Cloud-delivered Case Manager


Configure Case Manager Settings

Ingest data, create rules to triage incidents, customize incidents, create or edit queues, and configure a proxy in Case Manager settings.

In the sidebar, click SETTINGS (the gear icon). Depending on your permissions, select Core or Analytics.

  • If you have Core Manage Users and Context Sources permissions, you can only access Core settings.

  • If you have Advanced Analytics All Admin Ops permissions, you can access both Core and Analytics settings. In Analytics settings, you can configure and customize more settings than in Core settings.

Core Settings

In Core settings, view all settings under ALL APPS or click the INCIDENT RESPONDER tab to view Case Manager and Incident Responder settings.

Incident Responder tab in Core settings.

Under SERVICE INTEGRATIONS, select Proxy to configure a proxy connection.

Under QUEUES, create, edit, and delete a queue.

Under INCIDENT INGESTION:

  • Select Incident Sources to add sources that feed data into Case Manager.

  • Select Incident Feeds to specify which type of log to ingest from your incident source.

  • Select Email Ingest to configure email ingest.

  • Select 2-Way Email to configure an email account and start sending emails directly from an incident.

Analytics Settings

In Analytics settings, navigate to Case Management.

Analytics settings with Case Management settings highlighted.

In Email Notification, configure email notifications about Case Manager activity, like when someone creates, changes, or comments on an incident; create templates for these email notifications; and create templates for emails sent using the Send Email Exabeam action.

In Incident Ingestion, add sources that feed data into Case Manager, specify which type of log to ingest from your incident source, configure email ingest, or configure an email to send emails directly from an incident.

In Incident Rules, create rules to automatically triage incidents after they're created. You can also edit and delete these rules.

In Incident Configuration, create incident types, incident fields, tasks, and phases.

In Queues, create, edit, or delete a queue.

In Proxy, configure a proxy connection.

Configure a Proxy

If your environment has a proxy configured, you must configure a proxy for Case Manager and Incident Responder. Some Case Manager and Incident Responder features use your proxy to function correctly, including services, email ingest, and incident email.

  1. In the sidebar, click SETTINGS (the gear icon), then select Core.

  2. Under SERVICE INTEGRATIONS, select Proxy.

  3. To enable the proxy you're configuring, click the Enable Proxy toggle.

  4. Enter information about your proxy connection:

    • Hostname/server – Enter the name of the host or server for the proxy server.

    • Protocol – Select the protocol the proxy server uses: HTTP or SOCKS.

    • Port – Enter the port number for the proxy server.

    • (Optional) Username – If the proxy is protected by a password, enter your proxy account username.

    • (Optional) Password – If the proxy is protected by a password, enter your proxy account password.

    • (Optional) Whitelist – Hostnames, domains, wildcard patterns (for example, 192.168.*), or IP ranges in CIDR notation (for example, 192.168.0.0/24) that Case Manager reaches directly instead of through the proxy. The Incident Responder Docker container is already whitelisted by default.

  5. To validate the connection to your proxy, enter a URL, then select TEST CONNECTIVITY. If you see an error, verify the information you entered then retest the connection.

  6. Click SAVE.
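The whitelist decides which destinations skip the proxy, so an entry that is too broad silently sends traffic past the egress control you just configured. The following is an added example, not Exabeam code: it models the matching a practitioner would expect from the field above (exact hostname, domain suffix, glob wildcard such as 192.168.*, and CIDR range) so you can check a proposed whitelist against real destinations before saving it. The product's exact matching rules are not documented on this page, so treat the semantics as an assumption; the proxy settings and whitelist entries are constructed.

```python
"""Proxy-bypass check for the Case Manager proxy whitelist field.

Added example, not Exabeam code. Assumes the whitelist accepts exact
hostnames, domain suffixes, glob wildcards (192.168.*) and CIDR ranges
(192.168.0.0/24); the shipped matcher may differ.
"""
import fnmatch
import ipaddress
from typing import Iterable, Optional


def _as_ip(host: str) -> Optional[ipaddress._BaseAddress]:
    """Return an IP address object if host is an IP literal, else None."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def bypasses_proxy(host: str, whitelist: Iterable[str]) -> bool:
    """True if a request to `host` should go direct rather than via the proxy."""
    host = host.strip().lower()
    ip = _as_ip(host)
    for entry in whitelist:
        entry = entry.strip().lower()
        if not entry:
            continue
        if "/" in entry:
            # CIDR entry: only meaningful when the destination is an IP literal.
            try:
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                continue
            if ip is not None and ip in net:
                return True
            continue
        if "*" in entry:
            # Glob wildcard covers both "192.168.*" and "*.corp.example".
            if fnmatch.fnmatchcase(host, entry):
                return True
            continue
        # Plain entry: exact host, or any host under that domain.
        if host == entry or host.endswith("." + entry):
            return True
    return False


def route_for(host: str, proxy: dict, whitelist: Iterable[str]) -> str:
    """Describe where a request to host goes: DIRECT or through the proxy."""
    if bypasses_proxy(host, whitelist):
        return "DIRECT"
    return f"{proxy['protocol'].upper()} {proxy['host']}:{proxy['port']}"


# Constructed settings mirroring the fields on the Proxy page.
SAMPLE_PROXY = {"host": "proxy.corp.example", "protocol": "http", "port": 3128}
SAMPLE_WHITELIST = ["192.168.*", "10.0.0.0/8", "internal.corp.example"]

if __name__ == "__main__":
    for dest in ["192.168.1.20", "10.4.5.6", "siem.internal.corp.example",
                 "outlook.office365.com"]:
        print(dest, "->", route_for(dest, SAMPLE_PROXY, SAMPLE_WHITELIST))
```

Run it with the whitelist you intend to enter and the hosts your incident sources and mail servers resolve to: anything that prints DIRECT will not be inspected by the proxy, and any cloud mail host that prints DIRECT means the wildcard is broader than intended.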

Prerequisites for Configuring Microsoft Exchange Online with OAuth2.0 Authentication

If your Microsoft Exchange Online account uses OAuth2.0 modern authentication, ensure you complete certain tasks before you configure email ingest and incident email communication.

To integrate Exabeam with Microsoft Azure Active Directory, register an application on the Microsoft identity platform. Since you can't use the same email account for email ingest and incident email, you must create a separate application for each account. Under Supported account types, ensure that you select Accounts in this organizational directory only.

  • Save the client ID for the application you created. You use this client ID later.

  • Add a client secret and save it. You use this client secret later.

  • In your Azure AD tenant, restrict the application to the mailbox accounts you use for email ingest and incident email, and enable the Visible to users? setting.

  • Configure specific Microsoft Graph permissions for your application with the Delegated permission type:

    • For your email ingest application, configure Mail.Read permissions.

    • For your incident email application, configure Mail.Send and Mail.ReadWrite permissions.

  • Configure the Office 365 Exchange Online EWS.AccessAsUser.All permission for your application.

    Follow the same steps you used for the Microsoft Graph permissions, but instead of selecting Microsoft Graph, click the APIs my organization uses tab and select Office 365 Exchange Online. Under Delegated permissions (EWS.AccessAsUser.All is a delegated permission, not an application permission), select EWS.AccessAsUser.All, then click Add permissions.

  • Grant admin consent to the permissions you configured for your application.

  • Add specific redirect URIs:

    • For your email ingest application, add https://<domain>/ir/injector/api/injector/listener/provider/init

    • For your incident email application, add https://<domain>/ir/server/api/email/oauth/token
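The registration above only makes sense once you see the request it has to satisfy: the sign-in that the email ingest and incident email procedures trigger is an OAuth2.0 authorization-code flow against your tenant, with the redirect URI and delegated scopes registered here. The following is an added example, not Exabeam code, that builds that request and the matching token exchange for each application and checks a consented scope set against the least-privilege list on this page. The tenant ID, client ID, client secret, the domain that replaces the <domain> placeholder, and the state value are constructed; the login and Graph hosts per national cloud are Microsoft's published endpoints. Only the Microsoft Graph scopes are requested: the v2.0 endpoint issues one access token per resource, so EWS.AccessAsUser.All needs a separate token request against the Exchange Online resource.

```python
"""Authorization-code request and token exchange for the two Azure AD app
registrations this page describes (email ingest and incident email).

Added example, not Exabeam code. Identifiers and the domain are constructed.
"""
from urllib.parse import parse_qs, urlencode, urlparse

# Login authority and Graph host for each value of the "National cloud" field.
CLOUDS = {
    "Global":       ("https://login.microsoftonline.com", "https://graph.microsoft.com"),
    "USGovernment": ("https://login.microsoftonline.us",  "https://graph.microsoft.us"),
    "China":        ("https://login.chinacloudapi.cn",    "https://microsoftgraph.chinacloudapi.cn"),
    "Germany":      ("https://login.microsoftonline.de",  "https://graph.microsoft.de"),
}

# Delegated Graph permissions per application, exactly as this page lists them.
SCOPES = {"ingest": ["Mail.Read"], "incident_email": ["Mail.Send", "Mail.ReadWrite"]}

# Redirect URI paths that must be registered on each application.
REDIRECT_PATH = {
    "ingest": "/ir/injector/api/injector/listener/provider/init",
    "incident_email": "/ir/server/api/email/oauth/token",
}


def _scope(app: str, graph: str, refresh: bool) -> str:
    scopes = [f"{graph}/{s}" for s in SCOPES[app]]
    if refresh:
        scopes.append("offline_access")  # required to receive a refresh token
    return " ".join(scopes)


def authorize_url(app, tenant_id, client_id, domain, cloud="Global",
                  state="constructed-state"):
    """Browser redirect that starts the sign-in. Using the tenant ID rather than
    'common' as the authority enforces 'Accounts in this organizational
    directory only' on the token side as well as in the registration."""
    authority, graph = CLOUDS[cloud]
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": f"https://{domain}{REDIRECT_PATH[app]}",
        "response_mode": "query",
        "scope": _scope(app, graph, refresh=True),
        "state": state,  # echoed back; verify it to stop CSRF on the redirect
    }
    return f"{authority}/{tenant_id}/oauth2/v2.0/authorize?{urlencode(params)}"


def token_request(app, tenant_id, client_id, client_secret, domain, code,
                  cloud="Global"):
    """(token endpoint, form body) to POST once the redirect delivers ?code=...;
    the JSON response carries access_token and, via offline_access, refresh_token."""
    authority, graph = CLOUDS[cloud]
    body = {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": f"https://{domain}{REDIRECT_PATH[app]}",
        "scope": _scope(app, graph, refresh=False),
    }
    return f"{authority}/{tenant_id}/oauth2/v2.0/token", body


def parse_authorize_url(url):
    """Split an authorize URL into (login host, single-valued query params)."""
    p = urlparse(url)
    return p.netloc, {k: v[0] for k, v in parse_qs(p.query).items()}


def scopes_are_minimal(app, granted):
    """True if the consented scope set adds nothing beyond what this page calls for."""
    return set(granted) <= set(SCOPES[app]) | {"offline_access"}


if __name__ == "__main__":
    print(authorize_url("ingest", "11111111-1111-1111-1111-111111111111",
                        "22222222-2222-2222-2222-222222222222", "exabeam.example.com"))
```

Before granting admin consent, compare the permissions shown on the app registration with `scopes_are_minimal`: the ingest app needs nothing beyond Mail.Read, and a Mail.ReadWrite grant on it would let a leaked client secret modify the phishing mailbox rather than only read it.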

Ingest Data into Case Manager

To use Case Manager, you must ingest data from an incident source and pull a specific type of data using an incident feed. After Case Manager has this data, it creates incidents for you to investigate.

An incident source is the server from which Case Manager ingests data, like:

  • Advanced Analytics. Case Manager automatically creates an incident when a user or asset crosses a risk threshold and becomes notable.

  • A security product, like a SIEM or an endpoint solution.

  • Microsoft Office 365 or Outlook, ingested using email ingest.

An incident feed pulls a specific type of data from a source; for example, Carbon Black or FireEye alerts. You must configure an incident source before you configure an incident feed.

You can add, edit, or delete an incident source. You can also add, edit, or delete incident feeds.

After you add an incident source and incident feed, add incident rules to automatically assign, prioritize, and restrict new incidents.

Add an Incident Source

Add an incident source, like ServiceNow, Splunk, or IBM QRadar, to ingest logs from those servers into Case Manager. You must add an incident source before specifying which logs to ingest. You need the following information about the source:

  • IP address or hostname of the server

  • TCP port

  • Username and password

To add ServiceNow, you must complete specific prerequisites.

  1. In the sidebar, click SETTINGS (the gear icon), then select Core.

  2. Under INCIDENT INGESTION, select Incident Sources.

  3. Click Add a new incident source (the blue plus icon).

  4. Enter information about the incident source:

    • Server Type – Select the source you wish to ingest data from.

    • IP Address or Hostname – Enter the IP address or hostname of the server.

    • TCP Port – Enter the TCP port number of the server.

    • Username – Enter your username for the server.

    • Password – Enter your password for the server.

  5. To validate your connection to the source, click TEST CONNECTIVITY. If you see an error, verify the information you entered, then retest the connection.

  6. Click SAVE.

    To specify the type of data to query from the source, add an incident feed.

Add an Incident Feed

If you've added an incident source, specify the type of data to query from the source.

  1. Ensure that you added an incident source.

  2. In the sidebar, click SETTINGS (the gear icon), then select Core.

  3. Under INCIDENT INGESTION, select Incident Feeds.

  4. Click Add a new incident feed (the blue plus icon).

  5. Fill in the fields, then click SAVE.

  6. Click RESTART LOG INGESTION ENGINE.

  7. Choose to restart the log engine immediately or specify a date, then click RESTART.

Email Ingest

Ingest suspicious emails and investigate phishing incidents using Email Ingest.

Case Manager Email Ingest creates incidents from potential phishing emails. It ingests suspicious emails from a designated phishing mailbox, parses relevant fields, creates an incident, then deletes the email from the inbox. Configure Email Ingest in your settings.

Configure Email Ingest

Link Case Manager to your phishing inbox so that suspicious emails users forward there are ingested as incidents. Before you begin, ensure you have:

  • A dedicated phishing inbox that Case Manager has access to. No one should delete, move, or otherwise touch the emails in this inbox. The mailbox cannot be a shared mailbox or subfolder. You can't use the same email account you use for incident email communications.

  • Credentials for the phishing inbox. The account and credentials must have read and write access to the entire mailbox.

  • Connection to IMAP, POP3, or Exchange. For cloud-delivered deployments, only port 443 is open. To open other ports, contact your Technical Account Manager.

    Protocol      Port
    IMAP          143
    IMAP + SSL    993
    POP3          110
    POP3 + SSL    995
    Exchange      443

  • If you use Microsoft Exchange Online with OAuth2.0 modern authentication, ensure that you complete specific prerequisites.

  1. Ensure that emails aren't encrypted and attachments are in EML format. MSG files are not yet supported.

  2. In the sidebar, click SETTINGS (the gear icon), then select Core.

  3. Under INCIDENT INGESTION, select Email Ingest.

  4. Enter information about your email connection:

    • Host/Server – A mail server or host; for example, outlook.office365.com

    • Username – An assigned username. For IMAP, enter the email address. For Exchange, enter [domain]\[username]

    • Email address – The email address where emails are sent. This can't be a shared email.

    • Password – The password for the username you previously entered.

    • Protocol – The email protocol used to connect to your mail server: IMAP, POP3, Exchange. Select the box if your email provider supports Secure Sockets Layer (SSL). If you select Exchange:

      • Exchange version – Select your version of Microsoft Exchange:

        • Microsoft Exchange 2007, Service Pack 1

        • Microsoft Exchange 2010

        • Microsoft Exchange 2010, Service Pack 1

        • Microsoft Exchange 2010, Service Pack 2

        • Other Exchange Version

      • Authentication type – Select the protocol used to authenticate to your Exchange host: BASIC, NTLM, or OAUTH2.0.

      If you select OAUTH2.0:

      • Client ID – Enter your Exabeam Microsoft Application (client) ID.

      • Client secret – Enter your Exabeam Microsoft Application client secret.

      • Tenant ID – Enter your Microsoft Azure AD tenant ID.

      • National cloud – If you have a national cloud deployment of Microsoft Azure, select your national cloud: China, Germany, or USGovernment. If you don't have a national cloud deployment, select Global.

    • Port – The port number your mail host or server uses.

    • Log level – Case Manager generates logs about your system activity that Customer Success uses to debug problems in your system. Select how detailed these logs are: low or verbose. To conserve disk space, it's best to select low. If you have problems with your system, Customer Success may direct you to change the log level to verbose.

    • Folder – Which account folder you're pulling emails from. The default folder is Inbox.

  5. Click SAVE.

  6. Log in to the Microsoft account you use for email ingest. When asked whether to Stay signed in? it doesn't matter whether you select yes or no. The credentials aren't saved in your cache, and you are asked every time you configure email ingest.

  7. To start ingesting emails, click START.

    By default, Case Manager ingests emails starting from today. To ingest emails starting from a different date, click Select a different date, then select a date in the calendar.
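Two of the prerequisites above (no encrypted mail, EML rather than MSG attachments) are easy to get wrong when users forward reports from Outlook, and a forwarded phish carries the interesting sender and subject inside the attached original rather than in the report's own headers. The following is an added example, not Exabeam code: it parses a message from the phishing mailbox the way an ingest step would, extracts the fields incident rules typically key on, pulls the original sender and subject out of an attached .eml, and flags messages this page says cannot be ingested. Both sample messages are constructed.

```python
"""Pre-ingest check for messages in the phishing mailbox.

Added example, not Exabeam code. Sample messages are constructed.
"""
from email import message_from_bytes, policy
from email.message import EmailMessage

# Content types that mean the body is S/MIME or PGP/MIME encrypted.
ENCRYPTED_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime", "multipart/encrypted"}


def extract_fields(raw: bytes) -> dict:
    """Return the header fields and attachment list ingest would populate."""
    msg = message_from_bytes(raw, policy=policy.default)
    fields = {
        "from": str(msg.get("From", "")),
        "to": str(msg.get("To", "")),
        "subject": str(msg.get("Subject", "")),
        "content_type": msg.get_content_type(),
        "attachments": [],
        "forwarded": None,
    }
    for part in msg.iter_attachments():
        ctype = part.get_content_type()
        fields["attachments"].append({"filename": part.get_filename() or "", "content_type": ctype})
        if ctype == "message/rfc822":
            inner = part.get_content()  # the original message the user reported
            fields["forwarded"] = {"from": str(inner.get("From", "")),
                                   "subject": str(inner.get("Subject", ""))}
    return fields


def ingest_problems(fields: dict) -> list:
    """Reasons this message would not be ingested; empty if it is acceptable."""
    problems = []
    if fields["content_type"] in ENCRYPTED_TYPES:
        problems.append("message is encrypted; ingest requires plaintext")
    for a in fields["attachments"]:
        if a["filename"].lower().endswith(".msg") or a["content_type"] == "application/vnd.ms-outlook":
            problems.append(f"attachment {a['filename']!r} is MSG; only EML attachments are supported")
    return problems


def build_sample(attach_msg: bool = False) -> bytes:
    """Constructed report: a user forwards a phish to the phishing mailbox as an
    .eml attachment (or, with attach_msg=True, as an Outlook .msg)."""
    report = EmailMessage()
    report["From"] = "alice@mycompany.com"
    report["To"] = "phishing@mycompany.com"
    report["Subject"] = "FW: Urgent invoice"
    report.set_content("Forwarding a suspicious email I received.")
    if attach_msg:
        report.add_attachment(b"\xd0\xcf\x11\xe0placeholder", maintype="application",
                              subtype="vnd.ms-outlook", filename="suspicious.msg")
    else:
        original = EmailMessage()
        original["From"] = "ceo@evil.example"
        original["To"] = "alice@mycompany.com"
        original["Subject"] = "Urgent invoice"
        original.set_content("Please pay today: http://evil.example/pay")
        report.add_attachment(original, filename="suspicious.eml")
    return report.as_bytes()


# Constructed S/MIME-encrypted message: ingest cannot read it.
ENCRYPTED_SAMPLE = (
    b"From: bob@mycompany.com\r\nTo: phishing@mycompany.com\r\nSubject: Confidential\r\n"
    b'Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\nMIAGCSqGSIb3DQEHA6CAMIACAQAxggE=\r\n"
)

if __name__ == "__main__":
    for raw in (build_sample(), build_sample(attach_msg=True), ENCRYPTED_SAMPLE):
        f = extract_fields(raw)
        print(f["subject"], f["forwarded"], ingest_problems(f) or "OK")
```

Point the extractor at a mailbox export before you click START: any message listed as encrypted or carrying a .msg attachment will not become an incident, and the `forwarded` fields show which sender an incident rule on the "from" field would actually need to match.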

Restart Email Ingest

If email ingest isn't working, restart it to troubleshoot the issue.

  1. In the sidebar, click SETTINGS (the gear icon), then select Analytics.

  2. Under Case Management, select Incident Configuration.

  3. Select the EMAIL INGEST tab.

  4. Hover over an email server, then click edit (the pencil icon).

  5. Click Start.

    If email ingest starts successfully, the server appears in the list of email feeds with a Running status.

Incident Rules

Assign, prioritize, and restrict new incidents with incident rules.

When Case Manager creates an incident, an incident rule evaluates it against one or many conditions that you define, then assigns it to a queue or priority, or restricts access to it. For example, you can create an incident rule that assigns an incident to a Tier 3 queue if an email's to field is phishing@mycompany.com.

Case Manager evaluates an incident against each rule in the list from top to bottom. Once the incident reaches the first rule for which it matches the conditions, Case Manager stops evaluating and ignores the remaining rules in the list.

You can create, reorder, edit, and delete an incident rule.

Create an Incident Rule

Create an incident rule to assign, prioritize, and restrict new incidents.

Case Manager evaluates an incident against each rule in the list from top to bottom. Once the incident reaches the first rule for which it matches the conditions, Case Manager stops evaluating and ignores the remaining rules in the list.

  1. In the sidebar, click SETTINGS (the gear icon), then select Analytics.

  2. Under Case Management, select Incident Rules.

  3. Click Add new triage rules (the plus icon).

  4. Enter information about the rule:

    • Rule Title – Give the incident rule a unique name.

    • Conditions – Assign a condition that evaluates the incident. To add more than one condition, click +ADD.

      The conditions are case sensitive. For example, if the "to" field is JohnSmith@company.com, the rule won't trigger if the "to" field is johnsmith@company.com.

    • Assign to Queue – Assign the incident to a queue. Otherwise, assign the incident to the default Unassigned Queue.

    • Priority – Assign the incident to low, medium, high, or critical priority.

    • Restrict To – Restrict who can access, see, or search for this incident. You can restrict access to one person or a group. These are groups you named when you configured LDAP.

  5. Click SAVE.
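The two properties that matter when you write rules are stated above: evaluation is first match wins, top to bottom, and string conditions are case sensitive. Together they produce a failure mode worth checking for: a broad rule placed above a narrower one makes the narrower rule unreachable, so its queue, priority and access restriction never apply. The following is an added example, not Exabeam code, that models that evaluation and adds a check for rules that can never fire. Field names, queue names, the LDAP group and the sample incidents are constructed.

```python
"""First-match incident triage, modelling the Incident Rules section.

Added example, not Exabeam code. Rule, queue and field names are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DEFAULT_QUEUE = "Unassigned"


@dataclass
class Rule:
    title: str
    conditions: Dict[str, str]       # field -> required value, exact and case sensitive
    queue: Optional[str] = None
    priority: Optional[str] = None   # low | medium | high | critical
    restrict_to: Optional[str] = None

    def matches(self, incident: Dict[str, str]) -> bool:
        # Every condition must hold; comparison is exact, so "To" != "to" values.
        return all(incident.get(f) == v for f, v in self.conditions.items())


def triage(incident: Dict[str, str], rules: List[Rule]) -> Tuple[Optional[str], str, Optional[str], Optional[str]]:
    """Return (matched rule title, queue, priority, restrict_to) for an incident."""
    for rule in rules:                            # top to bottom, first match wins
        if rule.matches(incident):
            return rule.title, rule.queue or DEFAULT_QUEUE, rule.priority, rule.restrict_to
    return None, DEFAULT_QUEUE, None, None        # no rule matched


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Titles of rules that can never fire: an earlier rule's conditions are a
    subset of theirs, so the earlier rule always matches first. Run this after
    adding or reordering rules."""
    shadowed = []
    for i, later in enumerate(rules):
        if any(earlier.conditions.items() <= later.conditions.items() for earlier in rules[:i]):
            shadowed.append(later.title)
    return shadowed


# Constructed rule list, in list order as it would appear on the Incident Rules page.
RULES = [
    Rule("Phishing mailbox to Tier 3", {"to": "phishing@mycompany.com"}, queue="Tier 3", priority="high"),
    Rule("Any DLP alert", {"source": "DLP"}, queue="Tier 1", priority="medium"),
    Rule("HR data exfiltration", {"source": "DLP", "data_class": "HR"},
         queue="Tier 2", priority="critical", restrict_to="hr-investigations"),
]

if __name__ == "__main__":
    for inc in [{"to": "phishing@mycompany.com"}, {"to": "Phishing@mycompany.com"},
                {"source": "DLP", "data_class": "HR"}]:
        print(inc, "->", triage(inc, RULES))
    print("rules that can never fire:", shadowed_rules(RULES))
```

With the rules in the order shown, an HR DLP incident lands in Tier 1 with no access restriction because "Any DLP alert" matches first; moving "HR data exfiltration" above it is the fix, and `shadowed_rules` returns an empty list once the order is right. The second sample incident shows the case-sensitivity trap: a capitalised address does not match and the incident falls through to the Unassigned queue.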

Edit an Incident Rule

Change the title, conditions, and details of an incident rule.

  1. In the sidebar, click SETTINGS (the gear icon), then select Analytics.

  2. Under Case Management, select Incident Rules.

  3. Hover over an incident rule, then select Edit Rule (the pencil icon).

  4. Change the rule title, conditions, the queue or priority an incident is assigned to, or who it is restricted to.

  5. Click SAVE.

Reorder Incident Rules

An incident is evaluated against each rule in the list from top to bottom. It stops evaluating once it reaches the first rule that matches the condition and ignores the remaining rules in the list.

  1. In the sidebar, click SETTINGS (the gear icon), then select Analytics.

  2. Under Case Management, select Incident Rules.

  3. To move a rule up or down in the list, select the up or down arrow next to the rule.

Delete an Incident Rule

When Case Manager ingests an incident, it evaluates it against an incident rule. If you don't want to evaluate an incident against a certain rule, delete the rule.

  1. In the sidebar, click SETTINGS (the gear icon), then select Analytics.

  2. Under Case Management, select Incident Rules.

  3. Hover over an incident rule, then select Delete Rule (the trash can icon).

  4. A warning appears. Click DELETE.

Configure Incident Email Communication

Link Case Manager to an email account to send incident emails directly from an incident. Before you begin, ensure you have:

  • An email account from which users send and receive Case Manager-related messages (for example, casemanagement@mycompany.com). The mailbox cannot be a shared mailbox or a subfolder. You can't use the same email account you use for email ingest.

  • Credentials for the email inbox. The account credentials must have read and write access to the entire mailbox.

  • IMAP connectivity.

    Protocol      Port Number
    IMAP          143
    IMAP + SSL    993

  • If you use Microsoft Exchange Online with OAuth2.0 modern authentication, ensure that you complete specific prerequisites.

  1. Ensure that emails aren't encrypted and attachments are in EML format. MSG files are not yet supported.

  2. In the sidebar, click SETTINGS (the gear icon), then select Core.

  3. Under INCIDENT INGESTION, select 2-Way Email.

  4. Enter information about your email account, inbound connection, and outbound connection:

    • Username – Enter the username for the mail server. This may be an email address.

    • Password – Enter the password for the mail server.

    • Email address – Enter the email address on the mail server.

    • Folder – Enter the name of the folder from which emails are ingested.

    Inbound

    • Inbound host/server – Enter the name of the inbound mail server.

    • Inbound protocol – Select the mail protocol used to receive emails.

    • Inbound port – Enter the inbound protocol port number.

    Outbound

    • Outbound host/server – Enter the name of the outbound mail server.

    • Outbound protocol – Select the mail protocol used to send emails.

    • Outbound port – Enter the outbound protocol port number.

    • Exchange protocol – Select the box if you use Microsoft Exchange Online.

  5. If you selected the Exchange Protocol box, enter additional information about your Microsoft Exchange Online account and connection:

    • Exchange host – Enter the host name of your Microsoft Exchange server.

    • SSL – Select the box if you installed a Secure Sockets Layer (SSL) certificate on your Microsoft Exchange server.

    • Exchange port – Enter the port number your Microsoft Exchange host uses.

    • Authentication type – Select the protocol used to authenticate to your Exchange host: BASIC, NTLM, or OAUTH2.0.

    • Exchange version – Select your version of Microsoft Exchange:

      • Microsoft Exchange 2007, Service Pack 1

      • Microsoft Exchange 2010

      • Microsoft Exchange 2010, Service Pack 1

      • Microsoft Exchange 2010, Service Pack 2

      • Other Exchange Version

    • Log level – Case Manager generates logs about your system activity that Customer Success uses to debug problems in your system. Select how detailed these logs are: low or verbose. To conserve disk space, it's best to select low. If you have problems with your system, Customer Success may direct you to change the log level to verbose.

  6. If you selected OAUTH2.0 as your Authentication type, enter additional information about the application you registered on Microsoft:

    • Client ID – Enter your Exabeam Microsoft Application (client) ID.

    • Client secret – Enter your Exabeam Microsoft Application client secret.

    • Tenant ID – Enter your Microsoft Azure AD tenant ID.

    • National cloud – If you have a national cloud deployment of Microsoft Azure, select your national cloud: China, Germany, or USGovernment. If you don't have a national cloud deployment, select Global.

  7. To validate the inbound and outbound connection to your mail server, click TEST INBOUND and TEST OUTBOUND. If you see Failed to test Service connectivity, verify that you entered the correct email account, inbound connection, and outbound connection information.

  8. Click SAVE.

  9. Log in to the Microsoft account you use for incident email. When asked whether to Stay signed in?, it doesn't matter whether you select yes or no. The credentials aren't saved in your cache, and you are asked every time you configure incident email.

  10. To enable the email route, click START.

    The email route appears in the EMAIL FEEDS list with a RUNNING status.

Customize Incidents

Customize incident types, fields, and layouts to better align Case Manager with your existing or other internal ticketing systems.

Depending on your organization and your industry, consider customizing incidents to tailor Case Manager to your needs. For example, a hospital Security Operations Center (SOC) may create a HIPAA field to review the percentage of historical incidents in which HIPAA data was breached, or view all active incidents that contain HIPAA data.

Start by creating an incident type. Then, create custom fields for that type and organize them into a layout that works best for you. For each incident type, create phases and tasks to standardize your team's response to that type of incident and ensure they take the required steps.

If you don't want to start from scratch, you can also edit out-of-the-box incident types, fields, phases, and tasks to better suit your needs.

Incident Types

Standardize information, actions, and evidence for common security incidents using incident types.

An incident type is a category that represents a security scenario. Incident types standardize incident fields, phases, tasks, and playbooks, and ensure you have the information and tools you need to resolve an incident based on attack vector or case context.

For example: In your organization, a phishing campaign targets multiple users, and each user automatically triggers and creates an incident. Since all these incidents are of a specific type—phishing—you need a specific set of information, actions, and evidence to resolve them, like sender, recipient, or email subject. The phishing incident type ensures they are all included in a phishing incident, and you have everything you need to research and resolve it.

There are 22 out-of-the-box incident types: one for each Exabeam Threat Detection, Investigation, and Response (TDIR) Use Case Package, one automatically assigned to all incidents, and one specifically for incidents created from notable Advanced Analytics sessions.

You can modify these out-of-the-box incident types to better suit your needs or create your own incident type from scratch.

Generic Incident Type

The Generic incident type standardizes incident fields for every incident created, manually or automatically.

Every incident created, manually or automatically, is automatically assigned the Generic incident type. You can't unassign the Generic incident type from an incident; every incident must be assigned the Generic incident type.

The Generic incident type comes with specific incident fields. You can't remove these incident fields from the incident type, but you can add custom incident fields for information you want to appear in every incident. You can also customize the incident type's layout and rearrange how these fields appear in an incident.Customize the Layout of an Incident Type

Behavior Analytics Incident Type

The out-of-the-box Behavior Analytics incident type standardizes incident fields, phases, and tasks for incidents created from a notable Advanced Analytics session or sequence.

When an Advanced Analytics user session or asset sequence becomes notable and creates a Case Manager incident, the incident is automatically assigned the Behavior Analytics incident type.

The Behavior Analytics incident type comes with specific incident fields, and also prescribes specific phases and tasks for investigating, containing, and remediating the incident. You can customize them to better suit your needs.

You can assign additional incident types on top of the Behavior Analytics type to keep the Behavior Analytics incident fields, or reassign the incident to a more accurate incident type. To quickly and accurately reassign the incident to the correct type, consider using the Automated Incident Classification turnkey playbook.

Out-of-the-Box Incident Types for Compromised Insiders Use Cases

Standardize information, actions, and evidence for Compromised Insiders incidents using seven related out-of-the-box incident types.

There are seven out-of-the-box incident types, one for each Compromised Insiders use case:

Compromised Credentials Incident Type

Use the out-of-the-box Compromised Credentials incident type to standardize incident fields, phases, and tasks for incidents in which an external actor steals credentials to access your system.

The Compromised Credentials use case describes when an attacker disguises as a valid user with legitimate access and uses stolen credentials to access your system. Assign the Compromised Credentials incident type to incidents in which someone has stolen credentials, authenticated anomalously, or done something else to indicate they are compromising your system externally.

The Compromised Credentials incident type comes with specific incident fields, and also prescribes specific phases and tasks for investigating, containing, and remediating the incident. You can customize them to better suit your needs.

Lateral Movement Incident Type

Use the out-of-the-box Lateral Movement incident type to standardize incident fields, phases, and tasks for incidents in which an external actor moves through your network and jumps between devices to search for sensitive data.

The Lateral Movement use case describes when an attacker moves through a network and jumps between devices to search for sensitive data and other high-value assets. Assign the Lateral Movement incident type to incidents in which a privileged account or asset does something unusual, or a non-privileged user does something that typically requires privileged access.

The Lateral Movement incident type comes with specific incident fields, and also prescribes specific phases and tasks for investigating, containing, and remediating the incident. You can customize them to better suit your needs.

Privilege Escalation Incident Type

Use the out-of-the-box Privilege Escalation incident type to standardize incident fields, phases, and tasks for incidents in which an attacker increases the privileges of a compromised account or switches accounts to gain more access.

The Privilege Escalation use case describes when an attacker increases the privileges of an account they compromised or switches accounts to increase their access. Assign the Privilege Escalation incident type to incidents in which a host or person uses brute-force techniques to find valid credentials, executes BloodHound, or switches accounts.

The Privilege Escalation incident type comes with specific incident fields, and also prescribes specific phases and tasks for investigating, containing, and remediating the incident. You can customize them to better suit your needs.

Privileged Activity Incident Type

Use the out-of-the-box Privileged Activity incident type to standardize incident fields, phases, and tasks for incidents in which there's unusual behavior around privileged accounts, assets, or other activity.

The Privileged Activity use case describes when a privileged account or asset does something unusual, or a non-privileged user does something that typically requires privileged access. Assign the Privileged Activity incident type to an incident in which a disabled or deactivated user account becomes active, a non-privileged user accesses privileged assets, an account anomalously accesses domain controllers, or an administrative account triggers a security alert.

The Privileged Activity incident type comes with specific incident fields, and also prescribes specific phases and tasks for investigating, containing, and remediating the incident. You can customize them to better suit your needs.

Account Manipulation Incident Type

Use the out-of-the-box Account Manipulation incident type to standardize incident fields, phases, and tasks for incidents in which an attacker uses persistence techniques to maintain their access to your network.

The Account Manipulation use case describes when an attacker uses persistence techniques to maintain access to your network even if you try to interrupt or cut off their access. Persistence techniques include creating or manipulating user accounts, or modifying credentials or permissions to groups. If an incident involves any of these behaviors, assign it the Account Manipulation incident type.

The Account Manipulation incident type comes with specific incident fields, and also prescribes specific phases and tasks for investigating, containing, and remediating the incident. You can customize them to better suit your needs.

Data Exfiltration Incident Type

Use the out-of-the-box Data Exfiltration incident type to standardize incident fields, phases, and tasks for incidents in which an attacker compromises an account in your organization to exfiltrate data.

The Data Exfiltration use case describes when an attacker illicitly transfers data outside your organization. Assign the Data Exfiltration incident type to incidents in which an account triggers Data Loss Prevention (DLP) alerts, uploads large amounts of data, or uses other techniques to exfiltrate data from your network.

The Data Exfiltration incident type comes with specific incident fields, and also prescribes specific phases and tasks for investigating, containing, and remediating the incident. You can customize them to better suit your needs.

Evasion Incident Type

Use the out-of-the-box Evasion incident type to standardize incident fields, phases, and tasks for incidents in which an attacker uses techniques to avoid being detected.

The Evasion use case describes when an attacker uses techniques to avoid being detected as they compromise your system. Assign the Evasion incident type to an incident in which someone disables or uninstalls security software, obfuscates or encrypts data, or otherwise abuses trusted processes to hide malware.

The Evasion incident type comes with specific incident fields, and also prescribes specific phases and tasks for investigating, containing, and remediating the incident. You can customize them to better suit your needs.

Out-of-the-Box Incident Types for Malicious Insiders Use Cases

Standardize information, actions, and evidence for Malicious Insiders incidents using eight related out-of-the-box incident types.

There are eight out-of-the-box incident types, one for each Malicious Insiders use case:

Data Leak Incident Type

Use the out-of-the-box Data Leak incident type to standardize incident fields, phases, and tasks for incidents in which someone in your organization transfers or steals data.

The Data Leak use case describes when an employee, partner, or contractor illicitly transfers data outside your organization. Assign the Data Leak incident type to an incident in which someone in your organization sends email to personal accounts, uploads a lot of data, triggers Data Loss Prevention (DLP) alerts, or uses other techniques to exfiltrate data from your network.

The Data Leak incident type comes with specific incident fields, and also prescribes specific phases and tasks for investigating, containing, and remediating the incident. You can customize them to better suit your needs.

Privilege Abuse Incident Type

Use the out-of-the-box Privilege Abuse incident type to standardize incident fields, phases, and tasks for incidents in which someone takes over a privileged account and uses it to access, exploit, or damage confidential business entities.

The Privilege Abuse use case describes when a privileged account does something unusual, or a non-privileged user does something that typically requires privileged access. Assign the Privilege Abuse incident type to an incident in which a non-privileged, privileged, service, executive, or disabled account anomalously accesses assets, creates accounts, or triggers security alerts.

The Privilege Abuse incident type comes with specific incident fields, and also prescribes specific phases and tasks for investigating, containing, and remediating the incident. You can customize them to better suit your needs.

Data Access Abuse Incident Type

Use the out-of-the-box Data Access Abuse incident type to standardize incident fields, phases, and tasks for incidents in which someone in your organization anomalously accesses and collects data.

The Data Access Abuse use case describes when someone in your organization anomalously accesses sensitive corporate data and resources, which is usually a precursor to a data leak. Assign the Data Access Abuse incident type to an incident in which someone in your organization accesses certain applications or databases for the first time, accesses data from risky geographical locations, or uses other techniques to collect data.

The Data Access Abuse incident type comes with specific incident fields, and also prescribes specific phases and tasks for investigating, containing, and remediating the incident. You can customize them to better suit your needs.

Audit Tampering Incident Type

Use the out-of-the-box Audit Tampering incident type to standardize incident fields, phases, and tasks for incidents in which someone clears logs or other data to destroy an audit trail.

The Audit Tampering use case describes when someone in your organization tampers with audit logs to destroy an incriminating audit trail and evade detection. Assign the Audit Tampering incident type to an incident in which someone clears audit or event logs, or uses other techniques to manipulate, interrupt, or destroy data and avoid being detected.

The Audit Tampering incident type comes with specific incident fields, and also prescribes specific phases and tasks for investigating, containing, and remediating the incident. You can customize them to better suit your needs.

Destruction of Data Incident Type

Use the out-of-the-box Destruction of Data incident type to standardize incident fields, phases, and tasks for incidents in which someone in your organization destroys or manipulates data to sabotage your organization.

The Destruction of Data use case describes when someone in your organization deletes data to harm your organization and disrupt critical business operations. Assign the Destruction of Data incident type to incidents in which someone starts deleting accounts, anomalously manipulates files, or uses other techniques to manipulate, interrupt, or destroy your data.

The Destruction of Data incident type comes with specific incident fields, and also prescribes specific phases and tasks for investigating, containing, and remediating the incident. You can customize them to better suit your needs.

Physical Security Incident Type

Use the out-of-the-box Physical Security incident type to standardize incident fields, phases, and tasks for incidents in which someone in your organization anomalously accesses a physical space.

The Physical Security use case describes when someone in your organization anomalously accesses physical spaces. Assign the Physical Security incident type to incidents in which someone fails to badge in somewhere they've never been, uses a disabled account to try accessing a physical space, or otherwise anomalously badges into a building or location.

The Physical Security incident type comes with specific incident fields, and also prescribes specific phases and tasks for investigating, containing, and remediating the incident. You can customize them to better suit your needs.

Workforce Protection Incident Type

Use the out-of-the-box Workforce Protection incident type to standardize incident fields, phases, and tasks for incidents in which

The Workforce Protection use case describes when someone in your organization shows signs of leaving your organization, communicates with a competitor, or anomalously attends a web conference. Assign the Workforce Protection incident type to incidents in which someone in your organization searches for a job, badges into a physical space at an unusual time, or triggers a Data Loss Prevention (DLP) alert.

The Workforce Protection incident type comes with specific incident fields, and also prescribes specific phases and tasks for investigating, containing, and remediating the incident. You can customize them to better suit your needs.

Abnormal Authentication and Access Incident Type

Use the out-of-the-box Abnormal Authentication and Access incident type to standardize phases and tasks for incidents in which someone in your organization does something unusual, outside their typical behavior patterns.

The Abnormal Authentication and Access use case describes when someone in your organization anomalously does things that aren't typical of them, like accessing or authenticating into unusual applications, critical servers, or browsers. Assign the Abnormal Authentication and Access incident type to incidents in which someone uses a user-agent string for the first time, connects to your network on an unusual day of the week, does something from an unusual geographical location, accesses an application using an unusual operating system or browser, or consecutively fails to log in to their account an excessive number of times.

The Abnormal Authentication and Access incident type doesn't come with specific incident fields, but it does prescribe specific phases and tasks for investigating, containing, and remediating the incident. You can create your own incident fields and customize the phases and tasks to better suit your needs.

Out-of-the-Box Incident Types for External Threats Use Cases

Standardize information, actions, and evidence for External Threats incidents using five related out-of-the-box incident types.

There are five out-of-the-box incident types, one for each External Threats use case:

Phishing Incident Type

Use the out-of-the-box Phishing incident type to standardize incident fields, phases, and tasks for incidents in which an attacker sends fraudulent messages and uses social engineering techniques to trick someone in your organization.

The Phishing use case describes when an attacker uses social engineering techniques in emails or other messaging services to deceive their victims into assisting them. Assign the Phishing incident type to an incident in which someone in your organization receives an email from an unknown domain, sends more emails than usual, or receives an email with malicious links or attachments, or in which the incident includes other signs of phishing.

The Phishing incident type comes with specific incident fields, and also prescribes specific phases and tasks for investigating, containing, and remediating the incident. You can customize them to better suit your needs.

Malware Incident Type

Use the out-of-the-box Malware incident type to standardize incident fields, phases, and tasks for incidents in which someone becomes a target of a malicious program or code that accesses or damages your system.

The Malware use case describes when an attacker develops malicious programs or code to access your system without authorization, or to damage your data or system. Assign the Malware incident type to incidents in which someone accesses a domain generated by a domain generation algorithm (DGA), or triggers an antivirus or endpoint detection and response (EDR) security alert.

The Malware incident type comes with specific incident fields, and also prescribes specific phases and tasks for investigating, containing, and remediating the incident. You can customize them to better suit your needs.

Ransomware Incident Type

Use the out-of-the-box Ransomware incident type to standardize incident fields, phases, and tasks for incidents in which an attacker uses malicious software to encrypt data on your system and extract monetary compensation.

The Ransomware use case describes when an attacker encrypts critical corporate assets and monetarily extorts your organization in exchange for unlocking the assets. Assign the Ransomware incident type to incidents in which an attacker encrypts data on your systems so no one can access files or data, from common user files like PDFs, images, audio or text to critical system files, disk partitions, or a Master Boot Record (MBR).

The Ransomware incident type comes with specific incident fields, and also prescribes specific phases and tasks for investigating, containing, and remediating the incident. You can customize them to better suit your needs.

Brute Force Attack Incident Type

Use the out-of-the-box Brute Force Attack incident type to standardize incident fields, phases, and tasks for incidents in which an automated bot exploits weak passwords and generates numerous fake credentials to access a valid account.

The Brute Force Attack use case describes when automated bots generate numerous combinations of usernames and passwords and use trial-and-error to guess a valid account's credentials. Assign the Brute Force Attack incident type to an incident in which someone has failed to log in to an account multiple times.

The Brute Force Attack incident type comes with specific incident fields, and also prescribes specific phases and tasks for investigating, containing, and remediating the incident. You can customize them to better suit your needs.

Cryptomining Incident Type

Use the out-of-the-box Cryptomining incident type to standardize incident fields, phases, and tasks for incidents in which an attacker maliciously mines for cryptocurrencies using your corporate computing systems.

The Cryptomining use case describes when an attacker exploits high-performance corporate computing systems to maliciously mine for cryptocurrencies. Assign the Cryptomining incident type to incidents in which someone in your organization accesses cryptocurrency websites, accesses websites that mine for cryptocurrency in the browser's background, or runs cryptomining processes on their workstation or host.

The Cryptomining incident type comes with specific incident fields, and also prescribes specific phases and tasks for investigating, containing, and remediating the incident. You can customize them to better suit your needs.

Create a Custom Incident Type

Create a custom incident type from scratch to represent a common security scenario and standardize information, actions, and evidence.

  1. In the sidebar, click SETTINGS (a grey gear icon), then select Analytics.

  2. Under Case Management, select Incident Configuration.

  3. In the Types tab, click ADD TYPE.

  4. In the CREATE INCIDENT TYPE menu, enter a name and description for the incident type.

  5. Click SAVE. The new incident type appears in the list of incident types with a Custom status.

    For your new incident type, create custom incident fields or design a custom layout.

Delete a Custom Incident Type

When you delete an incident type you created, you can no longer apply the type to any incidents. Deleting the type does not delete any existing incident that was assigned the type, or any of that incident's data.

  1. In the sidebar, click SETTINGS (a grey gear icon), then select Analytics.

  2. Under Case Management, select Incident Configuration.

  3. In the TYPES tab, hover over an incident type, select the More menu (three vertical grey dots), then select Delete.

  4. A warning appears. Click DELETE.

Incident Fields

Display information about security incidents using incident fields.

An incident field represents an attribute of a security incident, like its description or the time it was created.

Incident fields are specific to an incident type. For example, the Phishing incident type includes fields like subject, email body, and attachment name. There are also default incident fields that appear in every incident, like description, vendor, or source, under the Generic incident type.

You can create a custom incident field for a specific incident type. After you create a custom incident field, arrange how it appears in the incident type's layout.

Generic Incident Fields

Review out-of-the-box incident fields specific to the Generic incident type.

You cannot remove the out-of-the-box fields from the Generic incident type. You can add custom incident fields to the Generic incident type to ensure they appear in every incident.

  • Incident type – The category the incident belongs under, usually representing a common security scenario. Incident types standardize incident fields, phases, and tasks.

  • Description – A short account of the incident; for example, what occurred and who was involved.

  • Vendor – The vendor that generated the log; for example, Exabeam.

  • Source – The product that generated the log; for example, Exabeam AA.

  • Source severity – The severity of the third-party security alert that created the Case Manager incident.

  • Source ID – The Advanced Analytics session ID, if the incident was created from a notable Advanced Analytics session.

  • Source URL – A link to the notable session in Advanced Analytics, if the incident was created from a notable Advanced Analytics session.

  • Event start time – When the notable session first started, if the incident was created from a notable Advanced Analytics session.

  • Event end time – When the notable session ended, if the incident was created from a notable Advanced Analytics session.

  • Source info – The raw log of the third-party security alert that created the Case Manager incident.

  • Created by – The person who created the incident in Case Manager.

  • Creation time – When the incident was created in Case Manager.

  • Updated by – The person who updated the incident in Case Manager.

  • Updated – When the incident was last updated in Case Manager.

  • Resolved time – When the incident's status was changed to Resolved.

  • Closed time – When the incident's status was changed to Closed or Closed - False Positive.

  • Closed reason – Why the incident's status was changed to Closed or Closed - False Positive. To close the incident, you must enter a value for this field.

Behavior Analytics Incident Fields

Review out-of-the-box incident fields specific to the Behavior Analytics incident type. Each field is listed with its data type in parentheses.

  • Alert count (Integer) – The number of security alerts triggered during the notable session.

  • Asset count (Integer) – The number of assets affected in the notable session.

  • Asset ID (String) – The notable asset's ID.

  • Event count (Integer) – The number of events in the notable session.

  • Exabeam risk score (Integer) – The risk score for the notable session.

  • Location count (Integer) – The number of geographical locations involved in the notable session.

  • Risk reasons (Multi-line text) – All rules that triggered during the notable session.

  • Rule count (Integer) – The number of rules that triggered during the notable session.

  • Sequence ID (String) – The notable session or sequence's ID.

  • Sequence type (String) – Whether a notable user session or asset sequence created the incident. If a notable user session created the incident, the value is Session. If a notable asset sequence created the incident, the value is Asset.

  • Timeline page (URL) – Link to the notable session or sequence in the Smart Timeline™.

  • User ID (String) – The notable user's username.

  • User page (URL) – Link to the notable user's profile.

  • Zones count (Integer) – The number of zones involved in the notable session.

Out-of-the-Box Incident Fields for Compromised Insiders Incident Types

Each incident type has a unique set of incident fields. Review the incident fields for each Compromised Insiders incident type.

There are seven out-of-the-box incident types, one for each Compromised Insiders use case. Each incident type contains a specific set of incident fields out of the box.

You can edit certain incident fields and rearrange how they appear in the incident type's layout to better suit your needs.

Compromised Credentials Incident Fields

Review out-of-the-box incident fields specific to the Compromised Credentials incident type. Each field is listed with its data type in parentheses.

  • User status (String) – The employee's current employment status; for example, employed, newly hired, on notice, suspended, or terminated.

  • Access level (String) – The level of access granted to the account; for example, non-privileged, executive, or administrative.

  • Account type (String) – The type of account targeted in the incident, according to role or where it's stored; for example, domain, local, service, or system.

  • Asset count (Integer) – The number of assets affected in the notable session.

  • Asset type (String) – The type of asset accessed in the incident; for example, workstation, domain, controller, or critical system.

  • Compliance governed (String) – The compliance frameworks governing the data that was accessed, exfiltrated, or destroyed; for example, PCI, SOX2, HIPAA, or ISO.

  • Compromised credentials knowledge base article (URL) – Link to an Exabeam Community article describing the Compromised Credentials use case.

  • Data accessed (Multi-line text) – The type of data that was accessed; for example, files or database records.

  • Data classification level (String) – How sensitive the accessed data is; for example, public, internal, confidential, or restricted (personally identifiable information or intellectual property).

  • Data type identification (String) – The type of data that was accessed, exfiltrated, manipulated, or destroyed; for example, file, email, database, records, or application data.

  • Destination host/IP (String) – The host name or IP address of the machine where the activity occurred.

  • Outcome (String) – The result of the activity; for example, failed, denied, approved, or successful.

  • Source host/IP (String) – The host name or IP address of the machine from where the activity originated.

  • User type (String) – The type of employee involved in the incident; for example, contractor, partner, or employee.

Lateral Movement Incident Fields

Review out-of-the-box incident fields specific to the Lateral Movement incident type. Each field is listed with its data type in parentheses.

  • Asset count (Integer) – The number of assets affected in the notable session.

  • Asset type (String) – The type of asset accessed in the incident; for example, workstation, domain, controller, or critical system.

  • Destination host/IP (String) – The host name or IP address of the machine where the activity occurred.

  • Destination port (Integer) – The port accessed at the destination host or IP.

  • Firewall rule (String) – The firewall rule that allowed or denied the network traffic.

  • Lateral movement knowledge base article (URL) – Link to an Exabeam Community article describing the Lateral Movement use case.

  • Outcome (String) – The result of the activity; for example, failed, denied, approved, or successful.

  • Source country (String) – The country or geolocation where the source is located.

  • Source host/IP (String) – The host name or IP address of the machine from where the activity originated.

Privilege Escalation Incident Fields

Review out-of-the-box incident fields specific to the Privilege Escalation incident type. Each field is listed with its data type in parentheses.

  • User (String) – The names of the people involved in the incident.

  • Target account (String) – The name of the account targeted in the incident.

  • Account type (String) – The type of account targeted in the incident, according to role or where it's stored; for example, domain, local, service, or system.

  • Access level (String) – The level of access granted to the account; for example, non-privileged, executive, or administrative.

  • Asset count (Integer) – The number of assets affected in the notable session.

  • Asset type (String) – The type of asset accessed in the incident; for example, workstation, domain, controller, or critical system.

  • Source host/IP (String) – The host name or IP address of the machine from where the activity originated.

  • Destination host/IP (String) – The host name or IP address of the machine where the activity occurred.

  • Process name (String) – The name of the executed process; for example, powershell.exe.

  • PID (Integer) – The process identifier of the executed process.

  • Process path (Multi-line text) – The file path where the executed process is located.

  • Privilege escalation knowledge base article (URL) – Link to an Exabeam Community article describing the Privilege Escalation use case.

Privileged Activity Incident Fields

Review out-of-the-box incident fields specific to the Privileged Activity incident type. Each field is listed with its data type in parentheses.

  • User status (String) – The employee's current employment status; for example, employed, newly hired, on notice, suspended, or terminated.

  • Access level (String) – The level of access granted to the account; for example, non-privileged, executive, or administrative.

  • Activity type (String) – What was done in an application or on an object; for example, create, delete, download, upload, backup, or change object.

  • Compliance governed (String) – The compliance frameworks governing the data that was accessed, exfiltrated, or destroyed; for example, PCI, SOX2, HIPAA, or ISO.

  • Data accessed (Multi-line text) – The type of data that was accessed; for example, files or database records.

  • Data classification level (String) – How sensitive the accessed data is; for example, public, internal, confidential, or restricted (personally identifiable information or intellectual property).

  • Data type identification (String) – The type of data that was accessed, exfiltrated, manipulated, or destroyed; for example, file, email, database, records, or application data.

  • Destination host/IP (String) – The host name or IP address of the machine where the activity occurred.

  • Failure reason (String) – A description of why the activity failed.

  • Outcome (String) – The result of the activity; for example, failed, denied, approved, or successful.

  • Privileged activity knowledge base article (URL) – Link to an Exabeam Community article describing the Privileged Activity use case.

  • Source host/IP (String) – The host name or IP address of the machine from where the activity originated.

  • User type (String) – The type of employee involved in the incident; for example, contractor, partner, or employee.

  • Account type (String) – The type of account targeted in the incident, according to role or where it's stored; for example, domain, local, service, or system.

Account Manipulation Incident Fields

Review out-of-the-box incident fields specific to the Account Manipulation incident type. Each field is listed with its data type in parentheses.

  • Account manipulation action (String) – How the target user account was manipulated; for example, user created, password changed, or permissions removed.

  • Access level (String) – The level of access granted to the account; for example, non-privileged, executive, or administrative.

  • User (String) – The names of the people involved in the incident.

  • Target account (String) – The name of the account targeted in the incident.

  • Account type (String) – The type of account targeted in the incident, according to role or where it's stored; for example, domain, local, service, or system.

  • Group name (String) – The name of the group on which an account operated.

  • Group domain (String) – The domain of the group on which an account operated.

  • Asset count (Integer) – The number of assets affected in the notable session.

  • Asset type (String) – The type of asset accessed in the incident; for example, workstation, domain, controller, or critical system.

  • Account manipulation knowledge base article (URL) – Link to an Exabeam Community article describing the Account Manipulation use case.

Data Exfiltration Incident Fields

Review out-of-the-box incident fields specific to the Data Exfiltration incident type. Each field is listed with its data type in parentheses.

  • Account type (String) – The type of account targeted in the incident, according to role or where it's stored; for example, domain, local, service, or system.

  • User status (String) – The employee's current employment status; for example, employed, newly hired, on notice, suspended, or terminated.

  • Access level (String) – The level of access granted to the account; for example, non-privileged, executive, or administrative.

  • Asset count (Integer) – The number of assets affected in the notable session.

  • Compliance governed (String) – The compliance frameworks governing the data that was accessed, exfiltrated, or destroyed; for example, PCI, SOX2, HIPAA, or ISO.

  • Data accessed (Multi-line text) – The type of data that was accessed; for example, files or database records.

  • Data classification level (String) – How sensitive the accessed data is; for example, public, internal, confidential, or restricted (personally identifiable information or intellectual property).

  • Data exfiltration knowledge base article (URL) – Link to an Exabeam Community article describing the Data Exfiltration use case.

  • Data type identification (String) – The type of data that was accessed, exfiltrated, manipulated, or destroyed; for example, file, email, database, records, or application data.

  • Destination host/IP (String) – The host name or IP address of the machine where the activity occurred.

  • DLP policy (String) – The violated Data Loss Prevention (DLP) policy.

  • Exfiltration amount (Integer) – The volume of exfiltrated data.

  • Exfiltration channel (String) – The channel used to exfiltrate data; for example, email, web upload, removable device (like a USB or CD), printer, or domain name system (DNS).

  • Source host/IP (String) – The host name or IP address of the machine from where the activity originated.

  • User type (String) – The type of employee involved in the incident; for example, contractor, partner, or employee.

Evasion Incident Fields

Review out-of-the-box incident fields specific to the Evasion incident type. Each field is listed with its data type in parentheses.

  • Activity type (String) – What was done in an application or on an object; for example, create, delete, download, upload, backup, or change object.

  • Audit category (String) – The Windows audit policy category of the changed audit policy; for example, audit account logon events, audit logon events, audit account management, audit directory service access, or audit object access.

  • Audit policy (String) – The name of the changed audit policy.

  • Audit subcategory (String) – The Windows audit policy subcategory of the changed audit policy; for example, logon, process creation, user account management, or directory service access.

  • Compliance governed (String) – The compliance frameworks governing the data that was accessed, exfiltrated, or destroyed; for example, PCI, SOX2, HIPAA, or ISO.

  • Data accessed (Multi-line text) – The type of data that was accessed; for example, files or database records.

  • Data classification level (String) – How sensitive the accessed data is; for example, public, internal, confidential, or restricted (personally identifiable information or intellectual property).

  • Data type identification (String) – The type of data that was accessed, exfiltrated, manipulated, or destroyed; for example, file, email, database, records, or application data.

  • Destination host/IP (String) – The host name or IP address of the machine where the activity occurred.

  • Evasion knowledge base article (URL) – Link to an Exabeam Community article describing the Evasion use case.

  • PID (Integer) – The process identifier of the executed process.

  • Process name (String) – The name of the executed process; for example, powershell.exe.

  • Process path (Multi-line text) – The file path where the executed process is located.

  • Source host/IP (String) – The host name or IP address of the machine from where the activity originated.

Out-of-the-Box Incident Fields for Malicious Insiders Incident Types

Each incident type has a unique set of incident fields. Review the incident fields for each Malicious Insiders incident type.

There are eight out-of-the-box incident types, one for each Malicious Insiders use case. Most Malicious Insiders incident types contain a specific set of incident fields out of the box.

The Abnormal Authentication and Access incident type does not include specific incident fields out of the box.

You can edit certain incident fields and rearrange how they appear in the incident type's layout to better suit your needs.

Data Leak Incident Fields

Review out-of-the-box incident fields specific to the Data Leak incident type. Each field is listed with its data type in parentheses.

  • User status (String) – The employee's current employment status; for example, employed, newly hired, on notice, suspended, or terminated.

  • Access level (String) – The level of access granted to the account; for example, non-privileged, executive, or administrative.

  • Account type (String) – The type of account targeted in the incident, according to role or where it's stored; for example, domain, local, service, or system.

  • Compliance governed (String) – The compliance frameworks governing the data that was accessed, exfiltrated, or destroyed; for example, PCI, SOX2, HIPAA, or ISO.

  • Data accessed (Multi-line text) – The type of data that was accessed; for example, files or database records.

  • Data classification level (String) – How sensitive the accessed data is; for example, public, internal, confidential, or restricted (personally identifiable information or intellectual property).

  • Data leak knowledge base article (URL) – Link to an Exabeam Community article describing the Data Leak use case.

  • Data type identification (String) – The type of data that was accessed, exfiltrated, manipulated, or destroyed; for example, file, email, database, records, or application data.

  • Destination host/IP (String) – The host name or IP address of the machine where the activity occurred.

  • DLP policy (String) – The violated Data Loss Prevention (DLP) policy.

  • Exfiltration amount (Integer) – The volume of exfiltrated data.

  • Exfiltration channel (String) – The channel used to exfiltrate data; for example, email, web upload, removable device (like a USB or CD), printer, or domain name system (DNS).

  • Source host/IP (String) – The host name or IP address of the machine from where the activity originated.

  • User type (String) – The type of employee involved in the incident; for example, contractor, partner, or employee.

Privilege Abuse Incident Fields

Review out-of-the-box incident fields specific to the Privilege Abuse incident type.

Incident field

Description

Data type

User status

The employee's current employment status; for example, employed, newly hired, on notice, suspended, or terminated.

String

Account type

The type of account targeted in the incident, according to role or where it's stored; for example, domain, local, service, or system.

String

Access level

The level of access granted to the account; for example, non-privileged, executive, or administrative.

String

Activity type

What was done in an application or on an object; for example, create, delete, download, upload, backup, or change object.

String

Compliance governed

The compliance frameworks governing the data that was accessed, exfiltrated or destroyed; for example, PCI, SOX2, HIPAA, or ISO.

String

Data accessed

The type of data that was accessed; for example, files or database records.

Multi-line text

Data classification level

How sensitive the accessed data is; for example, public, internal, confidential, or restricted (personally identifiable information or intellectual property).

String

Data type identification

The type of data that was accessed, exfiltrated, manipulated, or destroyed; for example, file, email, database, records, or application data.

String

Destination host/IP

The host name or IP address of the machine where the activity occurred.

String

Outcome

The result of the activity; for example, failed, denied, approved, or successful.

String

Privilege abuse knowledge base article

Link to an Exabeam Community article describing the Privilege Abuse use case.

URL

Source host/IP

The host name or IP address of the machine from where the activity originated.

String

User type

The type of employee involved in the incident; for example, contractor, partner, or employee.

String

Data Access Abuse Incident Fields

Review out-of-the-box incident fields specific to the Data Access Abuse incident type.

Incident field

Description

Data type

User status

The employee's current employment status; for example, employed, newly hired, on notice, suspended, or terminated.

String

Account type

The type of account targeted in the incident, according to role or where it's stored; for example, domain, local, service, or system.

String

Access level

The level of access granted to the account; for example, non-privileged, executive, or administrative.

String

Compliance governed

The compliance frameworks governing the data that was accessed, exfiltrated or destroyed; for example, PCI, SOX2, HIPAA, or ISO.

String

Data access abuse knowledge base article

Link to an Exabeam Community article describing the Data Access Abuse use case.

URL

Data accessed

The type of data that was accessed; for example, files or database records.

Multi-line text

Data classification level

How sensitive the accessed data is; for example, public, internal, confidential, or restricted (personally identifiable information or intellectual property).

String

Data type identification

The type of data that was accessed, exfiltrated, manipulated, or destroyed; for example, file, email, database, records, or application data.

String

Destination host/IP

The host name or IP address of the machine where the activity occurred.

String

Outcome

The result of the activity; for example, failed, denied, approved, or successful.

String

PID

The process identifier of the executed process.

Integer

Process name

The name of the executed process; for example, powershell.exe

String

Process path

The file path of where the executed process is located.

Multi-line text

Source host/IP

The host name or IP address of the machine from where the activity originated.

String

User type

The type of employee involved in the incident; for example, contractor, partner, or employee.

String

Audit Tampering Incident Fields

Review out-of-the-box incident fields specific to the Audit Tampering incident type.

Incident field

Description

Data type

Audit category

The Windows audit policy category of the changed audit policy; for example, audit account logon events, audit logon events, audit account management, audit directory service access, or audit object access.

String

Audit policy

The name of the changed audit policy.

String

Audit subcategory

The Windows audit policy subcategory of the changed audit policy; for example, logon, process creation, user account management, or directory service access.

String

Destination host/IP

The host name or IP address of the machine where the activity occurred.

String

PID

The process identifier of the executed process.

Integer

Process name

The name of the executed process; for example, powershell.exe

String

Process path

The file path of where the executed process is located.

Multi-line text

Source host/IP

The host name or IP address of the machine from where the activity originated.

String

User status

The employee's current employment status; for example, employed, newly hired, on notice, suspended, or terminated.

String

User type

The type of employee involved in the incident; for example, contractor, partner, or employee.

String

Destruction of Data Incident Fields

Review out-of-the-box incident fields specific to the Destruction of Data incident type.

Incident field

Description

Data type

User status

The employee's current employment status; for example, employed, newly hired, on notice, suspended, or terminated.

String

Access level

The level of access granted to the account; for example, non-privileged, executive, or administrative.

String

Activity type

What was done in an application or on an object; for example, create, delete, download, upload, backup, or change object.

String

Compliance governed

The compliance frameworks governing the data that was accessed, exfiltrated or destroyed; for example, PCI, SOX2, HIPAA, or ISO.

String

Data classification level

How sensitive the accessed data is; for example, public, internal, confidential, or restricted (personally identifiable information or intellectual property).

String

Destination host/IP

The host name or IP address of the machine where the activity occurred.

String

Destruction of data knowledge base article

Link to an Exabeam Community article describing the Destruction of Data use case.

URL

File name

The name of the accessed, exfiltrated, manipulated, or destroyed file.

String

File owner

The person who owns the file.

String

File path

The file path of where the file is located; for example, C:\Windows32\myfile.txt

Multi-line text

File type

The format of the file; for example, file, folder, or link.

String

Source host/IP

The host name or IP address of the machine from where the activity originated.

String

User type

The type of employee involved in the incident; for example, contractor, partner, or employee.

String

Account type

The type of account targeted in the incident, according to role or where it's stored; for example, domain, local, service, or system.

String

Physical Security Incident Fields

Review out-of-the-box incident fields specific to the Physical Security incident type.

Incident field

Description

Data type

Badge ID

The ID of the badge used to access a physical space.

String

Building

The name or ID of the building someone attempted to access.

String

City

The name or code of the city where someone entered a physical space.

String

Door

The door someone attempted to use to access a physical space.

String

Outcome

The result of the activity; for example, failed, denied, approved, or successful.

String

Physical security knowledge base article

Link to an Exabeam Community article describing the Physical Security use case.

URL

Workforce Protection Incident Fields

Review out-of-the-box incident fields specific to the Workforce Protection incident type.

Incident field

Description

Data type

User status

The employee's current employment status; for example, employed, newly hired, on notice, suspended, or terminated.

String

Access level

The level of access granted to the account; for example, non-privileged, executive, or administrative.

String

Assigned assets

Corporate assets the employee has access to.

String

Destination host/IP

The host name or IP address of the machine where the activity occurred.

String

Employee ID

The employee's ID.

String

Employee name

The employee's name.

String

Employee tenure

How long the employee has been with your organization.

Integer

Recipient (To)

The email address the email was sent to.

Email address

Risk factors

Factors that increase risk or further indicate someone's intent.

String

Sender

The email address that sent the email.

Email address

Source host/IP

The host name or IP address of the machine from where the activity originated.

String

URL

An entire URL string including the host, fully qualified domain name (FQDN), and path. For example, www.exabeam.com/info?user=abc

URL

User type

The type of employee involved in the incident; for example, contractor, partner, or employee.

String

Web domain

The host the employee accessed; for example, gmail.google.com.

URL

Workforce protection knowledge base article

Link to an Exabeam Community article describing the Workforce Protection use case.

URL

Out-of-the-Box Incident Fields for External Threats Incident Types

Each incident type has a unique set of incident fields. Review the incident fields for each External Threats incident type.

There are five out-of-the-box incident types, one for each External Threats use case. Each incident type contains a specific set of incident fields out of the box:

You can edit certain incident fields and rearrange how they appear in the incident type's layout to better suit your needs.

Phishing Incident Fields

Review out-of-the-box incident fields specific to the Phishing incident type.

Incident field

Description

Data type

Attachment name

The file name of an email attachment.

String

CC

The email addresses CC'd in an email.

Email address

Email body

The content of an email.

Multi-line text

Message ID

An email's unique identifier.

String

Payload type

The method used to deliver the payload in a phishing attack; for example, attachment, hyperlink, client vulnerability, or business email compromise (BEC).

String

Phishing knowledge base article

Link to an Exabeam Community article describing the Phishing use case.

URL

Received date

The date the email was received.

URL

Recipient (To)

The email address the email was sent to.

Email address

Sender

The email address that sent the email.

Email address

Source country

The geographical location from where the sender sent the email.

String

Source host/IP

The host name or IP address of the machine from where the activity originated.

String

Subject

An email's subject line.

String

User agent

The browser's user agent.

String

Malware Incident Fields

Review out-of-the-box incident fields specific to the Malware incident type.

Incident field

Description

Data type

Alert ID

The alert's unique identifier.

String

Alert name

The name of the alert; for example, Oracle Database User Authentication Brute Force Attempt.

Alert severity

How critical the alert is, according to the vendor.

String

Alert type

The type of alert, which usually describes the threat the alert detected; for example, trojan, vulnerability, or unauthorized access.

String

Alert URL

The alert's URL.

URL

Attacker file

The file the malicious entity used to deliver the malware payload

String

Attacker IP

The malicious entity's IP identifier.

IP

Attacker URL

The malicious entity's URL identifier.

URL

Malware category

The malware type, which usually describes what the malware does on your computer; for example, ransomware, spyware, adware, trojan, or worm.

String

Malware knowledge base article

Link to an Exabeam Community article describing the Malware use case.

URL

Malware name

The name of the malware, typically in the Computer Antivirus Research Organization (CARO) malware naming scheme; for example, Ransom.Win32.Locky.A.dldl or Backdoor:Win32/Caphaw.D!Ink.

String

Method of intrusion

The method used to deliver the malware or ransomware; for example, malvertisement, phishing email, or USB.

String

PID

The process identifier of the executed process.

Integer

Process name

The name of the executed process; for example, powershell.exe

String

Process path

The file path of where the executed process is located.

Multi-line text

Victim host

The name of the machine targeted for the malware.

String

Ransomware Incident Fields

Review out-of-the-box incident fields specific to the Ransomware incident type.

Incident field

Description

Data type

Alert ID

The alert's unique identifier.

String

Alert name

The name of the alert; for example, Oracle Database User Authentication Brute Force Attempt.

Alert severity

How critical the alert is, according to the vendor.

String

Alert type

The type of alert, which usually describes the threat the alert detected; for example, trojan, vulnerability, or unauthorized access.

String

Alert URL

The alert's URL.

URL

Attacker file

The file the malicious entity used to deliver the malware payload

String

Attacker IP

The malicious entity's IP identifier.

IP

Attacker URL

The malicious entity's URL identifier.

URL

Malware category

The malware type, which usually describes what the malware does on your computer; for example, ransomware, spyware, adware, trojan, or worm.

String

Ransomware knowledge base article

Link to an Exabeam Community article describing the Ransomware use case.

URL

Malware name

The name of the malware, typically in the Computer Antivirus Research Organization (CARO) malware naming scheme; for example, Ransom.Win32.Locky.A.dldl or Backdoor:Win32/Caphaw.D!Ink.

String

Method of intrusion

The method used to deliver the malware or ransomware; for example, malvertisement, phishing email, or USB.

String

PID

The process identifier of the executed process.

Integer

Process name

The name of the executed process; for example, powershell.exe

String

Process path

The file path of where the executed process is located.

Multi-line text

Victim host

The name of the machine targeted for the malware.

String

Brute Force Attack Incident Fields

Review out-of-the-box incident fields specific to the Brute Force Attack incident type.

Incident field

Description

Data type

Brute force attack knowledge base article

Link to an Exabeam Community article describing the Brute Force Attack use case.

URL

Destination host/IP

The host name or IP address of the machine where the activity occurred.

String

Failure reason

A description of why the activity failed.

String

Logon type

The methods used to log on to a system; for example, through the system’s local console (interactive) or through a task scheduler (batch).

String

Outcome

The result of the activity; for example, failed, denied, approved, or successful.

String

PID

The process identifier of the executed process.

Integer

Process name

The name of the executed process; for example, powershell.exe

String

Process path

The file path of where the executed process is located.

Multi-line text

Source host/IP

The host name or IP address of the machine from where the activity originated.

String

Cryptomining Incident Fields

Review out-of-the-box incident fields specific to the Cryptomining incident type.

Incident field

Description

Data type

Cryptomining knowledge base article

Link to an Exabeam Community article describing the Cryptomining use case.

URL

Destination host/IP

The host name or IP address of the machine where the activity occurred.

String

Source port

The port used by the source IP or host.

Integer

Failure reason

A description of why the activity failed.

String

Firewall rule

The firewall rule that allowed or denied network traffic.

String

Outcome

The result of the activity; for example, failed, denied, approved, or successful.

String

PID

The process identifier of the executed process.

Integer

Process name

The name of the executed process; for example, powershell.exe

String

Process path

The file path of where the executed process is located.

Multi-line text

Source host/IP

The host name or IP address of the machine from where the activity originated.

String

User agent

The browser's user agent.

String

Create a Custom Incident Field

Create incident fields to standardize the information displayed in an incident type.

  1. In the sidebar, click SETTINGS (a grey gear icon), then select Analytics.

  2. Under Case Management, select Incident Configuration.

  3. Select the FIELDS tab.

  4. Click ADD FIELDS.

  5. Enter information about your field. The information required varies based on field type.

    • To list multiple values, select List predefined options.

    • If people can enter a value for the incident field in the incident, select Editable Field.

    • If people can enter or select multiple values from a list in the incident, select Can enter or select multiple values.

    • If the field must have a value for the incident to close, select Required Field. If a required field doesn't have a value, you can't change the incident's status to Closed.

  6. Click SAVE.

Edit a Custom Incident Field

When you edit an incident field, the changes only apply to new incidents. If an existing incident has this field, it doesn't change.

  1. In the sidebar, click SETTINGS (a grey gear icon), then select Analytics.

  2. Under Case Management, select Incident Configuration.

  3. Select the FIELDS tab.

  4. Hover over an incident field, click the More menu (three vertical grey dots on a white background), then select Edit.

  5. Edit the information about your field. The information required varies based on field type.

    • To list multiple values, select List predefined options.

    • If people can enter a value for the incident field in the incident, select Editable Field.

    • If people can enter or select multiple values from a list in the incident, select Can enter or select multiple values.

    • If the field must have a value for the incident to close, select Required Field. If a required field doesn't have a value, you can't change the incident's status to Closed.

  6. Click SAVE.

Delete a Custom Incident Field

When you delete an incident field, the field still appears in incidents that already have it but you can't add it to a new incident layout.

  1. In the sidebar, click SETTINGS (a grey gear icon), then select Analytics.

  2. Under Case Management, select Incident Configuration.

  3. Select the FIELDS tab.

  4. Hover over an incident field, click the More menu (three vertical grey dots on a white background), then select Delete.
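The field settings above (data type, List predefined options, Editable Field, Can enter or select multiple values, Required Field) describe a schema that ingested incident data can be checked against. The following Python is an added example written for this page, not Exabeam code: it models a layout as a list of field definitions using the data types from the out-of-the-box tables (String, Multi-line text, Integer, IP, URL, Email address) and validates a constructed record against a subset of the Cryptomining fields. The predefined Outcome option list, the Editable flags and all sample values are assumptions made for the example.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Any, Optional

# Loose shape checks for the data types used by the out-of-the-box fields.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
URL_RE = re.compile(r"^(?:[a-z][a-z0-9+.\-]*://)?[^\s/?#]+(?:[/?#]\S*)?$", re.I)


def check_type(data_type: str, value: Any) -> Optional[str]:
    """Return None when value fits data_type, otherwise a short reason."""
    if data_type in ("String", "Multi-line text"):
        if not isinstance(value, str):
            return f"expected text, got {type(value).__name__}"
        if data_type == "String" and "\n" in value:
            return "String fields hold a single line"
        return None
    if data_type == "Integer":
        # bool is a subclass of int in Python, so exclude it explicitly.
        return None if isinstance(value, int) and not isinstance(value, bool) else "expected an integer"
    if data_type == "IP":
        try:
            ipaddress.ip_address(str(value))
            return None
        except ValueError:
            return f"{value!r} is not an IP address"
    if data_type == "URL":
        return None if isinstance(value, str) and URL_RE.match(value) else f"{value!r} is not a URL"
    if data_type == "Email address":
        return None if isinstance(value, str) and EMAIL_RE.match(value) else f"{value!r} is not an email address"
    return f"unknown data type {data_type!r}"


@dataclass
class FieldDef:
    """One incident field as configured under Incident Configuration > FIELDS."""
    name: str
    data_type: str
    options: list = field(default_factory=list)  # "List predefined options"
    editable: bool = False                        # "Editable Field"
    multi: bool = False                           # "Can enter or select multiple values"
    required: bool = False                        # "Required Field"


def validate_value(fdef: FieldDef, value: Any) -> list:
    """Problems with one field's value; an empty list means it is acceptable."""
    values = value if isinstance(value, list) else [value]
    problems = []
    if len(values) > 1 and not fdef.multi:
        problems.append(f"{fdef.name}: multiple values not allowed")
    for v in values:
        reason = check_type(fdef.data_type, v)
        if reason:
            problems.append(f"{fdef.name}: {reason}")
        elif fdef.options and v not in fdef.options:
            problems.append(f"{fdef.name}: {v!r} is not one of the predefined options")
    return problems


def validate_incident(layout: list, record: dict) -> list:
    """Check every supplied value against the layout; keys outside the layout are reported too."""
    by_name = {f.name: f for f in layout}
    problems = []
    for name, value in record.items():
        if name not in by_name:
            problems.append(f"{name}: not in this incident type's layout")
            continue
        problems.extend(validate_value(by_name[name], value))
    return problems


# Subset of the Cryptomining fields listed above. The Outcome option list and
# the Editable flags are assumptions for this example.
CRYPTOMINING_LAYOUT = [
    FieldDef("Destination host/IP", "String"),
    FieldDef("Source port", "Integer"),
    FieldDef("Firewall rule", "String", editable=True),
    FieldDef("Outcome", "String", options=["failed", "denied", "approved", "successful"]),
    FieldDef("PID", "Integer"),
    FieldDef("Process name", "String"),
    FieldDef("User agent", "String", editable=True),
]

# Constructed ingested record: two of its values violate the layout.
CONSTRUCTED_RECORD = {
    "Destination host/IP": "ws-1042.corp.example",
    "Source port": 3333,
    "Firewall rule": "egress-deny-mining-pools",
    "Outcome": "blocked",   # not one of the predefined options
    "PID": "4412",          # text where an Integer is expected
    "Process name": "miner.exe",
}


def problems_for_sample() -> list:
    return validate_incident(CRYPTOMINING_LAYOUT, CONSTRUCTED_RECORD)


if __name__ == "__main__":
    for problem in problems_for_sample():
        print("field problem:", problem)
```

Running the block reports the Outcome and PID values. A check like this belongs at the ingestion boundary (the Incident Source or Incident Feeds step), because a value that does not fit its declared type silently breaks later filtering on that field.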

Manage Your Team

Organize your team and ensure they investigate incidents consistently. Create queues, phases, and tasks.

  • Case Manager Queues

    Effectively manage a shared workload and organize your team with queues.

  • Case Manager Phases

    Organize your investigations and ensure everyone responds consistently using phases.

  • Case Manager Tasks

    Assign specific responsibilities and ensure everyone responds consistently using tasks.

Case Manager Queues

Effectively manage a shared workload and organize your team with queues.

A queue is a designated group responsible for investigating an incident. Every incident is assigned a queue. If you're in a queue assigned to an incident, you're responsible for working on the incident. Track the incidents your queue is assigned to with the Incidents in My Queues watchlist. The incident remains assigned to your queue until someone closes the incident or assigns it to another queue.

By default, everyone is in the Unassigned Queue. Create new queues that better fit your needs. You might create queues based on SOC tiers (tier 1, tier 2, and tier 3) or a 24-7 service model. You can also edit or delete a queue you create.

Keep in mind that assigning an incident to a queue only indicates who is responsible for investigating the incident; it doesn't restrict access to the incident to that queue only. To restrict who can access an incident, edit the incident's Restrict To settings.

Create a Queue

To assign incidents to a group of people, create a queue.

  1. In the sidebar, click SETTINGS (a grey gear icon), then select Core.

  2. Under QUEUES, click Queues.

  3. Click Add a new queue (a dark blue plus sign).

  4. Enter a name for the queue.

  5. (Optional) Describe the queue.

  6. Add people to the queue:

    • To add specific people, click + next to the person's name. To quickly find and add a person, start typing in the search.

    • To add everyone in the system, click ADD ALL.

  7. Click CREATE QUEUE.

Edit a Queue

Change the name, description, or people in a queue you created.

  1. In the sidebar, click SETTINGS (a grey gear icon), then select Core.

  2. Under QUEUES, click Queues.

  3. Hover over a queue, then click Edit Queue (a dark blue pencil).

  4. Edit the name, description or people in the queue.

  5. Click SAVE QUEUE.

Delete a Queue

If you created a queue, you can delete it. Any people and incidents assigned to the queue are reassigned to the default Unassigned queue.

  1. In the sidebar, click SETTINGS (a grey gear icon), then select Core.

  2. Under QUEUES, click Queues.

  3. Hover over a queue, then select Delete Queue (a dark blue trash can).

  4. Click DELETE.

Case Manager Phases

Organize your investigations and ensure everyone responds consistently using phases.

A phase is a general stage of your investigation process; it contains the tasks an analyst must complete during that stage.

Phases and tasks ensure everyone across your organization responds to different security scenarios consistently. A manager builds a set of standard scenarios and creates processes for each one. When analysts investigate an incident, they follow this process, working on separate items in parallel so their efforts don't overlap.

Exabeam provides five phases out of the box:

  • Detection

  • Containment

  • Eradication & Mitigation

  • Recovery

  • Post-Incident Activity

Rename phases or create your own phase according to your needs. You can also delete and reorder phases.

Create a Phase

To standardize how you respond to incidents, break out your investigating process into phases and assign tasks to each one.

  1. In the sidebar, click SETTINGS (a grey gear icon), then select Analytics.

  2. Under Case Management, select Incident Configuration.

  3. Select the Tasks & Phases tab.

  4. Click ADD PHASE.

  5. Enter a unique phase name, then click SAVE.

  6. Click PUBLISH. The phase appears only in new incidents. It doesn't appear in existing incidents, open or closed.

Rename a Phase

Rename any phase to change how it appears in incidents.

  1. In the sidebar, click SETTINGS (a grey gear icon), then select Analytics.

  2. Under Case Management, select Incident Configuration.

  3. Select the TASKS & PHASES tab.

  4. Hover over a phase, then select edit (a dark blue pencil).

  5. Change the phase name.

  6. Click SAVE.

  7. Click PUBLISH. Your changes are reflected in new incidents. They don't apply to existing incidents, open or closed.

Reorder Phases

Reorder phases to change the order in which they appear in incidents.

  1. In the sidebar, click SETTINGS (a grey gear icon), then select Analytics.

  2. Under Case Management, select Incident Configuration.

  3. Select the Tasks & Phases tab.

  4. Hover over a phase, then select the up (a dark blue arrow pointing up) or down (a dark blue arrow pointing down) arrows to move the phase up or down.

  5. Click PUBLISH. Your changes are reflected in new incidents. They don't apply to existing incidents, open or closed.

Delete a Phase

Remove a phase from any new incidents you create.

  1. In the sidebar, click SETTINGS (a grey gear icon), then select Analytics.

  2. Under Case Management, select Incident Configuration.

  3. Select the Tasks & Phases tab.

  4. You can only delete a phase that does not have tasks assigned to it. If the phase you're deleting has any tasks assigned to it, reassign them to a new or existing phase.

  5. Hover over the phase, then select the trash (a dark blue trash can).

  6. Click DELETE.

  7. Click PUBLISH. The phase doesn't appear in new incidents. It still appears in existing incidents, open or closed.

Case Manager Tasks

Assign specific responsibilities and ensure everyone responds consistently using tasks.

A task is an action an analyst must complete during an investigation; for example, confirm the incident is contained, capture volatile data from systems as evidence, or determine the root cause. Tasks are organized into the phases of an investigation.

Phases and tasks ensure everyone across your organization responds to different security scenarios consistently. A manager builds a set of standard scenarios and creates processes for each one. When analysts investigate an incident, they follow this process, working on separate items in parallel so their efforts don't overlap.

Create a Task for a Phase or Incident Type

Create a task that always appears under a specific phase or incidents of a certain type.

You can create a task just for one specific incident. To automatically create a task depending on the conditions of an incident, set up a playbook.

  1. In the sidebar, click SETTINGS (a grey gear icon), then select Analytics.

  2. Under Case Management, select Incident Configuration.

  3. Select the Tasks & Phases tab.

  4. Click ADD A TASK.

  5. Enter information about the task:

    • Name – Enter a name for the task.

    • Instructions – Enter instructions, details, or other information about the task.

    • Phase – Select the phase that the task appears under.

    • (Optional) Incident type – Select the incident type that the task appears under.

    • Due date – If there is no due date, select None. If there is a due date, select how many days after the task is initiated.

    • (Optional) Required task – If the task must be completed, select this box. If the task is incomplete, you can't change the incident status to Closed.

  6. Click SAVE.

  7. Click PUBLISH.

Edit a Task for a Phase or Incident Type

Edit a task that appears under a phase or for all incidents of a certain type.

  1. In the sidebar, click SETTINGS (a grey gear icon), then select Analytics.

  2. Under Case Management, select Incident Configuration.

  3. Select the Tasks & Phases tab.

  4. Hover over a task, then select edit (a dark blue pencil).

  5. Change the task details:

    • Name – Enter a name for the task.

    • Instructions – Enter instructions, details, or other information about the task.

    • Phase – Select the phase that the task appears under.

    • (Optional) Incident type – Select the incident type that the task appears under.

    • Due date – If there is no due date, select None. If there is a due date, select how many days after the task is initiated.

    • (Optional) Required task – If the task must be completed, select this box. If the task is incomplete, you can't change the incident status to Closed.

  6. Click SAVE.

  7. Click PUBLISH. Your changes are reflected in new incidents. They don't apply to existing incidents, open or closed.

Reorder Tasks in a Phase

Reorder tasks to change the order they appear in a phase.

  1. In the sidebar, click SETTINGS (a grey gear icon), then select Analytics.

  2. Under Case Management, select Incident Configuration.

  3. Select the Tasks & Phases tab.

  4. Hover over a task, then select the up (a dark blue arrow pointing up) or down (a dark blue arrow pointing down) arrows to move the task up or down.

  5. Click PUBLISH. Your changes are reflected in new incidents. They don't apply to existing incidents, open or closed.

Delete a Task for a Phase or Incident Type

Delete a task that appears under a phase or for all incidents of a certain type.

  1. In the sidebar, click SETTINGS (a grey gear icon), then select Analytics.

  2. Under Case Management, select Incident Configuration.

  3. Select the Tasks & Phases tab.

  4. Hover over a task, then select the trash (a dark blue trash can). A warning appears.

  5. Click DELETE.

  6. Click PUBLISH. Your changes are reflected in new incidents. They don't apply to existing incidents, open or closed.
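Taken together, the phase and task settings above define a small state model: a task comes from a definition scoped to a phase and optionally to an incident type, its due date is a number of days after it is initiated, and an incomplete required task, like an empty required field, blocks changing the incident status to Closed. The following Python models that behaviour as an added example for this page; it is not Exabeam code. The task definitions and dates are constructed, and the assumption that a task is initiated when its incident is created is the example's own.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# The five out-of-the-box phases, in their published order.
PHASES = [
    "Detection",
    "Containment",
    "Eradication & Mitigation",
    "Recovery",
    "Post-Incident Activity",
]


@dataclass
class TaskDef:
    """A task as configured under Incident Configuration > Tasks & Phases."""
    name: str
    phase: str
    instructions: str = ""
    incident_type: Optional[str] = None   # None: appears in every incident type
    due_in_days: Optional[int] = None     # None: no due date
    required: bool = False


@dataclass
class Task:
    definition: TaskDef
    initiated: date
    completed: bool = False

    @property
    def due(self) -> Optional[date]:
        """Due date = initiation date + the configured number of days."""
        if self.definition.due_in_days is None:
            return None
        return self.initiated + timedelta(days=self.definition.due_in_days)


@dataclass
class Incident:
    incident_type: str
    created: date
    status: str = "New"
    fields: dict = field(default_factory=dict)
    required_fields: list = field(default_factory=list)
    tasks: list = field(default_factory=list)


def instantiate_tasks(task_defs: list, incident: Incident) -> list:
    """Attach the applicable definitions, ordered by phase and then by definition order."""
    applicable = [t for t in task_defs if t.incident_type in (None, incident.incident_type)]
    applicable.sort(key=lambda t: PHASES.index(t.phase))  # sort() is stable
    # Assumption: a task is initiated when the incident is created.
    incident.tasks = [Task(t, incident.created) for t in applicable]
    return incident.tasks


def blockers_to_close(incident: Incident) -> list:
    """Reasons the status cannot change to Closed; an empty list means it can."""
    reasons = []
    for name in incident.required_fields:
        if not incident.fields.get(name):
            reasons.append(f"required field '{name}' has no value")
    for task in incident.tasks:
        if task.definition.required and not task.completed:
            reasons.append(f"required task '{task.definition.name}' is incomplete")
    return reasons


def close_incident(incident: Incident) -> bool:
    if blockers_to_close(incident):
        return False
    incident.status = "Closed"
    return True


def overdue_tasks(incident: Incident, today: date) -> list:
    return [t for t in incident.tasks if t.due is not None and not t.completed and t.due < today]


def complete_all_tasks(incident: Incident) -> None:
    for task in incident.tasks:
        task.completed = True


# Constructed definitions based on the task examples given above.
TASK_DEFS = [
    TaskDef("Capture volatile data from systems as evidence", "Detection"),
    TaskDef("Confirm incident is contained", "Containment", due_in_days=1, required=True),
    TaskDef("Determine root cause", "Eradication & Mitigation", required=True),
    TaskDef("Review message headers", "Detection", incident_type="Phishing"),
]


def build_sample_incident() -> Incident:
    """A constructed Malware incident whose only filled field is Alert ID."""
    incident = Incident("Malware", date(2024, 3, 1), required_fields=["Malware name"],
                        fields={"Alert ID": "A-0001"})
    instantiate_tasks(TASK_DEFS, incident)
    return incident


if __name__ == "__main__":
    inc = build_sample_incident()
    print(blockers_to_close(inc))
    print([t.definition.name for t in overdue_tasks(inc, date(2024, 3, 5))])
```

The Phishing-only task is not attached to the Malware incident, the Containment task is due the day after creation, and the incident cannot be closed until the required field is filled and both required tasks are completed.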

Customize the Layout of an Incident Type

For an incident type, organize the incident fields based on what's relevant to the type. For example, for a phishing incident type, design a layout that includes incident fields like subject, sender, and email body.

  1. In the sidebar, click SETTINGS (a grey gear icon), then select Analytics.

  2. Under Case Management, select Incident Configuration.

  3. To create an incident type or edit an existing type, hover over the incident type, select the More menu (three vertical blue dots on a grey background), then select Edit.

  4. Design the layout:

    • To add a field to the layout, select a field, then click and drag the field from the left-side column to the editor on the right.

      To find a field, select the search (a dark blue magnifying glass), then enter a search term, or select Sort by: to sort them.

      To create a custom field, click + ADD FIELD.

    • To rearrange fields in the editor, click and drag the fields to where they should be positioned.

    • To remove a field from the layout, hover over the field, then click REMOVE.

  5. Click SAVE.

Case Manager Email Notifications

Keep your team updated with information and reminders about what's happening in Case Manager incidents.

Configure Case Manager to automatically send emails notifying you about important Case Manager activity, including:

  • Incident created

  • Incident assigned

  • Incident deleted

  • Incident updated

  • Incident priority changed

  • Incident status changed

  • Task assigned

  • Case note comment created

  • Email comment created

  • Received reply for an email comment

Before you configure Case Manager email notifications, you must configure Advanced Analytics email notifications. The Case Manager email notifications use the same SMTP IP or hostname, and port, as Advanced Analytics email notifications.

First, create an email template to customize the subject line and email body. Then, configure the notification and indicate the email template to use, the event type and other conditions you want to be notified about, and the recipients of the notification.
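The template step has a security dimension: incident field values such as a phishing email's subject or sender are attacker-controlled and are interpolated into an HTML email body. Under the Mustache convention, `{{name}}` HTML-escapes the value while `{{{name}}}` inserts it raw. The following Python is an added example for this page, not Exabeam or Scalate code: a deliberately small Mustache-subset renderer (variables only; sections, partials and `{{& name}}` are omitted) applied to a constructed Case Manager notification. `currentUser`, `incidentUrl` and `incidentId` are the variables shown in the template example on this page; `subject` is an assumed variable name and its value is constructed.

```python
import html
import re

# {{{name}}} (raw) must be tried before {{name}} (escaped); otherwise the
# escaped pattern would match the first two braces of a triple mustache.
TAG_RE = re.compile(r"\{\{\{\s*([\w.]+)\s*\}\}\}|\{\{\s*([\w.]+)\s*\}\}")


def render(template: str, context: dict) -> str:
    """Render a Mustache subset: {{name}} escapes HTML, {{{name}}} does not.
    A missing variable renders as an empty string, as in Mustache."""
    def substitute(match):
        raw_name, escaped_name = match.group(1), match.group(2)
        if raw_name is not None:
            return str(context.get(raw_name, ""))
        return html.escape(str(context.get(escaped_name, "")), quote=True)
    return TAG_RE.sub(substitute, template)


# Constructed Case Manager Notification template (subject and body), modelled
# on the HTML example further down this page. This renderer escapes for HTML,
# so the subject line only interpolates system-generated values.
SUBJECT_TEMPLATE = "[Case Manager] {{incidentId}} updated by {{currentUser}}"
BODY_TEMPLATE = """<!DOCTYPE html>
<html lang="en"><body>
<p><b>{{currentUser}}</b> edited <a href="{{incidentUrl}}">{{incidentId}}</a>.</p>
<p>Subject: {{subject}}</p>
</body></html>"""

# Constructed context: the phishing subject carries markup, as real mail does.
SAMPLE_CONTEXT = {
    "currentUser": "analyst.jane",
    "incidentId": "INC-12345",
    "incidentUrl": "https://casemanager.example/incident/INC-12345",
    "subject": "Re: <b>Invoice</b> & payment",
}


def build_notification(context: dict) -> dict:
    return {
        "subject": render(SUBJECT_TEMPLATE, context),
        "body": render(BODY_TEMPLATE, context),
    }


if __name__ == "__main__":
    message = build_notification(SAMPLE_CONTEXT)
    print(message["subject"])
    print(message["body"])
```

In the rendered body the subject appears as `Re: &lt;b&gt;Invoice&lt;/b&gt; &amp; payment`, so mail clients display the markup instead of interpreting it. Escaping does not validate a link target, so build `href` attributes only from values the system generates (such as `incidentUrl`), never from an ingested field, and confirm the escaping behaviour of the Scalate version you run before relying on it.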

Create a Template for Case Manager Email Notifications

Customize email notifications about Case Manager activity using templates.

  1. In the sidebar, click SETTINGS (a grey gear icon), then select Analytics.

  2. Under Case Management, select Email Notifications, then select the EMAIL TEMPLATES tab.

  3. Click Add Email Template (a dark blue plus sign).

  4. Configure the template settings:

    • Template Type – Select Case Manager Notification.

    • Template Name – Name the email template. You use this name to identify the template when you configure email notifications.

    • Subject – Enter the subject line for the email notification.

    • In the text box, create the email body using Scalate's Mustache HTML template language.

      Under Variable Fields, view all the template variables you can use in the email body. For the Case Manager Notification template type, you can only use the variables under Case Manager Incident Fields.

      You can create a more elaborate email with CSS formatting; for example:

      <!DOCTYPE html>
      <html lang="en">
          <head>
              <title>Exabeam Case Manager</title>
                  <style type=\"text/css\">
                      body {
                          background:#F4F6F8;
                          font: 15px arial, sans-serif;
                      }
                      #sides{
                          display: flex;
                      }
                      #sides_left{
                          flex-grow: 1;
                          padding-left: 10px;
                      }
                      #header {
                          -webkit-box-shadow: 2px 2px 2px 0px rgba(71,79,88,1);
                          -moz-box-shadow: 2px 2px 2px 0px rgba(71,79,88,1);
                          box-shadow: 2px 2px 2px 0px rgba(71,79,88,1);
                          background:#6ABA4F;
                          color: #FFFFFF;
                          font: 20px arial, sans-serif;
                          width: 800px;
                          padding: 10px;
                          margin-top: 30px;
                          margin-left: auto ;
                          margin-right: auto ;
                      }
                      #block {
                          -webkit-box-shadow: 2px 2px 2px 0px rgba(71,79,88,1);
                          -moz-box-shadow: 2px 2px 2px 0px rgba(71,79,88,1);
                          box-shadow: 2px 2px 2px 0px rgba(71,79,88,1);
                          background:#FFFFFF;
                          color: #000000;
                          font: 16px arial, sans-serif;
                          width: 820px;
                          margin-top: 15px;
                          margin-left: auto ;
                          margin-right: auto ;
                      }
                      #block_header {
                          width: 800px;
                          padding: 10px;
                          background: #E9ECF0;
                          color: #2B2C34;
                          margin-left: auto ;
                          margin-right: auto ;
                      }
                      #block_body {
                          width: 800px;
                          background: #FFFFFF;
                          color: #2B2C34;
                          padding: 0; /* "auto" is not a valid padding value; top and bottom are set below */
                          padding-top: 20px;
                          padding-bottom: 20px;
                          margin-left: auto ;
                          margin-right: auto ;
                      }
                  </style>
          </head>
          <body>
              <div id="header">Exabeam Case Manager</div>
              <div id="block">
              <div id=\"sides\">
              <div id=\"sides_left\">
              <div id=\"block_body\">
              <h2>Email boilerplate</h2>
                  <p><b>{{currentUser}}</b> edited <a href="{{incidentUrl}}">{{incidentId}}</a>.</p>
              </div>
              </div>
              </div>
              </div>
          </body>
      </html>

      You can also create something simpler; for example:

      <html>
          <head>
          </head>
          <body>
              <b>{{currentUser}}</b> edited <a href="{{incidentUrl}}">{{incidentId}}</a>.
          </body>
      </html>
  5. Click SAVE. Now, you can select this template when you configure Case Manager email notifications.
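Before pasting a template into Exabeam, it is worth previewing it against a sample incident and checking that it only references allowed fields and never uses the unescaped triple-brace form on incident data. The script below is an added example, not Exabeam or Scalate code: it implements only the two Mustache tag forms the templates above use ({{name}} escaped, {{{name}}} raw), the allowed-field set is an assumption built from the three variables shown on this page (the authoritative list is under Variable Fields in the product UI), and the incident values are constructed sample data.

```python
"""Preview and lint a Case Manager Mustache e-mail template locally.

Added example; not Exabeam or Scalate code. Supports only {{name}}
(HTML-escaped) and {{{name}}} (raw), which is all the page's templates use.
"""
import html
import re

# Assumption: the fields the page's templates reference. The real list is
# under Variable Fields > Case Manager Incident Fields in the Exabeam UI.
ALLOWED_FIELDS = {"currentUser", "incidentUrl", "incidentId"}

# Constructed sample incident. The ID carries markup, as a field populated
# from an ingested source (an e-mail subject, say) could.
SAMPLE_INCIDENT = {
    "currentUser": "analyst1",
    "incidentUrl": "https://exabeam.example.com/incident/INC-42",
    "incidentId": 'INC-42 <script>alert("x")</script>',
}

# The simple template from the page, unchanged.
SAFE_TEMPLATE = (
    '<b>{{currentUser}}</b> edited '
    '<a href="{{incidentUrl}}">{{incidentId}}</a>.'
)

# Matches {{name}} or {{{name}}}; group 1 is "{" for the raw form.
TAG_RE = re.compile(r"\{\{(\{?)\s*([A-Za-z_][A-Za-z0-9_.]*)\s*\}?\}\}")


def find_tags(template):
    """Return (field_name, is_raw) pairs in document order."""
    return [(m.group(2), m.group(1) == "{") for m in TAG_RE.finditer(template)]


def lint(template, allowed=ALLOWED_FIELDS):
    """Warn about fields outside the allowed set and about raw (unescaped) tags."""
    warnings = []
    for name, is_raw in find_tags(template):
        if name not in allowed:
            warnings.append("unknown field {{" + name + "}}: not a Case Manager Incident Field")
        if is_raw:
            warnings.append("{{{" + name + "}}} inserts the value unescaped; use {{" + name + "}}")
    return warnings


def render(template, incident):
    """Substitute tags: escaped for {{x}}, raw for {{{x}}}, empty if the field is missing."""
    def substitute(match):
        value = str(incident.get(match.group(2), ""))
        if match.group(1) == "{":
            return value
        return html.escape(value, quote=True)
    return TAG_RE.sub(substitute, template)


if __name__ == "__main__":
    for warning in lint(SAFE_TEMPLATE):
        print("warning:", warning)
    print(render(SAFE_TEMPLATE, SAMPLE_INCIDENT))
```

Run the script against the full HTML template as well; the CSS is left untouched because the regex only matches double or triple braces around an identifier. A template that produces warnings, or whose preview shows the sample `<script>` text unescaped, should be corrected before it is saved.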

Create a Case Manager Email Notification

Configure Case Manager to automatically send emails notifying you about important Case Manager activity, like when someone creates, changes, or comments on an incident, or assigns a task.

  1. Ensure that you have configured Advanced Analytics email notifications (see Configure Advanced Analytics System Activity Notifications). You must configure Advanced Analytics email notifications before configuring Case Manager email notifications.

  2. In the sidebar, click SETTINGS (the grey gear icon), then select Analytics.

  3. Under Case Management, select Email Notifications, then select the CASE MANAGER NOTIFICATIONS tab.

  4. Click Add Case Manager Notification (the dark blue plus sign).

  5. Configure the email notification settings. These settings use the same SMTP IP/Hostname and Port as your Advanced Analytics email notifications.

    • Notification name – Name the notification. This name is only used to identify the notification in Case Manager settings.

    • Email template – Select an email template you created.

    • Event type – Select the event you want to be notified about:

      • Incident created

      • Incident assigned

      • Incident deleted

      • Incident updated

      • Incident priority changed

      • Incident status changed

      • Task assigned

      • Case note comment created

      • Email comment created

      • Received reply for an email comment

    • (Optional) Condition – Enter a condition that must be true for Case Manager to send the email notification. The condition can reference incident fields, either default or custom.

    • Recipients – Enter an email address or select an Exabeam user from the list.

  6. Click SAVE.