Skip to main content

New Case

Triggers a workflow on every new case.

info

Automations based on this trigger will search for new events every 5 minutes.

Sample Event

{
    "alertCreationTimestamp": "2024-04-17T11:45:54.421",
    "alertId": "c867bae5-3c21-4c98-a142-953c01dce1df",
    "approxLogTime": "2024-04-17T11:41:47.564",
    "assignee": "si-user-1@exabeam.com",
    "assigneeId": "64f9e3ef1793b179824a8961",
    "creationTimestamp": "2024-04-17T11:48:47.559",
    "caseId": "e77e5002-bd35-4e7b-a532-cd76341ef6f3",
    "creationBy": "system",
    "stage": "CLOSED",
    "closedReason": "Closed via automation",
    "alertDescriptionRt": "Suspicious activity detected on host",
    "hasAttachments": false,
    "isDeleted": false,
    "lastModifiedBy": "si-user-1@exabeam.com",
    "lastModifiedTimestamp": "2024-04-17T11:55:19.127",
    "mitres": [
        {
            "tacticKey": "TA0004",
            "tactic": "Privilege Escalation",
            "techniqueKey": "T1078",
            "technique": "Valid Accounts"
        },
        {
            "tacticKey": "TA0011",
            "tactic": "Command and Control",
            "techniqueKey": "T1090",
            "technique": "Proxy"
        },
        {
            "tacticKey": "TA0005",
            "tactic": "Defense Evasion",
            "techniqueKey": "T1078",
            "technique": "Valid Accounts"
        },
        {
            "tacticKey": "TA0011",
            "tactic": "Command and Control",
            "techniqueKey": "T1071",
            "technique": "Application Layer Protocol"
        },
        {
            "tacticKey": "TA0001",
            "tactic": "Initial Access",
            "techniqueKey": "T1078",
            "technique": "Valid Accounts"
        },
        {
            "tacticKey": "TA0003",
            "tactic": "Persistence",
            "techniqueKey": "T1078",
            "technique": "Valid Accounts"
        }
    ],
    "alertName": "Multiple Anomalies",
    "priority": "HIGH",
    "riskScore": 71,
    "queue": "Tier 1 Analyst",
    "status": "READ",
    "tags": [],
    "useCases": [
        "Compromised Credentials",
        "Evasion",
        "Malware",
        "Abnormal Authentication & Access"
    ],
    "products": [
        "NG Analytics"
    ],
    "vendors": [
        "Exabeam"
    ],
    "srcHosts": [],
    "srcIps": [
        "10.0.83.177"
    ],
    "destHosts": [],
    "destIps": [
        "102.130.113.9"
    ],
    "users": [
        "GeorgeMartin"
    ],
    "groupedbyKey": "User",
    "groupedbyValue": "georgemartin",
    "ingestTimestamp": "2024-04-17T11:47:54.143",
    "srcEndpoints": [
        {
            "ip": "10.0.83.177",
            "host": "host164"
        }
    ],
    "destEndpoints": [
        {
            "ip": "102.130.113.9",
            "host": "host256"
        }
    ]
}