In a case or alert, you can update the name, description, priority, MITRE ATT&CK® tactics and techniques, use cases, and tags. In a case, you can also assign the case to another stage, queue, and assignee. You can't update the User and Endpoint attributes, which are derived from detections. Any changes you make are recorded in the case or alert history.[7]
Update Any Case or Alert Attribute
Update a single attribute or multiple attributes at once.
In a case or alert, navigate to the Overview tab:
To update a single attribute, for the attribute you're updating, click Edit.
To update multiple case attributes, click Edit Case Details.
To update multiple alert attributes, click Edit Alert Details.
Make your changes. Keep in mind:
For the description, you can enter up to 1,024 characters. To better communicate your message, you can format the text.
When you assign a case to a queue, you can only assign the case to an assignee who is a queue member. If you assign a case to a queue and the current assignee is not a queue member, the assignee is changed to Unassigned.
Click Update. This action is recorded in the case or alert history.
Assign a Case Stage, Queue, or Assignee
Quickly assign a case to another stage, queue, or assignee.
When you assign a case to a queue, you can only assign the case to an assignee who is a queue member. If you assign a case to a queue and the current assignee is not a queue member, the assignee is changed to Unassigned.
You can also close multiple cases or alerts at once in the Cases tab.
In the case, select the attribute.
To search for a value, start typing.
From the list, select a value. Your changes are saved. This action is recorded in the case history.
If you change the case stage to Closed, in Type a reason, explain why you're closing the case, then click Close.
[7] MITRE ATT&CK and ATT&CK are trademarks of The MITRE Corporation ("MITRE"). Exabeam is not affiliated with or sponsored or endorsed by MITRE. Nothing herein is a representation of the views or opinions of MITRE or its personnel.