Own the Investigation -- Cases
A case is a formal human investigation task. Jutsu creates one automatically when the AI escalates an alert it could not confidently resolve. Cases are your primary daily work, and everything you document here becomes the permanent investigation record.
Path: Cases in the left sidebar.
The Cases List

Filters
All Status -- Filters cases by workflow stage. Options: Open, In Progress, Pending, Resolved, Closed.
All Severity -- Filters cases by severity. Options: Critical, High, Medium, Low, Info.
Assigned to me -- A toggle. When on, the list shows only cases assigned to your account.
Show -- Controls how many rows appear per page. Options: 10, 20 (default), 50, 100.
Previous / Next -- Navigate between pages when the list spans more than one page.
Table view / Card view -- Two toggle buttons at the top right of the list. Table view (default) shows compact rows. Card view shows larger cards with more detail visible before clicking in.
Search cases -- Free-text search across case titles.
Case Detail
Click any case row to open the Case Detail.

Priority banner
The priority banner shows how urgently a case needs attention. Priorities are assigned automatically based on the severity and confidence of the underlying alert.
- P1 -- Critical. Act immediately. The threat is confirmed or highly likely and requires urgent containment.
- P2 -- High. Investigate today. Strong indicators of a real threat that needs prompt attention.
- P3 -- Medium. Investigate when P1 and P2 cases are clear. Suspicious activity that warrants review but is not immediately critical.
- P4 -- Low. Review when capacity allows. Low-confidence or low-severity activity that still needs a human decision.
Source and tags
- Alert ID -- Links back to the underlying alert.
- Escalated -- Confirms the AI routed this case from triage.
- Alert linked -- Confirms the underlying alert is still active and connected.
Changing status

Click the Status dropdown in Actions. Options: OPEN (active, unattended), IN PROGRESS (you are working it now), PENDING (waiting on information), RESOLVED (investigation complete), CLOSED (no further action). Keep this updated -- teammates should know the status without asking.
Reassigning

Click the Assigned to dropdown and select a teammate. The case appears in their queue immediately.
Resolve button
The Resolve button at the top right of a Case Detail marks the case as resolved and closes it. Resolved cases cannot be reopened. Document your findings in the Discussion tab before clicking Resolve.
Case record: Resolved cases cannot be reopened. The Discussion tab is the permanent investigation record. Documenting findings there before resolving ensures the case has a complete audit trail.
Overview Tab

Escalation Reason
The AI's explanation of why it could not resolve this alert and exactly what needs to be answered to close the case. Read this first. It tells you what to investigate.
AI Summary
The full investigation narrative: what was detected, what enrichment showed, and the AI's verdict with reasoning. This is the same content as the AI Verdict on Alert Detail, presented here so you do not need to switch tabs.
Linked Alert card
The underlying alert's title, severity, status, rule number, and timestamps. Click View alert to open the full Alert Detail with all five tabs.
Related Incidents
If this case's alert is part of a broader campaign, related incidents appear here. 'No incidents are linked' means this is an isolated investigation.
Evidence, Timeline, and Discussion
Evidence tab

Click Add evidence to attach files, screenshots, exported logs, network captures, or other investigation materials. The dropdown arrow on the Add evidence split button reveals additional attachment options. Everything attached is preserved permanently in the case record as part of the audit trail.
Timeline tab

An automatic, immutable log of everything that happened to this case: every status change, reassignment, evidence upload, and discussion comment, with timestamps and the name of whoever made each change. You do not add to it directly -- it builds itself.
Discussion tab

Where you document your investigation findings, communicate with teammates, and record the reasoning behind your close or escalation decision.
- Click the Write a comment field.
- Document what you investigated, what you found, what you ruled out, and what you concluded.
- Click Send.
A complete note covers what was investigated, what evidence was found, what was ruled out, and the conclusion. For example: 'Source IP 43.160.253.60 confirmed malicious by AbuseIPDB (100%) and OTX (60%). GreyNoise classifies this as targeted, not background scanner noise. Host is internet-facing on port 22. Blocked source IP at network perimeter. Verdict: True Positive.'