--- title: "Parts of a Case | ThreatConnect" slug: "parts-of-a-case" description: "This article describes how to view and manage a Case, as well as the various components and elements included in a Case. When applicable, links to articles with more detailed information about these Case components and elements will be provided." tags: ["Getting Started", "Case Management"] updated: 2024-11-07T21:37:26Z published: 2024-11-07T21:37:26Z canonical: "knowledge.threatconnect.com/parts-of-a-case" --- > ## Documentation Index > Fetch the complete documentation index at: https://knowledge.threatconnect.com/llms.txt > Use this file to discover all available pages before exploring further. # Parts of a Case ## Overview A [Workflow Case](/v1/docs/workflow-cases) in ThreatConnect® is a single instance of an investigation, inquiry, or other procedure. It contains all required elements of a notable event in a logical structure. Cases can be used to capture key evidence to enable security teams to decide if the Case should be escalated. This article describes how to view and manage a Case, as well as the various components and elements included in a Case. When applicable, links to articles with more detailed information about these Case components and elements will be provided. ## Before You Start | Minimum Role(s) | - Organization role of Read Only User (for viewing Cases) - Organization role of Standard User (for updating a Case’s visibility settings, assignees, resolution, status, and severity) - Organization role of Organization Administrator (for deleting Cases) | | --- | --- | | Prerequisites | - Workflow enabled by a System Administrator - A [Workflow Case created in your Organization](https://knowledge.threatconnect.com/v1/docs/creating-cases) | ## Viewing a Case After you [create a Case](https://knowledge.threatconnect.com/docs/creating-cases), a card for the Case will be displayed on the [**Cases**tab of the **Workflow** screen](/v1/docs/the-cases-screen) (Figure 1). ![Figure 1_Parts of a Case_7.1.0](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%201_Parts%20of%20a%20Case_7.2.0.png) Click on the card to view the Case (Figure 2). ![Figure 2_Parts of a Case_7.1.0](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%202_Parts%20of%20a%20Case_7.7.1.png) ## Case Name, Number, and Workflow The name of the Case and a unique identification number (**270**in this example) are displayed next to the **Cases**tab at the top left of the screen and just below that, at the top left of the Case itself (Figure 3). ![Figure 3_Parts of a Case_7.1.0](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%203_Parts%20of%20a%20Case_7.1.0.png) If a Workflow has been applied to the Case, the Workflow’s name (**Email Investigation**in this example) will be displayed to the right of the **Workflow**text, below the name of Case’s assignee. NoteIn addition to the **Cases** screen, you can search for a Case with the [ThreatConnect search engine](https://knowledge.threatconnect.com/docs/search-and-analyze). If you use the [legacy **Search**drawer](https://knowledge.threatconnect.com/docs/searching-in-threatconnect-legacy), you can search for a Case by name or ID number. If you use the **[](https://knowledge.threatconnect.com/docs/searching-in-threatconnect)** [](https://knowledge.threatconnect.com/docs/searching-in-threatconnect)[**Search**screen](https://knowledge.threatconnect.com/docs/searching-in-threatconnect) [](https://knowledge.threatconnect.com/docs/searching-in-threatconnect)**[](https://knowledge.threatconnect.com/docs/searching-in-threatconnect)**, you can search for a Case by name only. When searching for a Case by name on the legacy **Search**drawer, you must enter the entire, exact name of the Case for it to be returned as an [exact match](https://knowledge.threatconnect.com/docs/search-results-legacy#exact-matches). ## Assignee and Users with Viewing Access ### Assignee The user or user group assigned to the Case is displayed under the Case number (Figure 3). A Case’s assignee is the user or user group responsible for tracking and monitoring the Case. Users other than the assignee may work in the Case as long as they have viewing access. The assignee receives [notifications](/v1/docs/notifications-and-following) about the Case. Assignee information can also be used to filter metrics on [TQL](/v1/docs/threatconnect-query-language-tql)-based [dashboard](/v1/docs/dashboard) cards. To change a Case's assignee, click on the user or user group name at the top left of the Case (Figure 3). A menu with suggested assignees (individual users followed by user groups) in the Organization will be displayed (Figure 4). ![Figure 4_Parts of a Case_7.1.0](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%204_Parts%20of%20a%20Case_7.1.0.png) Select a new assignee for the Case from the menu, use the search bar to search for a particular user or user group, or close the menu by clicking anywhere outside of it. NoteNot all users in the Organization will be listed in the dropdown menu, and the dropdown menu is not scrollable. Use the search bar to find users who are not listed in the menu. ### Users with Viewing Access The user(s) with viewing access to the Case are displayed next to the **eye**![Eye icon](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Eye%20icon.png)icon under the Case number (Figure 3). For multiple users, only the first two names will be listed, followed by the total number of other users with viewing access—e.g., **AMARI JACKSON, AMY POND (+ 12 MORE)**. Click on the username(s) next to the **eye**![Eye icon](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Eye%20icon.png)icon to view a menu listing all users in the Organization and a radio button indicating their access (Figure 5). ![Figure 5_Parts of a Case_7.1.0](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%205_Parts%20of%20a%20Case_7.1.0.png) If viewing access is available to all members of the Organization, then the **All**checkbox will be selected. If viewing access is restricted to a subset of Organization members, then the **All**checkbox will be cleared, and Organization members with viewing access will be listed under the **Restrict to selected user(s):**section, as in Figure 5. To add or remove viewing access for a user, select or clear the checkbox next to their name, respectively. To give viewing access to all users in the Organization, select **All**(Figure 6). ![Figure 6_Parts of a Case_7.1.0](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%206_Parts%20of%20a%20Case_7.1.0.png) NoteA gray checkmark![Gray checkmark icon](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Gray%20checkmark%20icon.png)designates the Case’s assignee. It is not possible to remove an assignee’s viewing access for a Case. The only way to prevent an assignee from viewing a Case is to select a different assignee and then remove viewing access for the original assignee. If a user who is not assigned to a Case attempts to toggle off their own viewing access for that Case, the **Are you sure** **you want to revoke your own Permissions?** window will be displayed. If the user clicks the **CONFIRM** button, their access to the Case will be removed, and they will be returned to the **Cases**tab of the **Workflow**screen. ## Resolution, Status, and Severity The resolution, status, and severity of the Case are displayed in a row at the top right of the Case (Figure 7). ![Figure 7_Parts of a Case_7.1.0](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%207_Parts%20of%20a%20Case_7.7.1.png) ### Resolution Resolution is used to communicate the justification for the current status of the Case. To set or change the resolution of a Case, click on the leftmost item in the row (**NOT SPECIFIED**in Figure 7) and select an option from the menu that is displayed. Available Case resolutions include the following: - Containment Achieved - Deferred / Delayed - Escalated - False Positive - In Progress / Investigating - Rejected - Restoration Achieved ### Status To change the status of a Case, click the middle item in the row (**OPEN** in Figure 7) and select the corresponding option from the menu that is displayed: - If a Case’s status is set to **OPEN**, the menu will display only an option of **Close**. - If a Case’s status is set to **CLOSED**, the menu will display only an option of **Re-Open**. ### Severity To change the severity of a Case, click the rightmost item in the row (**MEDIUM SEVERITY**in Figure 7) and select an option from the **CHANGE SEVERITY TO:**menu. Available severity levels for a Case include the following: - Critical - High - Medium - Low ## Explore In Graph The [Threat Graph****feature](https://knowledge.threatconnect.com/docs/explore-in-graph) in ThreatConnect provides a graph-based interface where you can discover, visualize, and contextualize associations and relationships between Indicators, Groups, Cases, and Tags. Click the **Explore In Graph**button at the upper-right corner of the Case****to [view the Case in Threat Graph](https://knowledge.threatconnect.com/docs/viewing-an-object-in-threat-graph#viewing-cases-in-threat-graph). See [*Pivoting in ThreatConnect in Threat Graph*](https://knowledge.threatconnect.com/docs/pivoting-in-threatconnect-in-threat-graph)**for further instruction on pivoting on Indicators, Groups, Case, and Tag associations for the selected Case in Threat Graph. ## Create Custom Report ThreatConnect’s built-in [reporting feature](https://knowledge.threatconnect.com/docs/reports) lets you collect and organize valuable information and insights about a Case in a document that can be shared with teammates, executives, and stakeholders. Click the **+ Create Custom Report**button at the upper-right corner of the Case to create a report for the Case [from scratch](https://knowledge.threatconnect.com/docs/creating-a-report#creating-a-case-report) or [from a Case report template](https://knowledge.threatconnect.com/docs/creating-a-report#creating-a-report-from-a-case-report-template). ## Case Elements ### Phases and Tasks The [**Phases and Tasks** section](/v1/docs/phases-and-tasks-section), located on the left side of the screen (Figure 2), is where the action of the Workflow feature takes place. This section shows all Tasks in the Case, grouped into Phases, as specified by the [Workflow](/v1/docs/workflow-templates) on which the Case is based. By default, the **Phases and Tasks**section of the screen is displayed in detail view, but can be switched to list view. Detail view provides all details for each Task, including fields for providing inputs that are saved as Artifacts. ### Case Details The [**Case Details**card](/v1/docs/case-details), located at the top right of a Case (Figure 2), displays time-based information related to the Case, Tags that have been applied to the Case, and a description of the Case. ### Attributes The [**Attributes** card](/v1/docs/case-attributes), located below the **Case Details**card, displays all System-level and Organization-level Attributes added to the Case. Case Attributes are key/value data sets that you can use to enrich a Case and aid security teams as they investigate a threat and determine the appropriate escalation path for a Case. ### Associations The [**Associations**card](https://knowledge.threatconnect.com/v1/docs/associations-card-for-cases), located below the **Attributes**card, displays all Indicators, Groups, and Cases associated to the Case. For Indicators and Groups displayed on a Case’s **Associations**card, the Case will be listed as an associated Case on the **[](https://knowledge.threatconnect.com/docs/the-associations-tab#cases)** [](https://knowledge.threatconnect.com/docs/the-associations-tab#cases)[**Case Associations**card of the **Associations** tab](https://knowledge.threatconnect.com/docs/the-associations-tab#case-associations)****on their [**Details**screen](https://knowledge.threatconnect.com/docs/the-details-screen), as well as the **Case Associations**card on their [**Details**drawer](https://knowledge.threatconnect.com/docs/the-details-drawer). If viewing an associated Indicator’s or Group’s [legacy **Details**screen](https://knowledge.threatconnect.com/docs/the-details-screen-legacy), you can view associated Cases in the **[](https://knowledge.threatconnect.com/docs/table-view-associated-cases)** [](https://knowledge.threatconnect.com/docs/table-view-associated-cases)[**Associated Cases** section of the **Associations** card](https://knowledge.threatconnect.com/docs/table-view-associated-cases) [](https://knowledge.threatconnect.com/docs/table-view-associated-cases)**[](https://knowledge.threatconnect.com/docs/table-view-associated-cases)** while the card is in table view. Cases associated to one another will be displayed on each other’s **Associations**card. ### Potential Associations The [**Potential Associations** card](https://knowledge.threatconnect.com/v1/docs/potential-associations-card-for-cases), located below the **Associations**card, displays Indicators, Groups, and Cases suggested as associations that you may want to add to the Case. Some or all of the following objects may be displayed on this card, depending on how your System Administrator configured potential associations for your ThreatConnect instance: - Indicators that match the type and summary of a Case [Artifact](https://knowledge.threatconnect.com/docs/artifacts) that has its [**Use to potentially associate cases.**checkbox](https://knowledge.threatconnect.com/docs/adding-artifacts-to-a-case)****selected - Indicators associated to Groups associated to the Case - Groups associated to Indicators associated to the Case - Groups associated to Indicators that match the type and summary of a Case Artifact that has its **Use to potentially associate cases.** checkbox****selected - Cases that share an Artifact with the Case you are viewing (i.e., both Cases contain an Artifact with the same summary and type, and each copy of the Artifact has its **Use to potentially associate cases.**checkbox****selected) ### Artifacts The [**Artifacts**card](https://knowledge.threatconnect.com/v1/docs/artifacts-card), located below the **Potential Associations**card, displays all Artifacts added to the Case. When [viewing an Artifact’s details](https://knowledge.threatconnect.com/docs/viewing-artifact-details), you can view Indicators and Groups associated or potentially associated to the Artifact and create associations to Indicators and Groups. In addition to viewing these associations on the **Artifacts**card, you can view associated Artifacts on the **[](https://knowledge.threatconnect.com/docs/the-associations-tab#artifacts)** [](https://knowledge.threatconnect.com/docs/the-associations-tab#artifacts)[**Artifact Associations**card of the **Associations**tab](https://knowledge.threatconnect.com/docs/the-associations-tab#artifact-associations) [](https://knowledge.threatconnect.com/docs/the-associations-tab#artifacts)**[](https://knowledge.threatconnect.com/docs/the-associations-tab#artifacts)**on an associated****Indicator’s or Group’s **[](https://knowledge.threatconnect.com/docs/the-details-screen)** [](https://knowledge.threatconnect.com/docs/the-details-screen)[**Details** screen](https://knowledge.threatconnect.com/docs/the-details-screen). I [](https://knowledge.threatconnect.com/docs/the-details-screen)f viewing an associated Indicator’s or Group’s [legacy **Details**screen](https://knowledge.threatconnect.com/docs/the-details-screen-legacy), associated Artifacts are displayed in the **[](https://knowledge.threatconnect.com/docs/table-view-associated-artifacts)** [](https://knowledge.threatconnect.com/docs/table-view-associated-artifacts)[**Associated Artifacts** section of the **Associations** card](https://knowledge.threatconnect.com/docs/table-view-associated-artifacts) [](https://knowledge.threatconnect.com/docs/table-view-associated-artifacts)**[](https://knowledge.threatconnect.com/docs/table-view-associated-artifacts)** while the card is in table view. When viewing an Artifact whose type maps to a ThreatConnect Indicator type, you can enrich the Artifact with data retrieved from [third-party enrichment services](https://knowledge.threatconnect.com/docs/viewing-artifact-details#enrichment) enabled and configured for the corresponding Indicator type. ### Notes The [**Notes**card](/v1/docs/case-notes), located below the **Artifacts**card, displays all Notes added to the Case. A Note in Workflow is freeform information entered by a user (e.g., in a Workflow Case or attached to a Task or Artifact). Notes can be used to provide commentary, directives to another user, additional details, or any information that cannot be captured elsewhere. They enable security teams to journal key data findings in an unstructured format. ### Timeline The [**Timeline**card](/v1/docs/timeline-events), located below the **Notes**card, shows a timeline of all changes made to a Case. When an action is performed in a Case, a Timeline Event is added automatically to its timeline. Timeline Events may also be added manually to a Case’s timeline. ## Managing a Case ### Adding Case Elements Click the **New…![Add button](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Add%20button.png)**button at the top right of a Case to display a menu with the following options: - **Associate Case**: Select this option to [associate a Case to the Case being viewed](https://knowledge.threatconnect.com/v1/docs/associations-card-for-cases#adding-case-associations). - **Associate Group**: Select this option to [associate a Group to the Case](https://knowledge.threatconnect.com/v1/docs/associations-card-for-cases#adding-group-associations). - **Associate Indicator**: Select this option to [associate an Indicator to the Case](https://knowledge.threatconnect.com/v1/docs/associations-card-for-cases#adding-indicator-associations). - **Artifact**: Select this option****to [create a new Artifact](https://knowledge.threatconnect.com/v1/docs/adding-artifacts-to-a-case) in the Case. - **Attribute**: Select this option to [create a new Attribute](https://knowledge.threatconnect.com/v1/docs/case-attributes#adding-attributes-to-a-case) in the Case. - **Case**: Select this option to [create a new Case](https://knowledge.threatconnect.com/v1/docs/creating-cases). - **Note**: Select this option to [add a Note](https://knowledge.threatconnect.com/v1/docs/case-notes#adding-notes) to the Case. - **Run Playbook**: Select this option to [run a Playbook in the Case](https://knowledge.threatconnect.com/v1/docs/artifact-administrative-options#run-playbook). Note that no Artifact will be highlighted in the **Artifacts** table of the **Run Playbook** drawer. - **Task**: Select this option****to [add a Task](https://knowledge.threatconnect.com/v1/docs/adding-tasks-to-a-case) to the Case. - **Timeline Event**: Select this option to [add a Timeline Event](https://knowledge.threatconnect.com/v1/docs/timeline-events#adding-timeline-events) to the Case. ### Removing a Case To remove (delete) the Case, click the **⋮**menu at the top right of the Case and select **Remove**. --- *ThreatConnect® is a registered trademark of ThreatConnect, Inc.* 20121-01 v.05.B ## Related - [Artifacts](/artifacts.md) - [Case Associations](/case-associations.md) - [Case Attributes](/case-attributes.md) - [Case Details](/case-details.md) - [Case Notes](/case-notes.md) - [Phases and Tasks](/phases-and-tasks.md) - [The Cases Screen](/the-cases-screen.md) - [Timeline Events](/timeline-events.md) - [Workflow Overview](/workflow-overview.md)