Case Management and Queries

A case contains information about an incident, usually with one or more events attached. Use cases to track, investigate, and resolve events. Where cases are similar, you can copy events directly from one case to another. You assign cases of interest to analysts, who can investigate and resolve them based on severity and enterprise policies. You can also use rules to automatically open or update a case when certain conditions are met.

You can assign cases to groups of users, who receive a notification with access to the case and its associated data. Those users can take action on the assigned case, specify other actions to be taken, assign it to another user, or resolve the case.

Cases track individual or multiple related events and export event data to third-party products. Cases can stand alone or integrate with a third-party case management system.

The Case Editor has the following features:

Creating or Editing a Case

Locking and Unlocking Cases

Entering Case Attributes

Entering Case Descriptions

Entering Case Security Classifications

Entering Follow Up Items for the Case

Entering Attack Mechanism Information

Entering Attack Agent Information

Entering Incident Information

Entering Vulnerability Information

Entering Miscellaneous Information

Using the Case's History Panel

Working with Events in Cases

Creating or Updating a Case from Displayed Events

Using the Case Events Panel

Viewing a Case's Events in a Channel

Including Base Events Through a Rule

Copying Event Details from One Case to Another

Deleting Events from a Case

Attaching a File to a Case

Attaching a Data Monitor, Dashboard, or Query Viewer to a Case

Viewing a Case Attachment

Editing a Case Attachment

Best Practices on Attaching Files to a Case

Closing a Case

Deleting a Case

Granting Permission to Delete Cases

Moving or Copying a Case to a Group

Finding Cases

Viewing a Case’s Internal Audit Events

Managing Case Groups

Viewing Group Cases in a Grid View

Running Case Queries

Creating a Report from a Case

Running Case Reports and Setting Default Parameters

Customizing the Case Report

Customize Selected Case Query

Customize Selected Case Report

Add a Server Property for the New Report URI

Using External Case Management Systems