Creating a Case Automatically

FortiSIEM can automatically create a Case when an Incident triggers. The advantages of automatic case creation are

  • Case is automatically assigned using the Automation Policy.
  • Related Incidents (specifically, Incidents with the same IP address or host name in the Incident Source and Incident Target fields) are automatically added to the Case.

The following steps need to be performed to set up automatic Case creation.

Step 1 - Configure an Email Server for Notifications

FortiSIEM notifies Case Owners, Managers and Team Leads as a Case progresses through its stages and as changes are made to it. For this reason, an email server must be set up first. If you have already done this for Incident notification or other purposes, you can skip this step. The steps are:

  1. Go to Admin > Settings > System > Email.
  2. Under Email Settings, enter your Email server account information.
  3. Click Test Email, and if it succeeds, click Save.

Detailed email server configuration steps are here.

Two points to be noted:

  1. Case Management Policy controls email recipients and notification triggers. See Step 3 - Create a Case Management Policy for details.
  2. The content of the email is fixed and cannot be customized.

Step 2 - Create one or more FortiSIEM Analyst Teams

FortiSIEM users assigned to a Case need some special attributes so that Case Management policies can be enforced properly. For this reason, two special groups exist under CMDB > Users.

  1. FortiSIEM Users: This includes all users that have login access to FortiSIEM. These users can be populated in one of the following ways:
    1. Manually define a user under CMDB > Users > FortiSIEM Users.
    2. Discover users via LDAP and then assign them a FortiSIEM Role.
  2. FortiSIEM Analysts: This includes the subset of FortiSIEM Users that can be assigned to work on a Case.

FortiSIEM Analysts need to be organized into Teams. The organization of Teams can be arbitrary, but important use cases are:

  1. Based on Geography and Time zones - e.g. US Team, Europe Team and APAC Team, which have minimally overlapping work hours.
  2. Based on skill set – e.g. Windows Team, Firewall Team, Cloud Team, etc.
  3. Based on Case Severities – e.g. Critical Team, Medium Severity Team, Low Severity Team, etc.

You can configure FortiSIEM to try multiple Teams when looking for an Assignee during Case Assignment. This is specified in the Automation Policy. See Step 4 - Create Automation Policy for details.

Each Team needs:

  • A Team Lead that can perform various roles, such as (a) Manual Case Assignment and (b) handling Case escalations that have violated Service Level Agreements (SLAs).
  • A Team Queue to hold Cases that cannot be assigned to anyone. These Cases have to be manually assigned to Analysts.

Each Team Member needs:

  • Work schedule: This information is used to automatically assign Cases to users who are working when the Case is created.
  • Time off schedule: This information is used together with the Work schedule so that Cases are automatically assigned only to users who are actually working (and not on time off) when the Case is created.
  • A Manager for Case escalations and notifications.
  • Email for notifications.

Follow these steps to create a FortiSIEM Analyst Team.

  1. Go to CMDB.
  2. From the left pane, click Users, and select FortiSIEM Analysts.
  3. Click + from the left pane.
  4. From the Create New User Group dialog box:
    1. In the Group field, enter the Team Name.
    2. In the Description field, enter a Description for the Team, such as brief geographical, time zone, or team intent focus.
    3. Under Folders, click Users to expand, and select the Team users from the FortiSIEM Users > folder and move them to Items in Group to place them in the group.
  5. Click Save.
  6. To make a user a Team Lead:
    1. Select the user and click Edit.
    2. Under the General tab, select the Team Lead checkbox.
    3. Click Save.
  7. To specify Work and Time off schedules:
    1. Select the user and click Edit.
    2. To change the Work schedule: Under FortiSIEM Attributes, click the icon next to Work Schedule. By default, a Monday to Friday, 8 AM to 5 PM local time schedule is chosen. To change this, click the icon and use the GUI to create a new schedule. When done, click Save.
    3. The Time Off schedule is defined the same way as the Work schedule: under FortiSIEM Attributes, click the icon next to Time Off Schedule. When done, click Save.
    4. Click Save.

See detailed Team Creation Steps in Working with User Groups and detailed User Creation steps in Adding Users.

Step 3 - Create a Case Management Policy

Case Management Policy Templates can be created under Admin > Settings > General > Case Management. This involves specifying the following:

  1. SLA (Violation) & Escalation
    • Setting Case Due Date.
    • Whom to notify when Remaining Time is close to Due Date, or Due Date is violated.
    • Whom to notify when there is no Case Update within a defined period.
  2. Automatic Case Assignment: Auto-assignment specifies the rules for finding a Case Assignee. In general, the Automation Policy may specify more than one Team, in a specific order.
    • Finding an Assignee within a Team – 3 options are provided:
      • Always Assign to Team Lead, if available.
      • Assign Randomly within Available Team members.
      • Assign to Available Team member with least number of Cases.
    • No Assignee found within Team – FortiSIEM may fail to find an available Team member within the first Team. When this occurs, the following logic is applied:
      • For Important (by default, Critical and High Severity) Cases, look for an Assignee within the next Team. If an Assignee still cannot be found, 4 choices are provided:
        • Assign to First Team Lead
        • Leave in First Team Queue
        • Assign to Last Team Lead
        • Leave in Last Team Queue
      • For less important (by default, Medium and Low Severity) Cases, 2 choices are provided:
        • Leave in First Team Queue
        • Leave in Last Team Queue
      • You can configure which Severities count as Important by selecting them (Critical, High, Medium, Low) from the drop-down list.
  3. (Case Change) Notifications: Select the users that will receive notification when a Case Attribute changes (e.g. if Case Severity, Status are manually modified).
  4. (Case Change) Permissions: Specify the Analysts that are permitted to change Case Status and edit Case Notes.
    • Case Status Change: Possibilities for Change Status are Anyone, Anyone within Team, Current Assignee and/or Team Lead.
    • Case Notes Edit: Possibilities for Edit Note are Current Assignee and/or Team Lead.
  5. (Case) Auto Close: Auto Close specifies whether to close a Case immediately once all Incidents in the Case are cleared, or to keep the Case open for a specific duration before closing. Keeping the Case open enables newer Incidents with a matching host name or IP address to be included in the Case.
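As an added example that is not FortiSIEM code, the following constructed Python model walks through the assignment logic described above: the three in-Team options, the Important versus less important fallback across the ordered Teams, and the Team Queue for Cases nobody can take. It assumes that each Analyst's availability is the already-computed result of the Work and Time Off schedules, and the treatment of an off-shift Team Lead is an assumption, not documented behaviour.

```python
import random
from dataclasses import dataclass, field

@dataclass
class Analyst:
    name: str
    team_lead: bool = False
    working_now: bool = True   # outcome of the Work / Time Off schedule check (assumed pre-computed)
    open_cases: int = 0

@dataclass
class Team:
    name: str
    members: list
    queue: list = field(default_factory=list)   # Team Queue: Cases that need manual assignment
    def lead(self):
        return next((m for m in self.members if m.team_lead), None)

def find_in_team(team, strategy, rng=random):
    """Apply one of the three in-Team options; None means no Assignee found."""
    available = [m for m in team.members if m.working_now]
    if not available:
        return None
    if strategy == "team_lead":       # Always Assign to Team Lead, if available
        lead = team.lead()            # assumption: an off-shift lead counts as "not found"
        return lead if lead in available else None
    if strategy == "random":          # Assign Randomly within Available Team members
        return rng.choice(available)
    if strategy == "least_cases":     # Assign to Available Team member with least Cases
        return min(available, key=lambda m: m.open_cases)
    raise ValueError(f"unknown strategy {strategy}")

def assign_case(case_id, severity, teams, strategy, fallback,
                important=("Critical", "High")):
    """Walk the ordered Teams; return 'Team:analyst' or 'Team:queue'."""
    # Only Important Cases move on to the next Team; the rest stay with the first Team
    for team in (teams if severity in important else teams[:1]):
        analyst = find_in_team(team, strategy)
        if analyst is not None:
            analyst.open_cases += 1
            return f"{team.name}:{analyst.name}"
    if severity not in important and fallback.endswith("team_lead"):
        raise ValueError("Team Lead fallback is only offered for Important Cases")
    target = teams[0] if fallback.startswith("first") else teams[-1]
    if fallback.endswith("team_lead") and target.lead() is not None:
        target.lead().open_cases += 1   # assumption: the lead gets the Case even when off-shift
        return f"{target.name}:{target.lead().name}"
    target.queue.append(case_id)       # Leave in Team Queue for manual assignment
    return f"{target.name}:queue"
```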

To create a Case Management Policy:

  1. Go to Admin > Settings > General > Case Management.
  2. Go to Case Management Policy tab and click New.
  3. Go through the SLA & Escalation, Permissions, Notifications and Auto Close sections and choose the settings for your case environment, based on the information above.
  4. Click Save.

Details for creating Case Management Policies can be found in Adding/Editing a Case Management Policy.

Step 4 - Create Automation Policy

Automation policy provides fine-grained control over the set of Incidents for which Cases will be created.

The following Incident attributes can be chosen to determine if a Case needs to be created:

  • Incident Severity
  • Specific Rules or Rule Groups
  • Time Range
  • Affected Items in Incident Source and Target
  • Affected Orgs (Service Provider Case)

For FortiSIEM to automatically find an Assignee and then manage the Case, you need to specify:

  1. A Case Management Policy
  2. An ordered list of FortiSIEM Analyst Teams to work on the Case. FortiSIEM will try to find users within the Teams in the specified order.

You can create multiple policies and arrange them using Policy Rank. Lower Ranks appear first in the list and are evaluated first. The first matching Policy is chosen to create and manage the Case for that Incident.
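As an added example (constructed here, not FortiSIEM code), this Python model shows the Rank-ordered, first-match evaluation just described, with the GUI's ANY default for unset attributes. It checks Severity, Rule and Affected Items (as IP ranges against the Incident Source and Target); Time Range and Affected Orgs are left out, and the field names are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

ANY = None   # an attribute left unset matches everything, like the GUI default of ANY

@dataclass
class AutomationPolicy:
    name: str
    rank: int                      # lower Rank is evaluated first
    enabled: bool = True
    severities: set = ANY          # e.g. {"Critical", "High"}
    rules: set = ANY               # Rule names; ANY means all Rules
    affected_nets: list = ANY      # CIDR strings for Affected Items; ANY means all
    case_policy: str = "default"   # Case Management Policy applied to the Case
    teams: list = field(default_factory=list)   # ordered FIRST / THEN Analyst Teams

def matches(policy, incident):
    """Incident attributes checked: Severity, Rule, Source/Target IP (Time Range omitted)."""
    if policy.severities is not ANY and incident["severity"] not in policy.severities:
        return False
    if policy.rules is not ANY and incident["rule"] not in policy.rules:
        return False
    if policy.affected_nets is not ANY:
        hosts = [ipaddress.ip_address(incident[k]) for k in ("source", "target")]
        nets = [ipaddress.ip_network(n) for n in policy.affected_nets]
        if not any(h in n for h in hosts for n in nets):
            return False
    return True

def select_policy(policies, incident):
    """Evaluate enabled policies by Rank; the first match creates and manages the Case."""
    for policy in sorted(policies, key=lambda p: p.rank):
        if policy.enabled and matches(policy, incident):
            return policy
    return None   # no Automation Policy matched, so no Case is created
```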

To create an Automation Policy:

  1. Go to Admin > Settings > General > Automation Policy.
  2. Click New.
  3. Enter the following Incident attributes:
    1. In the Name field, enter the name of the policy.
    2. From the Severity checkboxes, select the Incident Severities.
    3. From Rules, click the icon, then use the arrow buttons to select the Rule Groups or individual Rules. When done, click Save. If you do not choose anything, the default choice is ANY (meaning ALL Rules).
    4. From Time Range, click the icon, select Define Time Range, then use the GUI to configure your time range. When done, click Save. If you do not choose anything, the default choice is ANY (meaning ALL Time Ranges).
    5. From Affected Items, click the icon to specify devices and/or IP ranges. Click Select Device to choose specific devices using the GUI. Click Add IP/Range to configure an IP address or IP range. When done, click Save. If you do not choose anything, the default choice is ANY (meaning ALL Affected Items).
    6. From Affected Orgs, click the icon and use the GUI to select the Affected Organizations for your Service Provider deployment. When done, click Save. If you do not choose anything, the default choice is ANY (meaning ALL Organizations).
    7. For Action: select the Create Case when an incident is created checkbox and click the icon. Then:
      1. From the Case Management Policy drop-down list, select a Case Management Policy.
      2. From the Teams FIRST drop-down list, select the FortiSIEM Analyst Team that will first handle the case. Then select + and choose the next FortiSIEM Analyst Team from the THEN drop-down list that will handle the Case if no one from the first Team is found. Click + and select another FortiSIEM Analyst Team as needed.
      3. Click Save when finished with selecting Teams.
    8. Click Save.
  4. You can change the order of evaluation by selecting a Policy and clicking the Up or Down buttons.
  5. Click a policy's Enabled checkbox to enable that policy and its rules.

Detailed steps for creating an Automation Policy can be found here.