Cases

Modified on Sat, 7 Sep at 3:37 PM

About Cases

The Cases page lets you see a list of the Perception Point X-Ray cases that have been opened in your organization. Cases are opened when:

A suspected ATO attempt is detected by Perception Point X-Ray. For example, a suspicious mail inbox rule was set, or a suspicious login to a mail account was attempted. Some cases are added based on a combination of suspicious activities.

Note: Suspected ATO attempts are detected only if the Perception Point ATO functionality is enabled in the organization. The ATO functionality is available for Microsoft 365 installations only. For details, see "Configuring Microsoft 365 - ATO detection" on page 227.

An end-user downloads a significant number of files that contain sensitive data. For details, see "Detecting sensitive file downloads" on page 333.

Each new case is assigned the Open status. You can click any case in the Cases page to display additional details about the case, such as a description of the suspicious activity, and the user who performed the suspicious activity. You can analyze a case, and then resolve it, to remove it from the list of open cases.

The Perception Point IR Team constantly monitors all cases that are added. The team analyzes each new case and determines whether the suspicion is warranted (requiring further attention) or whether the case can be closed. If the Perception Point IR Team determines that the case requires additional analysis by your organization, they set the case stage to Client. An email can also be sent to your organization, outlining the suspicions. The email is sent to the recipients specified in the "Alert via email on malicious cases" setting. For details on configuring the email, see "Configuring alerts" on page 113.

The Cases page includes suspicious activity only. The Events page lists all events that have occurred in Perception Point X-Ray - even if the events are not suspicious. For details, see "Events" on page 695.

To show the Cases page:

In Perception Point X-Ray, in the left navigation menu, select Security Operations > Cases.

Any admin user with the "Self Analysis" role [or higher] can access the Cases page.

Case severity

Perception Point X-Ray assigns a severity to each case. You can modify the severity when you handle a case. [See "Handling a case" on page 692 below.] The severity can be:

  • Low: For example, a user logged in.

  • Medium: For example, a suspicious inbox rule change.

  • High: For example, a user set up a mailbox rule that appears to be suspicious, such as "Suspicious Inbox Rule Detected".

You can use the case severity to filter the cases shown in the Cases page.

Case status

Perception Point X-Ray assigns a Malicious status to each new entry in the Cases page. After analysis, you can modify the status of the case. [See "Handling a case" on page 692 below.]

  • Clean: The case has been analyzed, and no suspicious activity was found.

  • Malicious: The case has been analyzed and malicious behavior was detected, or the case has not yet been fully analyzed and the original Malicious status remains.

You can use the case status to filter the cases shown in the Cases page.

Case stage

Perception Point X-Ray assigns a stage to each entry in the Cases page. The stage indicates where the case is in the analysis process. The stage can be:

  • Client: The case has been analyzed by the Perception Point IR Team, which has assigned the case to your organization for further analysis.

  • Closed: The case has been investigated and is now closed. No further analysis is required.

You can use the case stage to filter the cases shown in the Cases page.

Case triggers

The following are some of the triggers that will create new cases:

Suspected ATO cases:

  • Suspicious rules:

      • Suspicious rule created

      • Suspicious Junk Folder rule

      • Suspicious Inbox rule created

      • Suspicious forwarding rule detected

      • Suspicious Inbox rule change

      • Suspicious Inbox rule detected

  • Suspicious login activity detected

  • Suspicious failed login activity detected

Suspected download of sensitive data:

  • Sensitive file downloads

Handling a case

When you handle a case, you can change its status and severity. After you handle a case, the stage of the case will automatically be set to closed. After a case has been closed, you can't reopen the case.

To handle a case:

  1. In the Cases page, locate the required case, expand its view, and then click the Handle Case button on the right of the case.

  2. Set the Status and the Severity as required.

  3. Click Submit.
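The severity, status and stage rules described in the sections above, and the Handle Case procedure just described, amount to a small case lifecycle: every new case starts as Malicious, handling it sets its status and severity and moves its stage to Closed, and a closed case can never be reopened. The following Python model is an added illustration of that lifecycle and is not Perception Point X-Ray code or its API; the field names, the hypothetical `Case` class and the `handle_case` / `filter_cases` helpers are assumptions chosen to mirror the page's terminology, and the sample cases are constructed.

```python
from dataclasses import dataclass

# Vocabulary taken from the page's "Case severity", "Case status" and "Case stage" sections.
SEVERITIES = ("Low", "Medium", "High")
STATUSES = ("Clean", "Malicious")
STAGES = ("Client", "Closed")


@dataclass
class Case:
    """Hypothetical model of one row in the Cases page (assumed field names)."""
    case_id: str
    user: str
    description: str
    severity: str
    status: str = "Malicious"  # every new entry starts as Malicious (page: "Case status")
    stage: str = "Client"      # assumption: modelled once the IR Team has assigned it to the client


def handle_case(case: Case, status: str, severity: str) -> Case:
    """Apply the Handle Case action: set status and severity, then close the stage.

    A closed case cannot be reopened, so handling it a second time is rejected
    instead of silently overwriting the analyst's earlier decision.
    """
    if case.stage == "Closed":
        raise ValueError(f"case {case.case_id} is closed and cannot be reopened")
    if status not in STATUSES:
        raise ValueError(f"unknown status {status!r}")
    if severity not in SEVERITIES:
        raise ValueError(f"unknown severity {severity!r}")
    case.status = status
    case.severity = severity
    case.stage = "Closed"
    return case


def filter_cases(cases, severity=None, status=None, stage=None):
    """Mirror the page's filters: any combination of severity, status and stage."""
    return [
        c for c in cases
        if (severity is None or c.severity == severity)
        and (status is None or c.status == status)
        and (stage is None or c.stage == stage)
    ]


def open_cases(cases):
    """Cases still awaiting the organization's analysis (stage Client)."""
    return filter_cases(cases, stage="Client")


# Constructed sample cases for illustration; not real data.
SAMPLE_CASES = [
    Case("c-1", "alice@example.com", "Suspicious Inbox rule created", "High"),
    Case("c-2", "bob@example.com", "Suspicious login activity detected", "Medium"),
    Case("c-3", "carol@example.com", "Sensitive file downloads", "Low"),
]


def triage_demo():
    """Walk the sample cases through one triage pass and report the outcome."""
    cases = [Case(c.case_id, c.user, c.description, c.severity) for c in SAMPLE_CASES]
    handle_case(cases[1], status="Clean", severity="Low")   # verified as the user's own login
    handle_case(cases[0], status="Malicious", severity="High")
    return {
        "still_open": [c.case_id for c in open_cases(cases)],
        "confirmed_malicious": [c.case_id for c in filter_cases(cases, status="Malicious", stage="Closed")],
        "cleared": [c.case_id for c in filter_cases(cases, status="Clean")],
    }


if __name__ == "__main__":
    print(triage_demo())
```

`open_cases` is the list an analyst works from; a case drops out of it only through `handle_case`, which is also the only place the stage changes.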

UI elements

The Cases page includes the following UI elements:

  • Stage: See "Case stage" above.

  • Severity: See "Case severity" above.

  • Status: See "Case status" above.

  • Organization: The organization in which the suspicious activity was detected.

  • User: The email account on which the suspected ATO activity was performed.

  • Description: A brief description of the suspicious activity.

  • Timestamp: The time and date on which the suspicious activity was performed.

  • Handle case: See "Handling a case" above.

Some UI elements appear only for certain types of suspicious activity:

New Inbox Rule, Forwarding Rule Created:

  • IP Address: The distribution of the IP addresses that have been used to sign in to the targeted email account.

  • Location: The distribution of the locations [countries] from which users have signed in to the targeted email account.

  • Forward: The email address to which the suspicious rule forwards emails.

User Logged In, User Login Failed:

  • IP Address: The distribution of the IP addresses that have been used to sign in to the targeted email account.

  • Location: The distribution of the locations [countries] from which users have signed in to the targeted email account.

  • Operating System: The distribution of the operating systems that have been used to sign in to the targeted email account.

  • Browser: The distribution of the browsers that have been used to sign in to the targeted email account.
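The per-case UI elements above summarize the sign-in history of the targeted account as distributions of IP address, location, operating system and browser; an analyst reads them to judge whether the flagged login or rule change fits the account's normal pattern. The Python below is an added example, not Perception Point X-Ray code, that computes the same four distributions from a constructed list of sign-in records and, going slightly beyond the page, also lists the values seen only once, which are the ones worth a closer look during triage. The record layout and the `signin_distributions` / `share` / `rare_values` helper names are assumptions.

```python
from collections import Counter

# Fields the Cases page summarizes for a targeted account.
FIELDS = ("ip", "country", "os", "browser")

# Constructed sample sign-in records (RFC 5737 documentation addresses); not real data.
SIGN_INS = [
    {"account": "alice@example.com", "ip": "203.0.113.10", "country": "US", "os": "Windows", "browser": "Edge"},
    {"account": "alice@example.com", "ip": "203.0.113.10", "country": "US", "os": "Windows", "browser": "Edge"},
    {"account": "alice@example.com", "ip": "203.0.113.10", "country": "US", "os": "Windows", "browser": "Edge"},
    {"account": "alice@example.com", "ip": "198.51.100.7", "country": "NL", "os": "Linux", "browser": "Firefox"},
    {"account": "bob@example.com", "ip": "192.0.2.44", "country": "DE", "os": "macOS", "browser": "Safari"},
]


def signin_distributions(records, account):
    """Return {field: Counter} for the sign-ins of one account, matching the UI's
    IP Address, Location, Operating System and Browser distributions."""
    subset = [r for r in records if r["account"] == account]
    return {f: Counter(r[f] for r in subset) for f in FIELDS}


def share(counter):
    """Convert a Counter into fractions of the total, rounded to two decimals."""
    total = sum(counter.values())
    if total == 0:
        return {}
    return {value: round(count / total, 2) for value, count in counter.items()}


def rare_values(counter, max_count=1):
    """Values that occurred at most max_count times; sorted for stable output."""
    return sorted(v for v, n in counter.items() if n <= max_count)


def triage_summary(records, account):
    """One dict an analyst could read: distribution and rare values per field."""
    dists = signin_distributions(records, account)
    return {
        f: {"share": share(dists[f]), "rare": rare_values(dists[f])}
        for f in FIELDS
    }


if __name__ == "__main__":
    for field, info in triage_summary(SIGN_INS, "alice@example.com").items():
        print(f"{field:8} share={info['share']} rare={info['rare']}")
```

An account whose distribution is dominated by one IP, country and browser, with a single outlier on every field at once, is exactly the shape that makes a "Suspicious login activity detected" case worth escalating rather than clearing; the same helpers return empty rare lists for an account whose sign-ins are uniform.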


Reference

https://docs.perception-point.io/wp/Content/PP/Cases.htm

Acronis: https://docs.perception-point.io/acronis/Content/PP/Cases.htm
