AI SOC Applications

# Case Management (CASE)
Case Management is the primary analyst workspace in current AI SOC packages. Ingestion creates records here with the tracking prefix CASE. Use the Case Analysis tab and its related tabs for triage, Hero AI, evidence, and lifecycle actions.

## Open Case Management

1. Navigate to Application Records → Case Management.
2. Open a record from the list.

## Case Analysis tab

The Case Analysis tab is the main workspace for investigating each alert or case. From here you identify the record, run quick actions, and review key fields in one place.

### Identification and quick actions

At the top of the record you can:

- **Claim**: assign the record to yourself as the current owner. Use this when you are ready to start investigating. Claiming also sets the Time Assigned timestamp for tracking.
- **Re-assign Owner**: transfer ownership to another analyst or team when needed for expertise or workload balancing.

Sustained investigation uses this Case Management record: Status (for example, In Progress), investigation comments, evidence, and routing rules. Escalated may be set when Pending Case Resolution runs and your tenant rules apply (see docid dsdgtaqeg95dseaf2iat).

You will also see the tracking ID (for example, CASE 21) with an option to copy the link, timestamps for when the record was created and last updated (and by whom), and SLA status when SLA is configured (for example, how much SLA time has been used, with a visual indication as you approach the limit).

### Key fields on the record

The record shows essential information about origin and current state:

- **Time of First Evidence**: when the first piece of evidence was collected. Helps you understand the investigation timeline.
- **First Created / Last Updated**: when the record was created and last modified. Useful for tracking how long it has been in the queue.
- **Current Owner**: who is responsible for investigating this record. Empty means unassigned.
- **Organization**: which organizational unit owns this record. Helps in multi-tenant environments.
- **Signal Type**: whether this is an alert, phishing email, or manual triage entry. Different types may have different workflows.
- **Signal Source**: which system generated the alert (for example, Splunk, CrowdStrike, email gateway). Helps you understand the alert origin and reliability.
- **Intelligence Verdict**: the aggregated threat intelligence verdict (malicious, suspicious, benign, unknown) based on observable enrichment. It is calculated from your TI providers and gives you an immediate risk assessment.

### Status and classification fields

These fields help you classify and prioritize:

- **Manual Verdict**: your final assessment after investigation (malicious, suspicious, benign, unknown). The AI verdict is a recommendation; your manual verdict is the authoritative decision.
- **Status**: current workflow state (Processing, New, In Progress, Blocked, Escalated, Closed). Use this to track where the record is in your investigation process.
- **Priority**: urgency level (P0–P4). P0 is most urgent. Set this based on severity and business impact.
- **Severity**: technical severity (Critical, High, Medium, Low, Informational, Unknown). Reflects the technical risk level of the threat.
- **Classification**: final disposition (True Positive, False Positive, Unknown). Use this to track whether the alert was valid and to improve future detection.

If your layout uses a linked record for part of the workflow, some fields on this record may be read-only. Edit Manual Verdict, Status, Priority, Severity, and Classification where your form allows, or on the linked record when that is how your organization configured the application.

### AI Analysis widget (AI Alert Analysis)

The AI Analysis widget on the layout drives the AI Alert Analysis experience: AI-powered analysis and investigation guidance.

- **Signal Summary section**: Signal Name, Investigation Summary, Confidence Score, AI Verdict, Verdict Analysis, Threat Intelligence Analysis, MITRE Analysis, Reanalyze, escalation or Escalated indicators (when your layout includes them), and Generate Remediation Plan.
- **Investigation Plan section**: Preparation, Analysis, and Determination stages with Review, Run, Run All Steps, and + Add Additional Step.
- **Automation section**: Create a Triage Rule and Create a Playbook for repeatable handling. Create a Playbook does not pull recovery steps from Generate Remediation Plan into the generated playbook (by design), so automated containment is not immediately undone; use reusable recovery playbooks or your standard process after containment (see docid p7qjquayekczhpxeppwcp and docid cknuxqv85k9lu0ocqv218).

The AI uses threat intelligence, knowledge base articles, and historical patterns to generate relevant investigation steps. You can modify the plan, add steps, remove steps, or run steps in any order.

### Evidence areas

- **Knowledge Base Articles**: linked articles that match observable patterns or alert characteristics.
- **Threat Intelligence**: enrichment results for observables extracted from the record.
- **Correlation**: related records that may be part of the same incident.
- **Rules**: which routing rules processed this record and what actions were taken.

## Other tabs

- **Routing Rule**: which routing rules evaluated this record and their results.
- **Knowledge Base**: quick access to linked KB articles without leaving the record.
- **Metrics**: performance metrics and summaries.
- **Timeline**: milestones in the lifecycle (for example, threat intel returned, correlation completed, priority set, resolution). Informational only; clicking a milestone does not trigger an action.
- **Audit**: change history showing who did what and when.
- **Support**: manual actions and troubleshooting tools.

## Record types and lifecycle

Signal Type can be alert, phishing, or triage. New records often move from Processing to New, then progress through workflow states as they are claimed and resolved.

### Automated case lifecycle (flows and buttons)

After case records are created, several flows and buttons automate evaluation and lifecycle:

- **Case Evaluation Automated**: applies default logic based on threat intelligence, correlation, and case fields.
- **Signal Routing Rules**: the routing rules application that runs associated playbooks when cases meet configured conditions. A Run Rule Against Pending Cases button lets you test rules against existing work.
- **Run AI Investigation**: button that invokes Hero AI to generate an investigation plan and, when enabled, an updated verdict and confidence.
- **Run Rules Engine Against Current Case**: button that evaluates the current case against routing rules on demand.
- **Pending Case Resolution / Case Prioritization / Update Case Metrics**: background flows that set resolution outcomes, priority, and dashboard metrics once evaluation and rules have run.

Use these together to keep case triage, escalation, and reporting consistent across alert and phishing pipelines.

### Processing status

Processing means threat intel enrichment and evaluation (correlation, KB linking, Hero AI analysis) have not yet completed. When both complete, the Pending Resolution flow may set the record to New, Closed, or Escalated. Do not expect Generate Plan or an AI verdict until the record has left Processing.

- **Threat Intelligence Status**: shows whether enrichments are pending or complete.
- **Rule Processing Status**: indicates whether routing rules have been evaluated.
- **Correlation Status**: shows whether correlation is pending, processing, or complete. Correlation runs on a schedule and can also be run manually when needed.

### Correlation timing

Correlation runs on a schedule (every 10 minutes by default) and evaluates older records in batches. Records are typically eligible for correlation after a short delay (about 5 minutes) so ingestion and enrichment can complete first. Each run evaluates the oldest eligible records in a batch (up to 100 at a time) to avoid reprocessing newer records.

## Support tab

Manual actions (expand in the UI as needed):

- **Correlate**: run correlation for this record.
- **AI Signal Analysis / AI Case Analysis**: run Hero AI analysis (for example, to refresh the verdict or summary).
- **Check Threat Intelligence Results**: refresh or open TI enrichment for observables.
- **Run Rules Engine**: re-run routing rule evaluation.
- **Claim Case / Claim Signal**: assign ownership when starting an investigation.

Other Support tab options:

- **Read Only**: prevents accidental edits while reviewing.
- Visibility toggles for sections such as Signal Data, Case Metadata, Hero AI Features, Alert Data, and Phishing Email Data.

## AI Alert Analysis configuration (RBAC)

Configure role-based options on Applications & Applets → Case Management → Form Layout → Case Analysis tab → select the AI Analysis widget → Edit Widget. Each option can be enabled or disabled and limited to specific roles (use to allow all roles):

- Summary section, Plan section, Remediation section, Automation section
- Generate Plan, Modify Plan, Execute Plan, Marketplace Components
- Remediation Without Malicious Verdict (optional)

## Where to look first

1. Confirm Signal Source, Severity, and Classification.
2. Validate Intelligence Verdict and observables.
3. Use Generate Plan to build investigation steps.

## Detailed workflow

1. Start with metadata and triage fields to confirm status, ownership, and severity.
2. Review evidence areas in order: Knowledge Base → Threat Intelligence → Correlation → Rules.
3. Use Generate Plan to build investigation steps, then run Preparation and Analysis steps first.
4. Generate a verdict in Determination, then set Manual Verdict and Status per your process (Escalated may be set by automated Pending Resolution when configured).
5. If the pattern repeats, use Create a Triage Rule or Create a Playbook in Automation.
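The Processing gate, the Pending Case Resolution hand-off, and the scheduled correlation batch described above are easiest to reason about as a small state model. The following Python is an added illustration written for this page, not the product's own code: the `CaseRecord` fields, the status strings, the `default_tenant_rule` placeholder, and the sample records are all assumptions; only the 5-minute eligibility delay, the batch cap of 100, and the rule that a record leaves Processing when both TI enrichment and evaluation are complete come from the text.

```python
# Added illustration, not the product's code: the Processing gate, the Pending Case
# Resolution hand-off and the scheduled correlation batch as described on this page.
# CaseRecord fields, status strings and default_tenant_rule are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

CORRELATION_DELAY = timedelta(minutes=5)   # records become eligible after about 5 minutes
CORRELATION_BATCH = 100                     # oldest eligible records per scheduled run


@dataclass
class CaseRecord:
    tracking_id: str
    created: datetime
    intelligence_verdict: str = "unknown"    # malicious / suspicious / benign / unknown
    ti_status: str = "pending"               # Threat Intelligence Status
    correlation_status: str = "pending"      # Correlation Status: pending / processing / complete
    kb_linked: bool = False                  # knowledge base linking finished
    hero_ai_done: bool = False               # Hero AI analysis finished
    status: str = "processing"               # workflow state


def evaluation_complete(rec: CaseRecord) -> bool:
    """Evaluation covers correlation, KB linking and Hero AI analysis."""
    return rec.correlation_status == "complete" and rec.kb_linked and rec.hero_ai_done


def still_processing(rec: CaseRecord) -> bool:
    """Processing ends only when TI enrichment *and* evaluation have both completed."""
    return not (rec.ti_status == "complete" and evaluation_complete(rec))


def can_generate_plan(rec: CaseRecord) -> bool:
    """Generate Plan and the AI verdict are not available while the record is Processing."""
    return not still_processing(rec)


def default_tenant_rule(rec: CaseRecord) -> str:
    """Assumed placeholder for tenant rules; the real outcome (New, Closed or
    Escalated) depends on how the tenant configured Pending Case Resolution."""
    if rec.intelligence_verdict == "benign":
        return "closed"
    if rec.intelligence_verdict == "malicious":
        return "escalated"
    return "new"


def pending_case_resolution(rec: CaseRecord, tenant_rule=default_tenant_rule) -> str:
    """Background flow: leaves a Processing record untouched, otherwise applies the rule."""
    if still_processing(rec):
        return rec.status
    rec.status = tenant_rule(rec)
    return rec.status


def select_correlation_batch(records, now, delay=CORRELATION_DELAY, batch=CORRELATION_BATCH):
    """One scheduled correlation run: the oldest records still pending correlation and
    older than `delay`, capped at `batch`, so newer records are not reprocessed early."""
    eligible = [r for r in records
                if r.correlation_status == "pending" and now - r.created >= delay]
    eligible.sort(key=lambda r: r.created)          # oldest first
    return eligible[:batch]


# Constructed sample data for the demonstration.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    CaseRecord("CASE 1", NOW - timedelta(minutes=15)),
    CaseRecord("CASE 2", NOW - timedelta(minutes=2)),   # too new: enrichment may still be running
    CaseRecord("CASE 3", NOW - timedelta(minutes=30), correlation_status="complete"),
    CaseRecord("CASE 4", NOW - timedelta(minutes=7)),
]


def demo() -> dict:
    """Show what one scheduled run and the resolution flow would do."""
    batch = [r.tracking_id for r in select_correlation_batch(SAMPLE_RECORDS, NOW)]
    finished = CaseRecord("CASE 5", NOW - timedelta(minutes=20), intelligence_verdict="benign",
                          ti_status="complete", correlation_status="complete",
                          kb_linked=True, hero_ai_done=True)
    unfinished = CaseRecord("CASE 6", NOW - timedelta(minutes=20), intelligence_verdict="malicious",
                            ti_status="complete", correlation_status="complete",
                            kb_linked=True, hero_ai_done=False)   # Hero AI not done yet
    return {
        "correlation_batch": batch,                                        # ['CASE 1', 'CASE 4']
        "plan_available": (can_generate_plan(finished), can_generate_plan(unfinished)),
        "resolution": (pending_case_resolution(finished), pending_case_resolution(unfinished)),
    }


if __name__ == "__main__":
    print(demo())
```

The point the model makes explicit is the one the text warns about: CASE 6 has a malicious intelligence verdict but is still Processing because Hero AI analysis has not finished, so Pending Case Resolution leaves it alone and Generate Plan stays unavailable; CASE 2 is skipped by the correlation run only because it is younger than the eligibility delay, not because anything is wrong with it.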