User Guide for Cisco Security MARS Local Controller (78-17020-01)
Chapter 18
Case Management
This chapter contains the following sections:
• Case Management Overview
• Hide and Display the Case Bar
• Create a New Case
• Edit and Change the Current Case
• Add Data to a Case
• Generate and Email a Case Report

Case Management Overview
The Case Management feature can capture, combine, and preserve user-selected MARS data within a
specialized report called a case. The following data can be added to a case:
• Text annotations
• Incident ID page
• Incident device information (source IP address, destination IP address, reporting device)
• Session Information page
• Query Results page
• Build Report page
• Report Results page
• View Case page (the current case can reference another case)

Any user can create or alter any case. You can assign a case to a MARS user on the same machine, and
can change the status of a case to assigned, resolved, or closed. The contents of a case are displayed by
category on a single GUI page (View Case), and can be automatically assembled into a single HTML
case document. You can email the Case Document to any MARS user account or user group.

Note: When a case is closed, you can still email it, annotate it, add device information, and include a reference
to another case.

Case information collected on incidents, sessions, queries, reports, and mitigation logs is forensic
evidence pertinent to the following: