You can analyze detailed information about the case in the Overview section of the Case card.
Once you have established the initial context, you can use the case Overview and Timeline to deconstruct the case and understand how its underlying components are connected, and review the full scope of activity.
Overview
Grouping Graph: View a visual mapping of how issues and artifacts are linked together, including details on shared artifacts, to better understand the underlying grouping logic.
Evidence: Trace issue causality chains and recorded events to follow the attack sequence from the initial root cause to the final recorded activity.
Issue feed Review the case’s story in a chronological visualization that maps the case lifecycle and highlights key case information, with the option to group by attribute.
Associated assets and artifacts: Drill down into the specific identities, endpoints, and digital artifacts associated with the case to assess the threat's footprint.
MITRE ATT&CK tactics and techniques: Review the specific tactics and techniques identified in issues linked to the case to align your investigation with industry-standard adversary behaviors.
Note
If you prefer a tabular or legacy layout, switch the case card to the Detailed view.
This view preserves the legacy tab based format and custom layouts, ensuring full backward compatibility. You can switch between the new case experience and the legacy view based on personal workflow preferences. For more information, see Detailed View.
Timeline
View the full lifecycle of a case. You can also add your own records and mark key observations as evidence to be used in formal reporting.