Working with Cases (Including Case Queues)

Learn more at Stellar Cyber Academy.

The following links take you to courses on the Stellar Cyber Academy technical training portal where you can learn more about a topic by watching the suggested lessons.

The first time you access a link on the portal during a session, you must log in to access content.

The Cases view lets you manage cases generated by Stellar Cyber. A case is a set of multiple correlated alerts and entities constituting a potential unified security attack, ranked by a dynamically updated score indicating the severity of the attack. Stellar Cyber uses its machine-learning capabilities to generate cases automatically, grouping related alerts into a unified case for improved attack resolution. You can also create your own cases from any table that includes alerts (for example, Threat Hunting or Dashboards | PREDEFINED | Analyst View).

Case Queues is an Early Access Program (EAP) feature. If you do not see Case Queues on the Cases page in your UI, the feature is not enabled in your environment. For information about the standard Cases page without Case Queues, see Working with Cases.

Cases offer the following benefits:

  • Streamlined workflows matching standard security analyst procedures.

  • Enact case-specific responses recommended by Stellar Cyber (for example, blocking an IP address) directly within the Case interface.

  • Use Case Queues to focus the case displays on just those cases matching a specific workflow or role.

  • Evidence Locker lets you store emails, PDFs, CSV files, and links to bolster your case.

  • Full export capabilities let you share cases with executive staff, including AI-generated summaries, if enabled.

  • Case Activity log tracks all events related to a case, providing a detailed audit trail.

  • Optional integration with ServiceNow lets you use Stellar Cyber cases and alerts together with your existing help desk and ticket management solution.

  • When AI Case Analysis is enabled in Global Settings, Stellar Cyber uses AI to add new details to the tabs in the Case Detail view:

    • Case Detail view's Detection tab includes AI-generated summaries once analysis has been run to accelerate investigations.

    • Case Detail view's Analysis tab includes a new Hypothesis panel and adds AI-generated summaries to the existing Timeline and Observables panels, helping summarize alerts into a case-level story, reconstruct timelines, and explain relationships between entities.

    • Case Detail view's Response tab provides tailored response recommendations, giving you clear context and next steps without the need to stitch alerts together manually.

  • Alert Auto Triage is available through the purchase of an add-on license (a 7-day trial is also offered for evaluation). This feature automatically investigates alerts and assigns verdicts before you review them, helping you focus on the most relevant cases and reduce manual triage effort.

Cases evolve in real time as new alerts are discovered and associated with an attack, either automatically by machine learning or manually by a user. You can use cases as part of your standard SOC workflows to direct a proactive response to ongoing security issues, ensuring they are assessed, assigned, tracked, and resolved.

Refer to Understanding Cases for a detailed discussion of how cases are created and correlated.

Introducing the Cases Display

The Cases display consists of the following main components:

  • Case Queues – The Case Queues panel is at the left of the Cases display and lists the configured case queues. A case queue is a display filter that focuses the case displays on just those cases that match specified criteria (tenancy, status, severity, tags, and so on), ensuring that teams see the cases that matter to them without being overwhelmed by those that do not.

  • Cases Table – The Cases table is your starting point for working with cases. It provides a table of all cases in the selected Case Queue and time range with sortable and customizable columns. You can select any case to drill to its detail page. You can also use the filters at the left of the page to focus your work on cases that meet specified criteria.

The figure below illustrates the organization of the Cases display:

Using Case Queues

Case Queues is a feature in the Early Access Program. For information about other early access features, contact your Stellar Cyber account representative.

Case management queues let you organize cases into logical groups based on configurable rules or manual assignment. Each queue can represent a grouping by tenant, region, severity, SOC team, shift, subject matter expertise, and similar criteria. Analysts are assigned to specific queues and see only the cases within those queues, which reduces noise and helps them focus. A case can appear in multiple queues if it matches the conditions defined for each queue.

Configuring Case Queues

The following procedure describes how to create, define, and manage case queues. These steps are typically performed by administrators who need to segment case visibility and assign cases to analysts or teams based on specific operational requirements.

  1. Go to Cases and open the Case Settings panel by selecting the gear icon located near the top of the narrow left panel on the Cases page.

    Screen capture calling out the Case Settings icon

  2. In the Case Settings panel that appears, select the Queues tab and then select New Queue to open the queue builder.

    Screen capture showing the + New Queue option

  3. Name the queue, choose the tenant scope and date range to define which cases the queue evaluates, and, optionally, enter a description.

    • For custom queues, you can configure the date range used to define which cases the queue evaluates. Default queues use a fixed date range of the past year and cannot be modified.

    • If you choose a date range longer than one month for a custom queue, a warning appears to indicate that the larger time span might affect performance. The maximum supported date range depends on your active data retention policy.

    • When a queue is created or updated, Stellar Cyber performs re-indexing, which means it re-evaluates all existing cases in the selected time frame to determine which ones match the defined conditions. Selecting a longer time range increases the number of cases that must be re-evaluated, which can result in longer indexing times. When this occurs, a system message appears to notify you that the queue might take additional time to complete.

  4. Define the queue conditions and then select Save to add the queue:

    • Select Add condition and choose from the same case fields available in case filters.

      When you include an assignee as a condition in a case queue definition, be careful that the field is appropriate for the value you enter. Use assignee_name when you enter the assignee’s display name, such as a name or email address shown in the UI. Use assignee when you enter the assignee’s internal user ID. If you choose assignee_name and then enter a user ID, or if you choose assignee and then enter a display name, the queue will not return any results because the field and value are mismatched.

    • By default, new queues include the condition status is New OR In Progress OR Escalated.

    • You can modify or remove this condition as needed. This default ensures that initial queue results focus on cases that require attention—new, actively investigated, or escalated—so analysts can prioritize triage and response.

    • Use Add inner group to create grouped conditions (inner groups) that act as logical subfilters for more complex matching.

    • You can combine conditions and inner groups with AND/OR/NOT logic.

      Screen capture showing the case queue configuration

  5. Repeat for additional queues as needed, up to the system limit of 20.

    To increase this limit, contact Stellar Cyber Customer Success.

  6. Wait for the indexing process to complete.

    After a queue is created, Stellar Cyber indexes the existing cases in the queue's date range to identify which ones meet the defined conditions before displaying counts. Thereafter, a case is re-evaluated against the queue when its data changes, such as when alerts are added or case attributes are updated, and all in-range cases are re-evaluated when the queue conditions are later modified. The queue count updates automatically once indexing is finished.

  7. Communicate to analysts which queues they should use and their intended purpose.

    This is often done through SOC team briefings, documentation, or messaging.

Working with Case Queues

This procedure describes how analysts interact with queues to find, prioritize, and process the cases assigned to them. Following these steps can help analysts reduce distractions, maintain focus, and process their case workload efficiently.

  1. On the Cases page, use the left-side panel to view the list of queues.

    • Default queues (All Open Cases and All Closed Cases) always appear.

    • Custom queues appear according to user configuration.

  2. Pin the queues you use frequently so they appear at the top of your list.

    Screen capture showing the Pin queue option

    Pins are per-user and do not affect other users.

  3. Select a queue to display all cases matching its conditions.

    The number shown beside each queue in the side panel is the total number of cases in that queue.

    Screen capture showing the Cases display

    When viewing cases in the queue, case names with numbers such as Application Usage Anomaly and 2 others indicate related alerts within the case. The number (for example, 2) is the number of other alerts in the case besides the one shown. Selecting the link opens a filtered case view showing only those related alerts.

    If a user modifies a case name, Stellar Cyber no longer updates the name automatically. In this situation, numbers in the case name (such as the count of related alerts) might not match the data shown in the Associated Alerts table.

  4. Work on cases in order of priority, as determined by score or other operational criteria, and close or resolve them when appropriate.

Additional Information

This section provides supplementary details about how queues behave and which factors might affect what you see when working with them.

  • Identifying Your Queues: You can use pins to focus on your assigned queues.

  • Multi-Match Cases: A case can appear in more than one queue if it matches multiple queue conditions.

  • Performance Limits – Longer date ranges can affect performance when queues include large case sets. If you configure a custom queue with a date range longer than one month, Stellar Cyber displays a warning so you can decide whether to continue.

  • Case Addition to Queues: Cases are evaluated for inclusion in a custom queue when a case is created or updated. In addition, changing queue conditions causes existing cases in the queue’s configured time range to be checked again for a match.

  • Case and Queue Counts: The number beside a queue in the side panel is the total number of cases in that queue. The number of cases in the main table might be smaller because of the required Created At filter. The date range selector in the queue view filters the cases displayed in the table; it does not change the date range used by the queue itself.
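The following Python script is an added illustration of the queue semantics described in the Configuring Case Queues procedure and in the notes above; it is not Stellar Cyber code and makes no claim about how the product evaluates queues internally. It models conditions on case fields, inner groups with AND/OR/NOT, the default status condition, tenant scope and date range, re-evaluation when a queue is created or a case is updated, a case matching several queues, and the assignee versus assignee_name mismatch. The field names, the operator set (only "is any of"), and the sample cases are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Statuses that the default queue condition keeps in view.
OPEN_STATUSES = ("New", "In Progress", "Escalated")


@dataclass
class Condition:
    """One 'field is any of values' test; negate turns it into a NOT."""
    field: str
    values: tuple
    negate: bool = False


@dataclass
class Group:
    """Conditions and inner groups joined with AND or OR, optionally negated."""
    op: str            # "AND" or "OR"
    members: list      # Condition or Group entries (nested Groups are the inner groups)
    negate: bool = False


def matches(rule, case: dict) -> bool:
    """Recursively evaluate a queue rule (Condition or Group) against one case record."""
    if isinstance(rule, Condition):
        hit = case.get(rule.field) in rule.values
    else:
        results = [matches(m, case) for m in rule.members]
        hit = all(results) if rule.op == "AND" else any(results)
    return not hit if rule.negate else hit


@dataclass
class Queue:
    name: str
    rule: Group
    tenants: frozenset = frozenset()              # empty = every tenant
    date_range: timedelta = timedelta(days=365)   # default queues use the past year


def default_rule(*extra) -> Group:
    """New queues start with 'status is New OR In Progress OR Escalated'."""
    return Group("AND", [Condition("status", OPEN_STATUSES), *extra])


def in_scope(queue: Queue, case: dict, now: datetime) -> bool:
    """Tenant scope and date range bound which cases a queue evaluates at all."""
    if queue.tenants and case["tenant"] not in queue.tenants:
        return False
    return now - case["created_at"] <= queue.date_range


def reindex(queue: Queue, cases: list, now: datetime) -> list:
    """Re-evaluate every in-scope case (what happens when a queue is created or
    its conditions change) and return the IDs of the cases that match."""
    return [c["id"] for c in cases if in_scope(queue, c, now) and matches(queue.rule, c)]


def queues_for_case(case: dict, queues: list, now: datetime) -> list:
    """Evaluation on case create/update; one case may land in several queues."""
    return [q.name for q in queues if in_scope(q, case, now) and matches(q.rule, case)]


NOW = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)

# Constructed sample cases (not real data). 'assignee' holds the internal user ID,
# 'assignee_name' the display name or email shown in the UI.
CASES = [
    {"id": "C-1", "tenant": "acme", "status": "New", "severity": "Critical",
     "assignee": "u-1001", "assignee_name": "alice@example.com",
     "created_at": NOW - timedelta(days=2)},
    {"id": "C-2", "tenant": "acme", "status": "Resolved", "severity": "Critical",
     "assignee": "u-1001", "assignee_name": "alice@example.com",
     "created_at": NOW - timedelta(days=3)},
    {"id": "C-3", "tenant": "globex", "status": "Escalated", "severity": "High",
     "assignee": None, "assignee_name": None,
     "created_at": NOW - timedelta(days=200)},
    {"id": "C-4", "tenant": "globex", "status": "In Progress", "severity": "Low",
     "assignee": "u-1002", "assignee_name": "bob@example.com",
     "created_at": NOW - timedelta(days=10)},
]

QUEUES = [
    # Open Critical/High cases for one tenant, evaluated over a 30-day range.
    Queue("acme-urgent", default_rule(Condition("severity", ("Critical", "High"))),
          tenants=frozenset({"acme"}), date_range=timedelta(days=30)),
    # Open cases that are NOT Low, any tenant: an inner group with NOT applied.
    Queue("not-low", default_rule(Group("OR", [Condition("severity", ("Low",))], negate=True))),
    # Display name paired with assignee_name: the correct pairing.
    Queue("alice-by-name", default_rule(Condition("assignee_name", ("alice@example.com",)))),
    # Display name paired with the internal-ID field: never matches anything.
    Queue("alice-by-id-mismatch", default_rule(Condition("assignee", ("alice@example.com",)))),
]

if __name__ == "__main__":
    for q in QUEUES:
        print(q.name, reindex(q, CASES, NOW))
    print("C-1 appears in:", queues_for_case(CASES[0], QUEUES, NOW))
```

Running the script shows C-1 landing in three queues at once, C-3 excluded from acme-urgent by tenant scope but present in not-low, and the mismatched assignee queue returning nothing, which is exactly the silent failure the procedure warns about. Re-running queues_for_case after setting C-1 to Resolved returns an empty list, because the default status condition drops closed cases from every queue that keeps it.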

Using the Cases Table

Cases matching the selected Case Queue and time range are shown in a sortable Cases table with customizable columns. By default, the All Open Cases queue is selected. The name of the Cases table changes to match the selected Case Queue.

You can select any case to drill to its detail page. You can also use the filters at the left of the table to focus your work on cases that meet specified criteria.

The tabular view lists each case on its own row with the following default columns:

  • Tenant – The tenant with which this case is associated.

  • Case ID – The system-assigned number for the case.

  • Case Name – Stellar Cyber automatically assigns a name to each case it reports. You can either accept the default name or supply your own in the Case Detail view.

  • Score – Stellar Cyber assigns scores to cases based on how critical they are. A case score updates in real time as events and entities are added to or removed from the case. Scores are color-coded to indicate the seriousness of the case.

  • Severity – The severity of a case: Critical (75 and higher), High (50–74), Medium (25–49), or Low (1–24). Severity automatically changes with the case score until it is changed manually in the Case Detail view. Once you manually edit the severity of a case, it no longer updates automatically based on the case score. Severity indicators are color-coded to direct your attention to more serious cases.

  • Creator – The user account that created the case. Cases created by Stellar Cyber are listed with a creator of System.

  • What – The Tactic or Technique for the alert with the highest severity associated with this case.

  • Who – The users and hosts associated with the case. You can find details on the observables for the case in the Analysis tab on the Case Detail page.

  • Assignee – The assignee for the case, if any. Cases can be assigned to resources in the Case Detail view or by selecting the check box for a case at the left of the table and using the bulk edit controls that appear at the top of the table.

You can change the columns in the Cases table using the Column selector described in Changing the Columns in the Cases Table.

Searching the Cases Table

The Cases table includes a Search tool at the top of the display that lets you perform a text-based search using Lucene syntax for a specified value. Keep in mind the following when searching Cases:

  • The data returned by the search is limited to just those entries that pass the current Case filters.

  • The search is performed across all available pages of cases, not just the currently displayed page. For example, if there are three pages of 20 cases available in the Cases table, matches can be found on any of the three available pages, regardless of the sort order.

Not All Fields Supported for Searching

Filtering the Cases Table

Select the standard Filters icon at the left of the Cases table to open the Filters panel, where you can set display filters that focus the display on just those cases matching the criteria you supply.

Applied filters are summarized at the top of the Cases table and can be cleared by clicking the X in their entries. You can also use the Clear All button to clear all applied display filters.

Changing the Columns in the Cases Table

You can change the columns in the Cases table by selecting the Columns button at the left of the table to toggle open a panel where you can choose the columns to display.

The Tenant, Case ID, and Case Name columns always appear in the Cases table. You can check the boxes for any additional columns to include in the table.

Not All Columns Supported for Sorting

Performing Bulk Actions in the Cases Table

The Cases table supports bulk edits to the Status, Tags, or Assignee of multiple cases. Use the following procedure:

  1. Select one or more cases in the Cases table by checking their boxes at the left of the table.

    New Bulk Edit controls appear at the top of the table, as illustrated below:

  2. Select the type of Bulk Action you want to perform from the dropdown:

    • Status – The adjacent dropdown lets you select any of the standard Case statuses (Escalated, New, In Progress, Resolved, or Cancelled).

      Once the status of a case has been changed to either Resolved or Cancelled, Stellar Cyber no longer associates new alerts with it. Instead, new alerts are either used to create a new case or associated with a different open case.

    • Tags – The adjacent dropdown lets you select from any existing tags. You can also type in a new tag.

    • Assignee – The adjacent dropdown lets you select any existing user available to your tenancy.

  3. Select Apply to apply your bulk action to the selected cases.

Keeping Track of Bulk Actions

Once you apply a bulk action to one or more cases, Stellar Cyber displays a success or failure message at the top of the display and keeps track of its progress in the Task List.

Here's an example of a Bulk Action that was successfully applied:

You can display the Task List using its icon at the top of the display, as illustrated below. The Task List keeps track of the progress, success, or failure of any bulk actions performed from the Cases table, as well as any other ongoing Stellar Cyber activities. Depending on the number of cases affected by a bulk action, it may take a few seconds for the action to complete. The Task List is useful in these situations, letting you see the progress of the action. Here's how you display the Task List, complete with some successful bulk actions:

You can clear individual tasks from the list using the standard close button at the upper right of their entries in the list. Clear all of the tasks using the Clear all link at the top of the list.

Standard Functionality in the Cases Table

The Cases table offers standard table functionality, including the ability to sort on a column, pin columns, autosize columns, reset column sizes, Export as CSV, or Change Columns.

Export of cases is limited to the first 100,000 records.

Configuring Case Settings

Users with a root user scope and RBAC privileges to change user interface settings can select the Settings icon at the top of the Case Queues panel and make global changes that affect all cases. You can set Case Settings in the following tabs:

  • Case Properties – Set case visibility and alert closure options.

  • Correlation – Configure case correlation behavior.

  • Case Filters – Configure case suppression logic to determine which cases are created.

  • Queues – Configure customizable case queues that use detailed filter criteria to display cases specific to different roles, departments, and workflows.

Setting Case Properties

Use the Case Properties settings to control which case elements are visible to partner and tenant users and whether related alerts are automatically closed when a case is resolved or cancelled. These settings apply globally and are only available to users with root scope.

Hide Assignee/Hide Comments

The Hide Assignee and Hide Comments options let root users specify whether partner and tenant users can see case assignees and comments:

  • Hide Assignee – Hide case assignees from partner and tenant users. 

  • Hide Comments – Hide case comments from partner and tenant users.

Users with root scope can still see case assignees and comments regardless of the settings of these options.

Close All Related Alerts

This option specifies whether all alerts related to a case are closed by default when the parent case's status changes to either Resolved or Cancelled. Alerts in cases closed through the API or InSyncs are also closed automatically when this option is enabled. This option is enabled by default.

You can override this default setting for individual cases in the confirmation dialog box that appears when cancelling or resolving a case. The Update the status of all alerts to Closed option is automatically set according to whatever you specify for this global default, but you can reverse the setting in the confirmation dialog for an individual case, as illustrated below:

Setting Correlation Options

The Correlation tab lets you configure the following options:

Setting the Correlation Timeout

The Correlation tab lets you set a global Correlation Timeout for your organization. The Correlation Timeout specifies the time window within which new alerts are considered for correlation into both new and currently open cases.

An alert can be correlated into an existing case only if it occurs within a specific time window around the case. That window extends the Correlation Timeout after the latest alert already correlated into the case and the same amount of time before its earliest correlated alert. The figure below illustrates how this works:

As summarized in the figure above:

  • A new alert is not considered for correlation if it occurs after the amount of time specified by the Correlation Timeout has passed since the last correlated alert for the case. An alert such as this has occurred too late for correlation.

  • A new alert is not considered for correlation if it occurs earlier than the amount of time specified by the Correlation Timeout before the earliest alert associated with the case. An alert such as this has occurred too early for correlation into the case.

The default Correlation Timeout is three hours; the maximum is 24 hours.

Use the drop-down lists to specify the Correlation Timeout for your organization in hours and minutes. The user interface does not let you specify a value greater than 24 hours. You can always use the Reset to default option to restore the default value.

Changes to the Correlation Timeout apply only to open and new cases. Closed cases are not updated with additional alerts based on a change to the Correlation Timeout. Note, however, that widening the Correlation Timeout can cause alerts that took place before a case's previously reported earliest alert to be correlated into that open case.

Refer to Understanding Cases for a detailed discussion of how cases are created and correlated.

Adjusting the Maximum Alerts per Case

Only root users with the privilege to edit Settings can change this value. The change applies globally to all system-created cases.

The Alerts Per Case setting lets you define the maximum number of alerts that can be grouped into a single case. By default, the value is set to 5,000 alerts, but you can adjust the limit anywhere between 1 and 5,000.

Screen capture of the Correlation tab in Case Settings

When the specified maximum is reached, additional alerts that would normally be added to the case are instead placed in a new case. This prevents individual cases from becoming too large and consuming unnecessary computation resources.

Changing this value can help you balance case manageability with correlation accuracy:

  • Lowering the value breaks up large cases into smaller ones, improving performance and making them easier to investigate. This is especially useful in environments with noisy alerts, such as custom ATH detections.

    Be cautious when reducing the maximum. If the value is set too low, related alerts may be split across multiple cases, which can obscure the full context of an incident.

  • Raising the value allows more alerts to be grouped together, preserving context across a large attack campaign, but can result in slower performance and more difficult case triage.

When you change the Alerts Per Case setting, the new maximum takes effect immediately. The new alert-per-case maximum only applies to cases going forward, so that any existing cases that exceed the new maximum remain unaffected by the change. For example, if there is an existing case with 4,500 alerts and you change the maximum to 4,000 alerts per case, this case continues to hold 4,500 alerts, even though it exceeds the new maximum. However, any new alerts that would otherwise have gone into this case are placed in a new case instead.
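The following Python script is an added illustration of the bookkeeping described in the Correlation Timeout and Alerts Per Case sections; it is not Stellar Cyber code. It applies the too-early/too-late window around a case's earliest and latest alerts, refuses to add alerts to Resolved or Cancelled cases, overflows into a new case once the Alerts Per Case cap is reached, leaves existing oversized cases untouched when the cap is lowered, and lets a widened timeout pull an alert that precedes a case's earliest alert into that open case. Stellar Cyber decides which alerts are related with its own correlation logic; the script replaces that with a simple same-entity key, which is an assumption, as are the tiny cap of 3 and the constructed alert times used in demo().

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

DEFAULT_TIMEOUT = timedelta(hours=3)       # default Correlation Timeout
MAX_TIMEOUT = timedelta(hours=24)          # largest value the UI accepts
ALERTS_PER_CASE_LIMIT = 5000               # default and upper bound for Alerts Per Case
CLOSED_STATUSES = ("Resolved", "Cancelled")


@dataclass
class Case:
    id: str
    entity: str                                  # assumed stand-in for "related alerts"
    alerts: list = field(default_factory=list)   # (alert_id, timestamp) tuples
    status: str = "New"

    @property
    def earliest(self) -> datetime:
        return min(ts for _, ts in self.alerts)

    @property
    def latest(self) -> datetime:
        return max(ts for _, ts in self.alerts)


def within_timeout(case: Case, ts: datetime, timeout: timedelta) -> bool:
    """Eligible only inside [earliest - timeout, latest + timeout]: before that
    the alert is too early, after it the alert is too late."""
    return case.earliest - timeout <= ts <= case.latest + timeout


class Correlator:
    def __init__(self, timeout: timedelta = DEFAULT_TIMEOUT,
                 alerts_per_case: int = ALERTS_PER_CASE_LIMIT):
        self.cases = []
        self.set_timeout(timeout)
        self.set_alerts_per_case(alerts_per_case)

    def set_timeout(self, timeout: timedelta) -> None:
        if not timedelta(0) < timeout <= MAX_TIMEOUT:
            raise ValueError("Correlation Timeout must be greater than 0 and at most 24 hours")
        self.timeout = timeout           # only open/new cases are affected; closed ones never reopen

    def set_alerts_per_case(self, n: int) -> None:
        if not 1 <= n <= ALERTS_PER_CASE_LIMIT:
            raise ValueError("Alerts Per Case must be between 1 and 5,000")
        self.alerts_per_case = n         # existing cases above the new cap keep their alerts

    def close(self, case_id: str, status: str = "Resolved") -> None:
        next(c for c in self.cases if c.id == case_id).status = status

    def ingest(self, alert_id: str, entity: str, ts: datetime) -> str:
        """Attach the alert to the first eligible open case, else open a new one."""
        for case in self.cases:
            if case.status in CLOSED_STATUSES:            # closed cases get no new alerts
                continue
            if case.entity != entity:                      # not "related" under our stand-in rule
                continue
            if not within_timeout(case, ts, self.timeout):  # too early or too late
                continue
            if len(case.alerts) >= self.alerts_per_case:   # cap reached: overflow to a new case
                continue
            case.alerts.append((alert_id, ts))
            return case.id
        new_case = Case(f"C-{len(self.cases) + 1}", entity, [(alert_id, ts)])
        self.cases.append(new_case)
        return new_case.id


def demo() -> dict:
    """Constructed scenario: 3-hour timeout and a deliberately tiny cap of 3 alerts."""
    t0 = datetime(2025, 1, 15, 9, 0, tzinfo=timezone.utc)
    h = timedelta(hours=1)
    corr = Correlator(timeout=3 * h, alerts_per_case=3)
    placed = {}
    placed["A1"] = corr.ingest("A1", "host-a", t0)            # opens C-1
    placed["A2"] = corr.ingest("A2", "host-a", t0 + 2 * h)    # C-1: inside latest + 3h
    placed["A3"] = corr.ingest("A3", "host-a", t0 - 2 * h)    # C-1: inside earliest - 3h
    placed["A4"] = corr.ingest("A4", "host-a", t0 + 3 * h)    # in window, but C-1 is at cap: C-2
    placed["A5"] = corr.ingest("A5", "host-a", t0 + 7 * h)    # too late for C-1 and C-2: C-3
    placed["A6"] = corr.ingest("A6", "host-b", t0)            # different entity: C-4
    corr.close("C-3")                                          # Resolved: no further correlation
    placed["A7"] = corr.ingest("A7", "host-a", t0 + 8 * h)    # would fit C-3's window: C-5 instead
    corr.set_alerts_per_case(2)                                # C-1 keeps its 3 alerts
    corr.set_timeout(8 * h)                                    # wider window for open cases
    placed["A8"] = corr.ingest("A8", "host-a", t0 - 4 * h)    # C-1 is full; now early enough for C-2
    return {"placed": placed, "sizes": {c.id: len(c.alerts) for c in corr.cases}}
```

The last step is the subtle one from the Correlation Timeout section: A8 occurred seven hours before C-2's only alert, which the original 3-hour window rejected as too early, but after the timeout is raised to 8 hours the alert is correlated into the still-open C-2 ahead of its previously earliest alert. C-1 is skipped only because the lowered cap of 2 is already exceeded by its existing 3 alerts, which the cap change left in place.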

Configuring Case Filters

You can use case filters to control the automatic creation of cases by defining specific conditions under which Stellar Cyber suppresses their creation. Instead of generating a case for every group of related alerts, you can use case filters to prevent the creation of cases that are low risk, expected, or otherwise unimportant. This reduces case volume and helps you focus attention and resources on the alerts that matter most. This targeted suppression allows your team to maintain a streamlined, relevant case queue and reduce alert fatigue.

In the Case Settings section, you can create new filters, edit existing ones, or delete filters that are no longer needed. For detailed information about case filters, see Using Case Filters and the Filter Builder.

Drilling to the Case Detail Page

You can select a case entry in the Cases table to drill to the Case Detail view for the corresponding Case.

Displaying Cases from Event Details

In addition to accessing the Cases table from the Cases menu, you can also display a filtered Cases table from the Cases list in the Event Details view for an alert.

The Cases list shows cases associated with the selected alert in descending order by score, up to a maximum of five. You can select the View All (x) link at the upper right of the list to open a new tab with a filtered view of the Case summary page showing just those cases associated with the selected alert. You can also select the entry for an individual case in the list to open its associated Case details page. The figure below shows the Cases list from the Event Details view of an alert:

About Case Retention

To control the number of stored cases and improve the overall performance of case queries, Stellar Cyber stores a case for a maximum of one year from the time of its last update.