Incident Types
Standardize information, actions, and evidence for common security incidents using incident types.
An incident type is a category that represents a security scenario. Incident types standardize incident fields, phases, tasks, and playbooks, and ensure you have the information and tools you need to resolve an incident based on attack vector or case context.
For example: In your organization, a phishing campaign targets multiple users, and each user automatically triggers and creates an incident. Since all these incidents are of a specific type—phishing—you need a specific set of information, actions, and evidence to resolve them, like sender, recipient, or email subject. The phishing incident type ensures they are all included in a phishing incident, and you have everything you need to research and resolve it.
There are 22 out-of-the-box incident types: one for each Exabeam Threat Detection, Investigation, and Response (TDIR) use case category, one automatically assigned to all incidents, and one specifically for incidents created from notable Advanced Analytics sessions.
You can modify these out-of-the-box incident types to better suit your needs or create your own incident type from scratch.
Generic Incident Type
The Generic incident type standardizes incident fields for every incident created, manually or automatically.
Every incident created, manually or automatically, is automatically assigned the Generic incident type. You can't unassign the Generic incident type from an incident; every incident must be assigned the Generic incident type.
The Generic incident type comes with specific incident fields. You can't remove these incident fields from the incident type, but you can add custom incident fields for information you want to appear in every incident. You can also customize the incident type's layout and rearrange how these fields appear in an incident.
Behavior Analytics Incident Type
The out-of-the-box Behavior Analytics incident type standardizes incident fields, phases, and tasks for incidents created from a notable Advanced Analytics session or sequence.
When an Advanced Analytics user session or asset sequence becomes notable and creates a Case Manager incident, the incident is automatically assigned the Behavior Analytics incident type.
The Behavior Analytics incident type comes with specific incident fields, and also prescribes specific phases and tasks for investigating, containing, and remediating the incident. You can customize them to better suit your needs.
You can assign additional incident types on top of the Behavior Analytics type to keep the Behavior Analytics incident fields, or reassign the incident to a more accurate incident type. To quickly and accurately reassign the incident to the correct type, consider using the Automated Incident Classification turnkey playbook.
Out-of-the-Box Incident Types for Compromised Insiders Use Cases
Standardize information, actions, and evidence for Compromised Insiders incidents using seven related out-of-the-box incident types.
There are seven out-of-the-box incident types, one for each Compromised Insiders use case:
Compromised Credentials Incident Type
Use the out-of-the-box Compromised Credentials incident type to standardize incident fields, phases, and tasks for incidents describing the Compromised Credentials use case.
Assign the Compromised Credentials incident type to incidents in which someone has stolen credentials, authenticated anomalously, or done something else to indicate they are compromising your system externally.
The Compromised Credentials incident type comes with specific incident fields, and also prescribes specific phases and tasks for investigating, containing, and remediating the incident. You can create your own incident fields and customize the phases and tasks to better suit your needs.
Lateral Movement Incident Type
Use the out-of-the-box Lateral Movement incident type to standardize incident fields, phases, and tasks for incidents describing the Lateral Movement use case.
Assign the Lateral Movement incident type to incidents in which a privileged account or asset does something unusual, or a non-privileged user does something that typically requires privileged access.
The Lateral Movement incident type comes with specific incident fields, and also prescribes specific phases and tasks for investigating, containing, and remediating the incident. You can create your own incident fields and customize the phases and tasks to better suit your needs.
Privilege Escalation Incident Type
Use the out-of-the-box Privilege Escalation incident type to standardize incident fields, phases, and tasks for incidents describing the Privilege Escalation use case.
Assign the Privilege Escalation incident type to incidents in which a host or person uses brute-force techniques to find valid credentials, executes BloodHound, or switches accounts.
The Privilege Escalation incident type comes with specific incident fields, and also prescribes specific phases and tasks for investigating, containing, and remediating the incident. You can create your own incident fields and customize the phases and tasks to better suit your needs.
Privileged Activity Incident Type
Use the out-of-the-box Privileged Activity incident type to standardize incident fields, phases, and tasks for incidents describing the Privileged Activity use case.
Assign the Privileged Activity incident type to an incident in which a disabled or deactivated user account becomes active, a non-privileged user accesses privileged assets, an account anomalously accesses domain controllers, or an administrative account triggers a security alert.
The Privileged Activity incident type comes with specific incident fields, and also prescribes specific phases and tasks for investigating, containing, and remediating the incident. You can create your own incident fields and customize the phases and tasks to better suit your needs.
Account Manipulation Incident Type
Use the out-of-the-box Account Manipulation incident type to standardize incident fields, phases, and tasks for incidents describing the Account Manipulation use case.
Assign the Account Manipulation incident type to incidents in which an attacker uses persistence techniques to maintain access to your network even if you try to interrupt or cut off their access. Persistence techniques include creating or manipulating user accounts, or modifying credentials or permissions to groups.
The Account Manipulation incident type comes with specific incident fields, and also prescribes specific phases and tasks for investigating, containing, and remediating the incident. You can create your own incident fields and customize the phases and tasks to better suit your needs.
Data Exfiltration Incident Type
Use the out-of-the-box Data Exfiltration incident type to standardize incident fields, phases, and tasks for incidents describing the Data Exfiltration use case.
Assign the Data Exfiltration incident type to incidents in which an account triggers Data Loss Prevention (DLP) alerts, uploads large amounts of data, or uses other techniques to exfiltrate data from your network.
The Data Exfiltration incident type comes with specific incident fields, and also prescribes specific phases and tasks for investigating, containing, and remediating the incident. You can create your own incident fields and customize the phases and tasks to better suit your needs.
Evasion Incident Type
Use the out-of-the-box Evasion incident type to standardize incident fields, phases, and tasks for incidents describing the Evasion use case.
Assign the Evasion incident type to an incident in which someone disables or uninstalls security software, obfuscates or encrypts data, or otherwise abuses trusted processes to hide malware.
The Evasion incident type comes with specific incident fields, and also prescribes specific phases and tasks for investigating, containing, and remediating the incident. You can create your own incident fields and customize the phases and tasks to better suit your needs.
Out-of-the-Box Incident Types for Malicious Insiders Use Cases
Standardize information, actions, and evidence for Malicious Insiders incidents using eight related out-of-the-box incident types.
There are eight out-of-the-box incident types, one for each Malicious Insiders use case:
Data Leak Incident Type
Use the out-of-the-box Data Leak incident type to standardize incident fields, phases, and tasks for incidents describing the Data Leak use case.
Assign the Data Leak incident type to an incident in which someone in your organization sends email to personal accounts, uploads a lot of data, triggers Data Loss Prevention (DLP) alerts, or uses other techniques to exfiltrate data from your network.
The Data Leak incident type comes with specific incident fields, and also prescribes specific phases and tasks for investigating, containing, and remediating the incident. You can create your own incident fields and customize the phases and tasks to better suit your needs.
Privilege Abuse Incident Type
Use the out-of-the-box Privilege Abuse incident type to standardize incident fields, phases, and tasks for incidents describing the Privilege Abuse use case.
Assign the Privilege Abuse incident type to an incident in which a non-privileged, privileged, service, executive, or disabled account anomalously accesses assets, creates accounts, or triggers security alerts.
The Privilege Abuse incident type comes with specific incident fields, and also prescribes specific phases and tasks for investigating, containing, and remediating the incident. You can create your own incident fields and customize the phases and tasks to better suit your needs.
Data Access Abuse Incident Type
Use the out-of-the-box Data Access Abuse incident type to standardize incident fields, phases, and tasks for incidents describing the Data Access Abuse use case.
Assign the Data Access Abuse incident type to an incident in which someone in your organization accesses certain applications or databases for the first time, accesses data from risky geographical locations, or uses other techniques to collect data.
The Data Access Abuse incident type comes with specific incident fields, and also prescribes specific phases and tasks for investigating, containing, and remediating the incident. You can create your own incident fields and customize the phases and tasks to better suit your needs.
Audit Tampering Incident Type
Use the out-of-the-box Audit Tampering incident type to standardize incident fields, phases, and tasks for incidents describing the Audit Tampering use case.
Assign the Audit Tampering incident type to an incident in which someone clears audit or event logs, or uses other techniques to manipulate, interrupt, or destroy data and avoid being detected.
The Audit Tampering incident type comes with specific incident fields, and also prescribes specific phases and tasks for investigating, containing, and remediating the incident. You can create your own incident fields and customize the phases and tasks to better suit your needs.
Destruction of Data Incident Type
Use the out-of-the-box Destruction of Data incident type to standardize incident fields, phases, and tasks for incidents describing the Destruction of Data use case.
Assign the Destruction of Data incident type to incidents in which someone starts deleting accounts, anomalously manipulates files, or uses other techniques to manipulate, interrupt, or destroy your data.
The Destruction of Data incident type comes with specific incident fields, and also prescribes specific phases and tasks for investigating, containing, and remediating the incident. You can create your own incident fields and customize the phases and tasks to better suit your needs.
Physical Security Incident Type
Use the out-of-the-box Physical Security incident type to standardize incident fields, phases, and tasks for incidents describing the Physical Security use case.
Assign the Physical Security incident type to incidents in which someone fails to badge in somewhere they've never been, uses a disabled account to try to access a physical space, or otherwise anomalously badges into a building or location.
The Physical Security incident type comes with specific incident fields, and also prescribes specific phases and tasks for investigating, containing, and remediating the incident. You can create your own incident fields and customize the phases and tasks to better suit your needs.
Workforce Protection Incident Type
Use the out-of-the-box Workforce Protection incident type to standardize incident fields, phases, and tasks for incidents describing the Workforce Protection use case.
Assign the Workforce Protection incident type to incidents in which someone in your organization searches for a job, badges into a physical space at an unusual time, or triggers a Data Loss Prevention (DLP) alert.
The Workforce Protection incident type comes with specific incident fields, and also prescribes specific phases and tasks for investigating, containing, and remediating the incident. You can create your own incident fields and customize the phases and tasks to better suit your needs.
Abnormal Authentication and Access Incident Type
Use the out-of-the-box Abnormal Authentication and Access incident type to standardize phases and tasks for incidents describing the Abnormal Authentication and Access use case.
Assign the Abnormal Authentication and Access incident type to incidents in which someone uses a user-agent string for the first time, connects to your network on an unusual day of the week, does something from an unusual geographical location, accesses an application using an unusual operating system or browser, or consecutively fails to log in to their account an excessive number of times.
The Abnormal Authentication and Access incident type doesn't come with specific incident fields, but it does prescribe specific phases and tasks for investigating, containing, and remediating the incident. You can create your own incident fields and customize the phases and tasks to better suit your needs.
Out-of-the-Box Incident Types for External Threats Use Cases
Standardize information, actions, and evidence for External Threats incidents using five related out-of-the-box incident types.
There are five out-of-the-box incident types, one for each External Threats use case:
Phishing Incident Type
Use the out-of-the-box Phishing incident type to standardize incident fields, phases, and tasks for incidents describing the Phishing use case.
Assign the Phishing incident type to an incident in which someone in your organization receives an email from an unknown domain, sends more emails than usual, or receives an email with malicious links or attachments, or in which the incident includes other signs of phishing.
The Phishing incident type comes with specific incident fields, and also prescribes specific phases and tasks for investigating, containing, and remediating the incident. You can create your own incident fields and customize the phases and tasks to better suit your needs.
Malware Incident Type
Use the out-of-the-box Malware incident type to standardize incident fields, phases, and tasks for incidents describing the Malware use case.
Assign the Malware incident type to incidents in which someone accesses a domain generated by a domain generation algorithm (DGA), or triggers an antivirus or endpoint detection and response (EDR) security alert.
The Malware incident type comes with specific incident fields, and also prescribes specific phases and tasks for investigating, containing, and remediating the incident. You can create your own incident fields and customize the phases and tasks to better suit your needs.
Ransomware Incident Type
Use the out-of-the-box Ransomware incident type to standardize incident fields, phases, and tasks for incidents describing the Ransomware use case.
Assign the Ransomware incident type to incidents in which an attacker encrypts data on your systems so no one can access files or data, from common user files like PDFs, images, audio or text to critical system files, disk partitions, or a Master Boot Record (MBR).
The Ransomware incident type comes with specific incident fields, and also prescribes specific phases and tasks for investigating, containing, and remediating the incident. You can create your own incident fields and customize the phases and tasks to better suit your needs.
Brute Force Attack Incident Type
Use the out-of-the-box Brute Force Attack incident type to standardize incident fields, phases, and tasks for incidents describing the Brute Force Attack use case.
Assign the Brute Force Attack incident type to an incident in which someone has failed to log in to an account multiple times.
The Brute Force Attack incident type comes with specific incident fields, and also prescribes specific phases and tasks for investigating, containing, and remediating the incident. You can create your own incident fields and customize the phases and tasks to better suit your needs.
Cryptomining Incident Type
Use the out-of-the-box Cryptomining incident type to standardize incident fields, phases, and tasks for incidents describing the Cryptomining use case.
Assign the Cryptomining incident type to incidents in which someone in your organization accesses cryptocurrency websites, accesses websites that mine for cryptocurrency in the browser's background, or runs cryptomining processes on their workstation or host.
The Cryptomining incident type comes with specific incident fields, and also prescribes specific phases and tasks for investigating, containing, and remediating the incident. You can create your own incident fields and customize the phases and tasks to better suit your needs.
Create a Custom Incident Type
Create a custom incident type from scratch to represent a common security scenario and standardize information, actions, and evidence.
In the sidebar, click SETTINGS, then select Analytics.
Under Case Management, select Incident Configuration.
In the Types tab, click ADD TYPE.
In the CREATE INCIDENT TYPE menu, enter a name and description for the incident type.
Click SAVE. The new incident type appears in the list of incident types with a Custom status.
For your new incident type, create custom incident fields or design a custom layout.
Delete a Custom Incident Type
When you delete an incident type you created, you can no longer apply the type to any incidents. Deleting the type does not delete any existing incident that was assigned the type, or any of that incident's data.
In the sidebar, click SETTINGS, then select Analytics.
Under Case Management, select Incident Configuration.
In the TYPES tab, hover over an incident type, select the More menu, then select Delete.
A warning appears. Click DELETE.