Creating Cases
This guide explains the different ways to create cases in the system and the available options during case creation.
Methods of Creation
1. Manual Creation
Cases can be created manually through the user interface in several ways:
- Using the “New Case” button in the cases list view
- From the quick actions menu in the navigation bar
- Through the case templates in the settings
[Screenshot: the case creation dialog with all available fields]
2. From Templates
Case templates provide a standardized way to create cases with predefined fields:
- Choose from available templates or start with a blank case
- Templates can include pre-filled fields and default values
- Organization-specific templates are supported
[Screenshot: the template selection dialog during case creation]
3. From Alerts
Cases can be automatically or manually created from security alerts:
- Convert single alerts to cases
- Merge multiple alerts into a single case
- Inherit alert properties (severity, TLP, etc.)
Required Fields
When creating a case, the following fields are mandatory:
- Title: A clear, descriptive name for the case
- Status: Initial status (defaults to “New”)
- Severity: Impact level (1-5)
- TLP: Traffic Light Protocol classification
- PAP: Permissible Actions Protocol level
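Added example, not part of the original guide or the product's own code: a check an automation could run before submitting a case merged from several alerts, enforcing the mandatory fields listed above. The alert shape, the TLP/PAP label sets and their ordering, keeping the strictest label on merge, and treating a higher severity number as higher impact are all assumptions.

```python
from collections import namedtuple

# Assumption: labels ordered least to most restrictive, following the public
# TLP 2.0 and PAP definitions; the product's own encoding may differ.
TLP_ORDER = ["CLEAR", "GREEN", "AMBER", "AMBER+STRICT", "RED"]
PAP_ORDER = ["CLEAR", "GREEN", "AMBER", "RED"]

Alert = namedtuple("Alert", "title severity tlp pap")  # hypothetical alert shape

def most_restrictive(labels, order):
    """Pick the strictest label; unknown labels are rejected, not guessed."""
    unknown = [x for x in labels if x not in order]
    if unknown:
        raise ValueError(f"unknown label(s): {unknown}")
    return max(labels, key=order.index)

def validate_case(case):
    """Return problems with the mandatory fields; an empty list means valid."""
    errors = []
    for field in ("title", "status"):
        if not str(case.get(field) or "").strip():
            errors.append(f"{field} is required")
    if type(case.get("severity")) is not int or not 1 <= case["severity"] <= 5:
        errors.append("severity must be an integer from 1 to 5")
    for field, order in (("tlp", TLP_ORDER), ("pap", PAP_ORDER)):
        if case.get(field) not in order:
            errors.append(f"{field} is missing or unknown")
    return errors

def case_from_alerts(alerts, title=""):
    """Merge alerts into one case record, inheriting the strictest properties."""
    if not alerts:
        raise ValueError("at least one alert is required")
    case = {
        "title": title or alerts[0].title,
        "status": "New",  # default initial status named in the guide
        "severity": max(a.severity for a in alerts),  # assumed: higher = worse
        "tlp": most_restrictive([a.tlp for a in alerts], TLP_ORDER),
        "pap": most_restrictive([a.pap for a in alerts], PAP_ORDER),
    }
    if errors := validate_case(case):
        raise ValueError("; ".join(errors))
    return case

# Constructed sample alerts (not taken from the guide).
SAMPLE_ALERTS = [Alert("Phishing mail reported", 2, "GREEN", "GREEN"),
                 Alert("Credential reuse detected", 4, "AMBER", "CLEAR")]
```

Merging to the strictest TLP and PAP keeps a case from being shared more widely than its most sensitive source alert allows.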
Optional Fields
Additional fields that can be specified during creation:
- Description: Detailed information about the case
- Tags: Custom labels for categorization
- Assignee: Team member responsible for the case
- Custom Fields: Organization-specific data fields
- Organizations: Visibility settings for organizations
Case Creation Settings
Administrators can configure various aspects of case creation:
- Default values for new cases
- Required and optional fields
- Available templates
- Automation rules for case creation
- Organization-specific settings
[Screenshot: the administrative settings for case creation]
Best Practices
- Titles: Use clear, descriptive titles that include key information
- Templates: Create templates for common case types to ensure consistency
- Severity: Follow organization guidelines for severity assignment
- TLP/PAP: Carefully consider information sharing restrictions
- Custom Fields: Use custom fields to capture organization-specific data
Automation Options
Cases can be created automatically through various triggers:
- Alert-based triggers
- Integration webhooks
- API endpoints
- Scheduled workflows
Next Steps
After creating a case:
- Add relevant observables and artifacts
- Create initial tasks
- Link related alerts
- Assign team members
- Add detailed documentation
For more information on working with cases after creation, see Working with Cases.