
Open cases in TrendAI Vision One™ and manage your organization’s cases in Workflow and Automation → Case Management.

Case Management displays TrendAI Vision One™ cases opened by your security operations center (SOC) team, information technology (IT) team, or risk manager. TrendAI Vision One™ cases are based on incidents, events, and alerts in Cyber Risk Exposure Management, Security Playbooks (using the Automated Response Playbook), Workbench, and Compliance Management. Case Management automatically closes TrendAI Vision One™ cases that are inactive for 60 days.
When TrendAI Vision One™ correlates alerts or insights and merges insights, it also merges any associated cases. Merging closes one case and moves all notes, owners, and history to the remaining case.
The following table outlines the actions available in Case Management.
Action
Description
Find and filter case data
Use these options to locate specific cases.
  • Case status: The current phase that the case is in
    • To do
    • In progress
    • Closed
  • Findings: The investigation outcome (only available for cases created in Workbench)
    • True positive: The investigation confirmed the occurrence of threats or malicious activities.
    • False positive: No malicious activity found.
    • Benign true positive: The investigation confirmed the presence of a genuine threat that poses no risk to the organization. Benign true positives are the result of penetration tests or other legitimate activities in your environment.
    • Noteworthy: TrendAI Vision One™ detected unusual activity that requires more investigation.
    • -: The investigation has no findings.
  • Owner: The user accounts assigned to the case.
  • Case search: Quickly locates cases that match entered phrases or terms
  • Add filter: Additional case filters
    • Associated items
    • Closed by
    • Created
    • Created by
    • Last updated
    • Object name
    • Object types
      • AMSI script
      • CLI command
      • Cloud collaboration app
      • Cloud identity
      • Desktop
      • Domain
      • Email address
      • Email message
      • File
      • IAM permission
      • IP address
      • Malware
      • Priority
      • Process
      • Registry
      • Sensitive data
      • Server
      • Text
      • Type
      • URL
      • User account
    • Object value
    • Priority: The priority that an owner assigned to the case.
    • SLA status: Whether the case has breached the service-level agreement
    • Type: The kind of case
In addition to the above filters, you can customize the columns that you see in Case Management.
  • Case ID / Name: The ID and name of the case. Click to view case details.
  • Priority: The priority that an owner assigned to the case.
    • P0: Highest priority
    • P1: Lower priority than P0, but higher priority than P2 and P3
    • P2: Lower priority than P0 and P1, but higher priority than P3
    • P3: Lowest priority
  • Type: The kind of case
    • Compliance Management
    • Forensics
    • General
    • Other
    • Risk Event
    • Workbench
  • Associated items: Related objects like alerts, workbench IDs, artifacts, or external tickets
  • Created: How long ago the case was created
    • All
    • Last 24 hours
    • Last 3 days
    • Last 7 days
    • Last 30 days
    • Custom period
  • Created by: The TrendAI Vision One™ user, playbook, or third-party app that created the case
  • Closed by: The TrendAI Vision One™ user, playbook, or third-party app that closed the case.
  • Last updated: When the case was last changed
    • All
    • Last 24 hours
    • Last 3 days
    • Last 7 days
    • Last 30 days
    • Custom period
  • SLA status
  • Case duration: The total time the case remained open
  • TTC: Time elapsed since opening the case before the case status is Closed
  • TTC remaining: Time remaining to set the case status to Closed before breaching the service-level agreement
  • TTR: Time elapsed between opening the case and the last successful response
  • TTR remaining: Time remaining to perform a response action or run a security playbook before breaching the service-level agreement
  • TTA: Time elapsed since opening the case before the case status
  • TTA remaining: Time remaining to set the case status to In progress before breaching the service-level agreement
  • TTI: Time elapsed between the case status changing to In progress and the last response action
  • Due date
Change the case status
Select one or more cases and click Change Status to update the progress of the case.
For cases created in Cyber Risk Exposure Management, the case is automatically changed to Closed when all associated risk events are remediated, accepted, or dismissed. If not all risk events have been resolved, you may change risk event status when manually closing the case.
Change the case findings
Select one or more cases and click Change Findings to update the findings of the case.
Change the case priority
Select one or more cases and click Change Priority to update the priority of the case.
Attach files to a case
Click a case name to open the case details and click Attach Files.
Your organization can upload a maximum of one GB of attachment files across all cases in Case Management.
Generate an investigation report
Important
This is a "Pre-release" feature and is not considered an official release. Please review the Pre-release disclaimer before using the feature.
If you enabled generative AI in TrendAI™ Companion, click a case name and go to TrendAI™ Companion → Generate investigation report. TrendAI™ Companion generates a threat investigation and remediation report for the case, which you can preview, edit, and download by going to Dashboards and Reports → Reports.
This action is only available for Workbench cases with true positive findings.
Create a case summary
Important
This is a "Pre-release" feature and is not considered an official release. Please review the Pre-release disclaimer before using the feature.
If you enabled generative AI in TrendAI™ Companion, click a case name and go to TrendAI™ Companion → Summarize case. TrendAI™ Companion summarizes all the notes created in the case since the last time a summarized progress note was created.
The summary appears as an entry under Activity. Summarized progress notes are helpful when transferring a case to a new owner.
Assign owners
Select one or more cases and click Assign Owners to assign accounts within your organization to the case.
Assigning owners has the following limitations:
  • For IdP-only SAML group users:
    • You can only assign users who have signed in and are still cached in TrendAI Vision One™.
    • User Accounts cannot list all users under the IdP-only SAML group.
  • IdP-only SAML groups and IdP-only SAML group users cannot get email notifications.
Change impacted assets
For cases created in Cyber Risk Exposure Management, you can select specific impacted assets and move the assets to a different case or remove the assets from the case. You can only move assets between cases involving the same risk event.
Open a sub case
Locate a case, click the options icon, and select Open Related Case. The new case is automatically linked with the main case.
Related cases are independent sub cases that give you the flexibility to divide a complex investigation into small sub cases. Related cases supply more information for the main case.
Add a Forensics workspace to a sub case
Select a Forensics case and click Create Forensics Workspace.
The new Forensics workspace is automatically added to the related case as an associated item. The Forensics workspace includes all endpoints that are part of the impact scope of a Workbench alert/insight.
Edit additional notifications
For cases created in Cyber Risk Exposure Management, click the edit icon for the Description to specify email addresses to receive notifications.
Enable integration with ServiceNow
Click Integration Settings (gear icon) to integrate with ServiceNow.
Integrating with ServiceNow lets you send Case Management tickets to ServiceNow ITSM and manage them in the ServiceNow portal. This integration is only supported for Workbench cases created from Automated Response Playbooks.
Customize columns
Click the columns icon to choose which columns display in Case Management.
Refresh data
Click the refresh icon to retrieve the latest case information.
Export cases to a CSV file
Select the cases and click Export to create a report of the cases' data. Case Management saves the data to a comma-separated value (CSV) file. You can also view and download the file in the Reports app.
Create a case task
Open a case and create a task to track work that must be completed for the case. Configure the following fields:
  • Task name: The name of the task
  • Owner: The user accounts assigned to the task
    You can assign one or more owners to a task.
  • Description: Additional details about the task
  • Status: The current phase of the task
    • All
    • To do
    • In progress
    • Closed
    • Reject
  • Due date: When the task needs to be done
Find and filter tasks
Use these options to locate specific tasks.
  • Status: The current phase of the task
    • To do
    • In progress
    • Closed
    • Reject
  • Owner: The user accounts assigned to the task
    You can assign one or more owners to a task.
    • All
    • Unassigned
    • Specific owners
  • Task name: Locates tasks that match the entered phrases or terms
View and edit a case task
Use these options to locate specific tasks.
Update tasks in bulk
Select one or more tasks to update the following fields at the same time:
  • Due date
  • Status
  • Owners
You cannot delete tasks in bulk.
Filter tasks by date
Use the date filters to locate tasks by their due date or creation date.
Search for a task
Use the search bar to quickly locate tasks by the following:
  • Task name
  • Task ID
View tasks associated with a case
Expand a case to view the tasks associated with it.