Methods of Creation

1. Manual Creation

Cases can be created manually through the user interface in several ways:
  • Using the “New Case” button in the cases list view
  • From the quick actions menu in the navigation bar
  • Through the case templates in the settings
![Create Case Dialog] Screenshot showing the case creation dialog with all available fields

2. From Templates

Case templates provide a standardized way to create cases with predefined fields:
  • Choose from available templates or start with a blank case
  • Templates can include pre-filled fields and default values
  • Organization-specific templates are supported
![Case Templates] Screenshot showing the template selection dialog during case creation

3. From Alerts

Cases can be automatically or manually created from security alerts:
  • Convert single alerts to cases
  • Merge multiple alerts into a single case
  • Inherit alert properties (severity, TLP, etc.)

Required Fields

When creating a case, the following fields are mandatory:
  • Title: A clear, descriptive name for the case
  • Status: Initial status (defaults to “New”)
  • Severity: Impact level (1-5)
  • TLP: Traffic Light Protocol classification
  • PAP: Permissible Actions Protocol level

Optional Fields

Additional fields that can be specified during creation:
  • Description: Detailed information about the case
  • Tags: Custom labels for categorization
  • Assignee: Team member responsible for the case
  • Custom Fields: Organization-specific data fields
  • Organizations: Visibility settings for organizations

Case Creation Settings

Administrators can configure various aspects of case creation:
  • Default values for new cases
  • Required and optional fields
  • Available templates
  • Automation rules for case creation
  • Organization-specific settings
![Case Settings] Screenshot showing the administrative settings for case creation

Best Practices

  1. Titles: Use clear, descriptive titles that include key information
  2. Templates: Create templates for common case types to ensure consistency
  3. Severity: Follow organization guidelines for severity assignment
  4. TLP/PAP: Carefully consider information sharing restrictions
  5. Custom Fields: Use custom fields to capture organization-specific data

Automation Options

Cases can be created automatically through various triggers:
  • Alert-based triggers
  • Integration webhooks
  • API endpoints
  • Scheduled workflows

Next Steps

After creating a case:
  1. Add relevant observables and artifacts
  2. Create initial tasks
  3. Link related alerts
  4. Assign team members
  5. Add detailed documentation
For more information on working with cases after creation, see Working with Cases.