A case contains information about an incident, usually with one or more events attached. Use cases to track, investigate, and resolve events. Where cases are similar, you can copy events directly from one case to another. You assign cases of interest to analysts, who can investigate and resolve them based on severity and enterprise policies. You can also use rules to automatically open or update a case when certain conditions are met.
You can assign cases to groups of users who receive a notification with access to the case and its associated data. Those users can take action on the assigned case and specify other actions to be taken, assign it to another user, or resolve the case.
Cases track individual or multiple related events and export event data to third-party products. Cases can stand alone or integrate with a third-party case management system.
The Case Editor has the following features:
The case's summary is displayed at the top of the Case Editor. The example shows the top part of the panel for a case that is about to be created. The editor for an existing case shows more information, and it is updated as the case's attributes change.
The icon bar provides options to display fields for setting case attributes. By default, the Case Editor opens at the Attributes panel of the Initial view.
For existing cases, the status summary displays more information as the cases are updated:
For existing cases, the owner is displayed below the icon bar. If there are multiple owners, the list may be hard to read. If so, resize the panel.
Additional panels and fields are displayed by the More Options widget.
Entering Case Security Classifications
Entering Follow Up Items for the Case
Entering Attack Mechanism Information
Entering Attack Agent Information
Entering Vulnerability Information
Entering Miscellaneous Information
Using the Case's History Panel
Creating or Updating a Case from Displayed Events
Viewing a Case's Events in a Channel
Including Base Events Through a Rule
Copying Event Details from One Case to Another
Attaching a Data Monitor, Dashboard, or Query Viewer to a Case
Best Practices on Attaching Files to a Case
Granting Permission to Delete Cases
Moving or Copying a Case to a Group
Viewing a Case's Internal Audit Events
Viewing Group Cases in a Grid View
Running Case Reports and Setting Default Parameters
Customize Selected Case Report