Open cases in Trend Vision One apps and manage your organization’s cases in Case Management.

You can open Trend Vision One cases based on incidents, events, and alerts directly within Trend Vision One apps. Apps that currently support opening Trend Vision One cases include:
  • Security Playbooks (using the Automated Response Playbook)
  • Attack Surface Risk Management
  • Workbench
The Trend Vision One tab in Case Management displays the cases opened by your organization's SOC team, IT operations team, or risk manager.
The following table outlines the options available in the Trend Vision One tab of Case Management (Workflow and Automation → Case Management).
Action
Description
Filter case data
Use the available dropdown menus to locate specific cases.
  • Status: The current status of a case.
    Available statuses:
    • Open
    • In progress
    • Closed
  • Findings: The findings of a case (only available for cases created in Workbench).
    Available values:
    • True positive: The investigation confirmed the occurrence of threats or malicious activities.
    • False positive: No malicious activity found.
    • Benign true positive: The investigation has confirmed the presence of a genuine threat that poses no risk to the organization.
      Benign true positives are the result of penetration tests or other legitimate activities in your environment.
    • Noteworthy: Unusual activity that requires more investigation has been detected.
    • -: The investigation has no findings.
  • Priority: The priority the owner assigned to the case.
    Available values:
    • P0
    • P1
    • P2
    • P3
  • Owners: The Trend Vision One accounts assigned to the case.
Change the case status
Select one or more cases and click Change Status to update the progress of the case.
For cases created in Attack Surface Risk Management, the case is automatically changed to Closed when all associated risk events are remediated, accepted, or dismissed. If not all risk events have been resolved, you may change the risk event status when manually closing the case.
Change the case findings
Select one or more cases and click Change Findings to update the findings of the case.
Change the case priority
Select one or more cases and click Change Priority to update the priority of the case.
Attach files to a case
Click a case name to open the case details and click Attach Files.
Important
Your organization can upload a maximum of 1 GB of attachment files across all cases in Case Management.
Summarize investigation report
Important
This is a pre-release sub-feature and is not part of the existing features of an official commercial or general release. Please review the Pre-release sub-feature disclaimer before using the sub-feature.
Click a case name to open the case details. From the Trend Companion list, select Summarize investigation report.
Trend Companion generates a threat investigation and remediation report for the case, which you can preview, edit, and download by going to Dashboards and Reports → Reports. This action is only available for Workbench cases with a “True positive” finding.
Important
You must enable generative AI capabilities in Trend Companion to access this feature. For more information, see Trend Companion.
Summarize progress notes
Important
This is a pre-release sub-feature and is not part of the existing features of an official commercial or general release. Please review the Pre-release sub-feature disclaimer before using the sub-feature.
Click a case name to open the case details. From the Trend Companion list, select Summarize progress notes.
Trend Companion summarizes all the notes created in the case since the last time a summarized progress note was created. Summarized progress notes are helpful when transferring a case to a new owner.
Important
You must enable generative AI capabilities in Trend Companion to access this feature. For more information, see Trend Companion.
Assign owners
Select one or more alerts and click Assign Owners to assign accounts within your organization to the case.
Important
Assigning owners has the following limitations:
  • For IdP-only SAML group users:
    • You can only assign users who have signed in and are still cached in Trend Vision One.
    • The User Accounts screen cannot list all users under the IdP-only SAML group.
  • IdP-only SAML groups and IdP-only SAML group users cannot get email notifications.
Change impacted assets
For cases created in Attack Surface Risk Management, you can select specific impacted assets and move the assets to a different case or remove the assets from the case. You can only move assets between cases involving the same risk event.
Open a sub case
Related cases are independent sub cases that give you the flexibility to divide a complex investigation into small sub cases. Related cases supply more information for the main case.
Locate a case, click the options icon at the end of the row, and click Open Related Case. The new case is automatically linked with the main case.
Add a Forensics workspace to a sub case
Locate a Forensics case and click Create Forensics Workspace.
The new Forensics workspace is automatically added to the related case as an associated item. All endpoints that are part of the impact scope of a Workbench alert/insight are added to the workspace.
Enable integration with ServiceNow
Click the settings icon (gear) in the upper-right corner and turn on the integration with ServiceNow.
Integrate with ServiceNow to send Case Management tickets to ServiceNow ITSM to be managed in the ServiceNow portal. Only Workbench cases created from Automated Response Playbooks are supported.
Edit additional notifications
For cases created in Attack Surface Risk Management, click Edit under the additional notifications information to specify webhooks or email addresses to use when sending notifications about the case. Configure webhooks in Notifications.
For actions available when opening a case, see