Case Manager Tasks
Assign specific responsibilities and ensure everyone responds consistently using tasks.
A task is an action an analyst must complete when they investigate; for example, confirm incident is contained, capture volatile data from systems as evidence, determine root cause. Tasks are organized into phases of an investigation.
Phases and tasks ensure everyone across your organization responds to different security scenarios consistently. A manager builds a set of standard scenarios and creates processes for each one. When analysts investigate an incident, they follow this process, working on separate items in parallel so their efforts don't overlap.
You can configure tasks globally for phases or incident types or manage specific tasks in individual incidents.
You can create a task just for one specific incident. To automatically create a task depending on the conditions of an incident, create a playbook.
1. In the sidebar, click SETTINGS, then select Analytics.
2. Under Case Management, select Incident Configuration.
3. Select the Tasks & Phases tab.
4. Click ADD A TASK.
5. Enter information about the task:
   - Name – Enter a name for the task.
   - Instructions – Enter instructions, details, or other information about the task.
   - Phase – Select the phase that the task appears under.
   - (Optional) Incident type – Select the incident type that the task appears under.
   - Due date – If there is no due date, select None. If there is a due date, select how many days after the task is initiated.
   - (Optional) Required task – If the task must be completed, select this box. If the task is incomplete, you can't change the incident status to Closed.
6. Click SAVE.
7. Click PUBLISH.
1. In the sidebar, click SETTINGS, then select Analytics.
2. Under Case Management, select Incident Configuration.
3. Select the Tasks & Phases tab.
4. Hover over a task, then select the edit icon.
5. Change the task details:
   - Name – Enter a name for the task.
   - Instructions – Enter instructions, details, or other information about the task.
   - Phase – Select the phase that the task appears under.
   - (Optional) Incident type – Select the incident type that the task appears under.
   - Due date – If there is no due date, select None. If there is a due date, select how many days after the task is initiated.
   - (Optional) Required task – If the task must be completed, select this box. If the task is incomplete, you can't change the incident status to Closed.
6. Click SAVE.
7. Click PUBLISH. Your changes are reflected in new incidents. They don't apply to existing incidents, open or closed.
1. In the sidebar, click SETTINGS, then select Analytics.
2. Under Case Management, select Incident Configuration.
3. Select the Tasks & Phases tab.
4. Hover over a task, then select the up or down arrows to move the task up or down.
5. Click PUBLISH. Your changes are reflected in new incidents. They don't apply to existing incidents, open or closed.
1. In the sidebar, click SETTINGS, then select Analytics.
2. Under Case Management, select Incident Configuration.
3. Select the Tasks & Phases tab.
4. Hover over a task, then select the trash icon. A warning appears.
5. Click DELETE.
6. Click PUBLISH. Your changes are reflected in new incidents. They don't apply to existing incidents, open or closed.