Cases
Cases are analyst-driven investigations in AgentSOC, available at /cases for the list and /cases/:id for a single case.
What it does
A case is the workspace where you and your team investigate something deliberately — gathering evidence, recording your reasoning, and tracking the work to a conclusion. Unlike machine-grouped incidents, a case is opened and owned by people, giving you a structured place to document an investigation from start to finish.
Each case tracks its status and assignee, keeps a discussion thread, and holds the evidence you collect, so the full story of an investigation lives in one place.
Key actions
- Open and assign. Create a case for an investigation and assign an owner to drive it.
- Attach evidence. Add the artifacts that support your findings and review them in the case's evidence view.
- Add comments. Record analysis, observations, and decisions in the discussion thread to keep collaborators in sync.
- Escalate. Raise a case for additional attention when it warrants more senior or specialized review.
- Update status. Move the case through its lifecycle as the investigation progresses, with status changes captured in its activity.
Cases vs. incidents
The distinction is who does the grouping:
- An incident is system-correlated — AgentSOC connects related alerts into an attack chain automatically.
- A case is a human investigation — you open it, decide what belongs in it, attach evidence, and write up conclusions.
In practice you often open a case to investigate one or more incidents or alerts, then use the case to hold the evidence and narrative that automated grouping cannot capture.
Tips
- Comment as you go so the case reads as a clear timeline rather than a reconstruction after the fact.
- Capture evidence at the time you find it; raw signals can age out of upstream systems.
- Case activity and status changes feed the audit record — see Audit Logging.