Creating a Case Manually

A Case can be manually created from Incidents or Events. The following steps need to be performed.

Step 1 - Configure an Email Server for Notifications

FortiSIEM will notify Case Owners, Managers and Team Leads as a Case progresses through various stages and changes are made to the Case. For this reason, an email server must be set up first. If you have done this step for Incident notification or other purposes, then you can skip this step. The steps are:

  1. Go to Admin > Settings > System > Email.
  2. Under Email Settings, enter your Email server account information.
  3. Click Test Email, and if it succeeds, click Save.

Detailed email server configuration steps are here.

Two points to be noted:

  1. Case Management Policy controls email recipients and notification triggers. See Step 3 - Create a Case Management Policy for details.
  2. The content of the email is fixed and cannot be customized.

Step 2 - Create one or more FortiSIEM Analyst Teams

FortiSIEM users assigned to a Case need some special attributes for proper enforcement of Case Management policies. For this reason, two special groups are created under CMDB > Users.

  1. FortiSIEM Users: This includes all users that have login access to FortiSIEM. These users can be populated in one of the following ways:
    1. Manually define a user under CMDB > Users > FortiSIEM Users.
    2. Discover users via LDAP and then assign them a FortiSIEM Role.
  2. FortiSIEM Analysts: This includes the subset of FortiSIEM Users that can be assigned to work on a Case.

FortiSIEM Analysts need to be organized into Teams. The organization of Teams can be arbitrary, but important use cases are:

  1. Based on Geography and Time zones - e.g. US Team, Europe Team and APAC Team that have minimally overlapping work hours.
  2. Based on skill set – e.g. Windows Team, Firewall Team, Cloud Team, etc.
  3. Based on Case Severities – e.g. Critical Team, Medium Severity Team, Low Severity Team, etc.

You can configure FortiSIEM to try multiple Teams when looking for an Assignee during Case Assignment. This is specified in the Automation Policy. See Step 4 - Create Automation Policy in Creating a Case Automatically.

Each Team needs:

  • A Team Lead who can perform various roles such as (a) manual Case Assignment and (b) handling Case escalations that have violated Service Level Agreements (SLAs).
  • A Team Queue to hold Cases that cannot be assigned to anyone. These Cases have to be manually assigned to Analysts.

Each Team Member needs:

  • Work schedule: This information is used to automatically assign Tickets to users who are working when the Case is created.
  • Time off schedule: This information is used to exclude users who are on time off from automatic assignment when the Case is created.
  • A Manager for Case escalations and notifications.
  • Email for notifications.
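The following Python model, added here as an illustration and not FortiSIEM's own code, shows how the Team attributes listed above (work schedule, time-off schedule, Team Lead, Team Queue) and the ordered list of Teams interact when a Case is created. The selection rule it implements (first available Analyst in the first Team that has one, otherwise park the Case in the first Team's queue) and the sample Teams, analysts and times are assumptions made for the example; only the default Monday-Friday 8AM to 5PM local schedule comes from the page.

```python
"""Illustrative model of Case assignment from Team attributes (added example, not FortiSIEM code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


@dataclass
class WorkSchedule:
    weekdays: frozenset          # 0 = Monday ... 6 = Sunday
    start_hour: int              # inclusive, local time
    end_hour: int                # exclusive, local time
    tz: timezone                 # the analyst's local time zone

    def is_working(self, when: datetime) -> bool:
        local = when.astimezone(self.tz)
        return local.weekday() in self.weekdays and self.start_hour <= local.hour < self.end_hour


@dataclass
class Analyst:
    name: str
    email: str                   # used for notifications
    manager: str                 # used for escalations
    schedule: WorkSchedule
    time_off: List[Tuple[datetime, datetime]] = field(default_factory=list)  # [start, end) in UTC
    team_lead: bool = False

    def available(self, when: datetime) -> bool:
        """Working per schedule and not inside any time-off window."""
        if not self.schedule.is_working(when):
            return False
        return not any(start <= when < end for start, end in self.time_off)


@dataclass
class Team:
    name: str
    members: List[Analyst]
    queue: List[str] = field(default_factory=list)   # Case IDs awaiting manual assignment

    def lead(self) -> Optional[Analyst]:
        return next((m for m in self.members if m.team_lead), None)


def assign_case(case_id: str, created_at: datetime, teams: List[Team]) -> Tuple[str, Optional[str]]:
    """Try Teams in the configured order; return (team, analyst) or (team, None) if queued.

    Assumption for this example: when no Analyst is available in any Team the Case
    goes to the first Team's queue, where that Team Lead assigns it manually.
    """
    for team in teams:
        for member in team.members:
            if member.available(created_at):
                return team.name, member.name
    teams[0].queue.append(case_id)
    return teams[0].name, None


# Constructed sample data: a US Team (UTC-8) and a Europe Team (UTC+1).
US_TZ = timezone(timedelta(hours=-8))
EU_TZ = timezone(timedelta(hours=1))
DEFAULT_HOURS = (frozenset(range(5)), 8, 17)   # Mon-Fri 8AM-5PM local, the page's default


def build_teams() -> List[Team]:
    alice = Analyst("alice", "alice@example.invalid", "dana", WorkSchedule(*DEFAULT_HOURS, US_TZ),
                    time_off=[(datetime(2024, 3, 6, tzinfo=timezone.utc), datetime(2024, 3, 9, tzinfo=timezone.utc))],
                    team_lead=True)
    bob = Analyst("bob", "bob@example.invalid", "dana", WorkSchedule(*DEFAULT_HOURS, US_TZ))
    carol = Analyst("carol", "carol@example.invalid", "erik", WorkSchedule(*DEFAULT_HOURS, EU_TZ), team_lead=True)
    return [Team("US", [alice, bob]), Team("Europe", [carol])]


def demo() -> dict:
    teams = build_teams()
    utc = timezone.utc
    results = {
        # Tuesday 09:30 UTC: US analysts are off hours (01:30 local), Europe is working
        "A": assign_case("CASE-A", datetime(2024, 3, 5, 9, 30, tzinfo=utc), teams),
        # Tuesday 18:00 UTC: 10:00 in the US, first US member wins
        "B": assign_case("CASE-B", datetime(2024, 3, 5, 18, 0, tzinfo=utc), teams),
        # Wednesday 18:00 UTC: alice is on time off, so bob gets it
        "C": assign_case("CASE-C", datetime(2024, 3, 6, 18, 0, tzinfo=utc), teams),
        # Sunday 12:00 UTC: nobody is scheduled, Case lands in the US Team Queue
        "D": assign_case("CASE-D", datetime(2024, 3, 10, 12, 0, tzinfo=utc), teams),
    }
    results["us_queue"] = list(teams[0].queue)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running the block prints the four assignments; the last Case ends up in the US Team's queue, which is the situation the Team Lead resolves by manual assignment.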

Follow these steps to create a FortiSIEM Analyst Team.

  1. Go to CMDB.
  2. From the left pane, click Users, and select FortiSIEM Analysts.
  3. Click + from the left pane.
  4. From the Create New User Group dialog box:
    1. In the Group field, enter the Team Name.
    2. In the Description field, enter a Description for the Team, such as its geographical region, time zone, or skill focus.
    3. Under Folders, click Users to expand, and select the Team users from the FortiSIEM Users >  folder and move them to Items in Group to place them in the group.
  5. Click Save.
  6. To make a user a Team Lead:
    1. Select the user and click Edit.
    2. Under the General tab, select the Team Lead checkbox.
    3. Click Save.
  7. To specify Work and Time off schedules:
    1. Select the user and click Edit.
    2. To change the Work schedule: Under FortiSIEM Attributes, click the icon next to Work Schedule. By default, a Monday-Friday 8AM to 5PM local time schedule is chosen. To change this, use the GUI to create a new schedule after clicking the icon. When done, click Save.
    3. The Time Off schedule is similar to the Work schedule and can be defined under FortiSIEM Attributes by clicking the icon next to Time Off Schedule. When done, click Save.
    4. Click Save.

See detailed Team Creation Steps in Working with User Groups and detailed User Creation steps in Adding Users.

Step 3 - Create a Case Management Policy

Case Management Policy Templates dictate how a Case is assigned to an Analyst and how the Case progresses from New state to Closed state. A Case Management Policy Template can be created under Admin > Settings > General > Case Management. This involves specifying the following:

  1. SLA (Violation) & Escalation
    • Setting Case Due Date.
    • Whom to notify when Remaining Time is close to Due Date, or Due Date is violated.
    • Whom to notify when there is no Case Update within a defined period.
  2. (Case Change) Notifications: The users that will receive notification when a Case Attribute changes (e.g. if Case Severity, Status are manually modified).
  3. (Case Change) Permission: This specifies the Analysts that are permitted to change Case Status and edit Case Notes.
    • Case Status Change: Possibilities for Change Status are Anyone, Anyone within Team, Current Assignee, and/or Team Lead.
    • Case Notes Edit: Possibilities for Edit Note are Current Assignee and/or Team Lead.
  4. (Case) Auto Close: This specifies whether to close a Case immediately if all Incidents in the Case are cleared, or keep the Case open for a specific duration before closing. Keeping the Case open enables newer Incidents with matching host name or IP addresses to be included in the Case.

To create a Case Management Policy:

  1. Go to Admin > Settings > General > Case Management.
  2. Go to Case Management Policy tab and click New.
  3. Go through the SLA & Escalation, Permissions, Notifications and Auto Close sections and choose the settings for your Case environment, based on the information above. The Auto-assignment section applies to automatic Case creation; see Creating a Case Automatically for more information.
  4. Click Save.

Details for creating Case Management Policies can be found in Adding/Editing a Case Management Policy.

Step 4 - Create a Case

Create a Case from an Incident

To manually create a new Case from an Incident:

  1. Go to Incidents > List View.
  2. From the Columns drop-down list, select Case ID if it is not a display column. Now Case ID shows as an Incidents display column.
  3. Select an Incident. If no Case ID appears, then a new Case can be created for this Incident.
  4. Make sure the Incident is selected and from the Actions drop-down list, select Create Case.
  5. From the General tab:
    1. In the Summary field, enter a Case Summary.
    2. Next to Assignee, click Select and select the user who is going to work on the Case.
    3. Click Due Date and set the due date (if you want to override the settings from Case Management Policy).
    4. (Optional) Click Case Management Policy and select a Case Management Policy; the Due Date is then set from that policy.
      Note: If no Case Management Policy is selected, the Assignee will only receive an email notification for the assignment. Afterward, regardless of any case changes, the Assignee will not receive any email notification.
    5. From the Severity drop-down list, choose the severity of the Case.
  6. If you want to add other related Incidents to the Case, then from Incidents tab, select other related Incidents from the provided list. The list is created automatically by including Incidents with the same IP address or host name in Incident Source and Incident Target fields. Only past Incidents are included here. Future Incidents with the same IP address or host name will not be included since the Case is created manually.
  7. Click Save. In the dialog box, choose Jump to Cases if you want to go to the specific Case just created, or click Close if you want to stay on the current page.

Add an Incident to an Existing Case

To manually add an Incident to an Existing Case:

  1. Go to Incidents > List View.
  2. From the Columns drop-down list, select Case ID if it is not a display column. Now Case ID shows as an Incidents display column.
  3. Select an Incident. If no Case ID appears, then the Incident can be added to an existing Case.
  4. Make sure the Incident is selected and from the Actions drop-down list, select Add to Case....
  5. Select the Case from the list provided.
  6. Click OK. In the dialog box, choose Jump to Cases if you want to go to the specific Case you added the incident to, or click Close if you want to stay on the current page.

Note that if you create a Case automatically using Automation Policy, then related Incidents (same IP address or host name in Incident Source and Incident Target fields) will be automatically added to the Case.
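The matching rule described above (same IP address or host name in the Incident Source and Incident Target fields; only past Incidents for a manually created Case, newer Incidents as well while an automatically created Case is kept open under Auto Close) is shown below in a small Python model. This is an added example, not FortiSIEM code: the `Incident` fields, the case-insensitive host name comparison and the sample Incidents are assumptions constructed for the illustration.

```python
"""Illustrative related-Incident matching and Auto Close timing (added example, not FortiSIEM code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set


@dataclass(frozen=True)
class Incident:
    incident_id: int
    first_seen: datetime
    source_ip: Optional[str] = None
    source_host: Optional[str] = None
    target_ip: Optional[str] = None
    target_host: Optional[str] = None
    cleared_at: Optional[datetime] = None   # None means the Incident is still active


def endpoint_keys(inc: Incident) -> Set[str]:
    """All IP addresses and host names from the Source and Target fields.

    Assumption: host names are compared case-insensitively.
    """
    return {v.lower() for v in (inc.source_ip, inc.source_host, inc.target_ip, inc.target_host) if v}


def related_incidents(seed: Incident, candidates: List[Incident], include_newer: bool = False) -> List[Incident]:
    """Incidents sharing any Source/Target IP or host name with the seed.

    include_newer=False mirrors manual Case creation (only past Incidents are offered);
    include_newer=True mirrors a Case kept open under Auto Close, where newer matches join it.
    """
    keys = endpoint_keys(seed)
    matches = []
    for inc in candidates:
        if inc.incident_id == seed.incident_id:
            continue
        if not include_newer and inc.first_seen > seed.first_seen:
            continue
        if keys & endpoint_keys(inc):
            matches.append(inc)
    return sorted(matches, key=lambda i: i.first_seen)


def auto_close_time(case_incidents: List[Incident], keep_open: timedelta) -> Optional[datetime]:
    """When the Case would auto-close: last clear time plus the keep-open duration.

    Returns None while any Incident in the Case is still active. A zero keep_open
    corresponds to closing immediately once all Incidents are cleared.
    """
    if any(i.cleared_at is None for i in case_incidents):
        return None
    return max(i.cleared_at for i in case_incidents) + keep_open


# Constructed sample Incidents around a seed at T0.
T0 = datetime(2024, 3, 5, 9, 0)
SAMPLE = [
    Incident(90, T0 - timedelta(hours=3), source_ip="10.1.2.3", target_host="db01", cleared_at=T0 - timedelta(hours=1)),
    Incident(95, T0 - timedelta(hours=2), source_ip="192.0.2.7", target_host="mail01", cleared_at=T0),
    Incident(100, T0, source_ip="10.1.2.3", target_host="web01"),                       # the seed, still active
    Incident(110, T0 + timedelta(hours=1), source_host="WEB01", target_ip="198.51.100.9"),  # newer, shares web01
]
SEED = SAMPLE[2]


def demo() -> dict:
    return {
        "manual": [i.incident_id for i in related_incidents(SEED, SAMPLE)],
        "kept_open": [i.incident_id for i in related_incidents(SEED, SAMPLE, include_newer=True)],
        "close_with_active": auto_close_time([SAMPLE[0], SEED], timedelta(hours=2)),
        "close_all_cleared": auto_close_time([SAMPLE[0], SAMPLE[1]], timedelta(hours=2)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Incident 95 shares nothing with the seed and is never offered; Incident 110 is newer than the seed, so it only joins when the Case is kept open for newer matches, and the Case has no close time while the seed is still active.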

Sometimes, an Incident may not have triggered and you may want to create a new Case from an event.

Create a Case from an Event

To manually create a new Case from an Event:

  1. Go to Analytics.
  2. Run a Report to capture the event raw message.
  3. Hover over an event under the Raw Event Log column, click the icon, and select Create Case.
    1. In the Summary field, enter a Case Summary.
    2. Next to Assignee, click Select and select the user who is going to work on the Case.
    3. Click Due Date and set the due date (if you want to override the settings from Case Management Policy).
    4. (Optional) Click Case Management Policy and select a Case Management Policy; the Due Date is then set from that policy.
      Note: If no Case Management Policy is selected, the Assignee will only receive an email notification for the assignment. Afterward, regardless of any case changes, the Assignee will not receive any email notification.
    5. From the Severity drop-down list, choose the severity of the Case.
    6. Click Save. In the dialog box, choose Jump to Cases if you want to go to the specific Case just created, or click Close if you want to stay on this page.

Add an Event to an Existing Case

To add an Event to an Existing Case:

  1. Go to Analytics.
  2. Run a Report to capture the event raw message.
  3. Hover over an event under the Raw Event Log column, click the icon, and select Add to Case....
    1. Select the Case from the list provided.
    2. Click OK. In the dialog box, choose Jump to Cases if you want to go to the specific Case you added the event to, or click Close if you want to stay on the current page.