Skip to main content

Cloud-delivered Case ManagerCase Manager Documentation

Case Manager Phases

Organize your investigations and ensure everyone responds consistently using phases.

A phase is a general stage of your investigating process. It contains tasks that an analyst must complete in each phase.

Phases and tasks ensure everyone across your organization responds to different security scenarios consistently. A manager builds a set of standard scenarios and creates processes for each one. When analysts investigate an incident, they follow this process, working on separate items in parallel so their efforts don't overlap.

Exabeam provides five phases out of the box:

  • Detection

  • Containment

  • Eradication & Mitigation

  • Recovery

  • Post-Incident Activity

Rename phases or create your own phase according to your needs. You can also delete and reorder phases.Rename a PhaseCreate a PhaseDelete a PhaseReorder Phases

Create a Phase

To standardize how you respond to incidents, break out your investigating process into phases and assign tasks to each one.

  1. In the sidebar, click SETTINGSA grey gear icon, then select Analytics.

  2. Under Case Management, select Incident Configuration.

  3. Select the Tasks & Phases tab.

  4. Click ADD PHASE.

  5. Enter a unique phase name, then click SAVE.

  6. Click PUBLISH. The phase appears only in new incidents. It doesn't appear in existing incidents, open or closed.

Rename a Phase

Rename any phase to change how they appear in incidents.

  1. In the sidebar, click SETTINGSA grey gear icon, then select Analytics.

  2. Under Case Management, select Incident Configuration.

  3. Select the TASKS & PHASES tab.

  4. Hover over a phase, then select edit A dark blue pencil..

  5. Change the phase name.

  6. Click SAVE.

  7. Click PUBLISH. Your changes are reflected in new incidents. They don't apply to existing incidents, open or closed.

Reorder Phases

Reorder a phase to change the order that they appear in incidents.

  1. In the sidebar, click SETTINGSA grey gear icon, then select Analytics.

  2. Under Case Management, select Incident Configuration.

  3. Select the Tasks & Phases tab.

  4. Hover over a phase, then select the up A dark blue arrow pointing up. or down A dark blue arrow pointing down. arrows to move the phase up or down.

  5. Click PUBLISH. Your changes are reflected in new incidents. They don't apply to existing incidents, open or closed.

Delete a Phase

Remove a phase from any new incidents you create.

  1. In the sidebar, click SETTINGSA grey gear icon, then select Analytics.

  2. Under Case Management, select Incident Configuration.

  3. Select the Tasks & Phases tab.

  4. You can only delete a phase that does not have tasks assigned to it. If the phase you're deleting has any tasks assigned to it, reassign them to a new or existing phase.

  5. Hover over the phase, then select the trash A dark blue trash can..

  6. Click DELETE.

  7. Click PUBLISH. The phase doesn't appear in new incidents. It still appears in existing incidents, open or closed.