New Case
Triggers a workflow on every new case.
info
Automations based on this trigger poll for new events every 5 minutes, so a workflow may start up to 5 minutes after the case is created.
Sample Event
{
"alertCreationTimestamp": "2024-04-17T11:45:54.421",
"alertId": "c867bae5-3c21-4c98-a142-953c01dce1df",
"approxLogTime": "2024-04-17T11:41:47.564",
"assignee": "si-user-1@exabeam.com",
"assigneeId": "64f9e3ef1793b179824a8961",
"creationTimestamp": "2024-04-17T11:48:47.559",
"caseId": "e77e5002-bd35-4e7b-a532-cd76341ef6f3",
"creationBy": "system",
"stage": "CLOSED",
"closedReason": "Closed via automation",
"alertDescriptionRt": "Suspicious activity detected on host",
"hasAttachments": false,
"isDeleted": false,
"lastModifiedBy": "si-user-1@exabeam.com",
"lastModifiedTimestamp": "2024-04-17T11:55:19.127",
"mitres": [
{
"tacticKey": "TA0004",
"tactic": "Privilege Escalation",
"techniqueKey": "T1078",
"technique": "Valid Accounts"
},
{
"tacticKey": "TA0011",
"tactic": "Command and Control",
"techniqueKey": "T1090",
"technique": "Proxy"
},
{
"tacticKey": "TA0005",
"tactic": "Defense Evasion",
"techniqueKey": "T1078",
"technique": "Valid Accounts"
},
{
"tacticKey": "TA0011",
"tactic": "Command and Control",
"techniqueKey": "T1071",
"technique": "Application Layer Protocol"
},
{
"tacticKey": "TA0001",
"tactic": "Initial Access",
"techniqueKey": "T1078",
"technique": "Valid Accounts"
},
{
"tacticKey": "TA0003",
"tactic": "Persistence",
"techniqueKey": "T1078",
"technique": "Valid Accounts"
}
],
"alertName": "Multiple Anomalies",
"priority": "HIGH",
"riskScore": 71,
"queue": "Tier 1 Analyst",
"status": "READ",
"tags": [],
"useCases": [
"Compromised Credentials",
"Evasion",
"Malware",
"Abnormal Authentication & Access"
],
"products": [
"NG Analytics"
],
"vendors": [
"Exabeam"
],
"srcHosts": [],
"srcIps": [
"10.0.83.177"
],
"destHosts": [],
"destIps": [
"102.130.113.9"
],
"users": [
"GeorgeMartin"
],
"groupedbyKey": "User",
"groupedbyValue": "georgemartin",
"ingestTimestamp": "2024-04-17T11:47:54.143",
"srcEndpoints": [
{
"ip": "10.0.83.177",
"host": "host164"
}
],
"destEndpoints": [
{
"ip": "102.130.113.9",
"host": "host256"
}
]
}