Overview

Cases are the core entities for managing security incidents, investigations, and related activities. Each case represents a distinct security event or investigation that needs to be tracked and resolved.

[Figure: Case List View. The main case list view with filters, search, and case cards.]

Key Features

  • Case Lifecycle Management: Track cases from creation to resolution
  • Customizable Status Workflows: Configure case statuses to match your organization’s processes
  • Team Collaboration: Assign cases to team members and track their progress
  • Rich Metadata: Track severity, TLP (Traffic Light Protocol), and PAP (Permissible Actions Protocol)
  • Tagging System: Organize cases with customizable tags
  • Integration with Alerts: Link related alerts to cases
  • AI Insights: Automated analysis and insights for cases (when enabled)
  • Audit Trail: Complete timeline of case activities and changes

Case Properties

Core Properties

  • Case ID: Unique identifier (auto-generated)
  • Title: Descriptive name of the case
  • Description: Detailed information about the case
  • Status: Current state in the workflow (New, InProgress, Closed)
  • Severity: Impact level (1-5)
  • TLP: Traffic Light Protocol classification
  • PAP: Permissible Actions Protocol level
  • Tags: Custom labels for categorization
  • Custom Fields: Organization-specific additional data

Metadata

  • Created By: User who created the case
  • Created At: Timestamp of case creation
  • Updated At: Last modification timestamp
  • Assigned To: Team member responsible for the case
  • Organizations: Associated organizations (for multi-tenant setups)

Cases are connected to several other components:

  • Alerts: Security alerts that triggered or are related to the case
  • Observables: Artifacts and indicators associated with the case
  • Tasks: Action items and to-dos within the case
  • TTPs: Tactics, Techniques, and Procedures identified in the case
  • Timeline: Chronological record of case activities
  • AI Insights: AI-powered analysis and recommendations (if enabled)

[Figure: Case Detail View. The detailed view of a case with all its components and tabs.]
