Showing results for 
Search instead for 
Did you mean: 

SIEM Foundations: Create and Manage Cases in ESM 10x

ESM cases provide a lightweight embedded workflow system you can use to track incidents, and the events associated with them, through your incident response process.  ESM’s case management system allows you to define various case statuses that you can use to implement a custom workflow.  Below we’ll outline a basic workflow for managing incidents through cases, which you can use as a starting point and modify as needed to meet your needs.

As a first step, we’ll need to identify an incident that merits tracking through a case.  For our purposes, it’s most convenient to start with an incident that is identified through manual inspection of your ESM dashboards. However, as you mature your processes, you should look for opportunities to automate case management through use of alarms and other techniques.

Once you have an incident identified, we’ll start with a basic workflow that tracks three states for a case.  The case states we will use include the following:

  • Open: Cases that have been created, but not yet assigned to an individual.  To manually create a case, select the events related to the incident (individually or in bulk via shift-click and control-click selection) and then click Create a new case through the case management icon at the bottom of the Event Details panel.

You will be presented with a window to add some details on your case.  Enter a summary, assignee, severity, and status as shown.

Note the links for Organization and Status on this window.  You can use these to modify the existing states, and create new ones, if needed.

  • In process: Cases that are being investigated by an individual.  Incident responders will manually move cases from “Open” to “In process” as they are picked up for analysis during the work day.  In order to review cases that are open, you can open the view “Event Workflow Views/Case Management” and filter for Status of “Open” as shown in  the screenshot below.

While working the case, the analyst may:

    • Add additional events to the case to create a more complete view of the incident (click “Add events to a case” through the case management icon at the bottom of the Event Details panel)

    • Add notes to the case to provide details about the involved hosts or users, or other important contextual details.

    • Re-assign or change the status of the case as appropriate.

  • Closed: Cases that have been fully investigated and considered resolved.  Responders will manually set cases to “Closed” state when analysis of the related incident is complete.

This workflow shows a simple manual process that works for small groups managing incidents via cases.  Through proper use of alarms, creation and assignment of cases can be automated to support larger enterprises and workgroups.

« previousoutlinenext »

Version history
Revision #:
1 of 1
Last update:
‎11-08-2017 05:20 PM
Updated by:

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community