View comprehensive information about a case, manage case properties, and perform actions to investigate and resolve security incidents.

When you click a case ID in Workflow and Automation > Case Management or the Details icon in Case Viewer, the case details page displays comprehensive information about that case.
The case details page provides a centralized view where you can:
  • View and update case information such as status, priority, findings, and owners
  • Add notes and comments to document your investigation
  • Attach files and evidence
  • Link related cases for complex investigations
  • Generate AI-powered investigation reports and case summaries
Action
Description
View case information
The case information panel displays key details about the case:
  • Case ID: Unique identifier for the case
  • Name: Case name
  • Description: Detailed description
  • Case status: Case progress
    • To do
    • In progress
    • Closed
  • Priority:
    • P0
    • P1
    • P2
    • P3
  • Findings: Investigation outcome
    • True positive
    • False positive
    • Benign true positive
    • Noteworthy
    • None
  • Type: Case types can provide specialized features.
    • Compliance: Track and manage compliance-related incidents and remediation activities
    • Forensics: Create workspaces and manage endpoint capabilities
    • General: Provide flexible cases for independent security operations and investigation
    • Risk event: Manage impacted assets and automatically close when all risk events are resolved
    • Workbench: Support AI-powered investigation reports, case summaries, and Forensics workspace creation
    • Other
  • Trend Vision One case owner:
  • Created: Date and time the case was created
  • Last updated: Date and time of the most recent change
  • Associated items: Related security objects such as alerts, endpoints, files, and other artifacts
  • Related cases: Linked cases for complex investigations
For information about modifying case properties, see Case viewer.
Resize the pane
You can adjust the amount of vertical screen space the tables use.
Generate investigation report
Create an AI-powered threat investigation and remediation report. This feature requires TrendAI™ Companion with generative AI enabled and is available for Workbench cases with true positive findings.
Summarize case
Generate an AI-powered summary of all notes since the last summary. This feature requires TrendAI™ Companion with generative AI enabled.
View and filter case activities
The Activity tab shows the case history.
  • Entry type: The type of activity recorded
    • Case opened
    • Case name changed
    • Case description modified
    • Owner list modified
    • Case status changed
    • Case priority changed
    • Case findings changed
    • Comment added
    • Comment with attachments added
    • Case progress summary
    • Attachments added
    • Other
  • Created:
    • All
    • Last 24 hours
    • Last 3 days
    • Last 7 days
    • Last 30 days
    • Custom period
      • From
        Select the date and time then click Apply.
      • To
        Select the date and time then click Apply.
  • User
    Search and select specific users.
View and manage attachments
The Attachments tab shows files attached to this case.
  • Filter attachments by User.
  • Search for a file by name.
  • Click Download icon to download the file.
  • Click Delete icon to delete the file.
  • Select more than one file to download or delete multiple files at once.
View and manage comments
The Comments tab shows all notes left on the case.
  • Filter comments by User.
  • Search comments by keyword.
  • Click Edit icon to modify the comment.
  • Click Delete icon to delete the comment.
  • Type a new Comment then click Add to save the comment.
    • Click Attach files to add an attachment to the comment.
View highlighted objects
The Highlighted objects tab lists highlighted objects.
  • Search for an asset by name.
  • Click Add filter to filter the list.
  • Select the View:
    • All
    • By asset
  • Click Customize columns to show or hide columns.
  • Click the number under Associated assets to view an asset in Workbench.
  • Click the number under Related alerts to open an alert in Workbench.
  • Click Options icon for additional actions.
View and manage impacted assets
The Impacted assets tab displays assets within your visibility scope.
  • Select the Risk status:
    • Accepted
    • Dismissed
    • In progress
    • Remediated
  • Search for an asset by name.
  • Click Go to Threat and Exposure Management for more information about the risk event.
  • Click Refresh icon to refresh the list of assets.
  • Click the asset name to view more information in Attack Surface Discovery.
  • Expand the row to view additional asset information.
Impact scope
The Impacted scope tab shows objects
  • Search for impacted objects.
  • Click the name to view the Detailed profile for the selected asset:
    • Asset risk overview: A risk snapshot of the selected asset
    • Endpoint security information: A security and agent view of the endpoint
    • Endpoint policy information: Security policies applied to the selected endpoint
    • Identity information: User security profile with identity‑related attributes, authentication posture, account activity, and identity‑based risk signals
    • Tags: Any tags associated with the selected asset
  • Click the number under Related alerts to view an alert in the workbench.
  • Click Options icon for additional actions.
Playbook results
The Playbook results tab summarizes all automated actions and workflows executed on the case using security playbooks.
View and manage response actions
The Response actions tab displays a list of response tasks related to the case.
  • Filter by the Task status:
    • All
    • In progress: TrendAI Vision One™ sent the command and is waiting for a response.
    • Successful: The command was successfully executed.
    • Partially successful: One or more commands were unsuccessful.
    • Unsuccessful: An error or time-out occurred when attempting to send the command to the managing server, the agent is offline for more than 24 hours, or the command execution timed out.
    • Pending approval: The task is pending approval from specified users.
    • Rejected: The automated response task created in Workbench was rejected.
    • Queued: The managing server queued the command because the agent was offline.
    • Manually terminated: The task has been manually terminated.
  • Show only a specific Action:
  • Filter by Target type:
    • All
    • Container
    • Digital evidence
    • Domain / IP
    • Email
    • File
    • Host / Endpoint
    • IAM identity
    • Network
    • Process
    • URL
    • User account
  • Search for response tasks by task ID, target, endpoint, and more.
  • Click Refresh icon to refresh the list of response actions.
  • Expand a row to view more information.
  • Click the Task ID to view the response action in
  • Click Options icon for additional actions.
View added assets
The Selected assets tab displays any assets included when the case was created.
SLA logs
The SLA logs tab displays activity related to service level agreement metrics for the case.
View and manage tasks
The Tasks tab lists tasks created for the case.
  • Click Create task to add a new task.
    1. Name the task.
    2. Provide a Description of what needs to be done.
    3. Set the Task status.
    4. Select the Due date and time.
    5. Add at least one Owner with the appropriate permissions and management scope.
    6. Click Create.
  • Filter tasks by Status.
  • Click a task name to view the task details.
    • Activity: The task history
    • Comments: A list of any comments made for the task
    • Attachments: A list of any attachments added to the task
Update Forensics workspace
Update the workspace with current impacted endpoints.