
Manually Add an Entity

Add the primary objects you're investigating to the incident. You can create three types of entities: file, device, and user.

Add a File Entity

If you're investigating a file, like a Word or Excel document, add a file entity. A file entity contains specific data, including file path, size, and hash.

  1. Navigate to an incident or its workbench.

  2. Click Add a new entity (a dark blue computer and a dark blue circle with a white plus sign in the top right).

    In an incident, you may also locate the Entities panel, then click Add a new entity (a dark blue plus sign).

  3. Under Entity type, select File.

  4. To extract a file's name, hash, and size, select Upload file. To manually fill all fields, select Manually enter file details.

    • If you selected Upload file:

      1. Click UPLOAD FILE, then select a file from your system.

      2. Under File path, enter where the file is located in your file system.

    • If you selected Manually enter file details, fill in the fields:

      • File name – Enter the name used to uniquely identify the file in the file system.

      • Hash type – Enter at least one hash value from an MD5, SHA256, SHA1, or SHA512 function.

  5. Click SAVE. The entity appears in the incident under the ENTITIES panel.
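When you choose Manually enter file details, for instance because the file should not leave the host it was found on, the values can be collected locally first. The following is an added example, not part of the Case Manager documentation or product: it reads a file once and returns its name, path, size, and all four hash types the form accepts. The dictionary keys and the byte unit for size are assumptions made for illustration, and the sample file is constructed.

```python
import hashlib
import os
import tempfile

# Hash functions the "Hash type" field accepts, per the steps above.
HASH_TYPES = ("md5", "sha1", "sha256", "sha512")


def file_entity_details(path, chunk_size=1 << 20):
    """Return name, path, size and all four hashes for one file.

    The file is opened read-only and streamed in chunks, so a large
    evidence file is neither modified nor loaded fully into memory.
    Key names are hypothetical; they mirror the form fields, not an API.
    """
    hashers = {name: hashlib.new(name) for name in HASH_TYPES}
    size = 0
    with open(path, "rb") as fh:
        while chunk := fh.read(chunk_size):
            size += len(chunk)
            for hasher in hashers.values():
                hasher.update(chunk)  # one pass feeds every digest
    details = {
        "file_name": os.path.basename(path),
        "file_path": os.path.abspath(path),
        "size_bytes": size,  # assumption: size reported in bytes
    }
    details.update({name: h.hexdigest() for name, h in hashers.items()})
    return details


def demo():
    # Constructed sample: a 3-byte temp file standing in for the evidence file.
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "invoice.docx")
        with open(sample, "wb") as fh:
            fh.write(b"abc")
        return file_entity_details(sample)


if __name__ == "__main__":
    for field, value in demo().items():
        print(f"{field}: {value}")
```

Copy the printed values into the File name, File path, and Hash type fields; entering more than one hash makes the entity easier to match against sources that only publish one algorithm.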

Add a Device Entity

If you're investigating a device, add a device entity. A device entity contains specific data, including IP address, zone, and top user.

  1. Navigate to an incident or its workbench.

  2. Click Add a new entity (a dark blue computer and a dark blue circle with a white plus sign in the top right).

    In an incident, you may also locate the Entities panel, then click Add a new entity (a dark blue plus sign).

  3. Under Entity type, select Device.

  4. To extract data from an existing host, IP or URL asset in Advanced Analytics, select Select from AA. To manually enter all details, select Custom.

    • If you selected Select from AA, start typing to search for a host or IP, select a result, then enter an associated URL. Fill in the fields:

      • Type – Select an operating system: Windows, Linux, or Mac.

      • Zone – Enter the internal network location the device last connected from. This may be a city, business unit, building, or room.

      • Location – Enter the city, U.S. state (if applicable), and country the device last connected from.

    • If you selected Custom, enter at least one Host, IP, or URL, then fill in the fields:

      • Type – Select an operating system: Windows, Linux, or Mac.

      • Zone – Enter the internal network location the device last connected from. This may be a city, business unit, building, or room.

      • Location – Enter the city, U.S. state (if applicable), and country the device last connected from.

  5. Click SAVE. The entity appears in the incident under the ENTITIES panel.

Add a User Entity

If you're investigating a person, add a user entity. A user entity contains specific data, including data about employment, contact information, and manager.

  1. Navigate to an incident or its workbench.

  2. Click Add a new entity (a dark blue computer and a dark blue circle with a white plus sign in the top right).

    In an incident, you may also locate the Entities panel, then click Add a new entity (a dark blue plus sign).

  3. Under Entity type, select User.

  4. To extract data from an existing user in Advanced Analytics, select Select from AA. To manually enter all details, select Custom.

    • If you selected Select from AA, start typing to search for a user, then select from the results. Case Manager extracts all data available in Advanced Analytics.

    • If you selected Custom, enter the user's Full Name or Username, then fill in the fields:

      • Account ID – Enter the account ID associated with the user's login credentials.

      • User email – Enter the user's work email address.

      • User title – Enter the user's job title.

      • User department – Enter the corporate department the user works in.

      • Employee type – Indicate the user's employee type; for example, full-time, part-time, or contractor.

      • Zone – Enter the internal network zone within your organization the user last connected from. This may be a city, business unit, building, or room.

      • User office phone – Enter the phone number the user uses at their office location.

      • User cell phone – Enter the user's personal cell phone number.

      • Manager name – Enter the full name of the user's manager.

      • Manager email – Enter the manager's work email address.

      • Manager title – Enter the manager's job title.

      • Manager office phone – Enter the phone number the manager uses at their office location.

      • Manager cell phone – Enter the manager's personal cell phone number.

  5. Click SAVE. The entity appears in the incident under the ENTITIES panel.