How does FortiSIEM determine which analyst group receives a case?

Automation policies define rules that match incident categories (such as Availability, Performance, Security, or Changes) to specific analyst groups. When an incident occurs, FortiSIEM evaluates these rules and assigns the resulting case to the appropriate team based on the configured case management policy, which can distribute cases randomly among team members or assign directly to team leads.

What investigation capabilities are available once a case is assigned?

Analysts can view related incidents, affected hosts, observables, and MITRE ATT&CK tactics and techniques associated with each case. The Explore feature reveals details about linked incidents, while the Investigate tab provides a chronological timeline showing the attack's progression from initial detection through subsequent events.

Automated Case Management and Assignment in FortiSIEM 7.2

Name: Automated Case Management and Assignment in FortiSIEM 7.2
Uploaded: 2026-05-08T19:18:59-04:00
Duration: 4 min 41 s
Description: #FortiSIEM's case management overview page provides analysts with a comprehensive understanding of case trends. By analyzing open cases, severity levels, and escalated cases, analysts can identify patterns, prioritize incidents, and assess overall sec...

Fortinet

05/08/2026

0 (0%)

Report Like Favorite

TL;DR

FortiSIEM 7.2 introduces automated case management that assigns incidents to analyst groups based on configurable policies matching case categories to team expertise levels.
Administrators can define SLAs, escalation procedures, and assignment methods (random, team lead, or manual) through case management policies with customizable notifications.
Automation policies route incidents by category—availability and performance to Level 1, security and changes to Level 2—ensuring appropriate skill matching.
The Case Management Overview provides KPIs tracking incident response efficiency, while investigation tools include MITRE ATT&CK mappings and chronological attack timelines.

Automated Case Assignment and Policy Configuration

This demonstration walks through FortiSIEM 7.2's automated case management capabilities, showing how security operations teams can streamline incident handling through policy-based assignment. The workflow begins with creating analyst groups organized by expertise level—Escalations, Level 1, and Level 2—each designed to handle cases matching their technical capabilities. Administrators can configure case management policies that define service level agreements, escalation procedures, and assignment methods including random distribution among team members or direct assignment to team leads. The automation policies tie incident categories to specific analyst groups, ensuring availability and performance issues route to Level 1 analysts while security and change-related incidents requiring advanced skills automatically escalate to Level 2 teams.

Case Investigation and MITRE ATT&CK Integration

Beyond assignment automation, FortiSIEM provides analysts with comprehensive investigation tools once cases are created. The Case Management Overview page surfaces key performance indicators tracking incident response efficiency from event detection through case creation. When analysts drill into individual cases, they gain visibility into related incidents, affected hosts, observables, and the tactics and techniques employed by attackers. MITRE ATT&CK mappings help identify attack patterns and techniques used to gain access, while a chronological timeline in the Investigate tab reveals the attack's progression. This end-to-end workflow—from automated triage to deep investigation—demonstrates how FortiSIEM aims to reduce manual overhead while maintaining thorough incident analysis capabilities.

Chapters

0:00 - Introduction to Automated Case Management
0:15 - Creating Analyst Groups
0:31 - Configuring Case Management Policies
1:34 - Building Automation Policies
3:01 - Case Overview and KPIs
3:38 - Case Investigation and MITRE Mappings

Key Quotes

0:00 "In this demo, we introduce a new feature in Fortisim 7.2, where you can automate case management and assign cases in the automated fashion."
2:37 "This automation policy will handle change and security incidents, which require advanced skills. Therefore, I will assign it to the Level 2 Analyst group."
3:05 "Fortisim's Case Management Overview page provides analysts with a comprehensive understanding of case trends."

Categories:

» Webinar Library » Fortinet
» Data Protection

Tags:

Show more Show less

Browse videos

Upcoming Webinar Calendar

05/12/2026

01:00 PM

05/12/2026

Transforming Black Box to Glass Box: Revealing Hidden Threats and AI Risks through Data Lineage

https://www.truthinit.com/index.php/channel/1895/transforming-black-box-to-glass-box-revealing-hidden-threats-and-ai-risks-through-data-lineage/
05/12/2026

11:30 PM

05/12/2026

Implementing Effective Strategies for Active Directory Security and Data Protection

https://www.truthinit.com/index.php/channel/1888/implementing-effective-strategies-for-active-directory-security-and-data-protection/
05/13/2026

01:00 AM

05/13/2026

Transforming the Black Box: Revealing AI Risks and Hidden Threats through Data Lineage

https://www.truthinit.com/index.php/channel/1890/transforming-the-black-box-revealing-ai-risks-and-hidden-threats-through-data-lineage/
05/13/2026

05:00 AM

05/13/2026

Transforming Black Box to Glass Box: Revealing AI Risks and Hidden Threats through Data Lineage

https://www.truthinit.com/index.php/channel/1894/transforming-black-box-to-glass-box-revealing-ai-risks-and-hidden-threats-through-data-lineage/
05/19/2026

01:00 PM

05/19/2026

Establishing a Robust AI Governance Framework for GenAI Throughout Its Lifecycle

https://www.truthinit.com/index.php/channel/1936/establishing-a-robust-ai-governance-framework-for-genai-throughout-its-lifecycle/
05/20/2026

10:00 PM

05/20/2026

APAC: Establishing an AI Governance Framework for GenAI Throughout the Deployment Process

https://www.truthinit.com/index.php/channel/1953/establishing-an-ai-governance-framework-for-genai-throughout-the-deployment-process/
05/21/2026

11:00 AM

05/21/2026

The Autonomous Era: Orchestrating a Resilient Enterprise

https://www.truthinit.com/index.php/channel/1372/the-autonomous-era-orchestrating-a-resilient-enterprise/
05/27/2026

04:00 AM

05/27/2026

Rivoluziona i rischi dell'AI in opportunità con Netskope AI Security

https://www.truthinit.com/index.php/channel/1925/rivoluziona-i-rischi-dellai-in-opportunità-con-netskope-ai-security/
05/28/2026

10:00 AM

05/28/2026

Harnessing AI: Transforming Perception into Purposeful Mastery

https://www.truthinit.com/index.php/channel/1924/harnessing-ai-transforming-perception-into-purposeful-mastery/
05/28/2026

01:00 PM

05/28/2026

AI in the Fast Lane: Effectively Managing AI Security for Small Teams

https://www.truthinit.com/index.php/channel/1951/ai-in-the-fast-lane-effectively-managing-ai-security-for-small-teams/
06/02/2026

01:00 PM

06/02/2026

Satori Spring: Insights from Recent Research on the 2026 Threat Landscape

https://www.truthinit.com/index.php/channel/1930/satori-spring-insights-from-recent-research-on-the-2026-threat-landscape/
06/04/2026

02:00 AM

06/04/2026

Mastering the Unseen: Managing Shadow AI and Agentic MCP Traffic

https://www.truthinit.com/index.php/channel/1948/mastering-the-unseen-managing-shadow-ai-and-agentic-mcp-traffic/
06/16/2026

07:00 AM

06/16/2026

Transforming Data Risk into Actionable Priorities: What to Address First

https://www.truthinit.com/index.php/channel/1952/transforming-data-risk-into-actionable-priorities-what-to-address-first/