Working with Cases
This guide covers the day-to-day operations and features available when working with cases in the system.
Case Detail View
The case detail view is your primary workspace for managing cases:
![Case Detail Interface] Screenshot showing the main case detail interface with all components
Key Areas
- Header: Case title, ID, and quick actions
- Details Panel: Core case properties and metadata
- Tabs: Access different case components
- Activity Timeline: Recent updates and changes
Case Components
1. Tasks
Tasks help track action items within a case:
- Create and assign tasks
- Set priorities and due dates
- Track task completion
- Add task notes and attachments
![Tasks Tab] Screenshot of the tasks management interface
2. Observables
Manage artifacts and indicators:
- Add files, IPs, domains, and other observables
- Automatic enrichment
- Relationship visualization
- Threat intelligence lookup
![Observables Tab] Screenshot showing observable management and analysis
3. TTPs (Tactics, Techniques, and Procedures)
Map case activities to known attack patterns:
- MITRE ATT&CK® framework integration
- Custom TTP definitions
- Visual attack flow mapping
- Related procedure documentation
![TTPs Tab] Screenshot of the TTP mapping interface
4. Timeline
Chronological view of case activities:
- Automatic event tracking
- Manual timeline entries
- Filter and search capabilities
- Evidence timeline reconstruction
![Timeline Tab] Screenshot showing the case timeline view
5. AI Insights
AI-powered analysis and recommendations:
- Automated case analysis
- Similar case detection
- Recommendation engine
- Pattern recognition
![AI Insights Tab] Screenshot of AI-powered insights and recommendations
Case Actions
Assignment and Collaboration
- Assign cases to team members
- Transfer ownership
- Add collaborators
- Team notifications
Linking and Relationships
- Link related cases
- Connect alerts
- Establish observable relationships
- Create case groups
Documentation
- Add notes and comments
- Attach files and evidence
- Generate reports
- Export case data
Case Merging
When multiple cases are related:
- Select cases to merge
- Choose primary case
- Review relationships
- Confirm merge action
Analysis Tools
1. Search and Filters
- Full-text search
- Advanced filtering
- Saved searches
- Custom views
2. Visualizations
- Relationship graphs
- Timeline views
- Statistical analysis
- Custom dashboards
3. Reporting
- Case summaries
- Status reports
- Team metrics
- Custom report templates
Best Practices
- Documentation: Keep detailed notes and updates
- Observables: Add context to all observables
- Tasks: Break down complex investigations
- Timeline: Document key findings and decisions
- Collaboration: Use comments for team communication
Keyboard Shortcuts
Common actions have keyboard shortcuts:
- Ctrl/Cmd + S: Save changes
- Ctrl/Cmd + E: Edit mode
- Ctrl/Cmd + F: Search
- Esc: Cancel/Close
Mobile Access
The case interface is responsive and supports:
- Mobile viewing
- Basic editing
- Task management
- Status updates
![Mobile Interface] Screenshot showing the mobile case interface
Integration Features
Cases integrate with:
- Email notifications
- Slack/Teams messages
- Webhook triggers
- External systems
For information about case workflows and status management, see Case Workflows.