Open cases in Trend Vision One apps and manage your organization’s cases in Case Management.

The Trend Vision One section in Case Management (Workflow and Automation → Case Management) displays the cases opened by your organization's SOC team, IT operations team, or risk manager.
You can open Trend Vision One cases based on incidents, events, and alerts directly within Trend Vision One apps. Apps that currently support opening Trend Vision One cases include:
  • Security Playbooks (using the Automated Response Playbook)
  • Cyber Risk Exposure Management
  • Workbench
Important
Case Management automatically closes Trend Vision One cases that are inactive for 60 days.
The following table outlines the options available in Workflow and Automation → Case Management.
Action
Description
Filter case data
Use the available menus to locate specific cases.
  • Status: The current status of a case.
    Available statuses:
    • Open
    • In progress
    • Closed
  • Findings: The findings of a case (only available for cases created in Workbench).
    Available values:
    • True positive: The investigation confirmed the occurrence of threats or malicious activities.
    • False positive: No malicious activity found.
    • Benign true positive: The investigation confirmed the presence of a genuine threat that poses no risk to the organization.
      Benign true positives are the result of penetration tests or other legitimate activities in your environment.
    • Noteworthy: Trend Vision One detected unusual activity that requires more investigation.
    • -: The investigation has no findings.
  • Priority: The priority the owner assigned to the case.
    Available values:
    • P0
    • P1
    • P2
    • P3
  • Owners: The Trend Vision One accounts assigned to the case.
Change the case status
Select one or more cases and click Change Status to update the progress of the case.
For cases created in Cyber Risk Exposure Management, the case is automatically changed to Closed when all associated risk events are remediated, accepted, or dismissed. If not all risk events have been resolved, you may change risk event status when manually closing the case.
Change the case findings
Select one or more cases and click Change Findings to update the findings of the case.
Change the case priority
Select one or more cases and click Change Priority to update the priority of the case.
Attach files to a case
Click a case name to open the case details and click Attach Files.
Your organization can upload a maximum of one GB of attachment files across all cases in Case Management.
Generate an investigation report
Important
This is a pre-release sub-feature and is not part of the existing features of an official commercial or general release. Please review the Pre-release sub-feature disclaimer before using the sub-feature.
If you enabled generative AI in Trend Companion, click a case name, then go to Trend Companion → Generate investigation report.
Trend Companion generates a threat investigation and remediation report for the case, which you can preview, edit, and download by going to Dashboards and Reports → Reports.
This action is only available for Workbench cases with a “True positive” finding.
Create a case summary
Important
This is a pre-release sub-feature and is not part of the existing features of an official commercial or general release. Please review the Pre-release sub-feature disclaimer before using the sub-feature.
If you enabled generative AI in Trend Companion, click a case name, then go to Trend Companion → Summarize case.
Trend Companion summarizes all the notes created in the case since the last time a summarized progress note was created. Summarized progress notes are helpful when transferring a case to a new owner.
Assign owners
Select one or more alerts and click Assign Owners to assign accounts within your organization to the case.
Important
Assigning owners has the following limitations:
  • For IdP-only SAML group users:
    • You can only assign users who have signed in and are still cached in Trend Vision One.
    • User Accounts cannot list all users under the IdP-only SAML group.
  • IdP-only SAML groups and IdP-only SAML group users cannot get email notifications.
Change impacted assets
For cases created in Cyber Risk Exposure Management, you can select specific impacted assets and move the assets to a different case or remove the assets from the case. You can only move assets between cases involving the same risk event.
Open a sub case
Related cases are independent sub cases that give you the flexibility to divide a complex investigation into small sub cases. Related cases supply more information for the main case.
Locate a case, click the options icon at the end of the row, and click Open Related Case. The new case is automatically linked with the main case.
Add a Forensics workspace to a sub case
Locate a Forensics case and click Create Forensics Workspace.
The new Forensics workspace is automatically added to the related case as an associated item. All endpoints that are part of the impact scope of a Workbench alert/insight are added to the workspace.
Enable integration with ServiceNow
Click the settings icon (gear) in the upper-right corner and turn on the integration with ServiceNow.
Integrate with ServiceNow to send Case Management tickets to ServiceNow ITSM to be managed in the ServiceNow portal. Only Workbench cases created from Automated Response Playbooks are supported.
Edit additional notifications
For cases created in Cyber Risk Exposure Management, click Edit under the additional notifications information to specify webhooks or email addresses to use when sending notifications about the case. Configure webhooks in Notifications.
For actions available when opening a case, see