Add a File Entity
If you're investigating a file, like a Word or Excel document, add a file entity. A file entity contains specific data, including file path, size, and hash.
Click Add a new entity.
In an incident, you may also locate the Entities panel, then click Add a new entity.
Under Entity type, select File.
To extract a file's name, hash, and size, select Upload file. To manually fill all fields, select Manually enter file details.
If you selected Upload file:
Click UPLOAD FILE, then select a file from your system.
Under File path, enter where the file is located in your file system.
If you selected Manually enter file details, fill in the fields:
File name – Enter the name used to uniquely identify the file in the file system.
Hash type – Enter at least one hash value from an MD5, SHA256, SHA1, or SHA512 function.
Click SAVE. The entity appears in the incident under the ENTITIES panel.
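If you choose Manually enter file details, you need the file's name, size, and at least one hash before you open the form. The Python script below is an added example, not part of the product or its documentation; it reads a file once and computes all four accepted digests. The function names, dictionary keys, and sample file are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

# The four hash functions the Hash type field accepts, per the step above.
ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


def file_entity_details(path, chunk_size=1024 * 1024):
    """Return name, path, size and digests for one file, read in a single pass.

    The keys of the returned dict are illustrative, not a Case Manager schema.
    """
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    size = 0
    with open(path, "rb") as handle:
        # Stream in chunks so large evidence files are never loaded whole.
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            size += len(chunk)
            for hasher in hashers.values():
                hasher.update(chunk)
    return {
        "file_name": os.path.basename(path),
        "file_path": os.path.abspath(path),
        "size_bytes": size,
        "hashes": {name.upper(): h.hexdigest() for name, h in hashers.items()},
    }


def make_sample_file():
    """Write a small constructed sample file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".docx")
    with os.fdopen(fd, "wb") as handle:
        handle.write(b"abc")
    return path


if __name__ == "__main__":
    sample = make_sample_file()
    try:
        details = file_entity_details(sample)
        print(details["file_name"], details["size_bytes"], "bytes")
        for algorithm, digest in details["hashes"].items():
            print(f"{algorithm}: {digest}")
    finally:
        os.remove(sample)
```

Run it on the analysis host where the file already resides, then copy the values into the form.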
Add a Device Entity
If you're investigating a device, add a device entity. A device entity contains specific data, including IP address, zone, and top user.
Click Add a new entity.
In an incident, you may also locate the Entities panel, then click Add a new entity.
Under Entity type, select Device.
To extract data from an existing host, IP or URL asset in Advanced Analytics, select Select from AA. To manually enter all details, select Custom.
If you selected Select from AA, start typing to search for a host or IP, select a result, then enter an associated URL. Fill in the fields:
Type – Select an operating system: Windows, Linux, or Mac.
Zone – Enter the internal network location the device last connected from. This may be a city, business unit, building, or room.
Location – Enter the city, U.S. state (if applicable), and country the device last connected from.
If you selected Custom, enter at least one Host, IP, or URL, then fill in the fields:
Type – Select an operating system: Windows, Linux, or Mac.
Zone – Enter the internal network location the device last connected from. This may be a city, business unit, building, or room.
Location – Enter the city, U.S. state (if applicable), and country the device last connected from.
Click SAVE. The entity appears in the incident under the ENTITIES panel.
Add a User Entity
If you're investigating a person, add a user entity. A user entity contains specific data, including data about employment, contact information, and manager.
Click Add a new entity.
In an incident, you may also locate the Entities panel, then click Add a new entity.
Under Entity type, select User.
To extract data from an existing user in Advanced Analytics, select Select from AA. To manually enter all details, select Custom.
If you selected Select from AA, start typing to search for a user, then select from the results. Case Manager extracts all data available in Advanced Analytics.
If you selected Custom, enter the user's Full Name or Username, then fill in the fields:
Account ID – Enter the account ID associated with the user's login credentials.
User email – Enter the user's work email address.
User title – Enter the user's job title.
User department – Enter the corporate department the user works in.
Employee type – Indicate the user's employee type; for example, full-time, part-time, or contractor.
Zone – Enter the internal network zone within your organization the user last connected from. This may be a city, business unit, building, or room.
User office phone – Enter the phone number the user uses at their office location.
User cell phone – Enter the user's personal cell phone number.
Manager name – Enter the full name of the user's manager.
Manager email – Enter the manager's work email address.
Manager title – Enter the manager's job title.
Manager office phone – Enter the phone number the manager uses at their office location.
Manager cell phone – Enter the manager's personal cell phone number.
Click SAVE. The entity appears in the incident under the ENTITIES panel.