Cases are resources that let you build longer-term investigations.

Cases can be built from alerts or created from scratch. As with alerts, you can configure your own custom actions to resolve cases.

From the dashboard, you can view and act on cases from the Cases pane.


Overview of the Cases page

The Case page is the second step in the workflow for an agent. Cases are used by agents to throughly investigate alerts.

1600 1600

The main page is a blank case that can be created by hand.

On the left hand side menu, you will find a list of open cases by default. You can search for specific cases in the search bar.

Overview of a Case

Case are the second step in the case management component of the Unit21 platform. During the investigation, agents can add watchers, add notes, create reports, update entities and more.

Each case is identifiable by a case_id (Case ID).

Cases are data objects that contain all data from their associated alerts, including:

  • associated Alerts
  • associated Events (transactions)
  • associated Entities

As an agent investigates the case, they can:

  • Review associated entities and alerts
  • Add watchers to the case
  • Add alerts, entities, and events to the case
  • Add documents to the case
  • Add notes to the case
  • Add tags to the case
  • Work through the investigation checklist
  • Re-assign the case
  • Resolve (dispose, escalate, transfer, close...) the case through workflow buttons
  • Create and file a report (SAR, STR)

Case Assignment -- Cases are manually assigned.

Case State -- Cases have two states: open and closed. If needed, a closed case can be reopened.

Case Investigation Checklist -- The investigation checklist is programmable by an investigator and forces an investigative workflow for agents (steps they must take and check-off before a case is resolved).

Case Disposition -- Cases can have dispositions such as "false positive".

Case Deadline -- Cases can have deadlines so that agents have a clear due date for their investigation.

Case Workflow and Resolution -- Cases can be escalated, transferred between agents, closed, opened, turned into a report, de-escalated, tagged and more using workflow buttons.

Case Audit Trail -- Whenever an agent updates a case, the action is logged automatically in the cases' audit trail.


Case Administrators

Administrators can view all alerts in all queues under the Admin tab of the Alert page:

Administrators can create and delete alert queues in the Alert tab of the Alert page: