Email Ingest
Ingest suspicious emails and investigate phishing incidents using Email Ingest.
Case Manager Email Ingest creates incidents from potential phishing emails. It ingests suspicious emails from a designated phishing mailbox, parses relevant fields, creates an incident, then deletes the email from the inbox. Configure Email Ingest in your settings.
Configure Email Ingest
Link Case Manager to your phishing inbox to forward suspicious emails to Case Manager and ingest suspicious emails.
A dedicated phishing inbox that Case Manager has access to. No one should delete, move, or otherwise touch the emails in this inbox. The mailbox cannot be a shared mailbox or subfolder. You can't use the same email account you use for incident email communications.
Credentials for the phishing inbox. The account and credentials must have read and write access to the entire mailbox.
Connection to IMAP, POP3, or Exchange. For cloud-delivered deployments, only port 443 is open. To open other ports, contact your Technical Account Manager.
| Protocol | Port |
|---|---|
| IMAP | 143 |
| IMAP + SSL | 993 |
| POP3 | 110 |
| POP3 + SSL | 995 |
| Exchange | 443 |
If you use Microsoft Exchange Online with OAuth2.0 modern authentication, ensure that you complete specific prerequisites.
Ensure that emails aren't encrypted and attachments are in EML format. MSG files are not yet supported.
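A pre-flight check for the prerequisite above, as an added example (not Exabeam code): it flags a reported message that is encrypted or carries an attachment that is not EML, so it can be fixed before it reaches the phishing inbox. The MIME types, the OLE magic-byte test for MSG files, the function names, and the sample messages are assumptions of this example.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumption: these heuristics are this example's own, not Case Manager's parser logic.
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # file header of Outlook .msg (OLE2) files

def _outer_parts(part):
    """Yield MIME parts of the report itself, not those inside an attached email."""
    yield part
    if part.get_content_type() not in ("message/rfc822", "multipart/encrypted"):
        for sub in part.iter_parts():
            yield from _outer_parts(sub)

def ingest_blockers(raw: bytes) -> list:
    """Return reasons a message fails the two prerequisites (empty list = passes)."""
    problems = []
    for part in _outer_parts(email.message_from_bytes(raw, policy=policy.default)):
        ctype = part.get_content_type()
        smime = ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime")
        if ctype == "multipart/encrypted" or (
                smime and part.get_param("smime-type") != "signed-data"):
            problems.append("encrypted: " + ctype)
        elif part.get_content_disposition() == "attachment" and ctype != "message/rfc822":
            name = part.get_filename() or "(unnamed)"
            data = part.get_payload(decode=True) or b""
            if name.lower().endswith(".msg") or data.startswith(OLE_MAGIC):
                problems.append("MSG attachment: " + name)
            elif not name.lower().endswith(".eml"):
                problems.append("attachment is not EML: " + name)
    return problems

def sample_report(attachment, filename=None, **kind) -> bytes:
    """Constructed sample: a user forwarding a suspicious email to the phishing inbox."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "user@example.com", "phishing@example.com"
    msg["Subject"] = "Fwd: please review"
    msg.set_content("This looks suspicious.")
    msg.add_attachment(attachment, filename=filename, **kind)
    return msg.as_bytes()

if __name__ == "__main__":
    original = EmailMessage()
    original["Subject"] = "Invoice overdue"
    original.set_content("Constructed body of the suspicious email.")
    print(ingest_blockers(sample_report(original, "original.eml")))  # attached as EML
    print(ingest_blockers(sample_report(OLE_MAGIC + b"\0" * 64, "original.msg",
                                        maintype="application", subtype="vnd.ms-outlook")))
```

Attachments inside the attached EML are deliberately not inspected, since they belong to the suspicious email rather than to the report.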
In the sidebar, click SETTINGS, then select Core.
Under INCIDENT INGESTION, select Email Ingest.
Enter information about your email connection:
Host/Server – A mail server or host; for example, outlook.office365.com
Username – An assigned username. For IMAP, enter the email address. For Exchange, enter [domain]\[username]
Email address – The email address where emails are sent. This can't be a shared email.
Password – The password for the username you previously entered.
Protocol – The email protocol used to connect to your mail server: IMAP, POP3, Exchange. Select the box if your email provider supports Secure Sockets Layer (SSL). If you select Exchange:
Exchange version – Select your version of Microsoft Exchange:
Microsoft Exchange 2007, Service Pack 1
Microsoft Exchange 2010
Microsoft Exchange 2010, Service Pack 1
Microsoft Exchange 2010, Service Pack 2
Other Exchange Version
Authentication type – Select the protocol used to authenticate to your Exchange host: BASIC, NTLM, or OAUTH2.0.
If you select OAUTH2.0:
Client ID – Enter your Exabeam Microsoft Application (client) ID.
Client secret – Enter your Exabeam Microsoft Application client secret.
Tenant ID – Enter your Microsoft Azure AD tenant ID.
National cloud – If you have a national cloud deployment of Microsoft Azure, select your national cloud: China, Germany, or USGovernment. If you don't have a national cloud deployment, select Global.
Port – The port number your mail host or server uses.
Log level – Case Manager generates logs about your system activity that Customer Success uses to debug problems in your system. Select how detailed these logs are: low or verbose. To conserve disk space, it's best to select low. If you have problems with your system, Customer Success may direct you to change the log level to verbose.
Folder – Which account folder you're pulling emails from. The default folder is Inbox.
Click SAVE.
Log in to the Microsoft account you use for email ingest. When you are asked "Stay signed in?", it doesn't matter whether you select yes or no. The credentials aren't saved in your cache, and you are asked every time you configure email ingest.
To start ingesting emails, click START.
By default, Case Manager ingests emails starting from today. To ingest emails starting from a different date, click Select a different date, then select a date in the calendar.
Restart Email Ingest
If email ingest isn't working, restart it to troubleshoot the issue.
In the sidebar, click SETTINGS, then select Analytics.
Under Case Management, select Incident Configuration.
Select the EMAIL INGEST tab.
Hover over an email server, then click edit.
Click Start.
If email ingest starts successfully, the server appears in the list of email feeds with a Running status.