Cases

An Alert Logic case groups identified security issues, or case items, that require investigation, action, or follow-up. Cases allow you to organize and prioritize your security-related tasks. For example, you can group certain incidents and vulnerabilities into a case and then track that case to its resolution.

You can create cases manually, as needed, and you can also set up your system to create a case automatically when incident escalation occurs.

Access cases

To access the Cases page, click the SEARCH tab, and then click the Cases subheading.

Search cases

You can search existing cases from the Cases page using any combination of the available search features: the search box, search filters, and right-click options. Each method provides a different type of search capability.

The Search box provides a simple way to search for a specific term in case summaries.

To search cases, type a keyword into the Search box, and then click Search.

Search filters

The most thorough way to investigate cases is to use search filters. You can use search filters to combine different search parameters, such as status, priority, and summary.

To search cases using search filters:

  1. Navigate to the Cases page, and then click Search Filters....
  2. (Optional) In the Saved Filters drop-down list, select a previously saved filter if applicable, and click Load or Load in New Window.
    Previously defined filters appear.
  3. In the drop-down list of columns, select a column to filter by.
  4. In the drop-down list of operations, select an operation for the search term for the selected column.
  5. For the search term, enter a search value. The type of entry field used depends on the selected column; for example, a text box is used for Summary, a list of defined values is used for Customer, and date and time fields are used for Due Date.
  6. (Optional) Click Add another filter to add an additional search parameter, and repeat steps 3 - 5 for the new filter. If you created several filters and want to delete one, click Remove for that filter.
  7. Click Apply Filters to run your search query.
  8. (Optional) To save your defined filters, specify a name in the Save filters as: box, and click Save.
  9. (Optional) To discard defined filters and applied results, click Clear.
  10. (Optional) To hide the Search Filters configuration area, click Search Filters.

Right-click options

Right-click options let you filter and sort displayed cases using columns and defined values.

To filter and sort cases using right-click options:

  1. Navigate to the Cases page.
  2. Click Search or Apply Filters to bring up your cases.
  3. On the Case List page, right-click a value in the list of displayed cases and select one of the following options:

    • Only show rows with this value
    • Hide rows with this value
    • Clear show/hide/sort settings for this column—This option returns the column to its default view.
    • Sort list by this column
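
The following is an added example, not Alert Logic code, that models how the three search features described above (the Search box, column/operation/value search filters with saved filter sets, and the right-click show, hide and sort options) act on a list of cases. The sample cases are constructed for the example, the operation names are illustrative, and combining several search filters with AND is an assumption that the page does not state.

```python
"""Added example, not Alert Logic code: models how the Cases page search
features act on a case list. The sample cases are constructed, the operation
names are illustrative, and combining several search filters with AND is an
assumption the page does not state."""
from datetime import datetime
from typing import Any, Callable, Dict, List, Tuple

# Constructed sample case list; due dates are ISO 8601 strings.
CASES: List[Dict[str, Any]] = [
    {"id": 101, "summary": "Brute-force logins on bastion", "status": "New",
     "priority": 1, "customer": "Acme", "due_date": "2024-05-02T17:00"},
    {"id": 102, "summary": "Unpatched web server", "status": "Being worked on",
     "priority": 2, "customer": "Acme", "due_date": "2024-05-10T09:00"},
    {"id": 103, "summary": "Noisy scanner host", "status": "Closed",
     "priority": 4, "customer": "Globex", "due_date": "2024-04-20T12:00"},
    {"id": 104, "summary": "Web shell on app server", "status": "Escalated",
     "priority": 1, "customer": "Globex", "due_date": "2024-05-01T08:00"},
]

# One filter row in the Search Filters area: (column, operation, search term).
Filter = Tuple[str, str, Any]

# Operations by name; each takes (cell value, search term) and returns a bool.
OPERATIONS: Dict[str, Callable[[Any, Any], bool]] = {
    "equals": lambda v, t: v == t,
    "contains": lambda v, t: str(t).lower() in str(v).lower(),
    "less_than": lambda v, t: v < t,
    "greater_than": lambda v, t: v > t,
    "before": lambda v, t: datetime.fromisoformat(v) < datetime.fromisoformat(t),
    "after": lambda v, t: datetime.fromisoformat(v) > datetime.fromisoformat(t),
}


def search_summary(cases, keyword: str):
    """The Search box: a case-insensitive keyword match on the summary only."""
    return [c for c in cases if keyword.lower() in c["summary"].lower()]


def apply_filters(cases, filters: List[Filter]):
    """Apply Filters: keep cases that satisfy every filter row (assumed AND)."""
    for column, operation, _ in filters:
        if operation not in OPERATIONS:
            raise ValueError(f"unknown operation: {operation}")
        if cases and column not in cases[0]:
            raise ValueError(f"unknown column: {column}")
    return [c for c in cases
            if all(OPERATIONS[op](c[col], term) for col, op, term in filters)]


# Saved Filters: named filter sets that can be loaded again later.
SAVED_FILTERS: Dict[str, List[Filter]] = {}


def save_filters(name: str, filters: List[Filter]) -> None:
    SAVED_FILTERS[name] = list(filters)


def load_filters(name: str) -> List[Filter]:
    return list(SAVED_FILTERS[name])


# Right-click options on the Case List: show, hide and sort by a column value.
def only_rows_with(cases, column: str, value: Any):
    return [c for c in cases if c[column] == value]


def hide_rows_with(cases, column: str, value: Any):
    return [c for c in cases if c[column] != value]


def sort_by(cases, column: str):
    return sorted(cases, key=lambda c: c[column])


def ids(cases) -> List[int]:
    """Case IDs in display order, for inspecting a result set."""
    return [c["id"] for c in cases]


if __name__ == "__main__":
    open_critical = [("priority", "equals", 1),
                     ("due_date", "before", "2024-05-03T00:00")]
    save_filters("open critical", open_critical)
    print(ids(apply_filters(CASES, load_filters("open critical"))))  # [101, 104]
```

Unknown columns and operations are rejected up front rather than failing on the first row that happens to miss the key, which is the check you want before a saved filter set is reused against a different customer's case list.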

View case details

Within each case are details such as case items (for example, incidents, vulnerabilities, log messages, and to-do items), notes, associated files, status, and priority.

To view details of a case:

  1. Navigate to the Cases page.
  2. Click Search or Apply Filters to bring up your cases.
  3. On the Case List page, click the Summary value for the case to view.
    Case details appear.
  4. (Optional) Use the Case Items, Notes, and Files tabs to view the respective details. Expand the Contact Details option to view contact preferences.
  5. (Optional) To modify case details, see Modify a case.

Create a case

A case lets you group together security issues, or case items, that require investigation, action, or follow-up. System-generated case items include incidents, events, log messages, hosts, and vulnerabilities. You can also include user-defined tasks, or to-do items; for example, you can create a to-do item to install the latest service pack.

When creating a case manually, you must first identify the case items to include in the case, and then define the details of the case itself, such as its status or priority. You can also set up your account to create a case automatically when the Alert Logic Security Operations Center (SOC) escalates an incident. If additional issues are determined to be related, you can add case items to an existing case.

Select items to add to a case

Before you can create a case manually or add items to an existing case, you must first identify and select the system-generated case items to include. Incidents, events, log messages, hosts, and vulnerabilities are types of system-generated case items that you can select. Selected case items are collected in the Case Creation cart for subsequent processing.

Incidents

With incidents, you can select one or multiple incidents at a time to add to a case. Use the appropriate procedure below.

To select an incident to add to a case:

  1. Click the Incidents tab, and then click the Monitor subheading.
  2. Click Search or Apply Filters to bring up your incidents.
  3. In the displayed list of incidents, click the ID of the incident to add to a case.
    The incident details appear.
  4. In the left navigation area, click Add to case.
    The incident is added to the Case Creation cart.

To select multiple incidents to add to a case:

  1. Click the Incidents tab, and then click the Monitor subheading.
  2. Click Search or Apply Filters to bring up your incidents.
  3. In the displayed list of incidents, select the box for each incident to add to a case.
  4. Right-click an area other than the ID column and select Add to Case.
    The selected incidents are added to the Case Creation cart.

Events

With events, you can select one or multiple events at a time to add to a case. Use the appropriate procedure below.

To select an event to add to a case:

  1. In the Alert Logic console, click SEARCH, and then click the Events tab.
  2. Click Search or Apply Filters to bring up your events.
  3. In the displayed list of events, click the Name of the event to add to a case.
    The event details appear.
  4. In the left navigation area, click Add to case.
    The event is added to the Case Creation cart.

To select multiple events to add to a case:

  1. In the Alert Logic console, click SEARCH, and then click the Events tab.
  2. Click Search or Apply Filters to bring up your events.
  3. In the displayed list of events, select the box for each event to add to a case.
  4. Right-click in the list and select Add to Case.
    The selected events are added to the Case Creation cart.

Log Messages

To select a log message to add to a case:

  1. In the Alert Logic console, click SEARCH, and then click the Log Messages tab.
  2. Perform a search to display a list of log messages.
  3. Hover your mouse pointer over a log message, and then click add to case.

Hosts

To select a host to add to a case:

  1. In the Alert Logic console, click OVERVIEW, and then click Dashboards.
  2. On the left navigation area, click Scans.
  3. On the Scans tab, click Schedule New Scan.
  4. Under What to Scan, click Management.
  5. In the left navigation area, click Browse Devices.
  6. In the left navigation area, click By IP Range.
  7. In the IP Range list, select the IP address range that includes the host you want to add to a case, and then click Search.
  8. Click the IP address of the host that you want to add to the case.
  9. On the Host Information page, in the left navigation area, click Add to case.
    The host is added to the Case Creation cart.

Vulnerabilities

To select a vulnerability to add to a case:

  1. In the Alert Logic console, click OVERVIEW, and then click Dashboards.
  2. On the left navigation area, click Scans.
  3. On the Statistics tab, click Vulnerabilities by Risk Level.
  4. Next to the chart that appears, under the Title column, click the risk level of the vulnerability that you want to add to the case, such as High, Critical, or Urgent.
  5. Select the check box for the vulnerability to add to a case.
  6. Below the list of vulnerabilities, click Add to Case.
    The vulnerability is added to the Case Creation cart.

Create a case manually

Using a case lets you easily track the progress of security issues that need to be addressed. You can assign an owner to manage case progress, set a status and priority, document supporting notes and files, and more.

After you have identified the security issues and have collected the case items in the Case Creation cart, you can create the case.

To create a case manually:

  1. In the Alert Logic console, click SEARCH, and then click the Cases icon.
  2. (Optional) To include a to-do item in the case, in Add to-do item, type a description of the work item to add to the case, and then click Add.
  3. Verify that the Create new Case option is selected.
  4. Click Finalize Case.
  5. On the New Case page, under Summary, type a descriptive name for the case.
  6. In the Priority list, select one of the following options:
    • 1–Critical
    • 2–High
    • 3–Medium
    • 4–Low
    • 5–No Priority
  7. In the Status list, select one of the following options:
    • New
    • Acknowledged
    • Being worked on
    • Escalated
    • Closed
  8. To assign an owner, in the Assignment left column, select an individual owner or group and click Add to add your selection to the right column. You can add more than one owner.
  9. In the Due Date area, indicate the number of hours, days, or months to close the case.
  10. In Description, type a description for the case.
  11. Under Case Items, select any cart items that you do not want to include in the new case, and then click Remove.
  12. (Optional) To include a note, click Add Notes, and then in Description, type the note text. You can add more than one note.
  13. (Optional) To attach a file, click Upload Files, and then click Browse to locate the file. You can add more than one file.
  14. Click Create Case.

Add case items to an existing case

You can add additional case items to an existing case. After you have identified the security issues and have collected the case items in the Case Creation cart, you can then add the case items to a case.

To add a case item to a case:

  1. In the Alert Logic console, click SEARCH, and then click the Cases icon.
  2. (Optional) To include a to-do item in the case, in Add to-do item, type a description of the work item to add to the case, and then click Add.
  3. Select Add to existing Case.
  4. Select the customer from the customer drop-down list.
  5. Type the Case ID value in the Case ID field.
  6. Click Finalize Case.

Modify a case

As work on a case progresses, you can update corresponding case details. For example, you can change the case owner if necessary, update the status and priority of the case, mark case items as done, add supporting documentation, and more.

Update case details

After a case has been created, you can make updates to many of the case details.

To update case details:

  1. Navigate to the Cases page.
  2. Click Search or Apply Filters to bring up your cases.
  3. On the Case List page, click the Summary value for the case to modify.
    Case details appear.
  4. Modify any of the following case details:
    • Change Owner—To assign or change a case owner, next to Assigned to:, click Change Owner. Add the new owner(s) to the Selected Owner/Group, and then click Save.
    • Add tags—To add keywords to a case, click Add tags. Type tags to add to the case, and click Save Tags.
    • Update case item state—To mark case items as done or not done, or to remove them from the case, see Update case item state. To add a case item to a case, see Add case items to an existing case.
    • Add a Note—To add a note to a case, select the Notes tab. In Add a Note, type the note text, and then click Save.
    • Add a File—To add a file to a case, select the Files tab. Click Browse to locate a file, and then click Add.
    • Status—To change the case status, select one of the following values from the drop-down list, and then click Update:
      • New
      • Acknowledged
      • Being worked on
      • Escalated
      • Closed
    • Priority—To change the priority, select one of the following values from the drop-down list, and then click Update:
      • 1–Critical
      • 2–High
      • 3–Medium
      • 4–Low
      • 5–No Priority
  5. (Optional) After you have made all changes, click Case List in the left navigation area to return to the Case List.

Update case item state

Each case contains one or more case items, which you can track individually. When you complete work for a case item, you can mark the case item as done. If you determine that a case item should not be included in a case, you can easily remove the case item from the case.

The combined state of all case items in a case is reflected on the Case List page in the "% Complete" column. This column allows you to quickly view the progress of a case. When you mark case items in a case as done, the percentage complete changes based on the total number of items in the case and the number of those items that are done.

Consider adding a note to the case to document your case item resolution. See Update case details.

To update the state of a case item:

  1. Navigate to the Cases page.
  2. Click Search or Apply Filters to bring up your cases.
  3. On the Case List page, click the Summary value for the case to update.
  4. In the displayed case details, click the Case Items tab.
  5. In the displayed list of case items, select the box next to each case item to modify.
  6. In the drop-down list, select one of the following options:
    • Mark selected as done—Changes completion value to Complete.
    • Mark selected as not done—Changes completion value to Incomplete.
    • Remove items from case
  7. Click Apply.
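
The following is an added example, not Alert Logic code, that models the case fields set when a case is created (priority 1 to 5, the five status values, owners, a due date given as hours, days or months) together with the case item state changes above and the "% Complete" value they produce. Class and method names are illustrative, rounding "% Complete" to the nearest whole percent and reporting 0% for a case with no items are assumptions, and the calendar-month due date arithmetic is this example's choice, since the page does not say how a month is counted.

```python
"""Added example, not Alert Logic code: a small model of the case fields and
case-item state described on this page. Names, the rounding of % Complete,
the 0% result for an empty case and calendar-month due dates are assumptions."""
import calendar
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional

PRIORITIES: Dict[int, str] = {1: "Critical", 2: "High", 3: "Medium",
                              4: "Low", 5: "No Priority"}
STATUSES = ("New", "Acknowledged", "Being worked on", "Escalated", "Closed")
ITEM_KINDS = ("incident", "event", "log message", "host", "vulnerability",
              "to-do")


def add_months(d: datetime, n: int) -> datetime:
    """Calendar-month arithmetic, clamping the day to the target month."""
    idx = d.month - 1 + n
    year, month = d.year + idx // 12, idx % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return d.replace(year=year, month=month, day=day)


def due_date_from(created: datetime, amount: int, unit: str) -> datetime:
    """Due date expressed as a number of hours, days or months after creation."""
    if unit == "hours":
        return created + timedelta(hours=amount)
    if unit == "days":
        return created + timedelta(days=amount)
    if unit == "months":
        return add_months(created, amount)
    raise ValueError(f"unknown due-date unit: {unit}")


class CaseItem:
    """A system-generated item (incident, host, ...) or a user-defined to-do."""

    def __init__(self, kind: str, ref: str) -> None:
        if kind not in ITEM_KINDS:
            raise ValueError(f"unknown case item kind: {kind}")
        self.kind, self.ref, self.done = kind, ref, False


class Case:
    def __init__(self, summary: str, priority: int, status: str,
                 created: datetime, owners: Iterable[str] = ()) -> None:
        self.summary = summary
        self.set_priority(priority)
        self.set_status(status)
        self.created = created
        self.due: Optional[datetime] = None
        self.owners = list(owners)
        self.items: List[CaseItem] = []
        self.notes: List[str] = []

    # Priority and status are restricted to the values the console offers.
    def set_priority(self, priority: int) -> None:
        if priority not in PRIORITIES:
            raise ValueError(f"priority must be 1-5, got {priority!r}")
        self.priority = priority

    def set_status(self, status: str) -> None:
        if status not in STATUSES:
            raise ValueError(f"unknown status: {status!r}")
        self.status = status

    def set_due(self, amount: int, unit: str) -> None:
        self.due = due_date_from(self.created, amount, unit)

    def change_owner(self, owners: Iterable[str]) -> None:
        self.owners = list(owners)

    def add_item(self, kind: str, ref: str) -> None:
        self.items.append(CaseItem(kind, ref))

    def add_todo(self, text: str) -> None:
        self.add_item("to-do", text)

    def add_note(self, text: str) -> None:
        self.notes.append(text)

    def _selected(self, refs: Iterable[str]) -> List[CaseItem]:
        wanted = set(refs)
        return [i for i in self.items if i.ref in wanted]

    def mark_done(self, refs: Iterable[str]) -> None:
        for item in self._selected(refs):
            item.done = True

    def mark_not_done(self, refs: Iterable[str]) -> None:
        for item in self._selected(refs):
            item.done = False

    def remove_items(self, refs: Iterable[str]) -> None:
        wanted = set(refs)
        self.items = [i for i in self.items if i.ref not in wanted]

    def percent_complete(self) -> int:
        """The '% Complete' column: done items over all items, 0 if none."""
        if not self.items:
            return 0
        done = sum(1 for i in self.items if i.done)
        return round(100 * done / len(self.items))
```

Removing an item changes the denominator as well as the numerator, so "% Complete" can rise without any work being finished; when you remove items, adding a note saying why keeps the case history honest, which is the reason the page suggests a note alongside item state changes.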
