Note: The Case Management Settings page is only available to users who have the case_management:admin permission. For more information, see the Case Management Permissions documentation.
The images below serve as examples of the general settings layout. Your general settings may differ slightly depending on how your case management settings and tables have been configured.

General Settings

System Settings


Closed Cases Comments

By default, closed cases are locked to ensure their forensic integrity. However, if you would like to add comments to closed cases, toggle the button to enable this setting.

Case Sharing Notifications

By default, users receive email notifications when a case is shared with them. Use this option to disable sending these notifications.

Alerts

Prevent Alert Deletion

When enabled, alert records become permanent and cannot be deleted, ensuring complete audit trails for compliance and forensic purposes.
If this setting is enabled, the Delete Alert workflow action is disabled and cannot be used.
This setting prevents deletion only: the alert record itself remains editable. To also protect the original event payload from modification, keep the Alert Event Lock setting (below) enabled.

Alert Event Lock

By default, this setting is enabled to maintain data integrity and auditability. It locks the event field on all alert records, making it read-only so that the original event payload cannot be modified after ingestion. You can disable this behavior by toggling the setting off.

Observable Extraction Rules

‘Observable Extraction Rules’ define how the system processes incoming alert payloads to identify and extract key observables and their relations. These observables, such as IP addresses, URLs, usernames, file hashes, and hostnames, are critical for understanding the context and potential impact of an alert. Extracted observables enable further enrichment, triage, and automated response actions.
For detailed instructions on creating and using ‘Observable Extraction Rules’, see the Observable Extraction Rules documentation.

Deduplication Rules

‘Deduplication Rules’ determine how the system identifies and groups incoming alerts that relate to the same underlying issue. Rather than opening a new case for every alert, the system evaluates each alert against these rules to decide whether it should be added to an existing case. This helps reduce case duplication and keeps investigations organized.
For detailed instructions on creating and using Deduplication Rules, see the Deduplication Rules documentation.
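The following Python script is an added illustration of the two mechanisms described above; it is not the product's own implementation and does not use its rule syntax. Extraction templates validate each payload field before it becomes an observable (so a placeholder such as "n/a" is never extracted), and a deduplication rule attaches an incoming alert to an existing case only when the two share an observable of a configured type within a time window; otherwise a new case is opened. The template format, the DedupRule fields, the 240-minute window and all alert payloads are assumptions constructed for the example. It also sets the Template Exists and Processed flags that the Alerts section of this page describes.

```python
"""Model of Observable Extraction Rules and Deduplication Rules.
Added example, not the product's own code: template format, rule fields,
alert payloads and the time window are constructed for illustration."""
import re
from dataclasses import dataclass, field

# --- Observable Extraction Rules (hypothetical format) ---------------------
# Each validator rejects values that are not well-formed for the observable
# type, so placeholders such as "n/a" never become observables.
IP_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.I)
HOST_RE = re.compile(r"^[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?$", re.I)
URL_RE = re.compile(r"^https?://\S+$", re.I)

# alert type -> list of (observable type, payload field, validator)
TEMPLATES = {
    "edr_detection": [("sha256", "file_hash", SHA256_RE),
                      ("hostname", "host", HOST_RE),
                      ("ip", "src_ip", IP_RE)],
    "proxy_block": [("url", "url", URL_RE),
                    ("hostname", "host", HOST_RE),
                    ("ip", "src_ip", IP_RE)],
}


def extract_observables(alert):
    """Return {observable_type: value}, or None when no template exists for
    the alert type (the 'Template Exists' flag is then unchecked)."""
    template = TEMPLATES.get(alert["type"])
    if template is None:
        return None
    found = {}
    for obs_type, path, validator in template:
        value = alert.get(path)
        if not isinstance(value, str) or not validator.match(value.strip()):
            continue                          # missing or malformed: skip
        value = value.strip()
        if obs_type in ("hostname", "sha256"):
            value = value.lower()             # normalize so WS-042 == ws-042
        found[obs_type] = value
    return found


# --- Deduplication Rules (hypothetical format) ------------------------------
@dataclass(frozen=True)
class DedupRule:
    name: str
    match_on: frozenset     # observable types; one shared value is enough
    window_minutes: int     # only cases updated within this window qualify


@dataclass
class Case:
    case_id: int
    alert_ids: list = field(default_factory=list)
    observables: set = field(default_factory=set)   # (type, value) pairs
    last_seen: int = 0                              # minutes, from the alert


def find_matching_case(cases, observables, ts, rule):
    """First case sharing a matched-type observable inside the window."""
    keys = {(t, v) for t, v in observables.items() if t in rule.match_on}
    for case in cases:
        if ts - case.last_seen <= rule.window_minutes and case.observables & keys:
            return case
    return None


def ingest(alerts, rule):
    """Process alerts in arrival order. Returns (cases, flags); the flags
    mirror the 'Template Exists' and 'Processed' checkboxes."""
    cases, flags = [], {}
    for alert in alerts:
        observables = extract_observables(alert)
        if not observables:   # no template, or nothing valid to extract
            flags[alert["id"]] = {"template_exists": observables is not None,
                                  "processed": False, "case": None}
            continue
        case = find_matching_case(cases, observables, alert["ts"], rule)
        if case is None:
            case = Case(case_id=len(cases) + 1)
            cases.append(case)
        case.alert_ids.append(alert["id"])
        case.observables |= set(observables.items())
        case.last_seen = alert["ts"]
        flags[alert["id"]] = {"template_exists": True, "processed": True,
                              "case": case.case_id}
    return cases, flags


# Constructed sample payloads; 'ts' is minutes since an arbitrary epoch.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
SAMPLE_ALERTS = [
    {"id": "a1", "type": "edr_detection", "ts": 0, "file_hash": EMPTY_SHA256,
     "host": "WS-042", "src_ip": "10.0.0.5"},
    {"id": "a2", "type": "proxy_block", "ts": 7, "url": "http://bad.example/p.exe",
     "host": "ws-042", "src_ip": "10.0.0.5"},            # same host -> case 1
    {"id": "a3", "type": "edr_detection", "ts": 12, "file_hash": "n/a",
     "host": "ws-117", "src_ip": "10.0.0.9"},             # new case; hash skipped
    {"id": "a4", "type": "email_report", "ts": 15, "host": "ws-042"},  # no template
    {"id": "a5", "type": "edr_detection", "ts": 500, "file_hash": EMPTY_SHA256,
     "host": "ws-042", "src_ip": "10.0.0.5"},             # outside window -> new case
]
SAME_HOST_OR_FILE = DedupRule("same host or file", frozenset({"hostname", "sha256"}), 240)


def run_demo():
    return ingest(SAMPLE_ALERTS, SAME_HOST_OR_FILE)
```

Running run_demo() yields three cases: a1 and a2 merge on the normalized hostname, a3 opens a second case because its file hash fails validation and its host is new, a4 is left unprocessed with no template, and a5, although it repeats a1's hash and host, falls outside the window and opens a third case. Note that the rule matches only on hostname and sha256; the shared source IP alone would not merge alerts, which is the kind of scoping decision the relation settings on this page control.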

Close Case Reason

  • In the Close Case Reason tab, you can customize the case closure process by configuring the required inputs. Click the “Select Field” button and select an input field from the dropdown menu. You can make the selected field mandatory by checking the corresponding box.
  • The input fields available in the Select Field dropdown menu correspond to the columns in the Cases Table. To add new fields to the “Close Case Reason Form,” you must first create and add a new column to the Cases Table.

Observable Alert Relation

  • In the Observable Alert Relation tab, you can edit existing relations, delete relations or add new relations.
  • Any changes made to a relation are automatically applied to all associated records, including the Deduplication Rules and Observable Extraction Rules that reference the relation, ensuring consistency across your case management configuration.
  • When a relation is deleted, any rules that reference it have their relation scope reset, but the rules themselves are not deleted. Such a rule then applies to alerts regardless of relation, so review those rules after deleting a relation: a deduplication rule that was previously scoped to the relation now matches more broadly than before.

Tables

To add custom columns to any Case Management table, first locate the header of the desired table. Click the button next to the table’s tab to open the column options menu. From there, click the Add new column button to create and configure a new custom column.


Cases

In the Cases section of the Case Management Settings, you can manage the following aspects of case details:
  • In the Case Type tab, you can edit existing case types, delete them, or add custom case types.
  • In the Status tab, you can add your own custom active statuses or customize the existing case statuses.

You can customize the Case Status SLA by clicking the icon next to the colored block, then entering your preferred time period in minutes, hours or days.

  • In the Response tab, you can add new actions or modify existing ones to trigger prebuilt on-demand workflows, helping your team take immediate, contextual action on case-related items such as:
Note: You can also manage response actions directly from the Case Overview or in the Timeline section of the Case Overview.
  • In the Close Reason tab, you can create your own custom reason for closing a case, modify an existing reason or delete a close reason.
  • In the Tags tab, you can edit existing tags, delete tags or create new tags.
  • In the Vendors tab, you can edit existing vendors, delete vendors or add new vendors.
Recommendation: Always specify the original source of the alert, even if it is ingested via a SIEM. For example, if CrowdStrike alerts are ingested via Splunk, list “CrowdStrike” as the vendor.
MITRE ATT&CK is a globally recognized framework that categorizes and describes common adversary tactics, techniques, and procedures (TTPs) based on real-world observations. In Case Management, mapping alerts or cases to MITRE ATT&CK techniques helps standardize threat classification and improve response strategies.
  • In the MITRE ATT&CK tab, you can edit the existing MITRE ATT&CK types, delete them, or add your own custom types. The default types correspond to ATT&CK tactics rather than individual techniques:
  • Reconnaissance
  • Resource Development
  • Initial Access
  • Execution
  • Persistence
  • Privilege Escalation
  • Defense Evasion
  • Credential Access
  • Discovery
  • Lateral Movement
  • Collection
  • Command and Control

Alerts

In the Alerts section of your Case Management Settings you can:
  • In the Alert Type tab, you can edit existing alert types, delete them, or add custom alert types.
  • In the Response tab, you can add new actions or modify existing ones to trigger prebuilt on-demand workflows, helping your team take immediate, contextual action on case-related items such as:
Note: You can also manage response actions directly from the Case Overview or in the Timeline section of the Case Overview.
  • The Processed tab defines the alert flag field that indicates whether an alert has been processed. If the box is checked, the alert was processed: observables were successfully extracted and the alert was automatically linked to a case. If the box is not checked, the alert is considered unprocessed. In this tab you can rename the “Processed Alerts” label to something of your choice and set a default value for the checkbox; note that the “Column ID” remains unchanged.
  • The Template Exists tab defines the alert flag field that indicates whether an observable extraction template exists for the alert. If the box is checked, a template exists for that alert type; if it is unchecked, no template is present. Without a template, observables cannot be extracted from the alert, and the alert will not be automatically deduplicated into a case. In this tab you can rename the “Template Exists” label to a name of your choice and set a default value for the checkbox.

Observable Settings

In the Observables section of your Case Management Settings you can:
  • In the Observables Type tab, you can edit existing observable types, delete them, or add custom observable types.
  • In the Reputation tab, you can edit existing Reputation types, delete them, or add your own custom Reputation Type.
In the Response tab, you can add new actions or modify existing ones to trigger prebuilt on-demand workflows, helping your team take immediate, contextual action on case-related items such as:
Note: You can also manage response actions directly from the Case Overview or in the Timeline section of the Case Overview.
The Observables tab displays all the observables you have created.
  • You can rename an observable, add or update its default value, and mark the column as unique. Marking it as unique prevents duplicate values from being added to this column in the table.

Attachments Settings

In the Attachments section of your Case Management Settings you can:
  • In the Attachments Type tab, you can edit existing attachment types, delete them, or add custom attachment types.
  • In the Response tab, you can add new actions or modify existing ones.

Task Settings

In the Tasks section of your Case Management Settings you can:
  • In the Status tab, you can add your own custom active statuses or customize the existing task statuses.
  • In the Response tab, you can add new actions or modify existing ones to trigger prebuilt on-demand workflows, helping your team take immediate, contextual action on case-related items such as:
Note: You can also manage response actions directly from the Case Overview or in the Timeline section of the Case Overview.

Custom Table Settings

Custom Tables let you create flexible, user-defined tables within a case—tailored entirely to your specific needs. You can design the table structure, choose the fields you want, and control how and when the table appears, making it easy to manage case-related data in a way that fits your workflow.

Create a Custom Table

1

Navigate to Case Management Settings

In the Case Management Settings, click the ‘Add new table’ button.

2

Name and Describe Your Table

Give your table a name and optionally add a description. Click Create Table.
3

Confirmation of Table Creation

A popup will confirm that your custom table has been successfully created. The new table will now appear under the ‘Tables’ section of the Case Management Settings.
The custom table you create will also appear in the Case Management interface alongside the built-in tables—such as Cases, Alerts, Observables, Attachments, and Tasks.
4

Add Custom Columns

Click the button next to the table’s Response tab to open the column options menu, then click the ‘Add new column’ button.

5

Fill Out the Field Details

  • Field Name – Enter a name for the field.
  • Input Type – Select the type of input this field will accept (e.g., Text, Number, Time, etc.).
  • Advanced Settings: Default Value – Optionally set a default value to be used when no value is provided by the user. Leave it blank if you don’t want a default.
  • Advanced Settings: Unique Value – Enable this to ensure that all entries in this column are unique within the table. This prevents duplicates for the selected field.
The Unique Value setting is only available for the following input types: Text, Numbers, Users, and Time. For more information, see the documentation on enforcing unique values.

Manage Custom Tables

To manage a custom table, click the menu next to the table’s name. From this menu, you can:

  • Edit the table’s name, fields, or configuration
  • Copy Schema to duplicate the structure for use elsewhere
  • Copy Table ID for referencing the table programmatically
  • Delete the table if it’s no longer needed