Overview
In the Cases page, you can see key details about all your cases at a glance. Use filters and search to limit the cases you see, to assess priority, and decide where to focus.
Click on a case to open the case view and explore your case in detail—use the quick view to investigate key data at a glance, or the expanded view for full case information.
Case structure
Key case data is surfaced at the top of the case, including case status, severity, SLA details, threat category, quick actions, and pending tasks.
Further case information is organized across various main tabs:
Overview: with Case summary and Description, security context, and MITRE ATT&CK mappings
Timeline: a record of every case action chronologically
Custom fields: case-specific data that may not be captured in standard fields
Socrates: autonomous AI SOC analyst
In the expanded case view, additional tabs provide full case details:
Observables: list of observables linked to the case, with direct links to the observable itself
Notes: additional notes added by the analyst
Attachments: files attached to the case
Linked cases: list of other cases linked to the case, and their relationship, with direct links to the related cases
Events: events associated with the case, with access to the event JSON
Runbooks: the runbook and Actionplan (if relevant) associated with the case, with a link to the runbook
Custom tabs: any custom case tabs added to the case
Overview
The Overview tab surfaces critical information up front, so you can orient quickly before diving into the investigation. Information is contained in the following sections:
Case summary
Use the case summary in the Overview tab to quickly catch up on the investigation status and gain insights into key findings. This AI-generated summary enhances your investigation process, making it as efficient as possible.
The summary considers various case attributes and associated information, including the case description, observables, comments, notes, and events. It regenerates automatically when the case is updated, and you can regenerate it manually at any time by clicking the Regenerate icon on the right of the Case Summary.
The Case summary structure
The summary is designed for clarity, emphasizing critical information:
What: A concise summary of the incident, clearly outlining the main events to help you grasp the situation.
When: Key timestamps in the investigation, offering a clear and concise sequence of events.
Impact: Potential implications of the security incident, leveraging security industry knowledge to support accurate situation assessment.
Key indicators: Significant findings from the investigation that can be further explored to deepen understanding of the ongoing events.
Security context
The most important case attributes are automatically surfaced through a built-in set of structured fields. View pre-defined case fields (such as alert_id, source_product, severity, and detection_name) directly inside the Overview tab.
Alert attributes can be automatically mapped to the fields in workflow steps.
Cases created from an alert in Auto Triage are automatically populated with the normalized security context fields.
MITRE ATT&CK mapping
MITRE ATT&CK details are surfaced directly in each case, giving you structured, immediate context on the attacker tactics and techniques associated with the threat.
MITRE mappings can be added automatically from vendor alert payloads or manually during the investigation.
Cases created from an alert in Auto Triage are automatically populated with MITRE ATT&CK mappings.
Description
The description provides the initial context for the investigation. It supports embedded mentions of observables and custom fields.
Embed threat indicator details
Highlight the most significant threat indicators by displaying custom fields and observable details directly in a case description. Embedded mentions provide high visibility into key details without switching tabs or scrolling through the full case context.
Embed details directly in the case, or automatically through a workflow.
Timeline
The Timeline records every case action chronologically. It gives you a complete picture of the investigation's progress and a clear view of what happened, when it happened, and who or what caused each change.
The Timeline logs actions such as when a case is created, case details are updated, observables are added or removed, and when cases are linked.
Custom fields
Custom fields surface case-specific data that may not be captured in standard fields. Each case can have unique custom fields to ensure analysts don't miss important details. Always check these to ensure you have a complete understanding of the case.
Custom fields can only be created automatically through workflow steps. You can manually edit the values of custom fields inside the case.
Embed custom field details directly in a case description for high visibility.
Socrates
Socrates is an autonomous AI SOC analyst designed to transform your case investigations, operating both inside individual cases and across cases in your workspace.
Have a conversation with Socrates inside a case to get help with case investigations. Socrates will analyze the findings, provide relevant data, and carry out actions as directed.
Cases can also be assigned directly to Socrates. It will take on the role of the analyst, adhering to the case runbook and its associated Actionplan, providing updates on completed tasks, and seeking analyst confirmation as needed.
Case SLAs
View the SLA for a case clearly in the case card in the Cases page, or in the case view. To clearly convey the case's urgency, SLAs are shown as either time remaining or time elapsed, depending on your workspace settings. This applies to both Resolution and custom SLAs for a consistent experience.
In the Cases page, use the Resolution SLA and/or custom SLA filters to customize the cases you see.
Tasks
Whether acknowledging messages or submitting required information, tasks are easily managed through the Cases page. Use the Tasks filter to stay up to date and promptly address all tasks assigned to you.
Upon assignment via an Interaction flow, tasks become visible on the case. In the Cases page, assigned tasks are indicated by an icon on relevant cases in the Cases page. You can also filter the Cases page by Tasks to find all cases with pending tasks.
In a case, assigned tasks are shown with the case details. Expand the task list using the arrow, find the task you need to complete, and select View. Input your responses in the provided fields for the task and submit.
Timeline entries are created for pending tasks and task submissions.
Observables
Observables are the threat indicators associated with a case—such as IP addresses, URLs, file hashes, domain names, and more. They are central to understanding the scope and nature of a threat. All observables associated with a case are listed under the Observables tab. Observables are managed at a workspace level in the Observables page.
Key observables are also surfaced in the Overview tab for immediate visibility into the key threat indicators.
Embed observable details directly in a case description for high visibility.
Notes
The Notes tab in a case provides a centralized, versatile space to store and organize critical case-related information. From documenting scan results to storing detailed reports, it ensures key updates are accessible and well-structured.
In the Notes tab, you can highlight key notes, mark notes as public, manage changes, and track note actions.
Notes can also be managed automatically in workflows.
Attachments
Attach files to cases to provide additional details, such as screenshots, source code, relevant documents, and more.
Add files to a case by clicking Upload files or by dragging and dropping from your computer. You can also add attachments or observables directly from the case timeline by using the + add button. When an image is included in a timeline comment, it's automatically saved as an attachment.
Download an attachment by clicking any listed attachment in the Attachments tab.
Avoid attaching potentially malicious files. Other users may accidentally download and open them.
Linked cases
Linking related cases helps you see the bigger picture when an incident connects to other investigations — for example, multiple cases from the same phishing campaign or attack chain.
To link a case, click Link a related case and select the cases to link from the list. Define the relationship between the cases, and click Link.
Use the Relations filter at the bottom right of the tab to view links by relationship type.
Click any linked case to open it directly.
Hover over a case and click on the three-dot menu to change the relationship type or delete the linked case.
Events
The Events tab displays raw events linked to the case. If a workflow created the case in response to an integration event, that triggering event is automatically attached and visible here.
Events are listed chronologically, with the most recent at the top. Reviewing events helps you understand what triggered the case and provides essential context for the investigation. Expand an event to view the event JSON.
Runbooks
Runbooks provide step-by-step instructions for investigations aligned with the organization's standards and best practices, ensuring consistency and thoroughness in your investigative processes. Runbooks are managed in the Runbooks page.
If a runbook is associated with the case, it is accessible and viewable in the Runbook tab. You can toggle between viewing the runbook or the Actionplan (if relevant), or change the runbook associated with the case.
If no runbook is associated yet, you can associate one by clicking Associate runbook in the Runbook tab.
For Socrates-assigned cases, you can generate an Actionplan for Socrates to execute directly from the runbook in the Runbooks page.
Custom tabs
Customize how you organize case data by adding custom tabs to cases. Custom tabs are created and managed in Cases settings. Add or remove custom tabs to cases automatically in workflows, controlling when tabs appear to surface the most relevant data at each stage of investigation.
Custom tabs can also be managed automatically in workflows.
Actions in a case
Analysts can also take actions directly inside a case:
Trigger workflows
Submit a case for review
Trigger workflows
You can trigger workflows directly from a case to run response actions, enrich data, notify teams, or update external systems—without leaving the investigation.
Case reviews
Cases can be submitted for review before being resolved, escalated, or shared with stakeholders. Reviewers can approve or reject an investigation. The case timeline records all review-related actions, including assigning a reviewer, the reviewer's activity, and the final review conclusion.
Case review must be enabled for a workspace in the Cases settings page.
Manage case access
Restrict access to a case to control which individuals or groups can see sensitive information.
In the three-dot menu in the case view, select Case access.
Select Restricted access from the dropdown and add users or groups to grant them access to the case.
Case restrictions are managed at the workspace level, where only Assignees, Reviewers, and other explicitly specified Collaborators can view and edit the case.

















