The Overview tab provides a comprehensive view of the Case in your system. The screen includes all the alerts that make up your case, the timeline in which they occurred, any warnings or Insights generated by the Alerts, the playbooks associated with each alert, and a context-sensitive Context Details pane that displays information on whatever is currently highlighted.
In the Alerts section at the top, hover over an Alert to display the Action icon and the corresponding dropdown list.
The following actions are displayed:
- Simulate Alert: Clone an alert. This re-ingests the alert for testing purposes. None of the information or metrics from simulated alerts is counted in the dashboard and report metrics. By design, simulated alerts are not grouped.
- Move Alert: When the alert is assigned to you, you can move it to a new, separate case in the Case Queue.
- Close Alert: Close the specific Alert while keeping the Case open.
- Add Entity: Manually add an entity to the specific Alert. Let’s look at a quick use case for this.
  - The Alert is titled IRC Connections. This means somebody within the organization has tried to access this website.
  - Click on the relevant trigger in the Playbook, in this case CiscoUmbrella_GetWhoIs.
  - In the Context Details pane on the right, copy the email address of the User.
  - Click Add Entity. The new entity will appear in the Context Details of the Case and of this specific alert.
  - Click Save.
- In the Timeline section, use the plus/minus buttons to scale the timeline.
- In the Playbooks section, you can click on each trigger and each action to see full details and information on the Context Details pane.
Send Message to Specific User
At the bottom of the screen, type the @ symbol and then select either an individual Analyst or a User Group to send a message to. Click Send after you’ve written the message. The message will appear in the User’s notification list.
Both the Manual actions and the Actions that appear in the Playbook are populated after you download the corresponding integration in the Marketplace.
To perform a manual action:
- In the highlighted case, click the icon at the bottom right of the screen. (If you don’t see this icon, adjust your zoom accordingly.) The Manual Action screen displays.
- Select the required Action. For example, select Virus Total > Scan URL. Make sure to fill in the required information.
- Select the Alerts and Entities that you want the action to run on. Click Execute. The action details will appear in the Context Details pane and will be documented on the Case wall.