Add a File Artifact
If you find a file associated with an incident, add a file artifact. A file artifact contains specific data, including file path, size, and hash.
Click Add a new artifact.
In an incident, you may also locate the Artifacts tab, then click Add a new artifact.
Under Artifact type, select File.
To extract a file's name, hash value, and size, select Upload file. To manually enter all details, select Manually enter file details.
If you selected Upload file, click UPLOAD FILE, then select a file from your file system. Fill in the fields:
File path – Enter where in the file system this file is located.
Threat status – Indicate if the artifact is a malicious, benign, or unknown threat, or a false positive.
Role – Specify if the artifact describes a victim, attacker, or unknown.
Related entity – Indicate which entity the artifact is related to.
If you selected Manually enter file details, fill in the fields:
File name – Enter the name used to uniquely identify the file in the file system.
Hash type – Enter at least one hash value from an MD5, SHA256, SHA1, or SHA512 function.
Threat status – Indicate if the artifact is a malicious, benign, or unknown threat, or a false positive.
Role – Specify if the artifact describes a victim, attacker, or unknown.
Related entity – Indicate which entity the artifact is related to.
Click SAVE. The artifact appears in the incident under the Artifacts tab.
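The following is an added example, not part of the product documentation or the vendor's code: a Python helper that reads a file once and collects the values the Manually enter file details option asks for (file name, path, size, and all four supported hash types), and that identifies the hash type of a digest copied from another tool by its length. The function names and dictionary keys are assumptions chosen for illustration.

```python
import hashlib
import os
import re
import tempfile

# Hex-digest length -> hash type names listed in the "Hash type" field.
HASH_LENGTHS = {32: "MD5", 40: "SHA1", 64: "SHA256", 128: "SHA512"}


def identify_hash_type(value):
    """Return the hash type for a hex digest, or None if it is not one of the four."""
    value = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", value):
        return None
    return HASH_LENGTHS.get(len(value))


def file_artifact_fields(path, chunk_size=1024 * 1024):
    """Stream the file once and return the values to type into the form."""
    digests = {name: hashlib.new(name.lower()) for name in HASH_LENGTHS.values()}
    size = 0
    with open(path, "rb") as handle:
        while chunk := handle.read(chunk_size):
            size += len(chunk)
            for digest in digests.values():
                digest.update(chunk)
    fields = {
        "file_name": os.path.basename(path),   # hypothetical key names
        "file_path": os.path.abspath(path),
        "size_bytes": size,
    }
    fields.update({name: d.hexdigest() for name, d in digests.items()})
    return fields


if __name__ == "__main__":
    # Constructed sample file so the example runs offline.
    with tempfile.NamedTemporaryFile(suffix=".bin", delete=False) as sample:
        sample.write(b"abc")
    try:
        for key, value in file_artifact_fields(sample.name).items():
            print(f"{key}: {value}")
    finally:
        os.remove(sample.name)
```

Reading in chunks keeps memory use flat for large files, and computing the values locally lets you record the artifact without moving a suspect file off the host.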
Add an IP Artifact
If you find an IP address associated with an incident, add an IP artifact. An IP artifact contains specific data, including geolocation, role, and threat status.
Click Add a new artifact.
In an incident, you may also locate the Artifacts tab, then click Add a new artifact.
Under Artifact type, select IP.
Fill in the fields:
IP – Enter the IP address this artifact describes.
Location – Enter the city, U.S. state (if applicable), and country this IP last connected from.
Threat status – Indicate if the artifact is a malicious, benign, or unknown threat, or a false positive.
Role – Specify if the artifact describes a victim, attacker, or unknown.
Related entity – Indicate which entity the artifact is related to.
Click SAVE. The artifact appears in the incident under the Artifacts tab.
Add a Process Artifact
If you find a process associated with an incident, add a process artifact. A process artifact contains specific data, including run time, ID, and parent process.
Select the fingerprint button.
Under Artifact type, select Process.
Fill in the fields:
Process name – Enter the file name of the program that executed the process.
Process path – Enter where in the file system the program file was located.
Process ID – Enter the ID of the process the artifact describes.
UID – Enter the process's user ID, available in Unix-like operating systems.
Start time – Enter the date and time the process started running. You may also select the calendar and clock icons to enter a date and time.
End time – Enter the date and time the process stopped running. You may also select the calendar and clock icons to enter a date and time.
Threat status – Indicate if the artifact is a malicious, benign, or unknown threat, or a false positive.
Role – Specify if the artifact describes a victim, attacker, or unknown.
Related entity – Indicate which entity the artifact is related to.
Click SAVE. The artifact appears in the incident under the Artifacts tab.
Add a URL Artifact
If you find a URL associated with an incident, add a URL artifact. A URL artifact contains specific data, including geolocation, IP, and role.
Click Add a new artifact.
In an incident, you may also locate the Artifacts tab, then click Add a new artifact.
Under Artifact type, select URL.
Fill in the fields:
URL – Enter the URL the artifact describes.
IP – Enter the URL's corresponding IP address.
Location – Enter the city, U.S. state (if applicable), and country the URL was last accessed from.
Threat status – Indicate if the artifact is a malicious, benign, or unknown threat, or a false positive.
Role – Specify if the artifact describes a victim, attacker, or unknown.
Related entity – Indicate which entity the artifact is related to.
Click SAVE. The artifact appears in the incident under the Artifacts tab.
Add an Email Address Artifact
If you find an email address associated with an incident, add an email address artifact. An email address artifact contains specific data, including role and threat status.
Click Add a new artifact.
In an incident, you may also locate the Artifacts tab, then click Add a new artifact.
Under Artifact type, select Email Address.
Fill in the fields:
Email address – Enter the email address the artifact describes.
Threat status – Indicate if the artifact is a malicious, benign, or unknown threat, or a false positive.
Role – Specify if the artifact describes a victim, attacker, or unknown.
Related entity – Indicate which entity the artifact is related to.
Click SAVE. The artifact appears in the incident under the Artifacts tab.