6.4. Generate and Review auto_case_ids
These auto_case_ids can be reviewed in the Grouping Criteria section of the case.
In our example, three auto_case_ids were added that match all 1,000 log lines. In the future, all incoming logs that match one of the three "Detailed Reasons" will be added to this case directly and will not show up in the Log Management section.
6.4.1. Limitations
There are limitations to the visibility of grouping criteria. Grouping Criteria are only calculated for Alerts and Warnings. For all other log types (Notices, Info, Error), auto_case_ids are not calculated; instead, every log line gets its own highly specific filter that matches future occurrences of exactly the same log line and does no generic matching of any kind. These highly specific filters are not displayed in the case for simplicity's sake.
In rare cases the Analysis Cockpit will find it difficult to calculate auto_case_ids even for Alerts and Warnings. These logs get tagged with optimized_template=false. In this case the behavior is the same as for Notices, Info and Error messages: Grouping Criteria will not show up, as there will be one highly specific filter per log line.
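To make the two matching modes described above concrete, the following is an added illustrative model, not the Analysis Cockpit's own code. It assumes a simplified log record (level, detailed reason, raw line, optimized_template flag) and applies the rules from this section: Alerts and Warnings with a usable template are matched generically by their Detailed Reason, while Notices, Info, Error and optimized_template=false lines are only matched by an exact copy of the original line. All log lines in it are constructed samples.

```python
"""Illustrative model of grouping criteria (added example, not product code).

Assumptions (not from the original documentation):
- a log is reduced to level, detailed_reason, raw line and an
  optimized_template flag;
- a case keeps the displayed auto_case_ids (generic criteria) separately
  from the hidden per-line exact filters.
"""
from dataclasses import dataclass, field

# Only these levels get generic grouping criteria (auto_case_ids).
GENERIC_LEVELS = {"Alert", "Warning"}


@dataclass
class Log:
    level: str
    detailed_reason: str
    raw: str
    optimized_template: bool = True


@dataclass
class Case:
    name: str
    auto_case_ids: set = field(default_factory=set)   # shown in Grouping Criteria
    exact_filters: set = field(default_factory=set)   # one per line, hidden in the UI
    logs: list = field(default_factory=list)


def uses_generic_matching(log):
    """Generic matching applies only to Alerts/Warnings with a usable template."""
    return log.level in GENERIC_LEVELS and log.optimized_template


def add_to_case(case, log):
    """Assign a log to a case and record the criterion that will catch future logs."""
    case.logs.append(log)
    if uses_generic_matching(log):
        case.auto_case_ids.add(log.detailed_reason)
    else:
        case.exact_filters.add(log.raw)


def matching_case(cases, log):
    """Return the first case whose criteria match the log, or None."""
    for case in cases:
        if uses_generic_matching(log) and log.detailed_reason in case.auto_case_ids:
            return case
        if log.raw in case.exact_filters:
            return case
    return None


def route(cases, logs):
    """Route incoming logs into cases; return the ones left in Log Management."""
    unassigned = []
    for log in logs:
        case = matching_case(cases, log)
        if case is None:
            unassigned.append(log)
        else:
            case.logs.append(log)
    return unassigned


def demo():
    """Build one case from constructed seed lines, route new lines, return counts."""
    case = Case("Example case")
    # Constructed seed lines (not real scanner output).
    add_to_case(case, Log("Alert", "Malware file found",
                          "Alert: MODULE: Filescan MESSAGE: Malware file found FILE: C:\\tmp\\a.exe"))
    add_to_case(case, Log("Notice", "Elevated process",
                          "Notice: MODULE: ProcessCheck MESSAGE: Elevated process PID: 4321"))
    add_to_case(case, Log("Warning", "Unusual service",
                          "Warning: MODULE: ServiceCheck MESSAGE: Unusual service NAME: svc1",
                          optimized_template=False))
    incoming = [
        # Same Detailed Reason, different file: generic match, joins the case.
        Log("Alert", "Malware file found",
            "Alert: MODULE: Filescan MESSAGE: Malware file found FILE: C:\\tmp\\b.exe"),
        # Notice with same reason but a new PID: no generic matching, stays unassigned.
        Log("Notice", "Elevated process",
            "Notice: MODULE: ProcessCheck MESSAGE: Elevated process PID: 9999"),
        # Identical Notice line: caught by the hidden exact filter.
        Log("Notice", "Elevated process",
            "Notice: MODULE: ProcessCheck MESSAGE: Elevated process PID: 4321"),
        # Warning without a usable template: behaves like a Notice, stays unassigned.
        Log("Warning", "Unusual service",
            "Warning: MODULE: ServiceCheck MESSAGE: Unusual service NAME: svc2",
            optimized_template=False),
    ]
    unassigned = route([case], incoming)
    return len(case.auto_case_ids), len(case.exact_filters), len(unassigned)


if __name__ == "__main__":
    print(demo())  # (1, 2, 2): one generic criterion, two exact filters, two logs left
```

The point of the model is the asymmetry: the single auto_case_id keeps absorbing new Alert lines with the same Detailed Reason, whereas each Notice or optimized_template=false line only ever matches itself, which is why those filters are not worth displaying.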
6.5. More Information about Cases
The Affected Assets tab of a case shows assets that have contributed at least one log line to this case. In this example 5 assets are affected. All of them have the same operating system "windows".
In the Comments tab you can add comments and attachments to this case. Attachments can be used to pass additional information to members of the analysis team (e.g. a memory dump for further analysis).
The Changes tab shows information about changes to this case. In other words: this is your case audit log.
6.6. Bulk Edit / Bulk Delete
The Analysis Cockpit features a convenient way to make certain changes to groups of cases. Just select the cases in the left column and click the Edit Cases or Delete Cases button.