In this installment of the Tips and Insights series, Ron Keyston discusses case management in Helix in which he reviews how to create a case, the features available in case management and the ability that Helix has to record revision and case note history within the tool.
Hi my name is Ron Keyston. I’m with the Deployment and Integration team here at FireEye and today we’re going to talk about case management in Helix. We’re going to review how to create a case, the features that are available to you in case management, and the ability that Helix has to record revision and case note history within the tool. So there are several ways that you can create a case in Helix. The first way is right here from the summary dashboard you can promote an existing alert to a case. You can also promote an existing alert from the alerts dashboard itself. When you promote an alert to a case that case inherits the name, description and priority of the alert for the case details. However, those can be overridden and edited from the case dashboard here. So if you have a series of low priority alerts that you want to aggregate into a single case you can change the priority of the case to medium or high instead of inheriting the low priority alert from the alert itself. The other way you can create a case is from the case dashboard by creating one directly.
When you create a case directly you can give it a name, a status, a priority, as well as a classification. So you can classify cases unauthorized access, denial of service, malware, and so on. You can also give it a description so that someone coming to the case later has an idea of what it is you’re investigating. Once you have a case that you’re working with you can modify it as the investigation progresses. Cases can have one of five statuses. The first status is the ‘Declared Status”. This status means that you have triaged the initial alert, investigated it, and determined that it’s more widespread than just a single event. And so you’ve declared an incident or declared a case for investigation. The second status is the “Scope Status”. This means that you’ve determined how widespread the incident is. The third status is”Contained”. This means that you’ve stopped further spread of the incident. The “Recovered Status” indicates that you have return to a production state. And finally the “Improved Status” means you’ve addressed the underlying cause with a mitigation to prevent this problem from happening again in the future. You can add individual events to a case by searching with MQL. clicking on the event or events you want to add to the case, and then clicking the add case button here. It will then pop-up a dialog box allowing you to either create a new case from these events or add it to an existing case. You can also add multiple alerts to an individual case from the alerts tab here. There’s a revision or case history tab that’s available for auditing or documentation purposes. Anytime there’s a change made to the status of the case, the severity of the case, who the case is assigned to, or whether the case is open or closed, that will all be recorded in the revisions tab for documentation not any purposes later. Finally, there’s a note tab allowing you to take detailed case notes and these notes are recorded with the user who created them. That was Helix case management in a nutshell. Continue checking back with us for more FireEye product tips.