To access the Cases page:
- Log in to LogRhythm NDR's new UI.
- Click Hunt from the sidebar menu, and then click Cases.
The Cases page appears, displaying the total number of cases, classified as Critical, High, Medium, and Low. Cases can be summarized by Severity, Certainty, or Score; by default, they are summarized by Severity.
- To change the category, click the drop-down menu available next to the Dialog Box/Side Panel toggle button and select the required category.
- Click a particular case to expand a table that contains further details about the case.
Details such as Occurred On, Score, Certainty, Severity, Case ID, Entry Origin, Entry Type, Trigger, Src, and Dest are listed in the table.
- Click the column headers in the table to sort the entries in ascending or descending order.
- To group the entries, drag and drop the column entries to a designated space.
- To add or remove column headers, click the Show Columns icon.
- To export the case details, click the Export icon.
- To show or hide column grouping space, click the Show/Hide Column Group icon.
- To show or hide column filters, click the Show/Hide Column Filters icon.
- To filter the list of available cases, use the Anomaly and Score sliders. The Anomaly slider filters cases by severity; the Score slider filters them by score.
- To open a particular case without a detailed summary, set the Dialog Box/Side Panel toggle button to Off.
- To get a detailed summary of a case, set the Dialog Box/Side Panel toggle button to On.
More Details Window
- To get a more detailed summary, click the three-dot menu option available at the bottom of the Summary panel.
The More Details... page appears, displaying details such as summary, recommendation, details, source, and destination.
The Entry Origin table maps the rule to the time period in which the case was created.
Below the Entry Origin table, the Highlighted Events and All Events tabs are available.
- Click the Bookmark icon to bookmark the selected case.
- Click the Investigate icon at the top-right of the page to further investigate a particular case.
- To select one of the following actions, click the three-dot menu icon:
- Email Alert
- Run Firewall SmartResponse
- Close Incident
- Open Case
- Mark for Investigation
- To further filter the cases, use the Anomaly and Threat Severity sliders available in the Highlighted Events tab.
The highlighted users chart, displayed below the sliders, maps the case events and event types to their respective dates.
The highlighted users table lists information such as Occurred On, Info, Activity, Category, and Attribute.
- Click the column headers in the table to sort the entries in ascending or descending order.
- To export the table details, click the Export icon.
- To filter the entries, click the Show/Hide Column Filters icon and select your filter parameters.
The Info column of the table provides an Alert Event drop-down option.
- Click the Alert Event drop-down for a particular case and choose one of the following:
- Whitelist - To whitelist an entry.
- Payload - To view payload as Text and Hex.
- Make Main Event - To make the entry a main event.
- Auto Main Event - To revert to the original main event.
- Rapid 7
- Click the corresponding links in the table for further information on each item.
- To view the event details, click anywhere on the row.
The event page has three tabs: Details, Raw Data (JSON), and Related Logs.
- To view the source and destination IP addresses, click the Details tab.
- To view the raw data in JSON format, click the Raw Data (JSON) tab.
- To see all the related logs, click the Related Logs tab.
The Activity timeline for this particular case is displayed at the end of the More Details window.