Open cases in Trend Vision One apps and manage your organization’s cases in Workflow and AutomationCase Management.

Case Management displays Trend Vision One cases opened by your security operations center (SOC) team, information technology (IT) operations team, or risk manager. Trend Vision One cases are based on incidents, events, and alerts directly within Trend Vision One apps. Apps that can open Trend Vision One cases include:
  • Cyber Risk Exposure Management
  • Security Playbooks (using the Automated Response Playbook)
  • Workbench
Case Management automatically closes Trend Vision One cases that are inactive for 60 days.
The following table outlines the options available in Case Management.
Action
Description
Filter case data
Use the available menus to locate specific cases.
  • Status: The current status of a case.
    Available statuses:
    • Open (case_Open=a774979f-2790-4cd1-8161-b5dc82579473.png)
    • In progress (case_InProgress=4a4e6461-7031-48c5-87b7-683b43ff9da4.png)
    • Closed (case_Closed=ba556e15-9f9e-4e7a-9007-12f89a447dd4.png)
  • Findings: The findings of a case (only available for cases created in Workbench).
    Available values:
    • True positive: The investigation confirmed the occurrence of threats or malicious activities.
    • False positive: No malicious activity found.
    • Benign true positive: The investigation confirmed the presence of a genuine threat that poses no risk to the organization.
      Benign true positives are the result of penetration tests or other legitimate activities in your environment.
    • Noteworthy: Trend Vision One detected unusual activity that requires more investigation.
    • -: The investigation has no findings.
  • Priority: The priority the owner assigned to the case.
    Available values:
    • P0
    • P1
    • P2
    • P3
  • Owners: The Trend Vision One accounts assigned to the case.
Change the case status
Select one or more cases and click Change Status to update the progress of the case.
For cases created in Cyber Risk Exposure Management, the case is automatically changed to Closed when all associated risk events are remediated, accepted, or dismissed. If not all risk events have been resolved, you may change risk event status when manually closing the case.
Change the case findings
Select one or more cases and click Change Findings to update the findings of the case.
Change the case priority
Select one or more cases and click Change Priority to update the priority of the case.
Attach files to a case
Click a case name to open the case details and click Attach Files.
Your organization can upload a maximum of one GB of attachment files across all cases in Case Management.
Generate an investigation report
Important
Important
This is a pre-release sub-feature and is not part of the existing features of an official commercial or general release. Please review the Pre-release sub-feature disclaimer before using the sub-feature.
If you enabled generative AI in Trend Companion click a case name, then go to Trend CompanionGenerate investigation report. Trend Companion generates a threat investigation and remediation report for the case, which you can preview, edit, and download by going to Dashboards and ReportsReports.
This action is only available for Workbench cases whose Findings are True positive.
Create a case summary
Important
Important
This is a pre-release sub-feature and is not part of the existing features of an official commercial or general release. Please review the Pre-release sub-feature disclaimer before using the sub-feature.
If you enabled generative AI in Trend Companion, click a case name, then go to Trend CompanionSummarize case. Trend Companion summarizes all the notes created in the case since last time a summarized progress note was created. The summary appears as an entry under Activity. Summarized progress notes are helpful when transferring a case to a new owner.
Assign owners
Select one or more cases and click Assign Owners to assign accounts within your organization to the case.
Assigning owners has the following limitations:
  • For IdP-only SAML group users:
    • You can only assign users who have signed in and are still cached in Trend Vision One.
    • User Accounts cannot list all users under the IdP-only SAML group.
  • IdP-only SAML groups and IdP-only SAML group users cannot get email notifications.
Change impacted assets
For cases created in Cyber Risk Exposure Management, you can select specific impacted assets and move the assets to a different case or remove the assets from the case. You can only move assets between cases involving the same risk event.
Open a sub case
Related cases are independent sub cases that give you the flexibility to divide a complex investigation into small sub cases. Related cases supply more information for the main case.
Locate a case, click options=ddb0b67f-0654-4aa5-8bc7-48ec554c5448.png and select Open Related Case. The new case is automatically linked with the main case.
Add a Forensics workspace to a sub case
Select a Forensics case and click Create Forensics Workspace.
The new Forensics workspace is automatically added to the related case as an associated item. The Forensics workspace includes all endpoints that are part of the impact scope of a Workbench alert/insight.
Export cases to a CSV file
Select the cases and click Export to create a report of the cases' data. Case Management saves the data to a comma-separated value (CSV) file. You can also view and download the file in the Reports app.
Enable integration with ServiceNow
Click gear_icon=fc9a51ad-35af-4fe3-92c6-5e41b2dfc5d9.png Integration Settings to turn on integration with ServiceNow.
Integrating with ServiceNow lets you send Case Management tickets to ServiceNow ITSM for managing in the ServiceNow portal. Only supported for Workbench cases created from Automated Response Playbooks.
Edit additional notifications
For cases created in Cyber Risk Exposure Management, click edit_icon=GUID-1F1D1164-5310-4D6D-ACD0-6049C86960AF.png for the Description to specify email addresses to receive notifications.
Related information