Incident Fields
Display information about security incidents using incident fields.
An incident field represents an attribute of a security incident, like its description or the time it was created.
Incident fields are specific to an incident type. For example, the Phishing incident type includes fields like subject, email body, and attachment name. There are also default incident fields that appear in every incident, like description, vendor, or source, under the Generic incident type.
You can create a custom incident field for a specific incident type. After you create a custom incident field, arrange how it appears in the incident type's layout.
Generic Incident Fields
Review out-of-the-box incident fields specific to the Generic incident type.
You cannot remove the out-of-the-box fields from the Generic incident type. You can add custom incident fields to the Generic incident type to ensure they appear in every incident.
Incident type – The category the incident belongs under, usually representing a common security scenario. Incident types standardize incident fields, phases, and tasks.
Description – A short account of the incident; for example, what occurred and who was involved.
Vendor – The vendor that generated the log; for example, Exabeam.
Source – The product that generated the log; for example, Exabeam AA.
Source severity – The severity of the third-party security alert that created the Case Manager incident.
Source ID – The Advanced Analytics session ID, if the incident was created from a notable Advanced Analytics session.
Source URL – A link to the notable session in Advanced Analytics, if the incident was created from a notable Advanced Analytics session.
Event start time – When the notable session first started, if the incident was created from a notable Advanced Analytics session.
Event end time – When the notable session ended, if the incident was created from a notable Advanced Analytics session.
Source info – The raw log of the third-party security alert that created the Case Manager incident.
Created by – The person who created the incident in Case Manager.
Creation time – When the incident was created in Case Manager.
Updated by – The person who updated the incident in Case Manager.
Updated – When the incident was last updated in Case Manager.
Resolved time – When the incident's status was changed to Resolved.
Closed time – When the incident's status was changed to Closed or Closed - False Positive.
Closed reason – Why the incident's status was changed to Closed or Closed - False Positive. To close the incident, you must enter a value for this field.
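The lifecycle rules the Generic fields carry (Resolved time is stamped when the status becomes Resolved, Closed time when it becomes Closed or Closed - False Positive, and a close is refused without a Closed reason) are easy to get wrong in a playbook that updates incidents programmatically. The following is an added Python example, not code from this page or from Exabeam: it models the Generic fields as a dataclass, enforces those rules in one status-change method, and fills the Advanced Analytics-derived fields (Source ID, Source URL, Event start/end time, Source info) from a constructed notable session. The class and function names, the starting status "New", and every value in SAMPLE_SESSION are assumptions made for the example.

```python
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Statuses that end the incident lifecycle; the page makes Closed reason
# mandatory for both of them.
CLOSED_STATUSES = {"Closed", "Closed - False Positive"}


class IncidentStatusError(ValueError):
    """Raised when a status change would violate the Generic field rules."""


@dataclass
class GenericIncident:
    """The Generic incident fields listed above. 'status' and its initial
    value "New" are assumptions; the page does not name the starting status."""
    incident_type: str
    description: str
    vendor: str
    source: str
    created_by: str
    status: str = "New"
    source_severity: Optional[str] = None
    source_id: Optional[str] = None
    source_url: Optional[str] = None
    event_start_time: Optional[datetime] = None
    event_end_time: Optional[datetime] = None
    source_info: Optional[str] = None
    creation_time: datetime = field(default_factory=lambda: datetime.now(timezone.utc))
    updated_by: Optional[str] = None
    updated: Optional[datetime] = None
    resolved_time: Optional[datetime] = None
    closed_time: Optional[datetime] = None
    closed_reason: Optional[str] = None

    def set_status(self, new_status: str, actor: str,
                   reason: Optional[str] = None,
                   now: Optional[datetime] = None) -> "GenericIncident":
        """Change the status and stamp the audit fields the page ties to it."""
        now = now or datetime.now(timezone.utc)
        if new_status in CLOSED_STATUSES:
            reason = (reason or self.closed_reason or "").strip()
            if not reason:
                # Refuse before touching any field, so a rejected close
                # leaves the incident exactly as it was.
                raise IncidentStatusError(
                    f"cannot set status {new_status!r} without a Closed reason")
            self.closed_reason = reason
            self.closed_time = now
        elif new_status == "Resolved":
            self.resolved_time = now
        self.status = new_status
        self.updated_by = actor
        self.updated = now
        return self


def incident_from_notable_session(session: dict, created_by: str) -> GenericIncident:
    """Map a notable Advanced Analytics session onto the Generic fields.
    Source severity stays empty: the page reserves it for third-party alerts."""
    return GenericIncident(
        incident_type="Behavior Analytics",
        description=(f"Notable session for {session['user']} "
                     f"with risk score {session['risk_score']}"),
        vendor="Exabeam",
        source="Exabeam AA",
        created_by=created_by,
        source_id=session["session_id"],
        source_url=session["session_url"],
        event_start_time=session["start"],
        event_end_time=session["end"],
        source_info=json.dumps(session, default=str, sort_keys=True),
    )


# Constructed sample session; the user, IDs and URL are made up for the example.
SAMPLE_SESSION = {
    "user": "jdoe",
    "risk_score": 142,
    "session_id": "jdoe-20240115090000",
    "session_url": "https://aa.example.internal/session/jdoe-20240115090000",
    "start": datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc),
    "end": datetime(2024, 1, 15, 11, 30, tzinfo=timezone.utc),
}

if __name__ == "__main__":
    inc = incident_from_notable_session(SAMPLE_SESSION, created_by="analyst1")
    inc.set_status("Resolved", actor="analyst1")
    try:
        inc.set_status("Closed", actor="analyst1")   # no reason: rejected
    except IncidentStatusError as exc:
        print("rejected:", exc)
    inc.set_status("Closed - False Positive", actor="analyst2",
                   reason="Scheduled backup job run under the user's account")
    print(inc.status, inc.closed_time, inc.closed_reason)
```

The point of raising before any assignment is that a rejected close must not leave a half-updated record (a Closed time with no Closed reason is exactly the inconsistency the mandatory field exists to prevent); Updated and Updated by change only when a transition actually succeeds.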
Behavior Analytics Incident Fields
Review out-of-the-box incident fields specific to the Behavior Analytics incident type.
Incident field | Description | Data type |
---|---|---|
Alert count | The number of security alerts triggered during the notable session. | Integer |
Asset count | The number of assets affected in the notable session. | Integer |
Asset ID | The notable asset's ID. | String |
Event count | The number of events in the notable session. | Integer |
Exabeam risk score | The risk score for the notable session. | Integer |
Location count | The number of geographical locations involved in the notable session. | Integer |
Risk reasons | All rules that triggered during the notable session. | Multi-line text |
Rule count | The number of rules that triggered during the notable session. | Integer |
Sequence ID | The notable session or sequence's ID. | String |
Sequence type | Whether a notable user session or asset sequence created the incident. If a notable user session created the incident, the value is Session. If a notable asset sequence created the incident, the value is Asset. | String |
Timeline page | Link to the notable session or sequence in the Smart Timeline™. | URL |
User ID | The notable user's username. | String |
User page | Link to the notable user's profile. | URL |
Zones count | The number of zones involved in the notable session. | Integer |
Out-of-the-Box Incident Fields for Compromised Insiders Incident Types
Each incident type has a unique set of incident fields. Review the incident fields for each Compromised Insiders incident type.
There are seven out-of-the-box incident types, one for each Compromised Insiders use case. Each incident type contains a specific set of incident fields out of the box.
You can edit certain incident fields and rearrange how they appear in the incident type's layout to better suit your needs.
Compromised Credentials Incident Fields
Review out-of-the-box incident fields specific to the Compromised Credentials incident type.
Incident field | Description | Data type |
---|---|---|
User status | The employee's current employment status; for example, employed, newly hired, on notice, suspended, or terminated. | String |
Access level | The level of access granted to the account; for example, non-privileged, executive, or administrative. | String |
Account type | The type of account targeted in the incident, according to role or where it's stored; for example, domain, local, service, or system. | String |
Asset count | The number of assets affected in the notable session. | Integer |
Asset type | The type of asset accessed in the incident; for example, workstation, domain controller, or critical system. | String |
Compliance governed | The compliance frameworks governing the data that was accessed, exfiltrated or destroyed; for example, PCI, SOX2, HIPAA, or ISO. | String |
Compromised credentials knowledge base article | Link to an Exabeam Community article describing the Compromised Credentials use case. | URL |
Data accessed | The type of data that was accessed; for example, files or database records. | Multi-line text |
Data classification level | How sensitive the accessed data is; for example, public, internal, confidential, or restricted (personally identifiable information or intellectual property). | String |
Data type identification | The type of data that was accessed, exfiltrated, manipulated, or destroyed; for example, file, email, database, records, or application data. | String |
Destination host/IP | The host name or IP address of the machine where the activity occurred. | String |
Outcome | The result of the activity; for example, failed, denied, approved, or successful. | String |
Source host/IP | The host name or IP address of the machine from where the activity originated. | String |
User type | The type of employee involved in the incident; for example, contractor, partner, or employee. | String |
Lateral Movement Incident Fields
Review out-of-the-box incident fields specific to the Lateral Movement incident type.
Incident field | Description | Data type |
---|---|---|
Asset count | The number of assets affected in the notable session. | Integer |
Asset type | The type of asset accessed in the incident; for example, workstation, domain controller, or critical system. | String |
Destination host/IP | The host name or IP address of the machine where the activity occurred. | String |
Destination port | The port accessed at the destination host or IP. | Integer |
Firewall rule | The firewall rule that allowed or denied the network traffic. | String |
Lateral movement knowledge base article | Link to an Exabeam Community article describing the Lateral Movement use case. | URL |
Outcome | The result of the activity; for example, failed, denied, approved, or successful. | String |
Source country | The country or geolocation where the source is located. | String |
Source host/IP | The host name or IP address of the machine from where the activity originated. | String |
Privilege Escalation Incident Fields
Review out-of-the-box incident fields specific to the Privilege Escalation incident type.
Incident field | Description | Data type |
---|---|---|
User | The names of the people involved in the incident. | String |
Target account | The name of the account targeted in the incident. | String |
Account type | The type of account targeted in the incident, according to role or where it's stored; for example, domain, local, service, or system. | String |
Access level | The level of access granted to the account; for example, non-privileged, executive, or administrative. | String |
Asset count | The number of assets affected in the notable session. | Integer |
Asset type | The type of asset accessed in the incident; for example, workstation, domain controller, or critical system. | String |
Source host/IP | The host name or IP address of the machine from where the activity originated. | String |
Destination host/IP | The host name or IP address of the machine where the activity occurred. | String |
Process name | The name of the executed process. | String |
PID | The process identifier of the executed process. | Integer |
Process path | The file path of where the executed process is located. | Multi-line text |
Privilege escalation knowledge base article | Link to an Exabeam Community article describing the Privilege Escalation use case. | URL |
Privileged Activity Incident Fields
Review out-of-the-box incident fields specific to the Privileged Activity incident type.
Incident field | Description | Data type |
---|---|---|
User status | The employee's current employment status; for example, employed, newly hired, on notice, suspended, or terminated. | String |
Access level | The level of access granted to the account; for example, non-privileged, executive, or administrative. | String |
Activity type | What was done in an application or on an object; for example, create, delete, download, upload, backup, or change object. | String |
Compliance governed | The compliance frameworks governing the data that was accessed, exfiltrated or destroyed; for example, PCI, SOX2, HIPAA, or ISO. | String |
Data accessed | The type of data that was accessed; for example, files or database records. | Multi-line text |
Data classification level | How sensitive the accessed data is; for example, public, internal, confidential, or restricted (personally identifiable information or intellectual property). | String |
Data type identification | The type of data that was accessed, exfiltrated, manipulated, or destroyed; for example, file, email, database, records, or application data. | String |
Destination host/IP | The host name or IP address of the machine where the activity occurred. | String |
Failure reason | A description of why the activity failed. | String |
Outcome | The result of the activity; for example, failed, denied, approved, or successful. | String |
Privileged activity knowledge base article | Link to an Exabeam Community article describing the Privileged Activity use case. | URL |
Source host/IP | The host name or IP address of the machine from where the activity originated. | String |
User type | The type of employee involved in the incident; for example, contractor, partner, or employee. | String |
Account type | The type of account targeted in the incident, according to role or where it's stored; for example, domain, local, service, or system. | String |
Account Manipulation Incident Fields
Review out-of-the-box incident fields specific to the Account Manipulation incident type.
Incident field | Description | Data type |
---|---|---|
Account manipulation action | How the target user account was manipulated; for example, user created, password changed, or permissions removed. | String |
Access level | The level of access granted to the account; for example, non-privileged, executive, or administrative. | String |
User | The names of the people involved in the incident. | String |
Target account | The name of the account targeted in the incident. | String |
Account type | The type of account targeted in the incident, according to role or where it's stored; for example, domain, local, service, or system. | String |
Group name | The name of the group on which an account operated. | String |
Group domain | The domain of the group on which an account operated. | String |
Asset count | The number of assets affected in the notable session. | Integer |
Asset type | The type of asset accessed in the incident; for example, workstation, domain controller, or critical system. | String |
Account manipulation knowledge base article | Link to an Exabeam Community article describing the Account Manipulation use case. | URL |
Data Exfiltration Incident Fields
Review out-of-the-box incident fields specific to the Data Exfiltration incident type.
Incident field | Description | Data type |
---|---|---|
Account type | The type of account targeted in the incident, according to role or where it's stored; for example, domain, local, service, or system. | String |
User status | The employee's current employment status; for example, employed, newly hired, on notice, suspended, or terminated. | String |
Access level | The level of access granted to the account; for example, non-privileged, executive, or administrative. | String |
Asset count | The number of assets affected in the notable session. | Integer |
Compliance governed | The compliance frameworks governing the data that was accessed, exfiltrated or destroyed; for example, PCI, SOX2, HIPAA, or ISO. | String |
Data accessed | The type of data that was accessed; for example, files or database records. | Multi-line text |
Data classification level | How sensitive the accessed data is; for example, public, internal, confidential, or restricted (personally identifiable information or intellectual property). | String |
Data exfiltration knowledge base article | Link to an Exabeam Community article describing the Data Exfiltration use case. | URL |
Data type identification | The type of data that was accessed, exfiltrated, manipulated, or destroyed; for example, file, email, database, records, or application data. | String |
Destination host/IP | The host name or IP address of the machine where the activity occurred. | String |
DLP policy | The violated Data Loss Prevention (DLP) policy. | String |
Exfiltration amount | The volume of exfiltrated data. | Integer |
Exfiltration channel | The channel used to exfiltrate data; for example, email, web upload, removable device (like a USB or CD), printer, or domain name system (DNS). | String |
Source host/IP | The host name or IP address of the machine from where the activity originated. | String |
User type | The type of employee involved in the incident; for example, contractor, partner, or employee. | String |
Evasion Incident Fields
Review out-of-the-box incident fields specific to the Evasion incident type.
Incident field | Description | Data type |
---|---|---|
Activity type | What was done in an application or on an object; for example, create, delete, download, upload, backup, or change object. | String |
Audit category | The Windows audit policy category of the changed audit policy; for example, audit account logon events, audit logon events, audit account management, audit directory service access, or audit object access. | String |
Audit policy | The name of the changed audit policy. | String |
Audit subcategory | The Windows audit policy subcategory of the changed audit policy; for example, logon, process creation, user account management, or directory service access. | String |
Compliance governed | The compliance frameworks governing the data that was accessed, exfiltrated or destroyed; for example, PCI, SOX2, HIPAA, or ISO. | String |
Data accessed | The type of data that was accessed; for example, files or database records. | Multi-line text |
Data classification level | How sensitive the accessed data is; for example, public, internal, confidential, or restricted (personally identifiable information or intellectual property). | String |
Data type identification | The type of data that was accessed, exfiltrated, manipulated, or destroyed; for example, file, email, database, records, or application data. | String |
Destination host/IP | The host name or IP address of the machine where the activity occurred. | String |
Evasion knowledge base article | Link to an Exabeam Community article describing the Evasion use case. | URL |
PID | The process identifier of the executed process. | Integer |
Process name | The name of the executed process. | String |
Process path | The file path of where the executed process is located. | Multi-line text |
Source host/IP | The host name or IP address of the machine from where the activity originated. | String |
Out-of-the-Box Incident Fields for Malicious Insiders Incident Types
Each incident type has a unique set of incident fields. Review the incident fields for each Malicious Insiders incident type.
There are eight out-of-the-box incident types, one for each Malicious Insiders use case. Most Malicious Insiders incident types contain a specific set of incident fields out of the box.
The Abnormal Authentication and Access incident type does not include specific incident fields out of the box.
You can edit certain incident fields and rearrange how they appear in the incident type's layout to better suit your needs.
Data Leak Incident Fields
Review out-of-the-box incident fields specific to the Data Leak incident type.
Incident field | Description | Data type |
---|---|---|
User status | The employee's current employment status; for example, employed, newly hired, on notice, suspended, or terminated. | String |
Access level | The level of access granted to the account; for example, non-privileged, executive, or administrative. | String |
Account type | The type of account targeted in the incident, according to role or where it's stored; for example, domain, local, service, or system. | String |
Compliance governed | The compliance frameworks governing the data that was accessed, exfiltrated or destroyed; for example, PCI, SOX2, HIPAA, or ISO. | String |
Data accessed | The type of data that was accessed; for example, files or database records. | Multi-line text |
Data classification level | How sensitive the accessed data is; for example, public, internal, confidential, or restricted (personally identifiable information or intellectual property). | String |
Data leak knowledge base article | Link to an Exabeam Community article describing the Data Leak use case. | URL |
Data type identification | The type of data that was accessed, exfiltrated, manipulated, or destroyed; for example, file, email, database, records, or application data. | String |
Destination host/IP | The host name or IP address of the machine where the activity occurred. | String |
DLP policy | The violated Data Loss Prevention (DLP) policy. | String |
Exfiltration amount | The volume of exfiltrated data. | Integer |
Exfiltration channel | The channel used to exfiltrate data; for example, email, web upload, removable device (like a USB or CD), printer, or domain name system (DNS). | String |
Source host/IP | The host name or IP address of the machine from where the activity originated. | String |
User type | The type of employee involved in the incident; for example, contractor, partner, or employee. | String |
Privilege Abuse Incident Fields
Review out-of-the-box incident fields specific to the Privilege Abuse incident type.
Incident field | Description | Data type |
---|---|---|
User status | The employee's current employment status; for example, employed, newly hired, on notice, suspended, or terminated. | String |
Account type | The type of account targeted in the incident, according to role or where it's stored; for example, domain, local, service, or system. | String |
Access level | The level of access granted to the account; for example, non-privileged, executive, or administrative. | String |
Activity type | What was done in an application or on an object; for example, create, delete, download, upload, backup, or change object. | String |
Compliance governed | The compliance frameworks governing the data that was accessed, exfiltrated or destroyed; for example, PCI, SOX2, HIPAA, or ISO. | String |
Data accessed | The type of data that was accessed; for example, files or database records. | Multi-line text |
Data classification level | How sensitive the accessed data is; for example, public, internal, confidential, or restricted (personally identifiable information or intellectual property). | String |
Data type identification | The type of data that was accessed, exfiltrated, manipulated, or destroyed; for example, file, email, database, records, or application data. | String |
Destination host/IP | The host name or IP address of the machine where the activity occurred. | String |
Outcome | The result of the activity; for example, failed, denied, approved, or successful. | String |
Privilege abuse knowledge base article | Link to an Exabeam Community article describing the Privilege Abuse use case. | URL |
Source host/IP | The host name or IP address of the machine from where the activity originated. | String |
User type | The type of employee involved in the incident; for example, contractor, partner, or employee. | String |
Data Access Abuse Incident Fields
Review out-of-the-box incident fields specific to the Data Access Abuse incident type.
Incident field | Description | Data type |
---|---|---|
User status | The employee's current employment status; for example, employed, newly hired, on notice, suspended, or terminated. | String |
Account type | The type of account targeted in the incident, according to role or where it's stored; for example, domain, local, service, or system. | String |
Access level | The level of access granted to the account; for example, non-privileged, executive, or administrative. | String |
Compliance governed | The compliance frameworks governing the data that was accessed, exfiltrated or destroyed; for example, PCI, SOX2, HIPAA, or ISO. | String |
Data access abuse knowledge base article | Link to an Exabeam Community article describing the Data Access Abuse use case. | URL |
Data accessed | The type of data that was accessed; for example, files or database records. | Multi-line text |
Data classification level | How sensitive the accessed data is; for example, public, internal, confidential, or restricted (personally identifiable information or intellectual property). | String |
Data type identification | The type of data that was accessed, exfiltrated, manipulated, or destroyed; for example, file, email, database, records, or application data. | String |
Destination host/IP | The host name or IP address of the machine where the activity occurred. | String |
Outcome | The result of the activity; for example, failed, denied, approved, or successful. | String |
PID | The process identifier of the executed process. | Integer |
Process name | The name of the executed process. | String |
Process path | The file path of where the executed process is located. | Multi-line text |
Source host/IP | The host name or IP address of the machine from where the activity originated. | String |
User type | The type of employee involved in the incident; for example, contractor, partner, or employee. | String |
Audit Tampering Incident Fields
Review out-of-the-box incident fields specific to the Audit Tampering incident type.
Incident field | Description | Data type |
---|---|---|
Audit category | The Windows audit policy category of the changed audit policy; for example, audit account logon events, audit logon events, audit account management, audit directory service access, or audit object access. | String |
Audit policy | The name of the changed audit policy. | String |
Audit subcategory | The Windows audit policy subcategory of the changed audit policy; for example, logon, process creation, user account management, or directory service access. | String |
Destination host/IP | The host name or IP address of the machine where the activity occurred. | String |
PID | The process identifier of the executed process. | Integer |
Process name | The name of the executed process. | String |
Process path | The file path of where the executed process is located. | Multi-line text |
Source host/IP | The host name or IP address of the machine from where the activity originated. | String |
User status | The employee's current employment status; for example, employed, newly hired, on notice, suspended, or terminated. | String |
User type | The type of employee involved in the incident; for example, contractor, partner, or employee. | String |
Destruction of Data Incident Fields
Review out-of-the-box incident fields specific to the Destruction of Data incident type.
Incident field | Description | Data type |
---|---|---|
User status | The employee's current employment status; for example, employed, newly hired, on notice, suspended, or terminated. | String |
Access level | The level of access granted to the account; for example, non-privileged, executive, or administrative. | String |
Activity type | What was done in an application or on an object; for example, create, delete, download, upload, backup, or change object. | String |
Compliance governed | The compliance frameworks governing the data that was accessed, exfiltrated or destroyed; for example, PCI, SOX2, HIPAA, or ISO. | String |
Data classification level | How sensitive the accessed data is; for example, public, internal, confidential, or restricted (personally identifiable information or intellectual property). | String |
Destination host/IP | The host name or IP address of the machine where the activity occurred. | String |
Destruction of data knowledge base article | Link to an Exabeam Community article describing the Destruction of Data use case. | URL |
File name | The name of the accessed, exfiltrated, manipulated, or destroyed file. | String |
File owner | The person who owns the file. | String |
File path | The file path where the file is located. | Multi-line text |
File type | The format of the file; for example, file, folder, or link. | String |
Source host/IP | The host name or IP address of the machine from where the activity originated. | String |
User type | The type of employee involved in the incident; for example, contractor, partner, or employee. | String |
Account type | The type of account targeted in the incident, according to role or where it's stored; for example, domain, local, service, or system. | String |
Physical Security Incident Fields
Review out-of-the-box incident fields specific to the Physical Security incident type.
Incident field | Description | Data type |
---|---|---|
Badge ID | The ID of the badge used to access a physical space. | String |
Building | The name or ID of the building someone attempted to access. | String |
City | The name or code of the city where someone entered a physical space. | String |
Door | The door someone attempted to use to access a physical space. | String |
Outcome | The result of the activity; for example, failed, denied, approved, or successful. | String |
Physical security knowledge base article | Link to an Exabeam Community article describing the Physical Security use case. | URL |
Workforce Protection Incident Fields
Review out-of-the-box incident fields specific to the Workforce Protection incident type.
Incident field | Description | Data type |
---|---|---|
User status | The employee's current employment status; for example, employed, newly hired, on notice, suspended, or terminated. | String |
Access level | The level of access granted to the account; for example, non-privileged, executive, or administrative. | String |
Assigned assets | Corporate assets the employee has access to. | String |
Destination host/IP | The host name or IP address of the machine where the activity occurred. | String |
Employee ID | The employee's ID. | String |
Employee name | The employee's name. | String |
Employee tenure | How long the employee has been with your organization. | Integer |
Recipient (To) | The email address the email was sent to. | Email address |
Risk factors | Factors that increase risk or further indicate someone's intent. | String |
Sender | The email address that sent the email. | Email address |
Source host/IP | The host name or IP address of the machine from where the activity originated. | String |
URL | An entire URL string including the host, fully qualified domain name (FQDN), and path. For example, www.exabeam.com/info?user=abc | URL |
User type | The type of employee involved in the incident; for example, contractor, partner, or employee. | String |
Web domain | The host the employee accessed; for example, gmail.google.com. | URL |
Workforce protection knowledge base article | Link to an Exabeam Community article describing the Workforce Protection use case. | URL |
Out-of-the-Box Incident Fields for External Threats Incident Types
Each incident type has a unique set of incident fields. Review the incident fields for each External Threats incident type.
There are five out-of-the-box incident types, one for each External Threats use case. Each incident type contains a specific set of incident fields out of the box.
You can edit certain incident fields and rearrange how they appear in the incident type's layout to better suit your needs.
Phishing Incident Fields
Review out-of-the-box incident fields specific to the Phishing incident type.
Incident field | Description | Data type |
---|---|---|
Attachment name | The file name of an email attachment. | String |
CC | The email addresses CC'd in an email. | Email address |
Email body | The content of an email. | Multi-line text |
Message ID | An email's unique identifier. | String |
Payload type | The method used to deliver the payload in a phishing attack; for example, attachment, hyperlink, client vulnerability, or business email compromise (BEC). | String |
Phishing knowledge base article | Link to an Exabeam Community article describing the Phishing use case. | URL |
Received date | The date the email was received. | Date |
Recipient (To) | The email address the email was sent to. | Email address |
Sender | The email address that sent the email. | Email address |
Source country | The geographical location from where the sender sent the email. | String |
Source host/IP | The host name or IP address of the machine from where the activity originated. | String |
Subject | An email's subject line. | String |
User agent | The browser's user agent. | String |
Malware Incident Fields
Review out-of-the-box incident fields specific to the Malware incident type.
Incident field | Description | Data type |
---|---|---|
Alert ID | The alert's unique identifier. | String |
Alert name | The name of the alert; for example, Oracle Database User Authentication Brute Force Attempt. | |
Alert severity | How critical the alert is, according to the vendor. | String |
Alert type | The type of alert, which usually describes the threat the alert detected; for example, trojan, vulnerability, or unauthorized access. | String |
Alert URL | The alert's URL. | URL |
Attacker file | The file the malicious entity used to deliver the malware payload. | String |
Attacker IP | The malicious entity's IP identifier. | IP |
Attacker URL | The malicious entity's URL identifier. | URL |
Malware category | The malware type, which usually describes what the malware does on your computer; for example, ransomware, spyware, adware, trojan, or worm. | String |
Malware knowledge base article | Link to an Exabeam Community article describing the Malware use case. | URL |
Malware name | The name of the malware, typically in the Computer Antivirus Research Organization (CARO) malware naming scheme; for example, Ransom.Win32.Locky.A.dldl or Backdoor:Win32/Caphaw.D!Ink. | String |
Method of intrusion | The method used to deliver the malware or ransomware; for example, malvertisement, phishing email, or USB. | String |
PID | The process identifier of the executed process. | Integer |
Process name | The name of the executed process; for example, | String |
Process path | The file path of where the executed process is located. | Multi-line text |
Victim host | The name of the machine targeted for the malware. | String |
Ransomware Incident Fields
Review out-of-the-box incident fields specific to the Ransomware incident type.
Incident field | Description | Data type |
---|---|---|
Alert ID | The alert's unique identifier. | String |
Alert name | The name of the alert; for example, Oracle Database User Authentication Brute Force Attempt. | |
Alert severity | How critical the alert is, according to the vendor. | String |
Alert type | The type of alert, which usually describes the threat the alert detected; for example, trojan, vulnerability, or unauthorized access. | String |
Alert URL | The alert's URL. | URL |
Attacker file | The file the malicious entity used to deliver the malware payload. | String |
Attacker IP | The malicious entity's IP identifier. | IP |
Attacker URL | The malicious entity's URL identifier. | URL |
Malware category | The malware type, which usually describes what the malware does on your computer; for example, ransomware, spyware, adware, trojan, or worm. | String |
Ransomware knowledge base article | Link to an Exabeam Community article describing the Ransomware use case. | URL |
Malware name | The name of the malware, typically in the Computer Antivirus Research Organization (CARO) malware naming scheme; for example, Ransom.Win32.Locky.A.dldl or Backdoor:Win32/Caphaw.D!Ink. | String |
Method of intrusion | The method used to deliver the malware or ransomware; for example, malvertisement, phishing email, or USB. | String |
PID | The process identifier of the executed process. | Integer |
Process name | The name of the executed process; for example, | String |
Process path | The file path of where the executed process is located. | Multi-line text |
Victim host | The name of the machine targeted for the malware. | String |
Brute Force Attack Incident Fields
Review out-of-the-box incident fields specific to the Brute Force Attack incident type.
Incident field | Description | Data type |
---|---|---|
Brute force attack knowledge base article | Link to an Exabeam Community article describing the Brute Force Attack use case. | URL |
Destination host/IP | The host name or IP address of the machine where the activity occurred. | String |
Failure reason | A description of why the activity failed. | String |
Logon type | The methods used to log on to a system; for example, through the system’s local console (interactive) or through a task scheduler (batch). | String |
Outcome | The result of the activity; for example, failed, denied, approved, or successful. | String |
PID | The process identifier of the executed process. | Integer |
Process name | The name of the executed process; for example, | String |
Process path | The file path of where the executed process is located. | Multi-line text |
Source host/IP | The host name or IP address of the machine from where the activity originated. | String |
Cryptomining Incident Fields
Review out-of-the-box incident fields specific to the Cryptomining incident type.
Incident field | Description | Data type |
---|---|---|
Cryptomining knowledge base article | Link to an Exabeam Community article describing the Cryptomining use case. | URL |
Destination host/IP | The host name or IP address of the machine where the activity occurred. | String |
Source port | The port used by the source IP or host. | Integer |
Failure reason | A description of why the activity failed. | String |
Firewall rule | The firewall rule that allowed or denied network traffic. | String |
Outcome | The result of the activity; for example, failed, denied, approved, or successful. | String |
PID | The process identifier of the executed process. | Integer |
Process name | The name of the executed process; for example, | String |
Process path | The file path of where the executed process is located. | Multi-line text |
Source host/IP | The host name or IP address of the machine from where the activity originated. | String |
User agent | The browser's user agent. | String |
Create a Custom Incident Field
Create incident fields to standardize the information displayed in an incident type.
1. In the sidebar, click SETTINGS, then select Analytics.
2. Under Case Management, select Incident Configuration.
3. Select the FIELDS tab.
4. Click ADD FIELDS.
5. Enter information about your field. The information required varies based on field type.
   - To list multiple values, select List predefined options.
   - If people can enter a value for the incident field in the incident, select Editable Field.
   - If people can enter or select multiple values from a list in the incident, select Can enter or select multiple values.
   - If the field must have a value for the incident to close, select Required Field. If a required field doesn't have a value, you can't change the incident's status to Closed.
6. Click SAVE.
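As an added example (not Exabeam's own code), the following Python models the custom-field settings described above (data type, predefined options, multi-value, required) and checks an incident against them, including the close rule: a required field with no value blocks the change to Closed. The IncidentField model, the simplified email and URL patterns, and the sample schema are assumptions for illustration.

```python
import ipaddress
import re
from collections import namedtuple
# One row of the FIELDS tab (assumed model): the data type from the tables
# above plus the Required Field, multi-value and predefined-options settings.
IncidentField = namedtuple("IncidentField", "name data_type required multi_value options",
                           defaults=(False, False, ()))
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # simplified, assumed
URL_RE = re.compile(r"^https?://\S+$")                 # simplified, assumed

def is_ip(v):
    try:
        ipaddress.ip_address(v)
        return True
    except ValueError:
        return False

# Type checks for data types named in the tables; String and Multi-line text accept any text.
CHECKS = {
    "Integer": lambda v: isinstance(v, int) and not isinstance(v, bool),
    "IP": lambda v: isinstance(v, str) and is_ip(v),
    "URL": lambda v: isinstance(v, str) and URL_RE.match(v) is not None,
    "Email address": lambda v: isinstance(v, str) and EMAIL_RE.match(v) is not None,
}

def validate(fields, incident, closing=False):
    # Returns a list of problems; an empty list means the incident passes.
    problems = []
    for f in fields:
        v = incident.get(f.name)
        if v in (None, "", []):
            if f.required and closing:  # status can't be changed to Closed
                problems.append(f"{f.name}: required to close")
            continue
        values = v if isinstance(v, list) else [v]
        if len(values) > 1 and not f.multi_value:
            problems.append(f"{f.name}: multiple values not allowed")
        check = CHECKS.get(f.data_type, lambda x: isinstance(x, str))
        for x in values:
            if f.options and x not in f.options:
                problems.append(f"{f.name}: {x!r} is not a predefined option")
            elif not check(x):
                problems.append(f"{f.name}: {x!r} is not a valid {f.data_type}")
    return problems

SAMPLE_FIELDS = [  # constructed schema drawn from fields in the tables above
    IncidentField("Source host/IP", "String", required=True),
    IncidentField("Attacker IP", "IP"),
    IncidentField("CC", "Email address", multi_value=True),
    IncidentField("Outcome", "String", options=("failed", "denied", "approved")),
]
```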
Edit a Custom Incident Field
When you edit an incident field, the changes only apply to new incidents. If an existing incident has this field, it doesn't change.
1. In the sidebar, click SETTINGS, then select Analytics.
2. Under Case Management, select Incident Configuration.
3. Select the FIELDS tab.
4. Hover over an incident type, click the More menu, then select Edit.
5. Edit the information about your field. The information required varies based on field type.
   - To list multiple values, select List predefined options.
   - If people can enter a value for the incident field in the incident, select Editable Field.
   - If people can enter or select multiple values from a list in the incident, select Can enter or select multiple values.
   - If the field must have a value for the incident to close, select Required Field. If a required field doesn't have a value, you can't change the incident's status to Closed.
6. Click SAVE.
Delete a Custom Incident Field
When you delete an incident field, the field still appears in incidents that already have it, but you can't add it to a new incident layout.
1. In the sidebar, click SETTINGS, then select Analytics.
2. Under Case Management, select Incident Configuration.
3. Select the FIELDS tab.
4. Hover over an incident field, click the More menu, then select Delete.