Skip to main content

Threat CenterThreat Center Guide

Threat Center Cases

A case represents a response to a threat.

A case is a record of how you respond to a threat. As you investigate the threat, you collect all information and evidence and add them to the case. You assign a case to someone to respond and track their progress through the response stages.

You create a case automatically based on conditions you define using Automation Management playbooks or manually from an alert.

View cases under the Cases tab. By default, you see open cases created in the last week sorted by risk score, from highest to lowest, then age, from newest to oldest. To view other cases of interest, search for them. To view and update information about the case, select the case under the Cases tab. When you select an alert with an associated case, you are automatically redirected to the case.

A case highlighted with red rectangles and callouts.

1 View and copy the case ID.

2 View the case name.

3 Ask a security-trained AI assistant questions about the case.

4 Navigate to the timeline view in Search to view all events associated with the attribute by which detections are grouped.

5 Update case attributes, including case name, description, stage, queue, assignee, priority, MITRE ATT&CK® tactics and techniques, use cases, and tags.[1]

6 Document your investigation and remediation using case notes.

7 Send case information to email or webhook.

8 In the Overview tab, get an overview of core case information, including:

  • Copilot Threat Summary – An AI-generated summary of the case and recommended next steps. This summary is updated every time detections are added to the case.

  • Risk Score – The case risk score and associated priority.

  • User Description – The case description.

  • Grouped By – The attribute by which detections are grouped.

  • Timeframe – Important markers of time associated with the case, including:

    • First Detection – The date and time the first detection was added to the alert.

    • Duration – The days, hours, and minutes elapsed between when the first and last detection was added to the alert.

    • Case Creation – The date and time the case was created.

    • Age – For an open case, the days, hours, and minutes elapsed between when the case was created and the current time; or, for a closed case, the days, hours, and minutes between when the case was created and last closed.

  • Users – Users associated with related detections.

  • Devices – The source and destination hosts associated with related detections.

  • Rules Triggered – The triggered rules from which associated detections are created and the number of times they created associated detections.

  • Latest Notes – The notes most recently added to the case.

  • MITRE TTPs – The ATT&CK tactics and techniques that best describe the case.

  • Use Cases – The Exabeam use cases that best describe the case.

  • Tags – Related tags you created.

  • Attachments – Files attached to the case.

9 In the Threat Timeline tab, view a timeline of related detections and key response moments, including when the alert was created, when the associated case was created, when the investigation started, when remediation ended, and when the associated case was closed.

10 In the Attachments tab, add, download, and remove attachments.

11 In the History tab, view a history of all changes made to the case.




[1] MITRE ATT&CK and ATT&CK are trademarks of The MITRE Corporation ("MITRE"). Exabeam is not affiliated with or sponsored or endorsed by MITRE. Nothing herein is a representation of the views or opinions of MITRE or its personnel.