Skip to main content

Inside a Case: Investigate Cases in Torq

Learn how to navigate through a case to easily review threat details, track investigations, and take actions.

Overview

In the Cases page, you can see key details about all your cases at a glance. Use filters and search to limit the cases you see, to assess priority, and decide where to focus.

Click on a case to open the case view and explore your case in detail—use the quick view to investigate key data at a glance, or the expanded view for full case information.

Case structure

Key case data is surfaced at the top of the case, including case status, severity, SLA details, threat category, quick actions, and pending tasks.

Further case information is organized across various main tabs:

  • Overview: with Case summary and Description, security context, and MITRE ATT&CK mappings

  • Timeline: a record of every case action chronologically

  • Custom fields: case-specific data that may not be captured in standard fields

  • Socrates: autonomous AI SOC analyst

In the expanded case view, additional tabs provide full case details:

  • Observables: list of observables linked to the case, with direct links to the observable itself

  • Notes: additional notes added by the analyst

  • Attachments: files attached to the case

  • Linked cases: list of other cases linked to the case, and their relationship, with direct links to the related cases

  • Events: events associated with the case, with access to the event JSON

  • Runbooks: the runbook and Actionplan (if relevant) associated with the case, with a link to the runbook

  • Custom tabs: any custom case tabs added to the case

Overview

The Overview tab surfaces critical information up front, so you can orient quickly before diving into the investigation. Information is contained in the following sections:

Case summary

Use the case summary in the Overview tab to quickly catch up on the investigation status and gain insights into key findings. This AI-generated summary enhances your investigation process, making it as efficient as possible.

The summary considers various case attributes and associated information, including the case description, observables, comments, notes, and events. It regenerates automatically when the case is updated, and you can regenerate it manually at any time by clicking the Regenerate icon on the right of the Case Summary.

The Case summary structure

The summary is designed for clarity, emphasizing critical information:

  • What: A concise summary of the incident, clearly outlining the main events to help you grasp the situation.

  • When: Key timestamps in the investigation, offering a clear and concise sequence of events.

  • Impact: Potential implications of the security incident, leveraging security industry knowledge to support accurate situation assessment.

  • Key indicators: Significant findings from the investigation that can be further explored to deepen understanding of the ongoing events.

Security context

The most important case attributes are automatically surfaced through a built-in set of structured fields. View pre-defined case fields (such as alert_id, source_product, severity, and detection_name) directly inside the Overview tab.

Alert attributes can be automatically mapped to the fields in workflow steps.

Cases created from an alert in Auto Triage are automatically populated with the normalized security context fields.

MITRE ATT&CK mapping

MITRE ATT&CK details are surfaced directly in each case, giving you structured, immediate context on the attacker tactics and techniques associated with the threat.

MITRE mappings can be added automatically from vendor alert payloads or manually during the investigation.

Cases created from an alert in Auto Triage are automatically populated with MITRE ATT&CK mappings.

Description

The description provides the initial context for the investigation. It supports embedded mentions of observables and custom fields.

Embed threat indicator details

Highlight the most significant threat indicators by displaying custom fields and observable details directly in a case description. Embedded mentions provide high visibility into key details without switching tabs or scrolling through the full case context.

Embed details directly in the case, or automatically through a workflow.

Timeline

The Timeline records every case action chronologically. It gives you a complete picture of the investigation's progress and a clear view of what happened, when it happened, and who or what caused each change.

The Timeline logs actions such as when a case is created, case details are updated, observables are added or removed, and when cases are linked.

Custom fields

Custom fields surface case-specific data that may not be captured in standard fields. Each case can have unique custom fields to ensure analysts don't miss important details. Always check these to ensure you have a complete understanding of the case.

Custom fields can only be created automatically through workflow steps. You can manually edit the values of custom fields inside the case.

Embed custom field details directly in a case description for high visibility.

Socrates

Socrates is an autonomous AI SOC analyst designed to transform your case investigations, operating both inside individual cases and across cases in your workspace.

Have a conversation with Socrates inside a case to get help with case investigations. Socrates will analyze the findings, provide relevant data, and carry out actions as directed.

Cases can also be assigned directly to Socrates. It will take on the role of the analyst, adhering to the case runbook and its associated Actionplan, providing updates on completed tasks, and seeking analyst confirmation as needed.

Case SLAs

View the SLA for a case clearly in the case card in the Cases page, or in the case view. To clearly convey the case's urgency, SLAs are shown as either time remaining or time elapsed, depending on your workspace settings. This applies to both Resolution and custom SLAs for a consistent experience.

In the Cases page, use the Resolution SLA and/or custom SLA filters to customize the cases you see.

Tasks

Whether acknowledging messages or submitting required information, tasks are easily managed through the Cases page. Use the Tasks filter to stay up to date and promptly address all tasks assigned to you.

Upon assignment via an Interaction flow, tasks become visible on the case. In the Cases page, assigned tasks are indicated by an icon on relevant cases in the Cases page. You can also filter the Cases page by Tasks to find all cases with pending tasks.

In a case, assigned tasks are shown with the case details. Expand the task list using the arrow, find the task you need to complete, and select View. Input your responses in the provided fields for the task and submit.

Timeline entries are created for pending tasks and task submissions.

Observables

Observables are the threat indicators associated with a case—such as IP addresses, URLs, file hashes, domain names, and more. They are central to understanding the scope and nature of a threat. All observables associated with a case are listed under the Observables tab. Observables are managed at a workspace level in the Observables page.

Key observables are also surfaced in the Overview tab for immediate visibility into the key threat indicators.

Embed observable details directly in a case description for high visibility.

Notes

The Notes tab in a case provides a centralized, versatile space to store and organize critical case-related information. From documenting scan results to storing detailed reports, it ensures key updates are accessible and well-structured.

In the Notes tab, you can highlight key notes, mark notes as public, manage changes, and track note actions.

Notes can also be managed automatically in workflows.

Attachments

Attach files to cases to provide additional details, such as screenshots, source code, relevant documents, and more.

Add files to a case by clicking Upload files or by dragging and dropping from your computer. You can also add attachments or observables directly from the case timeline by using the + add button. When an image is included in a timeline comment, it's automatically saved as an attachment.

Download an attachment by clicking any listed attachment in the Attachments tab.

Avoid attaching potentially malicious files. Other users may accidentally download and open them.

Linked cases

Linking related cases helps you see the bigger picture when an incident connects to other investigations — for example, multiple cases from the same phishing campaign or attack chain.

To link a case, click Link a related case and select the cases to link from the list. Define the relationship between the cases, and click Link.

Use the Relations filter at the bottom right of the tab to view links by relationship type.

Click any linked case to open it directly.

Hover over a case and click on the three-dot menu to change the relationship type or delete the linked case.

Events

The Events tab displays raw events linked to the case. If a workflow created the case in response to an integration event, that triggering event is automatically attached and visible here.

Events are listed chronologically, with the most recent at the top. Reviewing events helps you understand what triggered the case and provides essential context for the investigation. Expand an event to view the event JSON.

Runbooks

Runbooks provide step-by-step instructions for investigations aligned with the organization's standards and best practices, ensuring consistency and thoroughness in your investigative processes. Runbooks are managed in the Runbooks page.

If a runbook is associated with the case, it is accessible and viewable in the Runbook tab. You can toggle between viewing the runbook or the Actionplan (if relevant), or change the runbook associated with the case.

If no runbook is associated yet, you can associate one by clicking Associate runbook in the Runbook tab.

For Socrates-assigned cases, you can generate an Actionplan for Socrates to execute directly from the runbook in the Runbooks page.

Custom tabs

Customize how you organize case data by adding custom tabs to cases. Custom tabs are created and managed in Cases settings. Add or remove custom tabs to cases automatically in workflows, controlling when tabs appear to surface the most relevant data at each stage of investigation.

Custom tabs can also be managed automatically in workflows.

Actions in a case

Analysts can also take actions directly inside a case:

  • Trigger workflows

  • Submit a case for review

Trigger workflows

You can trigger workflows directly from a case to run response actions, enrich data, notify teams, or update external systems—without leaving the investigation.

Case reviews

Cases can be submitted for review before being resolved, escalated, or shared with stakeholders. Reviewers can approve or reject an investigation. The case timeline records all review-related actions, including assigning a reviewer, the reviewer's activity, and the final review conclusion.

Case review must be enabled for a workspace in the Cases settings page.

Manage case access

Restrict access to a case to control which individuals or groups can see sensitive information.

In the three-dot menu in the case view, select Case access.

Select Restricted access from the dropdown and add users or groups to grant them access to the case.

Case restrictions are managed at the workspace level, where only Assignees, Reviewers, and other explicitly specified Collaborators can view and edit the case.

Did this answer your question?