Login
Contents x
Linked cases
  • 20 Nov 2023
  • 2 Minutes to read
  • Dark
    Light
Contents

Linked cases

  • Updated on 20 Nov 2023
  • 2 Minutes to read
  • Dark
    Light
Article Summary

Improve incident response efficiency by linking cases, enabling effective identification and tracking of related incidents. Links are created between two cases, and the relation between them can be specified within the link data.

For example, multiple cases may be created in response to a phishing campaign, possibly with different observables. Linking these cases during the investigation (based on common attributes or investigation findings) aids in gaining a comprehensive understanding of the broader context.

Linked cases tab

How to use

You can manage case links with the available steps: link cases, unlink cases, list case links, and update a link, or from the Cases page. When creating or updating a link you can specify the relation between the two cases: parent of, child of, duplicate of, duplicate by, blocking, blocked by, or other. You can also provide a free text description for the link.

Note

When two cases are linked, the link is associated with both of them.

Link cases automatically (example)

The example below shows how cases can be linked based on shared tags. 

  1. Use the Tags updated workflow trigger to execute a workflow whenever a tag is added to a case or an existing tag is updated.

  2. Loop over the added/updated tags and use the Query cases step to retrieve a list of all cases that have each tag.

  3. Loop over the cases that have the added/updated tag and link them to the updated case.

  4. Once the workflow execution finishes, all cases that have the added/updated tag will be listed in the updated case Linked cases tab.

null

Link cases from the Cases portal

Manage the case links from the case itself.

  1. Go to the Cases page, select and expand the case you would like to link.

  2. Go to the case Linked cases tab.

  3. Click Link a related Case and select the cases you would like to link.

  4. Specify the link relation.

  5. Click Link.

  6. You can use the Relations filter at the bottom right to display only cases linked with a particular relation.

  7. Select a link to delete it or edit the link relation. You can click each linked case to easily get to it.

Trigger a workflow when a link is updated

Use the Link updated workflow trigger to execute a workflow whenever a link is created, updated, or deleted. 

Below is an example showing how additional information can be retrieved when cases are linked.

  1. Add a trigger condition for the workflow to execute only when a link is created.

  2. When cases A and B are linked, use the List case links step to retrieve the cases linked to each of them.

  3. Notify the assignee of case A about the other cases linked to case B since they may also be related to case A. Similarly, notify the assignee of case B about the cases related to case A.

Link updated trigger example

Was this article helpful?
What's Next
Change password!
Changing your password will log you out immediately. Use the new password to log back in.
Change profile
Success!
First name must have atleast 2 characters. Numbers and special characters are not allowed.
Last name must have atleast 1 characters. Numbers and special characters are not allowed.
Enter a valid email
Enter a valid password
Your profile has been successfully updated.
Logout