
Cases

Cases are containers for investigations that bring together related alerts, query results and evidence, AI Assistant conversations, team collaboration, and investigation reports in a structured environment for organizing and resolving complex incidents.

How to Access

Navigate to Insights → Cases in the platform.

Case Tabs

Open

Active cases currently under investigation. Use filters to narrow down:

  • Assignees — Filter by assigned team member
  • Case ID — Search for specific case
  • Severity — Filter by severity level
  • Created At / Updated At — Filter by date range

Closed

Resolved cases with:

  • Closing reason
  • Resolution details
  • Historical reference

Finding Your Cases

To view only cases assigned to you, use the Assignees filter and select your name.

Creating a Case

From Scratch

  1. Click New Case
  2. Enter title and description
  3. Set severity and assignee
  4. Add initial notes

From Alerts

  1. Select alerts in the Alerts app
  2. Click Add to Case
  3. Choose Create New Case
  4. Case created with alerts attached

From Query Results

  1. Run a query in Query Analyzer
  2. Select relevant rows
  3. Click Add to Case
  4. Data becomes case evidence

Case Details

Click on a case to open the details view with multiple tabs:

Alerts Tab

View all alerts linked to this case:

  • Alert details and severity
  • Timeline of when alerts were added
  • Link to original alert

Tasks Tab

Manage investigation tasks:

  • Create tasks for team members
  • Track task completion
  • Set due dates and priorities

Observables Tab

Track indicators and artifacts:

  • IP addresses, domains, hashes
  • User accounts
  • File paths and URLs
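Observables arrive in notes and alert payloads in inconsistent forms (defanged domains, upper-case hashes, the same indicator pasted twice), so it helps to normalize them before they are recorded. The following is an added example, not platform code: it classifies a value into the observable types listed above (IP address, domain, hash, user account, file path, URL), refangs it so duplicates collapse to one entry, and re-defangs it for safe inclusion in a report. The sample values at the bottom are constructed for illustration.

```python
import re
from ipaddress import ip_address

# Observable categories follow the list on this page's Observables tab.
# This classifier is an added illustration and assumes nothing about the
# platform's own data model or API.
HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}

URL_RE = re.compile(r"^[a-z][a-z0-9+.-]*://\S+$", re.IGNORECASE)
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
    re.IGNORECASE,
)
HEX_RE = re.compile(r"^[0-9a-f]+$", re.IGNORECASE)
WIN_PATH_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)
# DOMAIN\user or user@domain forms; a bare word stays "unknown" rather than
# being guessed as an account name.
USER_RE = re.compile(r"^(?:[\w.-]+\\[\w.-]+|[\w.+-]+@[\w.-]+)$")


def refang(value: str) -> str:
    """Undo common defanging so the same indicator dedupes to one entry."""
    v = value.strip()
    v = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", v)
    v = re.sub(r"^hxxp", "http", v, flags=re.IGNORECASE)
    return v


def classify(value: str) -> tuple:
    """Return (category, normalized value). Order matters: URLs and IPs are
    tested before hashes and domains so that nothing is mis-typed by a
    looser pattern."""
    v = refang(value)
    if URL_RE.match(v):
        return "url", v
    try:
        ip_address(v)  # accepts IPv4 and IPv6
        return "ip", v
    except ValueError:
        pass
    if HEX_RE.match(v) and len(v) in HASH_ALGOS:
        return "hash", v.lower()
    if v.startswith("/") or WIN_PATH_RE.match(v):
        return "file_path", v
    if DOMAIN_RE.match(v):
        return "domain", v.lower()
    if USER_RE.match(v):
        return "user_account", v
    return "unknown", v


def hash_algorithm(value: str):
    """Name the hash algorithm implied by a hex digest's length, or None."""
    v = value.strip()
    if HEX_RE.match(v):
        return HASH_ALGOS.get(len(v))
    return None


def group_observables(values) -> dict:
    """Group raw values by category with duplicates removed and sorted."""
    groups = {}
    for raw in values:
        cat, v = classify(raw)
        groups.setdefault(cat, set()).add(v)
    return {cat: sorted(vals) for cat, vals in groups.items()}


def defang(value: str) -> str:
    """Render network indicators so they are not clickable in an exported report."""
    cat, v = classify(value)
    if cat in ("url", "domain", "ip"):
        v = v.replace(".", "[.]")
        v = re.sub(r"^http", "hxxp", v, flags=re.IGNORECASE)
    return v


if __name__ == "__main__":
    # Constructed sample values, as they might appear in analyst notes.
    sample = [
        "hxxps://evil[.]example/payload",
        "evil[.]example",
        "evil.example",
        "10.0.0.5",
        "D41D8CD98F00B204E9800998ECF8427E",
        "CORP\\jdoe",
        "C:\\Windows\\Temp\\a.exe",
    ]
    for cat, vals in group_observables(sample).items():
        print(cat, [defang(v) for v in vals])
```

Duplicate entries such as `evil[.]example` and `evil.example` collapse to one domain, and report output is defanged, while the stored value stays in its canonical form for matching.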

View events connected to the case:

  • Query results added as evidence
  • Related data from investigations

History Tab

Audit trail of all case activity:

  • Status changes
  • Assignment changes
  • Notes and comments
  • All actions with timestamps

Report Tab

Generate and view case reports:

  • Investigation summary
  • Findings and conclusions
  • Export for stakeholders

Case Properties

Property      Description
Title         Editable case name
Status        Open or Closed
Severity      Critical, High, Medium, Low, Informational
Assignee      Team member responsible
Created At    When the case was created
Updated At    Last modification time

Working with Cases

Editing Case Details

Click any editable field to modify it:

  • Title — Click to edit inline
  • Severity — Select from dropdown
  • Assignee — Choose team member
  • Description — Update case context

Adding Notes

Document your investigation:

  • Add timestamped notes
  • Notes appear in case history
  • Maintain investigation trail

Using the AI Assistant

Each case can have an associated Assistant thread:

  • Click Enable Assistant to start
  • The Assistant has the case data as context
  • Get help with analysis and queries
  • Generate report drafts

Running Form Actions

Execute predefined actions:

  • Trigger playbook workflows
  • Run automated responses
  • Integrate with external systems

Closing Cases

  1. Click the Close Case button
  2. Select closing reason:
    • Resolved
    • False Positive
    • Duplicate
    • No Action Required
  3. Add resolution summary
  4. Case moves to Closed tab

Best Practices

  1. Descriptive titles — Make cases easy to identify
  2. Link related alerts — Build complete context
  3. Document findings — Add notes throughout investigation
  4. Use tasks — Break complex investigations into steps
  5. Leverage the Assistant — Get AI help with analysis
  6. Close with details — Future reference depends on good documentation