5.4. Automated Case Creation

Baselining > THOR Events

With Auto Baselining, the Cockpit automatically generates cases for groups of similar logs, i.e. logs that share the same auto_case_id.

After clicking the button Automatically generate Cases in the Auto Baselining tab, you will be prompted for a threshold. The threshold is the minimum number of events a group must contain for a case to be created. In the example below the Cockpit will generate cases for all groups of at least 100 similar events, which may be too many or too few, depending on your environment. You should have a good understanding of how many events your usual case contains before using the Auto Baselining feature.

Automatically create cases

After pressing the Start button, the Cockpit starts calculating and creates the cases. Depending on the number of events in your Analysis Cockpit, this may take a while.

Auto Cases Status

It is safe to leave this page once the status is Running; the job continues in the background. To check whether Auto Baselining is still running, open the dialog again.

Important

The Analysis Cockpit generates auto_case_ids only for Alerts and Warnings. Do not use the Auto Baselining feature for Notice and Info level events; they carry no auto_case_id and will not be grouped.
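The grouping that Auto Baselining performs, and the effect of the threshold chosen in the dialog above, can be reproduced offline to decide on a sensible threshold before running the feature. The following Python is an added example, not code from the Analysis Cockpit or Nextron Systems: it groups events by auto_case_id, keeps only Alerts and Warnings (the levels that actually carry an auto_case_id, as noted above), reports how many groups of each size exist, and then lists which cases a given threshold would produce. The record shape (field names level, hostname, MODULE, MESSAGE, auto_case_id) and the sample events are constructed for this example and are not the Cockpit's export format.

```python
from collections import Counter, defaultdict

# Constructed sample events in a THOR-like shape (field names assumed for this
# example; not the Analysis Cockpit's export format). Only Alerts and Warnings
# carry an auto_case_id; Notice and Info events have none.
SAMPLE_EVENTS = [
    {"level": "Alert",   "hostname": "ws01",  "MODULE": "Filescan",  "MESSAGE": "Malware file found",      "auto_case_id": "a1"},
    {"level": "Alert",   "hostname": "ws02",  "MODULE": "Filescan",  "MESSAGE": "Malware file found",      "auto_case_id": "a1"},
    {"level": "Alert",   "hostname": "srv01", "MODULE": "Filescan",  "MESSAGE": "Malware file found",      "auto_case_id": "a1"},
    {"level": "Warning", "hostname": "ws01",  "MODULE": "Autoruns",  "MESSAGE": "Suspicious autorun",      "auto_case_id": "w1"},
    {"level": "Warning", "hostname": "ws03",  "MODULE": "Autoruns",  "MESSAGE": "Suspicious autorun",      "auto_case_id": "w1"},
    {"level": "Alert",   "hostname": "srv02", "MODULE": "ProcessCheck", "MESSAGE": "Suspicious process",  "auto_case_id": "a2"},
    {"level": "Notice",  "hostname": "ws01",  "MODULE": "Filescan",  "MESSAGE": "Unusual file attributes"},
    {"level": "Info",    "hostname": "ws01",  "MODULE": "Init",      "MESSAGE": "Scan started"},
]

# Levels for which an auto_case_id exists and cases may be generated.
CASE_LEVELS = {"Alert", "Warning"}


def group_by_auto_case_id(events):
    """Return {auto_case_id: [events]} for Alert/Warning events that carry an id."""
    groups = defaultdict(list)
    for ev in events:
        if ev.get("level") not in CASE_LEVELS:
            continue  # Notice/Info: never part of an auto case
        case_id = ev.get("auto_case_id")
        if not case_id:
            continue  # defensive: no id means nothing to group on
        groups[case_id].append(ev)
    return dict(groups)


def group_size_histogram(events):
    """Map group size -> number of groups of that size.

    Use this to pick a threshold: a threshold larger than every group size
    would create no cases at all, one of 1 would create a case per group.
    """
    sizes = (len(evs) for evs in group_by_auto_case_id(events).values())
    return dict(Counter(sizes))


def auto_cases(events, threshold):
    """Return the cases a run with the given threshold would create.

    A case is created for every auto_case_id group with at least `threshold`
    events, mirroring the dialog's "groups of at least N similar events".
    """
    if threshold < 1:
        raise ValueError("threshold must be a positive number of events")
    cases = []
    for case_id, evs in sorted(group_by_auto_case_id(events).items()):
        if len(evs) < threshold:
            continue
        cases.append({
            "auto_case_id": case_id,
            "event_count": len(evs),
            "level": evs[0]["level"],
            "hosts": sorted({e["hostname"] for e in evs}),
            "modules": sorted({e["MODULE"] for e in evs}),
        })
    return cases


if __name__ == "__main__":
    print("groups per size:", group_size_histogram(SAMPLE_EVENTS))
    for threshold in (1, 2, 3):
        created = auto_cases(SAMPLE_EVENTS, threshold)
        print(f"threshold={threshold}: {len(created)} case(s)",
              [c["auto_case_id"] for c in created])
```

Running the histogram against a real export of your Alerts and Warnings before pressing Start shows where the bulk of your group sizes lie; a threshold just below the size of the groups you would actually want as cases avoids both a flood of single-event cases and a run that creates nothing.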

5.5. Add to Case

Sometimes you may want to add log lines to an existing case because they belong to the same security context. To do this, select the events you want to add, click the Add to Case button and choose the target case. You can also attach a comment to the case describing why these events were added.

Add to Case

5.6. Customizing the Detailed View of Log Lines

The detailed view for a log line opens when you click the line. Within this view you can mark fields as favorites by clicking the star symbol; favorite fields are always shown at the top of the view. MESSAGE, MODULE and hostname are favorites by default.

To search for all log lines that have the same value in a particular field as this one, click the dropdown on the left-hand side of that field.

customizing the detailed view for log lines

Additionally, every hash field has a VIRUSTOTAL button and every reason field a VALHALLA button. Clicking VIRUSTOTAL looks up the hash on VirusTotal. Clicking VALHALLA shows more information about the matching rule on valhalla.nextron-systems.com.

5.7. Usage of the Context Menu

Right-clicking any value in your logs opens a context menu with actions for that value:

Context Menu

From this menu you can filter on the value, search for similar events, or create a case based on the value you right-clicked.