---
title: "Creating Cases | ThreatConnect"
slug: "creating-cases"
description: "This article describes how to create a Case using a Workflow and without using a Workflow."
tags: ["Case Management", "Markdown"]
updated: 2025-03-31T13:54:48Z
published: 2025-03-31T13:54:48Z
canonical: "knowledge.threatconnect.com/creating-cases"
---
> ## Documentation Index
> Fetch the complete documentation index at: https://knowledge.threatconnect.com/llms.txt
> Use this file to discover all available pages before exploring further.
# Creating Cases
## Overview
A [Workflow Case](https://knowledge.threatconnect.com/v1/docs/workflow-cases) in ThreatConnect® is a single instance of an investigation, inquiry, or other procedure. Cases contain all required elements of a notable event in a logical structure and allow you to capture key evidence that your security team can use to determine an appropriate course of action. Cases can be created from a [Workflow](https://knowledge.threatconnect.com/docs/workflows-and-workflow-templates) (i.e., a codified procedure for the steps to be taken in a Case) or without a Workflow (i.e., from scratch).
This article provides steps for creating a Workflow Case. It also describes how to apply a Workflow to an existing Case that was created without a Workflow.
## Before You Start
### User Roles
- To create a Workflow Case, your user account must have an [Organization role](https://knowledge.threatconnect.com/docs/organization-roles) of Standard User, Sharing User, or Organization Administrator.
### Prerequisites
- To have access to Workflow, select the **Enable Workflow** checkbox on the **Permissions** tab of the **Organization Information** window for your Organization on the **Organizations** tab of the **Account Settings** screen (must be a System Administrator, Operations Administrator, or Accounts Administrator to perform this action).
## Creating a Case
Follow these steps to create a Case:
1. Click **Workflow** on the top navigation bar to display the **[](https://knowledge.threatconnect.com/docs/viewing-managing-and-filtering-cases)** [](https://knowledge.threatconnect.com/docs/viewing-managing-and-filtering-cases)[**Cases**screen](https://knowledge.threatconnect.com/docs/viewing-managing-and-filtering-cases) [](https://knowledge.threatconnect.com/docs/viewing-managing-and-filtering-cases)**[](https://knowledge.threatconnect.com/docs/viewing-managing-and-filtering-cases)**.
2. Click **New Case** at the upper-right corner of the **Cases**screen.
3. Fill out the fields on the **New Case**drawer (Figure 1) as follows:
- **Name**: (Required) Enter a name for the Case.
- **Workflow Template**: (Optional) Select a [Workflow](/v1/docs/workflows-and-workflow-templates) that will determine the structure of the Case (i.e., the [Phases and Tasks](/v1/docs/phases-and-tasks) that define the Case, the [Artifacts](/v1/docs/artifacts) that are to be collected within the Case, etc.). To create a Case without a Workflow, select **None**.NoteCreating Cases from Workflows is recommended, as Workflows provide predetermined [Phases, Tasks](https://knowledge.threatconnect.com/docs/parts-of-a-case#phases-and-tasks), and other settings for new Cases. Cases that do not have a Workflow applied to them do not have Phases. Instead, all Tasks are compiled in a single section.
- **Description**: (Optional) Enter a description for the Case. If you selected a Workflow from the **Workflow Template** dropdown, the Workflow’s description will automatically populate in this field auto and can be modified as desired.
- **Tags**: (Optional) Enter [standard](https://knowledge.threatconnect.com/docs/applying-tags) and [ATT&CK®](https://knowledge.threatconnect.com/docs/attack-tags)[Tags to apply to the Case.](https://knowledge.threatconnect.com/docs/case-details#tags)
- **Severity**: (Optional) Select a [severity](https://knowledge.threatconnect.com/docs/parts-of-a-case#severity) for the Case.
- **Status**: (Optional) Select a [status](https://knowledge.threatconnect.com/docs/parts-of-a-case#status) for the Case.
- **Assignee**: (Optional) Select the user or user group to which the Case will be assigned.
- **Viewable By**: (Optional) Select the users that will be able to [view the Case](https://knowledge.threatconnect.com/docs/parts-of-a-case#users-with-viewing-access). The default selection is **Everyone** (i.e., all users who can [access the Workflow feature](https://knowledge.threatconnect.com/docs/organization-roles#workflow)). NoteAssignee(s) are selected automatically in the **Viewable By** menu if the **Everyone** option is not selected
- **Artifacts**: (Optional) Click **ADD ARTIFACT** to [add Artifacts to the Case](/v1/docs/creating-cases#adding-artifacts-to-a-case).
- **Notes**: (Optional) Enter a [Note](https://knowledge.threatconnect.com/docs/case-notes), either in plain text or in [Markdown](https://www.markdownguide.org/). If using Markdown, click the **Preview Markdown**link to preview the text with the rendered Markdown formatting.NoteThe **Note**text box supports the Marked library ([https://marked.js.org/](https://marked.js.org/)).
4. Click **SAVE**to create the Case.
### Adding Artifacts to a Case
Follow these steps to add Artifacts to a Case you are creating:
1. Click **ADD ARTIFACT**on the upper right of the **Artifacts** section of the **New Case**drawer (Figure 1).
2. Fill out the fields in the **Add Artifact** section of the **New Case**drawer (Figure 2) as follows:
- **Type**: (Required) Select the Artifact’s type. Available Artifact types include all ThreatConnect [Indicator types](https://knowledge.threatconnect.com/docs/the-threatconnect-data-model#indicator-types) and other data types by ThreatConnect and your System Administrator.
- **Summary**: (Required) Enter the Artifact's summary. This field dynamically adjusts based on the data type and UI element the Artifact type supports. Possible UI elements for this field include a text box, a date selector, a date and time selector, a dropdown, and an area to upload a file.
- **Source**: (Optional) Enter the name of the user providing the Artifact’s details. Your username is the default value of the Artifact’s source and can be modified as desired.
- **Use to potentially associate cases.**: (Optional)Select this checkbox to allow ThreatConnect to use the Artifact to generate potential associations for [Cases](https://knowledge.threatconnect.com/v1/docs/potential-associations-card-for-cases), [Groups, and Indicators](https://knowledge.threatconnect.com/docs/the-associations-tab#potential-associations).NoteIf multiple Cases contain an Artifact with the same summary and type, and the **Use to potentially associate cases.**checkbox is selected for each copy of the Artifact, those Cases will be displayed in the **Cases**section of the [**Potential Associations** card](https://knowledge.threatconnect.com/v1/docs/potential-associations-card-for-cases) for each Case****and in the **CASES**dropdown in the [**Links**column of the **Artifacts**card](https://knowledge.threatconnect.com/v1/docs/artifacts-card#links) for the Artifact.ImportantThe default setting for this checkbox may vary across Artifact types. Also, if a System Administrator has disallowed the Artifact type from being used to potentially associate Cases, then selecting this checkbox will have no effect.
3. Click **CREATE** to create the Artifact and return to the rest of the New Case drawer.
### Applying a Workflow After Creating a Case
You can apply a Workflow to a Case that was created without a Workflow if no Tasks have been added to the Case yet. Follow these steps to apply a Workflow to an existing Case:
1. [Navigate to a case.](https://knowledge.threatconnect.com/docs/parts-of-a-case#viewing-a-case) If a Workflow has not been applied to the Case and no Tasks have been added to it, the [**Phases and Tasks**section](https://knowledge.threatconnect.com/docs/phases-and-tasks-section) will display a****message stating that no Workflow has been applied to the Case (Figure 3).
2. Click the **No Workflow** message.
3. Select a Workflow from the dropdown in the **Assign Workflow**window (Figure 4) and click **ASSIGN**to assign the selected Workflow to the Case.
.png)
4. If no user is assigned to the Case but the selected Workflow has a default assignee, you will be prompted to make a selection in the **Keep Unassigned?**window (Figure 5).
- **KEEP UNASSIGNED**: Click this button to keep the Case unassigned.
- **CHANGE TO ****: Click this button to assign the Workflow’s default assignee to the Case.
5. If a user is assigned to the Case and that user is different from the selected Workflow’s default assignee, the **Keep Current Assignee?**window will be displayed (Figure 6).
- **CHANGE TO ****: Click this option to assign the Workflow's default assignee (user or user group) to the Case.
- **KEEP ****: Click this option to keep the Case unassigned.
6. If a user is assigned to the Case and that user is different from the selected Workflow’s default assignee, you will be prompted to make a selection in the **Keep Current Assignee?** window (Figure 7).
- **CHANGE TO ****: Click this option to change the Case’s assignee to the Workflow’s default assignee (user or user group.
- **KEEP ****: Click this option to keep the current assignee of the Case.
After applying a Workflow to a Case, the **Phases and Tasks**section will be populated with the Phases and Tasks in the Workflow, and the Workflow’s name will be added to the Case’s header.
---
*ThreatConnect® is a registered trademark of ThreatConnect, Inc.* *MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation.*
20122-03 v.05.A