- 12 Mar 2024
Create, update, and resolve cases
- Updated on 12 Mar 2024
Torq cases are designed to be created, updated, and investigated automatically using the available Torq Cases steps as part of workflow logic. The different properties of a case are described below, in addition to how cases can be created and updated by using Torq steps or manually from the Cases page.
Create a case
Create cases automatically during workflow executions when incidents are detected.
For example, you can create a workflow that's triggered when an identity and access management service, such as Okta, detects suspicious user activity. After initial preprocessing, a case is created as part of the workflow execution, by using the Create a case step.
These are the case parameters:
Parameter | Description |
---|---|
Title | Provide a meaningful name for the case for easy retrieval. For example, you can include the incident type and the associated vendors. |
Resolution SLA | Resolution Service Level Agreement. The duration in which the case should be resolved or closed. |
Severity | Possible values:
The case severities correspond to the OCSF schema event severity identifier. Contact Torq support if you require additional severities from the list. |
Description (optional) | Provide information that should be available to anyone reviewing the case. You can apply formatting to the case description by using markdown syntax. To include a markdown-supported table in the case description, use the Create ASCII table step with the optional parameter Markdown set to true. |
State | Select the state in which the case will be created from the options available in the workspace. The default states are: New, In progress, On hold, Resolved, and Closed. Additionally, you can create custom states. |
Reporter | The entity that created the case: |
Assignee | The email address of the team member to whom the case is assigned. |
Category | Choose from the suggested categories listed below or create your own by typing it in. |
You also have the option to create a case manually by going to the Cases page and selecting Create Case.
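The preprocessing stage in the Okta example above, sketched as an added example (not Torq's or this page's own code): it maps one Okta System Log event to values for the Create a case parameters and escapes event fields before placing them in a markdown description table. The dict keys mirror the parameter names on this page and are not Torq's API schema; the severity mapping, the default state, and the sample event are assumptions.

```python
import re

# OCSF severity_id values (from the OCSF schema; which of them a given
# workspace accepts is not listed on this page).
OCSF_SEVERITY = {"Informational": 1, "Low": 2, "Medium": 3, "High": 4, "Critical": 5}
# Assumed triage policy mapping Okta System Log severities to OCSF names.
OKTA_TO_OCSF = {"DEBUG": "Informational", "INFO": "Low", "WARN": "Medium", "ERROR": "High"}

def md_cell(value, limit=120):
    """Make an untrusted event field safe to place in a markdown table cell."""
    # Truncate first so a cut can never leave a dangling escape character,
    # then collapse whitespace: a newline would end the table row early.
    text = " ".join(str(value)[:limit].split())
    # Escape characters that start links, images, HTML, emphasis, or a new cell.
    return re.sub(r"([\\`*_\[\]()<>|!#])", r"\\\1", text)

def build_case_params(event, assignee):
    """Turn one Okta System Log event into values for the case parameters."""
    client = event.get("client", {})
    rows = [
        ("Event type", event.get("eventType", "")),
        ("User", event.get("actor", {}).get("alternateId", "")),
        ("Source IP", client.get("ipAddress", "")),
        ("User agent", client.get("userAgent", {}).get("rawUserAgent", "")),
        ("Time", event.get("published", "")),
    ]
    table = ["| Field | Value |", "|---|---|"]
    table += [f"| {name} | {md_cell(value)} |" for name, value in rows]
    event_type = " ".join(str(event.get("eventType", "unknown")).split())[:80]
    return {
        "Title": f"Okta: {event_type}",
        # Unknown source levels fall back to Medium so they are not under-triaged.
        "Severity": OKTA_TO_OCSF.get(event.get("severity"), "Medium"),
        "Description": "\n".join(table),
        "State": "New",
        "Assignee": assignee,
    }

# Constructed sample event; the user agent is set by the client, so it is untrusted.
SAMPLE_EVENT = {
    "eventType": "user.session.start",
    "severity": "WARN",
    "published": "2024-03-12T09:15:00.000Z",
    "actor": {"alternateId": "jdoe@example.com"},
    "client": {"ipAddress": "203.0.113.7",
               "userAgent": {"rawUserAgent": "agent/1.0 [test] | build\n42"}},
}
```

Without the escaping, the pipe and newline in the sample user agent would split the row and shift the remaining cells in the rendered description.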
Update a case
Use the many steps available under Torq Cases to update cases automatically. This is a partial list of what you can do with the available steps:
- Update case properties: title, description, SLA, state, category, reporter, assignee, and severity.
- Add observables, associate observables with cases, mark them as key observables, remove observables from the key observables group, and disassociate observables from cases (read more about observables).
- Update the description or the reputation of an observable (can also be done outside the scope of a case).
- Add comments.
- Add attachments, get download links for the attachments, and remove attachments.
Resolve or close a case
The Resolved status indicates that the issue has been addressed but may have some follow-up tasks remaining, while the Closed status suggests that all actions have been completed.
Resolution summary
When updating the case state to Resolved or Closed, you must provide a resolution reason.
- By default, you can select a reason from the dropdown or type a new one. You can also add details alongside the resolution reason so that they are available in the case context.
- Customize case state transitions.
You can use the Query cases step to retrieve cases based on their resolution reasons by using the Resolution reasons optional parameter.