Case Management and Queries
A case contains information about an incident, usually with one or more events attached. Use cases to track, investigate, and resolve events. Where cases are similar, you can copy events directly from one case to another. You assign cases of interest to analysts, who can investigate and resolve them based on severity and enterprise policies. You can also use rules to automatically open or update a case when certain conditions are met.
You can assign cases to groups of users who receive a notification with access to the case and its associated data. Those users can take action on the assigned case and specify other actions to be taken, assign it to another user, or resolve the case.
Cases track individual or multiple related events and export event data to third-party products. Cases can stand alone or integrate with a third-party case management system.
The Case Editor has the following features:
- The case's summary is displayed at the top of the Case Editor. The example shows the top part of the panel for a case that is about to be created. The editor for an existing case has more information. It is updated as the case attribute changes.
- The icon bar provides options to display fields for setting case attributes. The default view of the Case Editor opens at the Initial view, Attributes panel.
- For existing cases, the status summary displays more information as the cases are updated.
- For existing cases, the owner is displayed below the icon bar. If there are multiple owners, the list may be hard to read. If so, resize the panel.
- Additional panels and fields are displayed by the More Options widget.