- Case Manager Release Notes
- Get Started with Case Manager
- Configure Case Manager Settings
- Investigate a Security Incident
- Manually Create an Incident
- Edit an Incident
- Delete an Incident
- Manually Add an Entity
- Manually Add an Artifact
- Delete an Entity or Artifact
- Add Advanced Analytics Evidence to a Case Manager Incident
- Manage Tasks During an Investigation
- Send Messages from an Incident
- Filter Incidents
- Search for an Incident
- Sort Incidents
- Export Incidents
Ingest Data into Case Manager
To use Case Manager, you must ingest data from an incident source and pull a specific type of data using an incident feed. After Case Manager has this data, it creates incidents for you to investigate.
An incident source is the server from which Case Manager ingests data, like:
Advanced Analytics. Case Manager automatically creates an incident when a user or asset crosses a risk threshold and becomes notable.
A security product, like a SIEM or an endpoint solution.
Microsoft Office 365 or Outlook, ingested using email ingest.
An incident feed pulls a specific type of data; for example, Carbon Black or FireEye. You must configure an incident server before you configure an incident feed.
You can add, edit, or delete an incident source. You can also add, edit, or delete incident feeds.
After you add an incident source and incident feed, add incident rules to automatically assign, prioritize, and restrict new incidents.