Case Management
Cases in AuroraSOC represent structured investigations that group related alerts, evidence, and analyst findings. They provide the audit trail required for compliance and post-incident review.
Case Lifecycle
Creating a Case
Cases can be created in four ways:
- From a single alert — Click "Create Case" on any alert's detail view
- From multiple alerts — Select related alerts and use "Create Case" bulk action
- AI-initiated — The Orchestrator agent automatically creates cases for critical findings
- Via API — POST /api/v1/cases with alert IDs
Case Fields
| Field | Description | Required |
|---|---|---|
| Title | Descriptive case name | Yes |
| Severity | Critical / High / Medium / Low | Yes |
| Description | Detailed incident description | No |
| Assigned Agent | AI agent type handling the case | Auto |
| Linked Alerts | Associated alert IDs | Yes (≥1) |
| CPS Involved | Whether CPS/IoT devices are affected | Auto-detected |
| Confidence | AI confidence score (0.0–1.0) | Auto |
| MITRE Techniques | ATT&CK technique IDs | Auto-enriched |
| IOCs | Indicators of Compromise | Auto-extracted |
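The following is an added example of creating a case through the API bullet above, with the Required column of the Case Fields table enforced client-side. It is not AuroraSOC's own client: the JSON key names (title, severity, description, linked_alerts, and the server-managed ones), the bearer-token header and the echo-style response are assumptions; only the path POST /api/v1/cases is documented.

```python
"""Create an AuroraSOC case over the API with client-side validation.

Added example, not AuroraSOC's own client. It assumes a JSON body whose
keys mirror the Case Fields table (title, severity, description,
linked_alerts) and a bearer token in the Authorization header; the exact
wire format of POST /api/v1/cases is an assumption, only the path is
documented.
"""
import json
import urllib.request
from typing import List, Optional

SEVERITIES = ("Critical", "High", "Medium", "Low")

# Fields the table marks Auto / Auto-detected / Auto-enriched /
# Auto-extracted are populated by the platform, so a client must not
# submit them (assumed key names).
SERVER_MANAGED = {"assigned_agent", "cps_involved", "confidence",
                  "mitre_techniques", "iocs"}


def build_case_payload(title: str, severity: str, linked_alerts: List[str],
                       description: Optional[str] = None) -> dict:
    """Return a request body that satisfies the table's Required column."""
    if not title or not title.strip():
        raise ValueError("title is required")
    if severity not in SEVERITIES:
        raise ValueError(f"severity must be one of {SEVERITIES}")
    ids = [str(a).strip() for a in linked_alerts]
    if not ids or any(not a for a in ids):
        raise ValueError("at least one non-empty linked alert ID is required")
    payload = {
        "title": title.strip(),
        "severity": severity,
        "linked_alerts": sorted(set(ids)),  # de-duplicate bulk selections
    }
    if description:
        payload["description"] = description
    return payload


def strip_server_managed(payload: dict) -> dict:
    """Drop any auto-populated field a caller tried to set by hand."""
    return {k: v for k, v in payload.items() if k not in SERVER_MANAGED}


def create_case(base_url: str, token: str, payload: dict, opener=None) -> dict:
    """POST the payload to /api/v1/cases and return the parsed response.

    `opener` defaults to urllib's urlopen; it is injectable so the call can
    be exercised offline.
    """
    body = json.dumps(strip_server_managed(payload)).encode()
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v1/cases",
        data=body,
        method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {token}"},
    )
    with (opener or urllib.request.urlopen)(req) as resp:
        return json.loads(resp.read().decode())


class _FakeResponse:
    """Constructed stand-in for the server: echoes the body plus an ID."""

    def __init__(self, req):
        sent = json.loads(req.data.decode())
        self._body = json.dumps({"id": "CASE-0001", **sent}).encode()

    def read(self):
        return self._body

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def fake_opener(req):
    """Offline replacement for urlopen (constructed, for demonstration)."""
    return _FakeResponse(req)


if __name__ == "__main__":
    case = build_case_payload("Suspicious PowerShell on WS-12", "High",
                              ["ALT-1042", "ALT-1043", "ALT-1042"])
    print(create_case("https://aurora.example", "TOKEN", case,
                      opener=fake_opener))
```

Validating before the request keeps malformed cases (no linked alert, unknown severity) from ever reaching the platform, and stripping the auto-populated fields prevents a client from overriding the AI confidence score or enrichment that the audit trail relies on.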
Case Detail View
Summary Panel
- Case metadata, severity badge, assigned analyst
- Confidence score with explanation
- Current status with time-in-status
Timeline Panel
The timeline shows every action taken on the case chronologically, including:
- Alert associations
- Agent analysis steps
- Playbook executions
- Human approval requests and decisions
- Status changes
- Analyst comments
Evidence Panel
All artifacts collected during investigation:
- Raw log entries from SIEM
- Network flow data
- Endpoint scan results
- Forensic evidence collected
- Screenshots and file attachments
Recommendations Panel
AI-generated recommendations based on investigation:
- Immediate response actions
- Long-term remediation steps
- Suggested policy changes
- References to similar past cases (via episodic memory)
Human Approval Workflow
For high-impact actions, cases enter AWAITING_APPROVAL:
- Agent determines an action requires human authorization (e.g., isolate host, disable user)
- Approval request created with 4-hour TTL
- Notification sent via WebSocket to authorized analysts
- Analyst reviews context and approves/rejects
- Case continues or alternative path taken
Approval Timeout
Approval requests expire after 4 hours (configurable). An expired request is marked as expired automatically and the case returns to IN_PROGRESS for re-evaluation.
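As an added example (not AuroraSOC code), the state machine below models the Human Approval Workflow and Approval Timeout sections: an agent parks the case in AWAITING_APPROVAL, an analyst approves or rejects, and an overdue request is expired and the case returned to IN_PROGRESS. The 4-hour default TTL and the status names come from the page; the class, method and field names, and the rule that a decision arriving after expiry is refused rather than applied, are assumptions.

```python
"""Approval-gated case state machine with TTL expiry.

Added example, not AuroraSOC code. The 4-hour default TTL, the
AWAITING_APPROVAL status and the return to IN_PROGRESS on expiry come
from the page; the class, method and field names are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

DEFAULT_APPROVAL_TTL = timedelta(hours=4)  # page: 4 hours, configurable


@dataclass
class ApprovalRequest:
    action: str                      # e.g. "isolate host", "disable user"
    created_at: datetime
    ttl: timedelta = DEFAULT_APPROVAL_TTL
    decision: Optional[str] = None   # "approved" | "rejected" | "expired"
    decided_by: Optional[str] = None
    decided_at: Optional[datetime] = None

    @property
    def expires_at(self) -> datetime:
        return self.created_at + self.ttl

    @property
    def pending(self) -> bool:
        return self.decision is None


@dataclass
class Case:
    case_id: str
    status: str = "IN_PROGRESS"
    approvals: List[ApprovalRequest] = field(default_factory=list)
    timeline: List[str] = field(default_factory=list)  # audit trail

    def _log(self, now: datetime, msg: str) -> None:
        self.timeline.append(f"{now.isoformat()} {msg}")

    def _pending(self) -> Optional[ApprovalRequest]:
        return next((r for r in self.approvals if r.pending), None)

    def request_approval(self, action: str, now: datetime,
                         ttl: timedelta = DEFAULT_APPROVAL_TTL) -> ApprovalRequest:
        """Agent step: park the case until an authorized analyst decides."""
        if self.status != "IN_PROGRESS" or self._pending():
            raise ValueError("case cannot request approval in its current state")
        req = ApprovalRequest(action, now, ttl)
        self.approvals.append(req)
        self.status = "AWAITING_APPROVAL"
        self._log(now, f"approval requested for '{action}', "
                       f"expires {req.expires_at.isoformat()}")
        return req

    def expire_pending(self, now: datetime) -> bool:
        """Sweep step: expire an overdue request and resume the case.

        Returns True when a request was expired by this call.
        """
        req = self._pending()
        if req is None or now < req.expires_at:
            return False
        req.decision, req.decided_at = "expired", now
        self.status = "IN_PROGRESS"  # back for re-evaluation, per the page
        self._log(now, f"approval for '{req.action}' expired; case resumed")
        return True

    def decide(self, approve: bool, analyst: str, now: datetime) -> str:
        """Analyst step: record the decision. A late decision is refused."""
        if self.expire_pending(now):
            raise ValueError("approval request already expired")
        req = self._pending()
        if req is None:
            raise ValueError("no pending approval request")
        req.decision = "approved" if approve else "rejected"
        req.decided_by, req.decided_at = analyst, now
        self.status = "IN_PROGRESS"  # continues, or takes the alternative path
        self._log(now, f"'{req.action}' {req.decision} by {analyst}")
        return req.decision


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed
    case = Case("CASE-0001")
    case.request_approval("isolate host WS-12", t0)
    case.expire_pending(t0 + timedelta(hours=4))
    print("\n".join(case.timeline))
```

Two details matter for the audit trail: every transition is appended to the timeline with the clock value that drove it, and the expiry check runs inside decide() so an approval that lands after the TTL cannot silently authorize a stale action.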
Case Metrics at a Glance
The Cases page header shows:
- Open Cases — Total active cases
- Mean Time to Detect (MTTD) — Average time from event to case creation
- Mean Time to Respond (MTTR) — Average time from case creation to resolution
- Cases by Severity — Distribution chart
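The header metrics above can be derived from case records as in this added example (not AuroraSOC code). The record layout, ISO-8601 event_time, created_at, resolved_at and a severity string, is an assumption; the MTTD and MTTR definitions are the page's. The sample records are constructed.

```python
"""Compute the Cases page header metrics from case records.

Added example, not AuroraSOC code. The record layout is an assumption;
MTTD (event -> case creation) and MTTR (case creation -> resolution)
follow the page's definitions.
"""
from collections import Counter
from datetime import datetime
from statistics import mean
from typing import Dict, List, Optional

# Constructed sample records: the third case is still open and the fourth
# has no originating event timestamp (e.g. an AI-initiated case).
SAMPLE_CASES = [
    {"id": "CASE-1", "severity": "High",
     "event_time": "2024-03-01T08:00:00+00:00",
     "created_at": "2024-03-01T08:30:00+00:00",
     "resolved_at": "2024-03-01T10:30:00+00:00"},
    {"id": "CASE-2", "severity": "Critical",
     "event_time": "2024-03-01T09:00:00+00:00",
     "created_at": "2024-03-01T09:05:00+00:00",
     "resolved_at": "2024-03-01T12:05:00+00:00"},
    {"id": "CASE-3", "severity": "Medium",
     "event_time": "2024-03-01T10:00:00+00:00",
     "created_at": "2024-03-01T11:00:00+00:00",
     "resolved_at": None},
    {"id": "CASE-4", "severity": "Low",
     "event_time": None,
     "created_at": "2024-03-01T12:00:00+00:00",
     "resolved_at": "2024-03-01T12:45:00+00:00"},
]


def _ts(value: Optional[str]) -> Optional[datetime]:
    return datetime.fromisoformat(value) if value else None


def case_metrics(cases: List[dict]) -> Dict[str, object]:
    """Return open count, MTTD, MTTR (seconds) and the severity distribution."""
    detect = []   # event -> creation, only where an event time is known
    respond = []  # creation -> resolution, only for resolved cases
    for c in cases:
        created = _ts(c["created_at"])
        event, resolved = _ts(c.get("event_time")), _ts(c.get("resolved_at"))
        if event is not None:
            detect.append((created - event).total_seconds())
        if resolved is not None:
            respond.append((resolved - created).total_seconds())
    return {
        "open_cases": sum(1 for c in cases if not c.get("resolved_at")),
        "mttd_seconds": mean(detect) if detect else None,
        "mttr_seconds": mean(respond) if respond else None,
        "cases_by_severity": dict(Counter(c["severity"] for c in cases)),
    }


if __name__ == "__main__":
    for name, value in case_metrics(SAMPLE_CASES).items():
        print(f"{name}: {value}")
```

Note that MTTR is averaged over resolved cases only, so a backlog of long-running open cases does not appear in it; pair it with the Open Cases count when reading the header.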