5.3. Automated Case Creation
With Auto Baselining, the Cockpit will automatically generate cases for groups of logs that are similar, or in other words, that have the same auto_case_id.
After clicking the Automatically generate Cases button in the Auto Baselining tab you will be prompted for a threshold. This means: only create a case when at least that many similar logs are found. In our example below the Cockpit will generate cases for all groups of at least 2000 similar events.

Automatically create cases

After pressing the Start button, the Cockpit will start calculating and create cases. Depending on the data volume this may take a while, and you will be presented with a page showing that Auto Cases is still running along with the current number of cases.

Auto Cases Status
It is safe to leave this page once the status is Running. The job will continue in the background.
Important
The Analysis Cockpit generates auto_case_ids only for Alerts and Warnings. Don't use the Autocase feature for Notice and Info level events.
5.4. Add to Case
Sometimes you may want to add log lines to an already existing case because they represent the same security context. To do this, click the Add to Case button and select the suitable case. It is also possible to add a comment to the case describing the addition.

Add to Case
5.5. Customizing the Detailed View of Log Lines
The detailed view for a log line opens by clicking on the log line. Within this view you can mark fields as favorite fields by clicking on the star symbol; they will always be shown at the top of the view. MESSAGE, MODULE and hostname are selected by default.
To search for all log lines that have the same value as this log line in a particular field, click the dropdown on the left-hand side of that field.

Customizing the detailed view for log lines
Additionally, you will find a VIRUSTOTAL button in every hash field and a VALHALLA button in every reason field. Clicking VIRUSTOTAL searches for the hash on VirusTotal. Clicking VALHALLA shows more information about the matching rule from valhalla.nextron-systems.com.