Overview
Cases are the core entities for managing security incidents, investigations, and related activities. Each case represents a distinct security event or investigation that needs to be tracked and resolved.

![Case List View] Screenshot showing the main case list view with filters, search, and case cards

Key Features
- Case Lifecycle Management: Track cases from creation to resolution
- Customizable Status Workflows: Configure case statuses to match your organization’s processes
- Team Collaboration: Assign cases to team members and track their progress
- Rich Metadata: Track severity, TLP (Traffic Light Protocol), and PAP (Permissible Actions Protocol)
- Tagging System: Organize cases with customizable tags
- Integration with Alerts: Link related alerts to cases
- AI Insights: Automated analysis and insights for cases (when enabled)
- Audit Trail: Complete timeline of case activities and changes
Case Properties
Core Properties
- Case ID: Unique identifier (auto-generated)
- Title: Descriptive name of the case
- Description: Detailed information about the case
- Status: Current state in the workflow (New, InProgress, Closed)
- Severity: Impact level (1-5)
- TLP: Traffic Light Protocol classification
- PAP: Permissible Actions Protocol level
- Tags: Custom labels for categorization
- Custom Fields: Organization-specific additional data
Metadata
- Created By: User who created the case
- Created At: Timestamp of case creation
- Updated At: Last modification timestamp
- Assigned To: Team member responsible for the case
- Organizations: Associated organizations (for multi-tenant setups)
Related Components
Cases are connected to several other components:
- Alerts: Security alerts that triggered or are related to the case
- Observables: Artifacts and indicators associated with the case
- Tasks: Action items and to-dos within the case
- TTPs: Tactics, Techniques, and Procedures identified in the case
- Timeline: Chronological record of case activities
- AI Insights: AI-powered analysis and recommendations (if enabled)
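The case properties, lifecycle and related components listed in the sections above, modelled as a small Python class. This is an added example, not the platform's own code or data model: it enforces the 1-5 severity range and the New / InProgress / Closed workflow the page states, validates TLP and PAP labels, and records every change as a timeline entry so the audit trail is complete. The transition rules, the TLP 2.0 and MISP PAP label names, the method names and the sample case, alert and observable values are assumptions and constructed test data, not taken from the page.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# From the page: default status workflow and the 1-5 severity scale.
STATUSES = ("New", "InProgress", "Closed")
# Assumed transition rules for that workflow; the page says statuses are
# customizable, so a real deployment may allow different moves.
TRANSITIONS = {"New": {"InProgress", "Closed"}, "InProgress": {"Closed"}, "Closed": set()}
# Standard TLP 2.0 and MISP PAP labels; how the platform encodes them is an assumption.
TLP_LEVELS = ("CLEAR", "GREEN", "AMBER", "AMBER+STRICT", "RED")
PAP_LEVELS = ("WHITE", "GREEN", "AMBER", "RED")


class CaseError(ValueError):
    """A case update violated a validation or workflow rule."""


@dataclass
class TimelineEntry:
    at: datetime
    actor: str
    action: str
    detail: str


@dataclass
class Case:
    case_id: str
    title: str
    description: str
    created_by: str
    severity: int
    tlp: str
    pap: str
    status: str = "New"
    tags: set = field(default_factory=set)
    assigned_to: Optional[str] = None
    linked_alerts: list = field(default_factory=list)
    observables: list = field(default_factory=list)
    created_at: datetime = field(default_factory=lambda: datetime.now(timezone.utc))
    updated_at: Optional[datetime] = None
    timeline: list = field(default_factory=list)

    def __post_init__(self):
        # Reject out-of-range metadata at creation so bad values never reach the store.
        if not 1 <= self.severity <= 5:
            raise CaseError(f"severity must be 1-5, got {self.severity}")
        if self.tlp not in TLP_LEVELS:
            raise CaseError(f"unknown TLP level {self.tlp!r}")
        if self.pap not in PAP_LEVELS:
            raise CaseError(f"unknown PAP level {self.pap!r}")
        self.updated_at = self.created_at
        self.timeline.append(TimelineEntry(self.created_at, self.created_by, "created", self.title))

    def _record(self, actor: str, action: str, detail: str) -> None:
        # Every mutation goes through here, so the timeline and updated_at never drift apart.
        now = datetime.now(timezone.utc)
        self.updated_at = now
        self.timeline.append(TimelineEntry(now, actor, action, detail))

    def set_status(self, actor: str, new_status: str) -> None:
        if new_status not in STATUSES:
            raise CaseError(f"unknown status {new_status!r}")
        if new_status not in TRANSITIONS[self.status]:
            raise CaseError(f"transition {self.status} -> {new_status} is not allowed")
        old, self.status = self.status, new_status
        self._record(actor, "status", f"{old} -> {new_status}")

    def assign(self, actor: str, assignee: str) -> None:
        self.assigned_to = assignee
        self._record(actor, "assigned", assignee)

    def add_tag(self, actor: str, tag: str) -> None:
        if tag not in self.tags:
            self.tags.add(tag)
            self._record(actor, "tagged", tag)

    def link_alert(self, actor: str, alert_id: str) -> None:
        if alert_id not in self.linked_alerts:
            self.linked_alerts.append(alert_id)
            self._record(actor, "alert_linked", alert_id)

    def add_observable(self, actor: str, kind: str, value: str) -> None:
        self.observables.append({"type": kind, "value": value})
        self._record(actor, "observable_added", f"{kind}={value}")


def build_sample_case() -> Case:
    # Constructed sample: one case walked through the lifecycle described on the page.
    case = Case("CASE-0001", "Suspicious login from new country", "Constructed sample",
                "alice", severity=3, tlp="AMBER", pap="GREEN")
    case.link_alert("alice", "ALERT-42")               # constructed alert id
    case.add_observable("alice", "ip", "203.0.113.7")  # documentation-range address
    case.add_tag("alice", "credential-access")
    case.assign("alice", "bob")
    case.set_status("bob", "InProgress")
    case.set_status("bob", "Closed")
    return case


if __name__ == "__main__":
    for entry in build_sample_case().timeline:
        print(f"{entry.at.isoformat()} {entry.actor:<6} {entry.action:<17} {entry.detail}")
```

Keeping the workflow table in one place (`TRANSITIONS`) is what lets the audit trail be trusted: a closed case cannot silently reopen, and every status change is attributed to the actor who made it.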