Case Manager Phases
Organize your investigations and ensure everyone responds consistently using phases.
A phase is a general stage of your investigation process. Each phase contains the tasks that an analyst must complete during that stage.
Phases and tasks ensure everyone across your organization responds to different security scenarios consistently. A manager builds a set of standard scenarios and creates processes for each one. When analysts investigate an incident, they follow this process, working on separate items in parallel so their efforts don't overlap.
Exabeam provides five phases out of the box:
Detection
Containment
Eradication & Mitigation
Recovery
Post-Incident Activity
Rename phases or create your own phase according to your needs. You can also delete and reorder phases.
Create a Phase
To standardize how you respond to incidents, break your investigation process into phases and assign tasks to each one.
In the sidebar, click SETTINGS, then select Analytics.
Under Case Management, select Incident Configuration.
Select the Tasks & Phases tab.
Click ADD PHASE.
Enter a unique phase name, then click SAVE.
Click PUBLISH. The phase appears only in new incidents. It doesn't appear in existing incidents, open or closed.
Rename a Phase
Rename any phase to change how it appears in incidents.
In the sidebar, click SETTINGS, then select Analytics.
Under Case Management, select Incident Configuration.
Select the Tasks & Phases tab.
Hover over a phase, then select the edit icon.
Change the phase name.
Click SAVE.
Click PUBLISH. Your changes are reflected in new incidents. They don't apply to existing incidents, open or closed.
Reorder Phases
Reorder phases to change the order in which they appear in incidents.
In the sidebar, click SETTINGS, then select Analytics.
Under Case Management, select Incident Configuration.
Select the Tasks & Phases tab.
Hover over a phase, then select the up or down arrows to move the phase up or down.
Click PUBLISH. Your changes are reflected in new incidents. They don't apply to existing incidents, open or closed.
Delete a Phase
Remove a phase from any new incidents you create.
In the sidebar, click SETTINGS, then select Analytics.
Under Case Management, select Incident Configuration.
Select the Tasks & Phases tab.
You can only delete a phase that does not have tasks assigned to it. If the phase you're deleting has any tasks assigned to it, reassign them to a new or existing phase.
Hover over the phase, then select the trash icon.
Click DELETE.
Click PUBLISH. The phase doesn't appear in new incidents. It still appears in existing incidents, open or closed.