You can update a single case or alert. You can also update multiple cases at once.
Any changes you make are recorded in the case or alert history.
Update a Single Case or Alert
In a case or alert, you can update the name, description, priority, MITRE ATT&CK® tactics and techniques, use cases, and tags. In a case, you can also assign the case to another stage, queue, and assignee. You can't update the User and Endpoint attributes, which are derived from detections.[10]
Update Any Case or Alert Attribute
Update a single attribute or multiple attributes in a case or alert.
In a case or alert, navigate to the Overview tab, then:
To update a single attribute, for the attribute you're updating, click Edit.

To update multiple case or alert attributes, click Edit Details.


Make your changes. Keep in mind:
For the description, you can enter up to 1,024 characters. To better communicate your message, you can format the text.
When you assign a case to a queue, you can only assign the case to an assignee who is a queue member. If you assign a case to a queue and the current assignee is not a queue member, the assignee is changed to Unassigned.
Click Update. This action is recorded in the case or alert history.
Assign a Case Stage, Queue, or Assignee
Quickly assign a single case to another stage, queue, or assignee.
When you assign a case to a queue, you can only assign the case to an assignee who is a queue member. If you assign a case to a queue and the current assignee is not a queue member, the assignee is changed to Unassigned.
You can also change the case stage to Closed for multiple cases or alerts at once in the Cases tab.
In the case, select the attribute.

To search for a value, start typing.
From the list, select a value. Your changes are saved. This action is recorded in the case history.
If you change the case stage to Closed, you must select the reason why you're closing the case and optionally enter a comment before you can change the case stage.
Update Multiple Cases
Update multiple cases at once. You can't update multiple alerts at once.
For cases in the Closed stage, you can only update the Stage attribute. After you change the stage to any other stage besides Closed, you can update the other attributes.
In the Cases tab, select up to 50 cases to update:
To select all displayed cases, click the checkbox in the header row, then select Edit.

To select specific cases, click the checkbox for the cases you're updating, then select Edit.

Select the checkbox for the attributes you're updating, then make your changes to the attribute:
Stage – Select a different case stage.
If you change the case stage to Closed, you must select the reason why you're closing the case and optionally enter a comment before you can change the case stage.
Queue – Select a different queue. To update the assignee, you must select a queue.
Assignee – Select a different assignee responsible for responding to the case. You can only select from members of the selected queue. If you don't select a queue, the only assignee you can select is Unassigned.
Priority – Select a different priority.
MITRE TTPs – Select an ATT&CK technique. The technique is added to the cases and doesn't replace any existing techniques.
Use Cases – Select an Exabeam use case. The use case is added to the cases and doesn't replace any existing use cases.
Custom Tags – Select a tag. The tag is added to the cases and doesn't replace any existing tags.
In Add a note to all selected cases, enter the content for a note. You can enter up to 10,000 characters. To better communicate your message, you can also format the text.
The note is added to the cases and doesn't replace any existing notes.
For cases in the Closed stage, you can only update the Stage attribute. After you change the stage to any other stage besides Closed, you can update the other attributes.
Click Update <#> Cases. While the cases are updating, you're free to continue your work or navigate to another page.
When the cases have finished updating, you receive a "<#> case(s) updated succesfully." notification.
[10] MITRE ATT&CK and ATT&CK are trademarks of The MITRE Corporation ("MITRE"). Exabeam is not affiliated with or sponsored or endorsed by MITRE. Nothing herein is a representation of the views or opinions of MITRE or its personnel.