Overview
Cases are a collaborative interface where you can investigate, remediate, and report on incidents all in real-time.
Whether you're running down a security incident, managing a support request, triaging a flood of alerts, or coordinating an operational task, cases can flex to your needs.
Best practices
Case templates & data capture
Creating cases at the earliest point in your detection pipeline ensures no context is lost and reduces the time between detection and response. When an alert fires from your SIEM, EDR, or other security tools, immediately create a case with all relevant context. By using templates, you can standardize the look and feel of cases for analysts.
Use the Create Case action immediately after receiving alerts from your detection sources.
Design templates with consistent field structures across similar alert types (e.g., all phishing cases should have the same fields: sender email, subject line, reported by, etc.).
Pre-populate fields with data from the alert using formulas to extract and format information automatically.
Include rich context like timestamps, affected assets, alert severity, and raw event data.
Use markdown formatting in case descriptions to make information scannable with headers, bullet points, and code blocks.
Create separate templates for different incident types (phishing, malware, data exfiltration, insider threat) to ensure analysts see relevant fields for each scenario.
Teams & least privilege
Implementing proper access controls protects sensitive data, prevents accidental modifications to automation logic, and ensures analysts only see cases relevant to their role.
Use team-based case routing to automatically assign cases to the appropriate team based on alert type or classification.
Limit story access to automation engineers and senior analysts who need to modify workflows.
Implement role-based permissions where junior analysts can view and comment, while senior analysts can close cases and execute sensitive actions.
Audit access regularly to ensure team membership reflects current organizational structure.
Case actions
Case actions empower analysts to execute complex workflows with a single click, reducing response time and ensuring consistent execution of playbooks.
Create action buttons for common response tasks:
"Block IP" → Add to firewall blocklist
"Quarantine user" → Disable account and revoke sessions
"Isolate endpoint" → Trigger EDR isolation
"Request manager approval" → Send approval form to user's manager
"Escalate to Tier 2" → Reassign case and notify senior analyst
"Run full investigation" → Execute comprehensive enrichment workflow
Use deterministic actions for tasks that don't require judgment (e.g., "Gather user activity logs").
Metrics and dashboard
Tracking the right metrics enables you to measure performance, identify bottlenecks, and demonstrate value to leadership. Capture important case metrics in case fields or records.
Store metrics in records for historical analysis and trend identification.
Create dashboard visualizations:
Case volume by day/week/month
Average resolution time by severity
False positive rate by alert source
Top alert types and their outcomes
Analyst workload distribution
SLA compliance rates
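As an added example (not part of the original page or Tines' own code), this computes three of the dashboard metrics above from constructed case records; the record fields, the SLA targets per severity and the outcome values are assumptions:

```python
from collections import defaultdict
from datetime import datetime

# Constructed case records standing in for Tines case fields/records; names are assumptions.
CASES = [
    {"id": 1, "severity": "high", "source": "EDR", "outcome": "true_positive",
     "opened": "2024-03-01T09:00:00", "closed": "2024-03-01T10:30:00"},
    {"id": 2, "severity": "high", "source": "EDR", "outcome": "false_positive",
     "opened": "2024-03-01T11:00:00", "closed": "2024-03-01T16:00:00"},
    {"id": 3, "severity": "low", "source": "Email", "outcome": "false_positive",
     "opened": "2024-03-02T08:00:00", "closed": "2024-03-03T08:00:00"},
    {"id": 4, "severity": "low", "source": "Email", "outcome": "true_positive",
     "opened": "2024-03-02T09:00:00", "closed": "2024-03-02T12:00:00"},
    {"id": 5, "severity": "critical", "source": "SIEM", "outcome": None,
     "opened": "2024-03-02T10:00:00", "closed": None},  # still open
]
SLA_HOURS = {"critical": 1, "high": 4, "medium": 24, "low": 72}  # assumed targets

def hours_between(start, end):
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600

def resolution_hours(case):
    """Hours from open to close, or None while the case is still open."""
    return hours_between(case["opened"], case["closed"]) if case["closed"] else None

def avg_resolution_by_severity(cases):
    buckets = defaultdict(list)
    for c in cases:
        h = resolution_hours(c)
        if h is not None:
            buckets[c["severity"]].append(h)
    return {sev: sum(v) / len(v) for sev, v in buckets.items()}

def false_positive_rate_by_source(cases):
    counts = defaultdict(lambda: [0, 0])  # source -> [false positives, closed cases]
    for c in cases:
        if c["outcome"] in ("true_positive", "false_positive"):
            counts[c["source"]][1] += 1
            counts[c["source"]][0] += c["outcome"] == "false_positive"
    return {src: fp / total for src, (fp, total) in counts.items()}

def sla_compliance_rate(cases, now):
    """Share of cases within their severity's SLA; an open case past its deadline is a breach."""
    met = 0
    for c in cases:
        h = resolution_hours(c)
        if h is None:
            h = hours_between(c["opened"], now)
        met += h <= SLA_HOURS[c["severity"]]
    return met / len(cases)
```

Open cases are counted against the SLA clock at the time of the query, so a dashboard refreshed periodically will flip a case to a breach as soon as it overruns.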
Records
Records act as a persistent data store within Tines. Use records for capturing IOCs, correlating events, and reducing alert noise & case volume.
Reduce alert noise:
Maintain a "known good" list of benign indicators that frequently trigger false positives
Track alert frequency per source and suppress high-volume, low-value alerts
Implement dynamic thresholds based on historical data
Build allowlists and blocklists:
Store approved third-party IPs/domains to filter out false positives
Maintain internal asset inventories to enrich alerts with context
Track case outcomes:
Record which IOCs led to true positives vs. false positives
Use this data to tune detection rules and improve alert quality
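The three record uses above (known-good list, per-source volume thresholds derived from history, and outcome tracking fed back from closed cases), as an added example that is not part of the original page or Tines' own code; the record shapes, alert fields and the "twice the historical mean" threshold rule are assumptions:

```python
from collections import Counter
from statistics import mean

# Constructed stand-ins for Tines records; all field names here are assumptions.
KNOWN_GOOD = {"ip": {"10.0.0.5"}, "domain": {"updates.vendor.test"}}
OUTCOMES = {"198.51.100.7": [0, 9], "203.0.113.4": [3, 0]}  # indicator -> [true positives, false positives]
HISTORY = {"IDS": [1, 2, 3], "EDR": [10, 12]}  # past alert counts per window, per source

def volume_threshold(source, history=HISTORY, floor=3):
    """Dynamic per-source threshold: twice the historical mean, never below the floor."""
    past = history.get(source)
    return max(floor, 2 * mean(past)) if past else floor

def should_suppress(alert, window_counts, known_good=KNOWN_GOOD, outcomes=OUTCOMES):
    """Return (suppress, reason) for one alert by consulting the records above."""
    ind = alert["indicator"]
    if ind["value"] in known_good.get(ind["type"], set()):
        return True, "known good"
    tp, fp = outcomes.get(ind["value"], (0, 0))
    if fp >= 5 and tp == 0:
        return True, "historically false positive"
    src = alert["source"]
    if alert["severity"] == "low" and window_counts[src] > volume_threshold(src):
        return True, "high-volume low-value source"
    return False, ""

def triage(alerts):
    """Split one window's alerts into those that get a case and those suppressed."""
    window_counts = Counter(a["source"] for a in alerts)
    cases, suppressed = [], []
    for a in alerts:
        sup, reason = should_suppress(a, window_counts)
        (suppressed if sup else cases).append((a["id"], reason))
    return cases, suppressed

def record_outcome(indicator, true_positive, outcomes=OUTCOMES):
    """On case close, feed the verdict back into the outcome record."""
    entry = outcomes.setdefault(indicator, [0, 0])
    entry[0 if true_positive else 1] += 1
    return entry

# Constructed batch of alerts for one window (three distinct alerts plus five low-severity IDS alerts).
ALERTS = [
    {"id": "a1", "source": "EDR", "severity": "high", "indicator": {"type": "ip", "value": "10.0.0.5"}},
    {"id": "a2", "source": "Proxy", "severity": "medium", "indicator": {"type": "ip", "value": "198.51.100.7"}},
    {"id": "a3", "source": "SIEM", "severity": "high", "indicator": {"type": "ip", "value": "203.0.113.4"}},
] + [
    {"id": f"ids{i}", "source": "IDS", "severity": "low", "indicator": {"type": "domain", "value": f"h{i}.test"}}
    for i in range(5)
]
```

Suppression only ever applies to low-severity alerts on the volume rule, so a burst from a noisy source cannot hide a high-severity hit from the same source.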
Cases webhook
Use your cases notification webhook to monitor for specific events, escalate cases, kick off workflows, and send notifications.
Monitor critical case events:
Case created with high/critical severity → Immediate notification to senior analysts
Case assigned → Send notification to assigned analyst via Slack/Teams/email
Case updated with specific field changes → Trigger additional workflows
Case closed → Log metrics and update dashboards
Case reopened → Alert management to potential recurring issue
Implement escalation workflows:
If case open > 1 hour without acknowledgment → Notify team lead
If high-severity case open > 4 hours → Escalate to management
If case marked as "needs help" → Assign to senior analyst and notify
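The event monitoring and escalation rules above, as an added example that is not part of the original page or Tines' own code; the webhook payload shape (event names, `changed_fields`, `acknowledged`, `tags`) is an assumption, and the time-based rules are written so a scheduled sweep can reuse them:

```python
from datetime import datetime, timedelta

# Constructed event shape; the real cases webhook payload fields are assumptions here.
SEVERE = {"high", "critical"}
HOUR = timedelta(hours=1)

def escalations(case, now):
    """Time-based rules; also safe to run from a scheduled sweep over open cases."""
    if case["status"] != "open":
        return []
    age = datetime.fromisoformat(now) - datetime.fromisoformat(case["opened_at"])
    out = []
    if not case.get("acknowledged") and age > HOUR:
        out.append(("notify", "team-lead"))
    if case["severity"] in SEVERE and age > 4 * HOUR:
        out.append(("escalate", "management"))
    if "needs help" in case.get("tags", []):
        out.append(("assign", "senior-analyst"))
    return out

def route_event(event, now):
    """Map one webhook delivery to the notifications and workflows listed above."""
    kind, case = event["event"], event["case"]
    actions = []
    if kind == "case.created" and case["severity"] in SEVERE:
        actions.append(("notify", "senior-analysts"))
    elif kind == "case.assigned":
        actions.append(("notify", case["assignee"]))
    elif kind == "case.updated" and "status" in event.get("changed_fields", []):
        actions.append(("workflow", "status-change"))
    elif kind == "case.closed":
        actions.append(("metrics", case["id"]))
    elif kind == "case.reopened":
        actions.append(("notify", "management"))
    return actions + escalations(case, now)

def mk_case(cid, severity, opened_at, status="open", **extra):
    return {"id": cid, "severity": severity, "opened_at": opened_at, "status": status, **extra}

NOW = "2024-03-01T12:00:00"  # constructed "current time" for the sample events
EVENTS = [
    {"event": "case.created", "case": mk_case(1, "critical", "2024-03-01T12:00:00")},
    {"event": "case.assigned", "case": mk_case(2, "low", "2024-03-01T10:00:00", assignee="alice", acknowledged=True)},
    {"event": "case.updated", "changed_fields": ["status"], "case": mk_case(3, "high", "2024-03-01T07:00:00")},
    {"event": "case.closed", "case": mk_case(4, "high", "2024-03-01T01:00:00", status="closed")},
    {"event": "case.updated", "changed_fields": ["tags"],
     "case": mk_case(5, "medium", "2024-03-01T11:30:00", tags=["needs help"], acknowledged=True)},
]
```

Because the 1-hour and 4-hour rules depend on elapsed time rather than on an event arriving, a webhook alone will miss a case that simply goes quiet; run `escalations()` on a schedule over open cases as well.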
Trigger downstream automation:
When case closed as "true positive" → Add IOCs to blocklists
When case involves specific asset → Trigger vulnerability scan
When case indicates compromise → Initiate forensic data collection
Send contextual notifications:
Include case summary, severity, and direct link in notifications
Route notifications based on case team, type, or severity
Aggregate low-priority notifications to avoid alert fatigue
Integrate with external systems:
Create tickets in ITSM platforms when cases require IT involvement
Update CMDB with incident information
Log case data to SIEM for correlation with other security events
Build feedback loops:
When analyst marks alert as false positive → Update detection rules
When case identifies new threat → Trigger threat hunting workflows
When case resolution involves new procedure → Update runbooks