Create, update, and resolve cases
  • 12 Mar 2024


Torq cases are designed to be created, updated, and investigated automatically using the available Torq Cases steps as part of workflow logic. The different properties of a case are described below, in addition to how cases can be created and updated by using Torq steps or manually from the Cases page.

Create a case

Create cases automatically during workflow executions when incidents are detected.

For example, you can create a workflow that's triggered when an identity and access management service, such as Okta, detects suspicious user activity. After initial preprocessing, a case is created as part of the workflow execution, by using the Create a case step.

These are the case parameters:

Parameter | Description

Title | Provide a meaningful name for the case for easy retrieval. For example, you can include the incident type and the associated vendors.

Resolution SLA | Resolution Service Level Agreement. The duration in which the case should be resolved or closed.
  • You can create custom SLA timers for the case to track additional durations and deadlines.
  • You can set the Resolution SLA (or any custom SLA) with no target duration, allowing you to monitor durations without enforcing a deadline.

Severity | Possible values:
  • Informational
  • Low
  • Medium
  • High
  • Critical
  The case severities correspond to the OCSF schema event severity identifier. Contact Torq support if you require additional severities from the list.

Description (optional) | Provide information that should be available to anyone reviewing the case. You can apply formatting to the case description by using markdown syntax. To include a markdown-supported table in the case description, use the Create ASCII table step with the optional parameter Markdown set to true.

State | Select the state in which the case will be created from the options available in the workspace. The default states are: New, In progress, On hold, Resolved, and Closed. Additionally, you can create custom states.

Reporter | The entity that created the case:
  • User email if the case was manually created.
  • Workflow execution ID if the case was automatically created.

Assignee | The email address of the team member to whom the case is assigned.

Category | Choose from the suggested categories listed below or create your own by typing it in.
  • Cloud Security
  • Application Security
  • Identity & Access Management
  • Email Security
  • Data Security
  • Malware

[Figure: Create a case step]

You also have the option to create a case manually by going to the Cases page and selecting Create Case.
[Figure: Create a case manually]

Update a case

Use the many steps available under Torq Cases to update cases automatically. This is a partial list of what you can do with the available steps:

  • Update case properties: title, description, SLA, state, category, reporter, assignee, and severity.
  • Add observables, associate observables with cases, mark them as key observables, remove observables from the key observables group, and disassociate observables from cases (read more about observables).
  • Update the description or the reputation of an observable (can also be done outside the scope of a case).
  • Add comments.
  • Add attachments, get download links for the attachments, and remove attachments.

Resolve or close a case

The Resolved status indicates that the issue has been addressed but may have some follow-up tasks remaining, while the Closed status suggests that all actions have been completed.

Resolution summary

When updating the case state to Resolved or Closed, you must provide a resolution reason. 

  • By default, you can select a reason from the dropdown or type a new one. You can also provide additional information alongside the resolution reason so that it is available in the case context.
  • Customize case state transitions.
Note
When updating the case state to Resolved/Closed using the Change case state step, you have to add the Resolution reason optional parameter and provide a corresponding value for the step to execute successfully.

You can use the Query cases step to retrieve cases based on their resolution reasons by using the Resolution reasons optional parameter.

[Figure: Resolution summary]


