- Get Started with Threat Center
- Group Detections
- Work on Cases
- Triage Alerts in Threat Center
- Edit and Collaborate in Threat Center
- Find Cases or Alerts
- Build a Search in Threat Center
- Enter a Search Using Exabeam Query Language in Threat Center
- Enter a Search Using Natural Language in Threat Center
- Run a Recent Search in Threat Center
- Create a New Saved Search in Threat Center
- Run a Saved Search in Threat Center
- Edit a Saved Search in Threat Center
- Delete a Saved Search in Threat Center
- Sort Cases or Alerts
- View Case and Alert Metrics
- Get Notified About Threat Center
Respond to a Case
After you create a case, investigate, remediate, and close it. Document your response and track your progress.
Search for cases of interest. By default, Threat Center displays cases opened in the past week, and cases are sorted by risk score, from highest to lowest. You can also manually sort cases by risk score or age.
Get an overview of cases of interest:
Risk Score – The case risk score and associated priority.
Age – The time elapsed since the case was created.
Grouped By – The attribute by which detections are grouped.
Rules – The number of triggered correlation or Advanced Analytics rules associated with related detections.
MITRE TTPs – The number of MITRE ATT&CK® tactics and techniques the case best describes.[5]
Use Cases – The number of Exabeam use cases the case best describes.
Users – The number of users associated with related detections.
Endpoints – The number of source and destination hosts associated with related detections.
Stage – The current case stage.
Queue/Assignee – The queue and assignee assigned to respond to the case.
To view more details about a case, select the case.
In the Overview tab, get an overview of the case:
Copilot Threat Summary – An AI-generated summary of the case and recommended next steps. This summary is updated every time detections are added to the case.
Risk Score – The case risk score and associated priority.
User Description – The case description.
Grouped By – The attribute by which detections are grouped.
Timeframe – Important markers of time associated with the case, including:
First Detection – The date and time the first detection was added to the alert.
Duration – The days, hours, and minutes elapsed between when the first and last detection was added to the alert.
Case Creation – The date and time the case was created.
Age – For an open case, the days, hours, and minutes elapsed between when the case was created and the current time; or, for a closed case, the days, hours, and minutes between when the case was created and last closed.
Users – Users associated with related detections.
Devices – The source and destination hosts associated with related detections.
Rules Triggered – The triggered rules from which associated detections are created and the number of times they created associated detections.
Latest Notes – The notes most recently added to the case.
MITRE TTPs – The ATT&CK tactics and techniques that best describe the case.
Use Cases – The Exabeam use cases that best describe the case.
Attachments – Files attached to the case.
Under the Threat Timeline tab, understand the historical context around the case. Review a timeline of related detections; up to 100 associated parsed events; and key response moments, including when the associated alert was created, when the case was created, when the investigation started, when remediation ended, and when the case closed.
To continue your investigation and view the event in Search, click Open in Search.
To view all detection details, including the assigned risk score, ATT&CK tactics and techniques, Exabeam use cases, tags, and event fields associated with the detection, click View All.
To view all parsed event fields, click View All Fields.
For Advanced Analytics detections, to review all events for the user or asset in the Advanced Analytics Smart Timeline™, click View Timeline in Advanced Analytics.
For Correlation Rules detections, to review more information about the correlation rule that created the detection, click Rule Definition:
Name – The correlation rule name.
Author – Who created the correlation rule.
Severity – The rule severity: None, Low, Medium, High or Critical.
Use Case – The Exabeam use case most relevant to the rule.
MITRE Properties – The ATT&CK techniques most relevant to the rule.
Tags – Tags associated with the rule.
Repeating Triggers – The field values by which the rule is suppressed if the rule is over-triggered.
As you work on a case:
Update the priority and case stage, assign the case to another queue or assignee, and add notes and attachments with your findings.
Expedite your case response and get answers to any question about the case or related entities using the Copilot Analyst Assistant. To navigate to the Copilot Analyst Assistant, click Open Analyst Assistant:
In Copilot Analyst Assistant, enter a prompt, then press return or Enter or click
.Deepen your investigation in Search and view all events associated with the attribute by which detections are grouped. To navigate directly to these events in the Search timeline view, click Open Investigation Timeline.
[5] MITRE ATT&CK and ATT&CK are trademarks of The MITRE Corporation ("MITRE"). Exabeam is not affiliated with or sponsored or endorsed by MITRE. Nothing herein is a representation of the views or opinions of MITRE or its personnel.