Management Module

The Management module in CYBERQUEST provides centralized control over all system components, allowing administrators to configure, monitor, and maintain various aspects of the security information and event management platform. This comprehensive guide covers all management functionalities available through the Web Interface.

Event Dictionary

The Event Dictionary is a fundamental component of CYBERQUEST that defines how different types of security events are parsed, normalized, and interpreted by the system.

CYBERQUEST includes a comprehensive event dictionary focused on Windows operating systems, with ongoing expansion to cover all major supported technologies. The dictionary is continuously updated to include new event types and security threats.

Accessing the Event Dictionary

Navigate to Settings > Management > Event Dictionary in the Web Interface to access the event management page. This interface displays all defined event objects and provides tools for managing them.

  • Click the export button next to any event definition. Events are exported as proprietary CQO files for backup or sharing.
  • To import events, use the import button.
  • Use the update button to refresh the event dictionary with the latest definitions.
  • Click the edit button to modify event properties.
  • Use the delete button to remove event definitions. Confirmation is required before deletion to prevent accidental removal.
  • Use the Bulk Import button to select a file and import multiple event definitions. Only files in .cqo format are supported.
  • Use the Select button to choose multiple events. The Export option then becomes available for the selected event definitions.
  • Use the Quick Filter bar to search by:
    • Event ID
    • Event name
    • Event description

Creating a New Event Definition

Creating custom event definitions extends CYBERQUEST's capabilities to parse and analyze events from proprietary applications, custom systems, or technologies not covered by the default dictionary.

Access the Creation Interface

  • Navigate to Settings > Management > Event Dictionary
  • From the Event Dictionary web interface, select the "ADD EVENT" option.
  • The Add Event Dictionary configuration page will open, with the following fields:

  • Platform: Technology or system generating the event
  • Event ID: Unique identifier for the event type (a standardized numbering scheme is recommended)
  • Event Name: Descriptive name for the event
  • Description: Detailed explanation of what the event represents
  • ADD EXTRA ROW: Up to 150 additional fields for event-specific details

After reviewing all configured settings, use the Save button to store the new event definition. Once saved, the event becomes immediately available for parsing and analysis.

Managing Dashboards

Dashboards in CYBERQUEST provide visual representations of security data, allowing security teams to monitor key metrics, track incidents, and gain insights into security posture. The Dashboards management interface enables administrators to create, configure, and maintain dashboard configurations for various use cases.

Navigate to Settings > Management > Dashboards in the Web Interface. This page displays all dashboard objects configured in your CYBERQUEST instance.

  • Click the export button next to any dashboard. Dashboards are exported in .cqo format for backup or sharing, which is useful when migrating dashboards between environments.
  • Use the import option from the Dashboards web interface.
  • Click the edit button to modify dashboard properties.
  • Use the delete button to remove dashboards. Confirmation is required to prevent accidental deletion.

Creating New Dashboards

Click the create button on the Dashboards management page.

The Save Dashboard configuration window will open:

  • Name: A unique identifier for the dashboard.
  • Friendly Name: A user-friendly or readable name
  • Text: Optional descriptive text or notes about the dashboard
  • Choose Field: Select the specific data field
  • How Many Records: Specify the maximum number of data entries to display
  • Data Filter: Apply conditions or criteria to limit which records appear
  • Choose Chart Type: Select the visualization style

Click "Save" to persist your configuration or "Cancel" to discard changes.

Managing Filters

Filters in CYBERQUEST are query-based tools that allow security teams to focus on specific subsets of security data based on defined criteria. They enable precise data filtering for investigations, reporting, compliance monitoring, and threat hunting by applying conditional logic to event streams.

Navigate to Settings > Management > Filters in the Web Interface to access the filters management page. This interface displays all configured filter objects.

  • Click the edit button to update an existing filter. Predefined filters follow compliance standards and may require advanced query knowledge.
  • Click the delete button to remove a filter. A confirmation prompt ensures filters aren’t deleted accidentally.
  • Use the corresponding button to make a filter active or inactive. Active filters are applied automatically, while inactive filters are saved but not executed.

Creating New Filters

Click the create button on the Filters management page and complete the following fields:

  • Name: A clear, descriptive title that makes the filter easy to identify.

  • Description: Details about the filter’s purpose.

  • Query: A CYBERQUEST query language expression that defines the exact criteria for selecting or excluding data.

  • Active/Inactive: Enables or disables the filter. When active, the filter is applied automatically; when inactive, it is saved but not executed.

For detailed instructions on saving a new filter from Browser Module, refer to the following link: Save as New Filter.

Managing Objects

Objects in CYBERQUEST represent entities within your IT environment that can be monitored, analyzed, and managed. The Objects Management interface provides centralized control over all object definitions, allowing administrators to create, modify, and maintain object configurations for consistent entity resolution and contextual enrichment across the platform.

  • Objects enable consistent identification of entities (users, systems, applications) across different data sources and event types, resolving various identifiers (IP addresses, hostnames, user IDs) to the same logical entity for accurate tracking and analysis
  • Objects provide additional context to security events by linking them to known entities, adding information like department affiliation, system criticality, or geographic location to enhance threat assessment and investigation efficiency
  • Objects ensure uniform representation of entities in lists, reports, and investigations
  • Most objects are created automatically when new entities are detected in the environment
  • Administrators can create and modify objects manually for custom or specialized entities

Navigate to Settings > Management > Objects in the Web Interface to access the objects management page. This interface displays all object definitions configured in the CYBERQUEST instance. A drop-down list allows viewing all objects or selecting a specific object to display.

  • Click the edit button to modify the details of an existing object in the selected list.
  • Click the delete button to remove an object. A confirmation prompt ensures objects aren’t deleted accidentally.

Creating New Objects

Click the create button on the Objects management page. The Add Object configuration will open:

  • Name: Descriptive name for the object
  • Value: Specific identifier or value for the object
  • TTL: Specifies the duration (in seconds) that the object will remain active in the list before it automatically expires and is removed. Entering -1 will make the object permanent.
  • Object List: Selects the target list where the object will be added. Examples include BlackListIP for blocking IP addresses.

Click "Save" to persist your configuration or "Cancel" to discard changes.

Agent Manager

The Agent Manager in CYBERQUEST provides centralized control over all deployed agents, allowing administrators to register, configure, monitor, and manage agents that collect and forward data from various sources.

Navigate to Settings > Management > Agent Manager in the Web Interface to access the agent management page. This interface displays all registered agents and their current status.

  • Click the edit button to modify an agent’s configuration parameters; changes are applied immediately.

  • Use the status toggle to set agent status between:

  • Manually Deploy: Agent requires manual intervention for deployment
  • Not Deployed: Agent is not currently deployed
  • Start Agent Service: Start the agent service on the target machine
  • Stop Agent Service: Stop the agent service on the target machine
  • Uninstall Service: Remove the agent service from the target machine
  • DOWNLOAD WINDOWS AGENT - download the latest version of the CYBERQUEST agent. The agent must be installed on a Windows target machine and the file will be downloaded as “AgentSetup.msi”.

Registering New Agents

  • Click the "Register New Agent" button from the Agent Manager page

  • Select "Windows" as the target platform and click "Next"

  • Complete the agent configuration form with required details

Agent Configuration Parameters

When registering a new agent, several fields must be completed:

  • Agent Name: The name assigned to the agent for identification within the system.
  • Computer: The IP address of the host machine where the agent will be installed.
  • Agent Deployment Credentials: Credentials used for deploying the agent.
  • Tenant: Choose the appropriate tenant from the available list.
  • Agent Notes: Optional comments or descriptions for reference
  • Agent Batch Size: Number of events processed in a single batch
  • Compress Data: Enable data compression before transmission
  • Encrypt Data: Enable encryption for secure data transfer
  • Agent Log Cleanup: Specify log retention and cleanup rules
  • Throttle Data Collection (@Number events): Limit event collection rate to prevent system overload
  • Message Queue Port: Port for message queue communication
  • Message Queue Server: Hostname or IP of message queue server
  • Message Queue Username: Authentication username for message queue
  • Message Queue Password: Password for message queue access
  • Message Queue Use SSL: Enable SSL for secure queue communication
  • Settings Managed from CyberQuest Cloud: Allows remote configuration via CyberQuest Cloud

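Before starting the "Deploy Agent Service to Target Machine" process, run the following command in Windows PowerShell (as Administrator) on the target Windows machine, replacing the "CQ-Address-IP" placeholder with the CYBERQUEST IP address. This creates the firewall rule that allows inbound TCP port 445 from that address only, which is required for communication during the deployment.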

New-NetFirewallRule -DisplayName "CQ-Agent" -Direction Inbound -LocalPort 445 -Protocol TCP -Action Allow -RemoteAddress "CQ-Address-IP" -Profile Any

Once the configuration is saved, the installation process for the Windows agent can begin. To start the deployment, click the button labeled "Deploy agent service to target machine". This action will initiate the installation of the agent on the specified host using the previously defined settings. Ensure that the target machine is accessible and the deployment credentials are correct before proceeding.

A status message will appear at the top of the screen once the agent installation begins. Wait until the message is displayed - this confirms that the agent has been installed successfully on the target machine.

For detailed instructions on agent deployment and management, refer to:

  • Collecting with CQ Windows agent
  • How to manually deploy the agent

Data Source Manager

The Data Source Manager is a centralized tool in CYBERQUEST for managing all data sources. It allows administrators to configure, monitor, and maintain the systems, applications, and services that provide security events, logs, and telemetry for analysis.

Navigate to Settings > Management > Data Sources Manager in the Web Interface to access the data source management page. This interface displays all configured data sources and their current status.

  • Bulk Clone: Clone the current data source settings for multiple elements specified in the "Bulk Clone" field. Useful for creating similar configurations across multiple systems or data sources.

  • Clone: Duplicate an existing data source configuration. The copy starts with the same settings and can be adjusted as needed.

  • Edit: Modify data source configuration parameters, including collection settings, parsing rules, and integration options.

  • Delete: Remove a data source from the system. Requires confirmation to prevent accidental deletion.

Adding New Data Sources

  • To add a new data source, click the "Add Data Source" button. A selection window will open, presenting the available data source types from a predefined list.

  • Complete the configuration form with required details specific to the data source type.

  • Click "Save" to persist your configuration or "Cancel" to discard changes.

The Select datasource button reveals a menu for managing multiple data sources simultaneously:

  • Assign Agent: Assign multiple agents to selected data sources. Use the checkboxes to select the data sources, then choose the agent that will collect and forward data to CYBERQUEST.
  • Unassign Agents: Remove agent assignments from multiple data sources. This stops data collection from the selected sources until new agents are assigned.
  • Bulk delete: Delete multiple data sources in a single operation. Useful for cleaning up obsolete or unused data sources.
  • Close selection: Close the bulk operations menu and return to standard view.
  • Bulk Export: Export multiple selected data sources at once. The exported file contains their configurations, which can be saved for backup or reused later.

For detailed instructions on configuring specific data source types, refer to:

Credential Manager

Credential Manager - Safely stores and manages the credentials used by agents and data sources. All credentials are encrypted, accessed only by authorized components, and managed from a single, central interface.

Navigate to Settings > Management > Credential Manager in the Web Interface to access the credential management page. This interface displays all stored credentials and provides tools for managing them.

  • Click the edit button to modify the properties of an existing credential. Passwords must be re-entered, and changes take effect immediately for all agents using it.
  • Click the delete button to permanently remove a credential after confirmation. Make sure it’s not in use by any active agents or data sources.

Creating New Credentials

To create a new credential set:

  • Click the "Add Credential" button.

  • The credential configuration form will open.

Complete the form with the following parameters:

  • Credentials Type: Select the type of credential:
    • Generic (default) - Standard username/password credentials.
    • APIKey - Access key for API authentication.
    • SSHPublicKey - SSH public key for secure login.
    • Token - Authentication token for services.
    • APIKeyWithPassword - API key that also requires a password.
  • Name: A clear, descriptive name for the credential set that shows its purpose and associated system.
  • Username/Email: The username or email address used for authentication. For system accounts, use the full username format (e.g., "DOMAIN\username").
  • Password: The password for the account. Make sure it is strong and secure.
  • Confirmation Password: Re-enter the password to confirm accuracy.
  • Domain: The domain name for domain user credentials. Leave blank for local accounts.
  • Notes: Optional comments or descriptions about the credential's usage, purpose, or restrictions.

Click "Save" to store the credentials or "Cancel" to discard changes.

Vulnerability Manager

Vulnerability Assessment Module - Uses OpenVAS to provide full-featured vulnerability scanning for systems.

Navigate to Settings > Management > Vulnerability Manager in the Web Interface to access the vulnerability management dashboard. This interface provides centralized control over vulnerability scanning operations, results, and remediation tracking.

For detailed information about vulnerability management capabilities, refer to: Vulnerability Manager

Tag Alias

Tag Alias - Enables events from a data source to be processed with a different parser than the one originally assigned. This allows better handling of misclassified events, improved parsing, or customized processing without changing the original event definitions.

For detailed information about Tag Alias functionality and advanced configuration, refer to: Tag Alias

UEBA Manager

UEBA Manager helps organizations detect and respond to potential security threats more effectively, reducing the risk of data breaches and insider misuse while strengthening overall security. It identifies unusual user behavior, such as accessing data outside normal hours, connecting from unfamiliar locations, or downloading large amounts of information. By recognizing these patterns, UEBA Manager enables quick detection and response to suspicious activities.

Navigate to Settings > Management > UEBA Manager in the Web Interface to access the UEBA management dashboard. This interface provides centralized control over behavioral analytics configurations, group memberships, and monitoring settings.

For detailed information about UEBA capabilities and advanced configuration, refer to: How to manage UEBA

Data Storages

Data Storage Management provides centralized control for managing how data is collected, processed, and stored in CYBERQUEST. Administrators can configure storage settings, message queues, encryption options, and integrations with external systems such as Elasticsearch.

Navigate to Settings > Application Settings > Data Storage in the Web Interface to access the data storage configuration page. This interface provides a user-friendly way to configure storage parameters without directly editing configuration files.

The Data Storage configuration page displays all configurable parameters:

Data Storage Configuration enables advanced setup of data storage components used by CYBERQUEST. To modify the configuration, open the /var/opt/cyberquest/datastorage/conf.xml file on the CYBERQUEST server.

All configurable parameters are listed in the table below:

| Parameter | Description | Default Value |
|---|---|---|
| dbDriver | JDBC driver class for MySQL database | com.mysql.jdbc.Driver |
| dbUserName | Database username for configuration access | root |
| dbPass | Database password for configuration access | **** |
| dbUrl | JDBC connection URL for primary database | jdbc:mysql://127.0.0.1:3306/config |
| dbAlternateUrl | JDBC connection URL for failover database | jdbc:mysql://127.0.0.1:3306/config |
| serverGuid | Unique identifier for the server instance | D39498A9-1C85-0379-1E78-C161E6FFEEEA |

To modify a variable, click the Edit button. After making changes, click Save to apply them or Cancel to discard them.

All configurable variables are listed in the table below.

| Parameter | Description | Default Value |
|---|---|---|
| maxEventsPerFile | Maximum events per storage file | 20000 |
| fileWriterTimeout | Timeout for event writer operations (seconds) | 60 |
| mqUserName | Username for MQ service authentication | cq |
| mqPassword | Password for MQ service authentication | **** |
| mqHost | Hostname or IP address of MQ server | 127.0.0.1 |
| mqVhost | The MQ service virtual server. In distributed architectures, it may differ from the default CYBERQUEST server | / |
| mqPort | Network port for MQ communication | 5672 |
| mqExchangeName | Default exchange name for event processing | eventsExchange |
| mqQueueName | The MQ queue name | jobCommands |
| mqReceiveQueueType | The MQ Receive queue type | fanout |
| mqRouting | The routing path for message queues | agents |
| mqReceiveCommandExchangeName | The MQ Receive command exchange name | eventsExchange |
| mqReceiveCommandQueueName | Specifies the MQ Receive command queue name | jobCommands |
| mqReceiveCommandQueueType | Specifies the MQ Receive command queue type | direct |
| mqReceiveCommandRouting | Specifies the MQ Receive command routing path | servers |
| mqSendExchangeName | The MQ Send exchange name | |
| mqSendQueueName | Specifies the MQ Send queue name | archive |
| mqSendRouting | Specifies the MQ Send routing path | agents |
| mqSendQueueType | Specifies the MQ Send queue type | direct |
| encryptionPublicKeyFilePath | Path to public key file for encryption | /var/opt/cyberquest/encryption/datastorage/public_key.txt |
| encryptionPrivateKeyFilePath | Path to private key file for decryption | /var/opt/cyberquest/encryption/datastorage/private_key.txt |
| elasticClusterName | Online DataStorage cluster name | ES. |
| elasticHostName | Elasticsearch host address | 127.0.0.1 |
| encryptionPrivateKeyPassword | Password for private key encryption | *** |
| encryptionPrivateKeyPasswordPath | Path to file containing private key password | /var/opt/cyberquest/encryption/datastorage/privateKeyPassword.txt |
| fileImportThreads | How many threads are used for import | 5 |
| mqQueueType | Specifies the queue type | direct |
| mqReceiveExchangeName | Specifies the MQ Receive exchange name | DA.publish |
| mqReceiveQueueName | The MQ Receive queue name | DataStorage |
| mqReceiveRouting | Specifies the MQ Receive routing key | agents |
| mqAlternateHost | The alternate host name to use if the current queue is dead | 127.0.0.1 |
| mqVHost | The MQ Receive virtual host | / |
| elasticUserName | Online DataStorage user name | cq |
| elasticPassword | Password for Online DataStorage authentication | *** |
| ElasticSearchIsHttpsConnection | Enable HTTPS for Online DataStorage communication | 1 |
| ElasticSearchIsUserAuth | Enable user authentication for Online DataStorage | 1 |

The list below provides examples of defined jobs.

Data Sources Status

Data Sources Status - Shows real-time information on the health and performance of all data collection activities. It helps administrators ensure that data sources are actively collecting events, quickly spot any issues, and maintain continuous data flow for monitoring and analysis.

Navigate to Settings > Management > Data Sources Status in the Web Interface to access the data source monitoring dashboard. This interface provides a centralized view of all data collection activities.

Data source status is displayed using color-coded indicators for quick visual assessment:

🟢 Collecting (Green): Data source is actively collecting events and forwarding them to CYBERQUEST

🟡 Waiting for Next Collection (Yellow): Scheduled data source awaiting its next collection cycle

🔴 Stopped or Critical Error (Red): Data collection has stopped due to critical error or configuration issue

⚫ Disabled (Black/Gray): Data source has been manually disabled by administrator

An icon indicates that collection is scheduled to execute at defined time intervals, while sources without this icon execute in real-time.

The list can be sorted by any column or exported by clicking the button.

Since CYBERQUEST can handle a large number of data collections, the collection status list may become long. Up to 100 entries can be displayed per page. Avoid combining many entries with automatic page refresh to prevent performance issues.

The Columns menu at the top of the page allows selection of which columns are shown for all entries. Details for each column are listed in the table below.

| Field | Description |
|---|---|
| Computer Name | Source name (network IP address or resolved FQDN) |
| Log Name | Name of the log source |
| Type | Log type category |
| Messages | Number of collected events |
| Last Received Time | Last current time when data was received from source |
| Last Local Time | Last device time when data was received from source |
| Last Update Time | Last time a modification was made for data source |
| Last Message | Last message from data collector |
| Last Error | Last error message from data collector |
| Next Collection | Date and time when next collection will start |
| Producer | Module or agent that collected the events |
| Producer Uptime | Uptime of module or agent that collects events |
| Extra Data | Additional comments or contextual information |
| Alert Interval Minutes | Time interval to check source status |

Networks

The Management > Networks section lets administrators organize and configure network segments across the infrastructure. Networks can be classified by zone and tenant, which helps improve monitoring accuracy and security scoring.

Creating New Network

Click the create button on the Networks management page.

The Add network configuration window will open:

  • Name - a descriptive name for the network segment to easily identify it.

  • IP Range - the range of IP addresses that belong to this network segment (e.g., 192.168.10.0/24).

  • Security Score - a numeric value representing the network’s security level or risk assessment.

  • Network Zone - the classification of the network, such as Internal Network, DMZ, Internal Cloud, or External Cloud, for better monitoring and policy application.

  • Tenant - the organizational unit, team, or group responsible for or associated with the network segment.

Once a network is created, the following actions can be performed on it:

  • Edit Network - update the network’s configuration and settings. Changes take effect immediately.

  • Delete Network - remove the network from the system. Confirmation is required to prevent accidental deletion.

Check IP allows administrators to verify whether a specific IP address belongs to a defined network segment by pressing the corresponding button. This helps ensure accurate network mapping, proper monitoring, and correct assignment of security policies.

  • IP - enter the IP address to verify which network segment it belongs to.

  • Tenant - select the organizational unit or group to check the IP against its assigned network segments.

After entering the information, click Check to verify the IP or Cancel to exit without checking.
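The same membership question can be answered offline before segments are entered, which also exposes overlapping ranges inside one tenant. The following is an added example, not CYBERQUEST code: segment names, tenants and scores are constructed, IP ranges are assumed to be in CIDR notation as in the example above, and how CYBERQUEST itself resolves overlapping ranges is not stated on this page, so the script only reports them.

```python
import ipaddress

# Constructed sample segments using the fields of the Add network form.
# Names, tenants and security scores are invented for this example.
NETWORKS = [
    {"name": "HQ LAN", "ip_range": "192.168.10.0/24", "security_score": 70,
     "zone": "Internal Network", "tenant": "Default"},
    {"name": "HQ servers", "ip_range": "192.168.10.128/25", "security_score": 90,
     "zone": "Internal Network", "tenant": "Default"},
    {"name": "Web DMZ", "ip_range": "198.51.100.0/26", "security_score": 40,
     "zone": "DMZ", "tenant": "Default"},
    {"name": "Branch LAN", "ip_range": "192.168.10.0/24", "security_score": 60,
     "zone": "Internal Network", "tenant": "Branch"},
]


def _parse(segment):
    # strict=True raises ValueError for ranges with host bits set
    # (for example 192.168.10.5/24), which usually indicates a typo.
    return ipaddress.ip_network(segment["ip_range"], strict=True)


def check_ip(ip, tenant, networks=NETWORKS):
    """Return the names of the tenant's segments containing ip, most specific first."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for segment in networks:
        if segment["tenant"] != tenant:
            continue
        net = _parse(segment)
        if addr in net:  # False when the IP versions differ
            hits.append((net.prefixlen, segment["name"]))
    hits.sort(reverse=True)
    return [name for _, name in hits]


def find_overlaps(networks=NETWORKS):
    """Return (tenant, name_a, name_b) for overlapping ranges within one tenant."""
    findings = []
    for i, a in enumerate(networks):
        for b in networks[i + 1:]:
            if a["tenant"] != b["tenant"]:
                continue  # the same range in different tenants is not a conflict here
            net_a, net_b = _parse(a), _parse(b)
            if net_a.version == net_b.version and net_a.overlaps(net_b):
                findings.append((a["tenant"], a["name"], b["name"]))
    return findings


if __name__ == "__main__":
    for ip, tenant in [("192.168.10.200", "Default"),
                       ("192.168.10.200", "Branch"),
                       ("203.0.113.9", "Default")]:
        print(ip, tenant, check_ip(ip, tenant) or "no matching segment")
    for tenant, first, second in find_overlaps():
        print(f"overlap in tenant {tenant}: {first} <-> {second}")
```

An address that matches more than one segment in the same tenant, or none at all, is worth resolving before zone and security score are relied on for that host.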

PlayBooks

Playbooks - automate and simplify the incident response process, helping security teams respond quickly and effectively to threats. They follow industry best practices, regulations, and organizational policies to ensure a consistent, coordinated approach that reduces the impact of security incidents and enables fast remediation.

To access the Playbooks interface, navigate to Settings > Management > Playbooks.

  • Event Trigger: CYBERQUEST detects a suspicious event, like a network intrusion attempt or a high-severity alert from a security device. Playbook execution can be triggered automatically by an alert or manually from event or alert actions.

Playbooks can be added, edited, or deleted as needed.

Adding a Playbook

To add a new Playbook and orchestrate actions, click New Playbook. Playbooks are built visually, with two required blocks: Start and End.

Actions are executed according to the criteria set in the Playbook. Available actions are grouped by vendor and can be added using drag-and-drop.

Certain actions are triggered only when specific conditions are met.

Actions share information through an environment object, which stores alert or event data that can be used by subsequent actions.

The environment object is defined as follows:

{
  "Event": {
    // ... the event, populated automatically by CyberQuest
  },
  "Alert": {
    // ... the alert, populated automatically by CyberQuest
  },
  "playbookGUID": "...", // the individual playbook definition
  "startDate": 1685004728, // unix timestamp
  "endDate": 1685004728, // timestamp
  "status": "SUCCESS",
  "history": [
    {
      "inputEnviroment": {
        // populated with the input environment of the individual step
      },
      "outputEnviroment": {
        // populated with the output environment of the individual step
      },
      "startDate": 1685004728, // unix timestamp
      "endDate": 1685004728, // timestamp
      "status": "SUCCESS"
    }
  ]
}

During execution, CYBERQUEST updates the environment object to record the execution history and log details. All actions have access to this object.
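One way to review a finished run from its environment object, as an added example that is not CYBERQUEST code: the script walks the history array, reports what each step added, changed or dropped between its input and output environment, and flags records whose statuses or timestamps disagree. It assumes the object is available as plain JSON with Unix timestamps in seconds and treats any status other than "SUCCESS" as not successful; the sample data and function names are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like the environment object above. Key spelling
# ("inputEnviroment") follows the page; every value, including the "FAILED"
# status and the all-zero GUID, is invented for this example.
SAMPLE_ENVIRONMENT = json.loads("""
{
  "Event": {"EventID": 4625},
  "Alert": {"Name": "Constructed sample alert"},
  "playbookGUID": "00000000-0000-0000-0000-000000000000",
  "startDate": 1685004728,
  "endDate": 1685004790,
  "status": "SUCCESS",
  "history": [
    {"inputEnviroment": {"ip": "203.0.113.7"},
     "outputEnviroment": {"ip": "203.0.113.7", "blocked": true},
     "startDate": 1685004728, "endDate": 1685004731, "status": "SUCCESS"},
    {"inputEnviroment": {"ip": "203.0.113.7", "blocked": true},
     "outputEnviroment": {},
     "startDate": 1685004731, "endDate": 1685004790, "status": "FAILED"}
  ]
}
""")


def _utc(ts):
    """Render a Unix timestamp (seconds) as a UTC string."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%SZ")


def summarize_steps(env):
    """Return one dict per history entry: timing, status, and what the step changed."""
    steps = []
    for index, step in enumerate(env.get("history", []), start=1):
        before = step.get("inputEnviroment", {})
        after = step.get("outputEnviroment", {})
        steps.append({
            "step": index,
            "status": step.get("status"),
            "started": _utc(step["startDate"]),
            "seconds": step["endDate"] - step["startDate"],
            "added": sorted(k for k in after if k not in before),
            "changed": sorted(k for k in after if k in before and after[k] != before[k]),
            "dropped": sorted(k for k in before if k not in after),
        })
    return steps


def find_inconsistencies(env):
    """Flag records that deserve a closer look during troubleshooting."""
    problems = []
    history = env.get("history", [])
    not_ok = [i for i, s in enumerate(history, 1) if s.get("status") != "SUCCESS"]
    if env.get("status") == "SUCCESS" and not_ok:
        problems.append(f"playbook status is SUCCESS but steps {not_ok} are not")
    for i, step in enumerate(history, 1):
        if step["endDate"] < step["startDate"]:
            problems.append(f"step {i} ends before it starts")
        if step["startDate"] < env["startDate"] or step["endDate"] > env["endDate"]:
            problems.append(f"step {i} falls outside the playbook start/end window")
    return problems


if __name__ == "__main__":
    for row in summarize_steps(SAMPLE_ENVIRONMENT):
        print(row)
    for problem in find_inconsistencies(SAMPLE_ENVIRONMENT):
        print("CHECK:", problem)
```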

Execution History

Every action creates execution logs that help with debugging Playbooks and actions. If an error occurs, these logs can be reviewed to identify the cause, making troubleshooting easier and ensuring Playbooks run correctly and reliably.

Playbook logs can be downloaded in .txt format or viewed by clicking the corresponding buttons.

Viewing Execution History

Use the corresponding button in Execution History to view the input parameters and output data for each step of the execution.

Service Level Agreement (SLA) Management

Service Level Agreements (SLAs) in CYBERQUEST provide a structured framework for defining and enforcing response and resolution time commitments for security incidents and cases. SLAs ensure that security teams meet organizational performance standards, comply with regulatory requirements, and maintain consistent incident response timelines. By automating time tracking and escalation processes, SLAs help optimize resource allocation and improve overall security operations efficiency.

Navigate to Settings > Management > Service Level Agreement (SLA) in the Web Interface to access the SLA management page. This interface displays all configured SLAs and provides tools for creating, editing, and managing SLA definitions.

Name: Descriptive name for the SLA that clearly indicates its purpose and scope (e.g., "Critical Incident SLA").

Description: Comprehensive explanation of the SLA's purpose, applicable scenarios, and any special considerations.

Case Types: Select one or more case types from the dropdown list that this SLA will apply to. These case types are predefined in Case Management and represent categories of incidents.

Confirmation Time (minutes): Maximum time allowed for acknowledging and assigning a case after creation. This represents the initial response commitment.

Response Time (minutes): Maximum time allowed for resolving a case after acknowledgment. This represents the resolution commitment.

Click "Save" to persist your configuration or "Cancel" to discard changes.

Once an SLA is created, the following actions can be performed on it:

  • Editing SLAs - Modify SLA parameters, case type associations, or time commitments using the Edit button. Changes take effect immediately for all active and future cases, while historical SLA compliance data remains unchanged.

  • Deleting SLAs - Remove an SLA using the Delete button. Confirmation is required to prevent accidental deletion. Deleted SLAs no longer apply to future cases, but historical data is preserved.

Case confirmation and response times are automatically determined by the assigned SLA; see Case Overview.

Analyst Actions Management

Analyst Actions in CYBERQUEST provide a human-in-the-loop automation capability that allows playbooks to pause execution and request input or confirmation from security analysts during critical decision points. This feature enables automated workflows to incorporate human judgment, expertise, and situational awareness, ensuring that complex security decisions benefit from both automated efficiency and human oversight. Analyst Actions are essential for scenarios requiring ethical considerations, legal compliance, risk assessment, or complex judgment that cannot be fully automated.

Navigate to Settings > Management > Analyst Actions in the Web Interface to access the Analyst Actions management interface. This page displays all pending analyst questions and provides tools for managing and responding to them.

To continue execution, the analyst must respond when prompted. If no response is given within the timeout set in the action module, the default action defined at the action level will be applied automatically.

To respond to an Analyst Confirmation action:

1. Click the confirmation button next to the action.
2. The confirmation window will open with details of the request.

To respond to an Analyst Input action:

1. Click the input button next to the action.
2. The input form window will open with the request details.

Once the answer is saved, the action is removed and execution continues using the provided response.

Case Templates

Case Templates in CYBERQUEST allow administrators to define reusable field structures for case creation, ensuring consistency and efficiency across all cases. Each template contains predefined fields that can capture information in four formats: text, boolean (true/false), select (dropdown options), and float (numeric values with decimals).

Templates can include:

  • Text fields for entering free-form information like usernames or descriptions.
  • Select fields for choosing from predefined options.
  • Boolean fields for simple yes/no or true/false inputs.
  • Float fields for numeric values with decimals.

Once a Case Template is created, it can be used to generate new cases in the Case Management module. This ensures that every case follows the same predefined structure and captures all required details for analysis, reporting, and tracking.

Creating a New Case Using a Case Template

To create a new case using a case template, navigate to Case Management > New Case, select the desired template from the Template drop-down list, fill in the required case details, and save.
