What is “Respond”?
Respond includes Case Management. Use Case Management to create and track cases from detection to closure. You can assign an owner, set priority and status, add comments and attachments, link related threats and assets, and coordinate with analysts until the case is resolved.
How to use Case Management?
To get started, navigate to Respond > Case Management from the top menu.
- Case Management
This is the main dashboard where you can see an overview of all your cases.
- All Cases: This number represents the full inventory of all security incidents currently or previously tracked in the system.
- On-Hold: These are the cases where active work is temporarily paused. They are typically waiting for an external factor, such as information from another department or vendor.
- Open: The default initial status for a newly created case, which necessarily has an assigned owner (a Guardians analyst or customer admin).
- In-Progress: Cases where an analyst is actively investigating and working toward a resolution.
- Closed: This shows the cases where the investigation and remediation process is complete and verified.

Pro-Tip:
The Case Management interface uses interactive filtering: clicking a status card (like On-Hold or Open) auto-updates the table to show only cases with that status, simplifying access.

- Search by (Case ID, Title, or Description): Allows analysts to quickly locate a specific case by entering key identifying details like the unique Case ID, the case title, or any keywords found in the description.
- Export: Enables the user to download the visible list of cases for external reports, audits, or offline analysis (e.g., CSV).
- Manage table columns (icon): You can customize the table to show only the information most relevant to your needs.
- Date: Filters the case list to show only those incidents that were created or last updated within the defined date range, which is currently set to the Last 7 days.
- + New Case: A button to manually create a new security case in the Case Management system.
There are two primary methods for creating a new case: either by using the form opened via the "+ New Case" button or by triggering the creation workflow directly from the Threat Detection page:
1. Click the "+ New Case" button.

2. Fill out the sections with the required details:
2.1 Case Details:
- Case Title: Short name describing the issue.
- Description: Brief summary of the case.
- Assigned to: The analyst or administrator responsible for the investigation, which can be any available Guardians analyst or one of your own internal admins (for client users).
- Severity: Sets the urgency level (e.g., High, Medium, Low) for the response.
- Threat(s) Included: An optional field that links the case to specific threats for reporting.
- Tags: Allows adding custom keywords for easier searching and filtering.
2.2 Attachments: Drag and drop any evidence files.
3. Once all required fields are filled in, click the Save button.

Creating a Case from the Threat Detection Page
The second way to create a case is by triggering the creation workflow directly from the Threat Detection page.
- Navigate to Detect > Threat Detection from the top menu.

- Click “Start new case”.

- Select (check the box next to) one or more threats (alerts) you wish to bundle into a single case.
- Click the "Open New Case" button.

- After clicking "Open New Case", the Case Creation Form will open.
Fill out the form sections with the required details, such as the Case Title*, Description*, Severity*, and Assigned to*, and upload any necessary attachments to complete the case creation process.

Case List Table: This is the main table displaying individual security incidents, organized by columns like Case ID, Status, Case Title, Created date, Assigned to, Severity, and Action.
6. Column Controls: Use the column headers to filter or sort your cases. This is useful for focusing investigations, for example, by filtering for assets with Critical criticality or Status.

7. To modify a case, locate the pencil icon under the Actions column in the case list. Clicking this icon opens the Edit Case window for quick updates.
- The Edit Case Interface
Once the Edit Case window appears, you can update all primary case information in one place. This view allows you to refine the title, description, and severity, as well as manage the Assigned to and Tags fields.
8. For further management options, click the three dots icon (More Actions) next to the pencil. This menu provides specialized tools for handling the case beyond basic editing.

Once the menu is open, you can perform the following actions:
- View Details: Opens the complete case workspace for a deep-dive investigation.
- Mark as False Positive: Categorizes the case as a non-threat or incorrect alert.
- Export: Downloads the case information for external reporting or sharing.
- Delete Case: Permanently removes the case (use with caution).

View Details: Case Overview
Selecting View Details opens a comprehensive side panel that provides a deep dive into the case, organized into the following tabs:
- Overview Tab: This is the primary view, providing a high-level summary including the Case Description, Threats Included, Created by, Assigned to, and Timeline (Created/Modified times).

- Comments Tab: Provides detailed case analysis from the SOC team (Guardians), where you can click Show More to view full investigation details. Additionally, you can use the text box at the top to write inquiries or provide clarifications directly to the Guardians team.

- Attachments Tab: To view or upload relevant evidence and files.
- Timeline Tab: To track every action taken on the case since its creation.

- Summarize Case: Utilize the AI-powered Summarize Case button to get a quick, concise analysis of the entire case.

- Case Title Link: Clicking the case title (indicated by the external link icon) opens the Full Case Workspace in a new tab. This provides a dedicated, full-page view of all investigation details, evidence, and management tools for a more comprehensive review.

- Case Severity: Allows you to view and manage the current severity level (e.g., Low, Medium, High, or Critical) directly at the top of the panel.

- Modifying Severity: Clicking the severity button opens a confirmation window, allowing you to select a new level and click Confirm to apply the update.

- Case Status View: Displays the current progress of the investigation (e.g., OPEN, ON HOLD, or CLOSED) directly from the header.

- Updating Status: By clicking the status button, a dropdown menu appears allowing you to transition the case to a different state, such as IN PROGRESS or CLOSED, to keep the team informed of the current workflow.
Status Options:
- OPEN ⏳: The initial status assigned when a case is first created.
- IN PROGRESS ⏯️: Indicates that an analyst is actively investigating and working to resolve the incident.
- ON HOLD ⏸️: The case is temporarily paused while the SOC team (Guardians) is waiting for a response or further clarification from your side.
- CLOSED ✅: The investigation is complete, and the case has been fully resolved and remediated.

Pro-Tip:
If you review a case and determine that it does not require further investigation (e.g., expected activity), you can close it directly from your side. Simply add your justification or findings in the Comments text box, then change the status to CLOSED. You do not need to wait for the SOC team to perform the closure for you.
- Case ID & Watcher Options:
- Case ID Copying: Clicking on the Case ID (e.g., CASE-4166) will instantly copy the ID number to your clipboard for easy sharing.
- Watcher Icon (Eye Symbol): Clicking the eye icon allows you to add yourself as a Watcher for the case. Once added, you will receive real-time email notifications regarding any updates, comments, or changes made to that specific case.


- Case Details Actions
While viewing the full case details, the three dots icon ... appears again in the top right corner, providing immediate access to the same management tools without needing to return to the main list.


