Caution: Events added to a case are accessible in the context of that case to any user who has permissions to view or edit the case. Users who lack permissions on the events themselves can still view the full events in the context of a case to which they are assigned.
As a best practice, keep this in mind when adding events to a case and setting access control lists (ACLs) on cases. For more information on ACLs, see Granting or Removing Resource Permissions.
You can create or update cases directly from the Viewer panel while you are monitoring suspicious events. The events you select for the case are displayed on the case’s Events tab.
To add events to a case:
Lock the case. You can also display the case editor, although this is not required.
Right-click and select one of the following:
Add to Case > New Case to create a new case.
Add to Case > Case in Editor if you already have the case displayed on the Inspect/Edit panel.
Note: Here are additional options for adding events to cases.
If there are multiple Case Editors open when you choose Add to Case > Case in Editor, the selected events are added to the Case Editor in focus (showing on top of the others).
If no Case Editors are currently open but you choose the Add to Case > Case in Editor option anyway, a new case is created and the selected events are added to it.
Add to Case > Other to display the Case Selector popup. Navigate to the case where you want to add the events, select the case, and click OK.
The selected events appear in the Case Editor on the Events panel.
For new cases, follow additional instructions in Creating or Editing a Case.
Click OK.
The Console adds the events and displays the destination case’s Events tab.
To view the added events on this tab, expand Other selected Event(s).
Tip: Events related to a case are preserved in the case’s Events panel for tracking purposes even after the retention period, when the events would typically age out of the database. See Using the Case Events Panel. However, on the channel, the events are available based on the retention period of the Default Storage Group. For details on the retention period and how to change it, refer to the Administration section of the ArcSight Command Center User’s Guide. See the topic, “Storage,” for information about editing the retention period of the Default Storage Group.