Case Management Settings
Settings
Note The Case Management Settings page is only available to users who have the
case_management:admin permissions. For more information about Case Management Permissions, navigate here. The images below serve as examples of the general settings layout. Your general settings may differ slightly depending on how your case management settings and tables have been configured.
General Settings
System Settings
System Settings
Closed Cases Comments
By default, closed cases are locked to ensure their forensic integrity. However, if you would like to add comments to closed cases, toggle the button to enable this setting.Case Sharing Notifications
By default, users receive email notifications when a case is shared with them. Use this option to disable sending these notifications.
Observable Extraction Rules
Observable Extraction Rules
Observable Extraction Rules
‘Observable Extraction Rules’ define how the system processes incoming alert payloads to identify and extract key observables and their relations These observables, such asIP addresses, URLs, usernames, file hashes, and hostnames, are critical for understanding the context and potential impact of an alert. Extracted observables enable further enrichment, triage, and automated response actions.For detailed instructions on creating and using ‘Observable Extraction Rules’, see the Observable Extraction Rules documentation.
Deduplication Rules
Deduplication Rules
Deduplication Rules
‘Deduplication Rules’ determine how the system identifies and groups incoming alerts that relate to the same underlying issue. Rather than opening a new case for every alert, the system evaluates each alert against these rules to decide whether it should be added to an existing case. This helps reduce case duplication and keeps investigations organized.For detailed instructions on creating and using Deduplication Rules, see the Deduplication Rules documentation.
Close Case Reason Form
Close Case Reason Form
- In the Close Case Reason tab, you can customize the case closure process by configuring the required inputs. Click the “Select Field” button and select an input field from the dropdown menu. You can make the selected field mandatory by checking the corresponding box.
- The input fields available in the Select Field dropdown menu correspond to the columns in the Cases Table. To add new fields to the “Close Case Reason Form,” you must first create and add a new column to the Cases Table.
Tables
To add custom columns to any Case Management table, first locate the header of the desired table. Click the button next to the table’s tab to open the column options menu. From there, click the Add new column button to create and configure a new custom column.
Cases
In the Cases section of the Case Management Settings, you can manage various aspects of your Cases details:Case Type
Case Type
In the Case Type tab, you can edit existing case types, delete them, or add custom case types.
Status
Status
In the Status tab you can add your own custom active statuses or customize existing Case Statuses.
You can customize the Case Status SLA by clicking the icon next to the colored block, then entering your preferred time period in minutes, hours or days
Response
Response
In the Response tab, you can add new actions or modify existing ones to trigger prebuilt on-demand workflows, by helping your team take immediate, contextual action on case-related items such as:
Note: You can also manage response actions directly from the Case Overview or in the Timeline section of the Case Overview.
Close Reason
Close Reason
In the Close Reason tab, you can create your own custom reason for closing a case, modify an already existing reason or delete a close reason.
Tags
Tags
- In the Tags Tab, you can edit the already existing tags, delete tags or create new tags.
Vendors
Vendors
- In the Vendors Tab, you can edit the already existing vendors, delete vendors or add new vendors.
Recommendation: Always specify the original source of the alert, even if it is ingested via a SIEM. For example, if CrowdStrike alerts are ingested via Splunk, list “CrowdStrike” as the vendor.
MITRE ATT&CK
MITRE ATT&CK
MITRE ATT&CK is a globally recognized framework that categorizes and describes common adversary tactics, techniques, and procedures (TTPs) based on real-world observations. In Case Management, mapping alerts or cases to MITRE ATT&CK techniques helps standardize threat classification and improve response strategies.
- In the MITRE ATT&CK tab, you can edit the already existing MITRE ATT&CK types, delete or add your own custom MITRE ATT&CK types.
Default values include
Default values include
- Reconnaissance
- Resource Development
- Initial Access
- Execution
- Persistence
- Privilege Escalation
- Defense Evasion
- Credential Access
- Discovery
- Lateral Movement
- Collection
- Command and Control
Alerts
In the Alerts section of your Case Management Settings you can:Alert Type
Alert Type
- In the Alert Type tab, you can edit existing Alerts, delete them, or add custom Alerts.
Response
Response
In the Response tab, you can add new actions or modify existing ones to trigger prebuilt on-demand workflows, by helping your team take immediate, contextual action on case-related items such as:
Note: You can also manage response actions directly from the Case Overview or in the Timeline section of the Case Overview.
Processed
Processed
This tab defines the alert flag field that indicates whether an alert has been processed.
If the box is checked, it means the alert was processed—observables were successfully extracted and the alert was automatically linked to a case. If the box is not checked, the alert is considered unprocessed.
In the Processed tab, you can rename the label “Processed Alerts” to something of your choice and set a default value for the checkbox. However, please note that the “Column ID” remains unchanged.
Template Exists
Template Exists
This tab is used to define the alert flag field that indicates whether an alert has an observable extraction template. If the box is checked, it means a template exists for that alert; if it’s unchecked, no template is present.
Without a template, observables cannot be extracted from the alert, and the alert will not be automatically deduplicated into a case.
In the “Template Exists” tab, you can rename “Template Exists” to a name of your choice and set it as the default value.
Observable Settings
In the Observables section of your Case Management Settings you can:Observable Type
Observable Type
- In the Observables Type tab, you can edit existing Observables, delete them, or add custom Observables.
Reputation
Reputation
- In the Reputation tab, you can edit existing Reputation types, delete them, or add your own custom Reputation Type.
Response
Response
In the Response tab, you can add new actions or modify existing ones to trigger prebuilt on-demand workflows, helping your team take immediate, contextual action on case-related items such as:
Note: You can also manage response actions directly from the Case Overview or in the Timeline section of the Case Overview.
Observables
Observables
The Observables tab displays all the observables you have created.
- You can rename an observable, add or update its default value, and mark the column as unique. Marking it as unique prevents duplicate values from being added to this column in the table.
Attachments Settings
In the Attachments section of your Case Management Settings you can:Attachment Type
Attachment Type
In the Attachments Type tab, you can edit existing Attachments, delete them, or add custom Attachments.
Response
Response
In the Response tab, add new actions or modify existing ones.
Task Settings
In the Tasks section of your Case Management Settings you can:Status
Status
In the Status tab you can add your own custom active statuses or customize the already existing Task Statuses.
Response
Response
In the Response tab, you can add new actions or modify existing ones to trigger prebuilt on-demand workflows, helping your team take immediate, contextual action on case-related items such as:
Note: You can also manage response actions directly from the Case Overview or in the Timeline section of the Case Overview.
Custom Table Settings
Custom Tables let you create flexible, user-defined tables within a case—tailored entirely to your specific needs. You can design the table structure, choose the fields you want, and control how and when the table appears, making it easy to manage case-related data in a way that fits your workflow.Create a Custom Table
1
Navigate to Case Management Settings
In the Case Management Settings, click the ’ Add new table’ button.
2
Name and Describe Your Table
Give your table a name and optionally add a description. Click Create Table.
3
Confirmation of Table Creation
A popup will confirm that your custom table has been successfully created. The new table will now appear under the ‘Tables’ section of the Case Management Settings
The custom table you create will also appear in the Case Management interface alongside the built-in tables—such as Cases, Alerts, Observables, Attachments, and Tasks.
4
Add Custom Columns
Click the next to the response tab and click the ’ Add new column’ button.
5
Fill Out the Field Details
- Field Name – Enter a name for the field.
- Input Type – Select the type of input this field will accept (e.g., Text, Number, Time, etc.).
- Advanced Settings: Default Value – Optionally set a default value to be used when no value is provided by the user. Leave it blank if you don’t want a default.
- Advanced Settings: Unique Value – Enable this to ensure that all entries in this column are unique within the table. This prevents duplicates for the selected field.
The Unique Value setting is only available for the following input types:
Text, Numbers, Users, and Time. Learn more about enforcing unique values here.
Manage Custom Tables
To manage a custom table, click the menu next to the table’s name. From this menu, you can:
- Edit the table’s name, fields, or configuration
- Copy Schema to duplicate the structure for use elsewhere
- Copy Table ID for referencing the table programmatically
- Delete the table if it’s no longer needed
