    On the Task tab, select the checkbox.

Send Messages from an Incident

Send messages, collaborate, and track information right from within an incident.

In an incident, under the Messages tab, send messages and securely distribute information about an incident to your team members or those outside your SOC.

There are two types of messages:

  • Case notes – Comments added directly to and contained within an incident. Case notes are enabled by default.

  • Incident emails – Messages to those in your organization who can't access Case Manager or are external to your Security Operations Center (SOC). You send, receive, and track emails directly from an incident. You can add an email attachment to an incident as an artifact.

You can sort, filter, and restrict views to both types of messages.

Case Notes

Add findings or data to your investigation and communicate with people from directly within an incident using case notes.

A case note is free-form text you use to add descriptions, observations, and artifacts to your incident. Use case notes when your findings or data points are relevant to your investigation but do not fit in the generic incident fields and categories, or Case Manager can't measure or filter them.

Case notes are one way you message people directly from an incident. You can view an incident's case notes if you can access Case Manager and the incident. To collaborate with people who can't access Case Manager and still track the conversation within the incident, send an email.

Add a Case Note to an Incident

Add descriptions, observations, and artifacts to your incident using case notes.

  1. In an incident, navigate to the Messages tab, then click NEW CASE NOTE (see Get to Know an Incident).

  2. Enter the case findings, like descriptions, observations, and artifacts.

  3. Click ADD CASE NOTE.

Incident Email Communication

To collaborate with people who can't access Case Manager, send an email directly from an incident.

Email people who can't access Case Manager, like non-SOC staff in your organization, to exchange questions, instructions, and feedback about an investigation.

Case Manager transports emails using your organization's email servers. Your email server or service policies may restrict your email size or who you can send emails to.

Send an Email from an Incident

Send emails directly from an incident to communicate with people who can't access Case Manager.

  1. In an incident, navigate to the Messages tab, then click NEW EMAIL MESSAGE (see Get to Know an Incident).

  2. Compose the email and attach evidence.

  3. Click SEND.

Attach a File to an Incident Email

To add evidence to an incident, attach files to emails you send and receive directly in an incident. When you receive an attachment, safely preview it, view its details, and download it.

Your internal mailbox and email policies may limit and restrict what files you can attach, like how large or what file type they can be.

  1. When you create an email, click INSERT ATTACHMENT. The attachment appears as an icon in the email body.

  2. To send the email, click SEND. The attachment is added to the incident.

    After 60 days, the attachment is purged, but the email text is not. To add the attachment to the incident indefinitely so you can run actions and playbooks on it, convert it into an artifact.

Convert an Email Attachment to an Artifact

When you receive an email attachment, convert it to an artifact to investigate it further.

  1. In the incident, check that the artifact doesn't already exist, so that you don't create a duplicate of an artifact you already added (see Get to Know an Incident).

  2. In the Messages tab, locate the email that contains the attachment.

  3. On the attachment, click the More menu (three vertical dots), then select Add to Artifacts List.

Download an Email Attachment

Download an attachment you received in an incident email.

  1. In an incident's Messages tab, find the email that contains the attachment (see Get to Know an Incident).

  2. On the attachment, click the More menu (three vertical dots), then select Download.

Filter Incidents

Filter the list of incidents to find those that fit certain criteria. If you frequently use certain criteria, create your own custom filter.

In the CASE MANAGER filter panel, filter your incidents by:

There are four out-of-the-box filters (see Out-of-the-Box Incident Filters).

If you frequently use certain filter inputs, create a custom filter. For example, if you frequently filter for incidents that were false positives and happened in the past 24 hours, you can save how you've configured the filter inputs so you can quickly apply them when you need to (see Create a Custom Incident Filter).

Search for an Incident

Jump to a specific incident based on keyword using the search bar.

In CASE MANAGER, use search to jump to a specific set of incidents without using filters. You must enter at least three characters.

You search across incident names, incident fields, entity names, artifact names, and incident message content. You can't search file content, the activity log, or playbook results.

  1. In the navigation bar, click the search icon.

  2. Enter a keyword. A list of matching incidents appears.

  3. If you see the incident you're looking for, select it. If you don't see the incident, select View all incidents with the keyword "[keyword]" to view a full list in the INCIDENTS page.

Sort Incidents

Sort the list of incidents using the Sort By menu. Use this with filters and search to find the incident you need.

In CASE MANAGER, sort incidents by:

  • Date created

  • Date updated

  • Assignee

  • Priority

  • Status

  • Type

Export Incidents

To audit incidents, give details about incidents to people outside of your SOC, or archive and back up incident data to your local environment, export a list of incidents to a CSV file.

The CSV file contains one incident per row and all relevant incident fields. It only includes an incident's ten most recent case notes. You can export a maximum of 10,000 incidents at a time. If you have no incidents, exporting is disabled.

  1. In CASE MANAGER, click EXPORT.

  2. Specify the incident fields you want exported.

    • To include specific fields, click + next to the field. To find a specific field, start typing in the search.

    • To include all fields, click ADD ALL.

    • To export fields predefined in a template, click ALL TEMPLATES, then select a template.

  3. Click EXPORT.

  4. Download the CSV file.
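The export is described above as one incident per row with the fields you selected, at most 10,000 incidents per file, and intended for auditing, for sharing with people outside the SOC, and for local archiving. The script below is an added example, not Exabeam's code: it loads such a CSV, produces the summaries an auditor typically wants (incidents per status, open incidents per assignee, escalated incidents nobody owns), and re-serialises only a chosen subset of columns for sharing outside the SOC so that fields such as assignee names are not handed out unnecessarily. The column names and the sample rows are constructed for the example; a real export carries whichever incident fields you selected.

```python
"""Added example (not Exabeam code): audit a Case Manager CSV export and
produce a column-reduced copy for people outside the SOC."""
import csv
import io
from collections import Counter
from typing import Dict, List

# Constructed sample export. The column names are assumptions for this
# example; a real export contains the incident fields you selected.
SAMPLE_EXPORT = """\
Incident ID,Incident name,Incident type,Priority,Status,Assignee,Queue,Date created
INC-1001,Phishing email reported,Phishing,High,In Progress,alice,Tier 1,2024-05-01T09:12:00Z
INC-1002,Impossible travel login,Compromised Credentials,Critical,New,,Unassigned,2024-05-02T14:03:00Z
INC-1003,Test incident,Other,Low,Closed,bob,Tier 1,2024-04-28T08:00:00Z
INC-1004,Malware beacon,Malware,Critical,Pending,carol,Tier 2,2024-05-03T11:45:00Z
INC-1005,Duplicate phishing report,Phishing,Medium,Resolved,alice,Tier 1,2024-05-03T12:10:00Z
"""

OPEN_STATUSES = {"New", "In Progress", "Pending"}
ESCALATED = {"High", "Critical"}
MAX_EXPORT_ROWS = 10_000               # one export holds at most 10,000 incidents
REQUIRED_COLUMNS = {"Incident ID", "Priority", "Status", "Assignee"}   # assumed names


def load_export(text: str) -> List[Dict[str, str]]:
    """Parse the CSV and refuse files that cannot be a single complete export."""
    reader = csv.DictReader(io.StringIO(text))
    missing = REQUIRED_COLUMNS - set(reader.fieldnames or [])
    if missing:
        raise ValueError("export is missing columns: %s" % ", ".join(sorted(missing)))
    rows = list(reader)
    if len(rows) > MAX_EXPORT_ROWS:
        raise ValueError("more rows than a single export can contain")
    return rows


def audit(rows: List[Dict[str, str]]) -> Dict[str, object]:
    """Summaries an auditor typically wants from the export."""
    open_rows = [r for r in rows if r["Status"] in OPEN_STATUSES]
    return {
        "total": len(rows),
        "by_status": dict(Counter(r["Status"] for r in rows)),
        "open_by_assignee": dict(Counter(r["Assignee"] or "Unassigned" for r in open_rows)),
        # escalated incidents nobody owns: the first thing to fix in a queue review
        "unowned_escalated": sorted(r["Incident ID"] for r in open_rows
                                    if not r["Assignee"] and r["Priority"] in ESCALATED),
    }


def redact_for_sharing(rows: List[Dict[str, str]], keep: List[str]) -> str:
    """Re-serialise only the columns in `keep`, for people outside the SOC who
    need incident details but not, for example, assignee names or notes."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=keep, extrasaction="ignore")
    writer.writeheader()
    for r in rows:
        writer.writerow({k: r.get(k, "") for k in keep})
    return out.getvalue()


if __name__ == "__main__":
    exported = load_export(SAMPLE_EXPORT)
    print(audit(exported))
    print(redact_for_sharing(exported, ["Incident ID", "Incident type", "Priority", "Status"]))
```

The column list passed to redact_for_sharing is the place to decide, per recipient, which of the exported fields leave the SOC; everything else in the export stays in the local archive copy.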

Create a Template for Exporting Incidents

To save time when you export incidents, create a template with the incident fields you export most often.

  1. In CASE MANAGER, click EXPORT. Ensure that ALL TEMPLATES is selected.

  2. Specify the incident fields you want exported. To include specific fields in the template, click + next to the field. To find a specific field, start typing in the search. To include all fields, click ADD ALL.

  3. Select Save As.

  4. Name the template, then press Enter or return on your keyboard. The template is created.

  5. To use the template you created to export incidents, click EXPORT.

Edit a Template for Exporting Incidents

Make changes to an existing template you created.

  1. In CASE MANAGER, click EXPORT.

  2. Click ALL TEMPLATES, then select the template you want to edit.

  3. Add or remove incident fields from the template.

  4. Click Save. The template is updated.

  5. To use the template you edited to export incidents, click EXPORT.

Delete a Template for Exporting Incidents

If you created a template for exporting incidents, you can also delete it.

  1. In CASE MANAGER, click EXPORT.

  2. Click ALL TEMPLATES, then select the template you want deleted.

  3. Click the down arrow, then select Delete.

  4. Click DELETE.