Axonius Documentation
Start typing to search…

Viewing and Editing Case Details

From the Case Management table, you can click any Case to open its Case drawer. The drawer provides two main tabs for managing the Case:

  • Case - Displays case details, tracks progress, and links to related assets.
  • Case Assets - Lists all assets associated with the case.

Viewing Case Details

In the Case drawer of a selected Case, the Case tab enables you to:

  • Track the Case progress.

    • A Progress bar shows the progress of the Case according to the assets resolved or the ticket-associated assets that are resolved. This is provided that you have enabled the Show Case progress by tickets status UI setting(Settings> GUI> UI). In this case, the two buttons - Case Progress By Assets and Case Progress By Tickets appear above the Progress bar in the Case tab. You can switch between the two views.
    • If this option is not enabled, the Progress bar shows the Case progress by assets, and no buttons appear above the bar.

  • View the Case details.

  • Pivot to the assets resulting from the Base query at the time of Case creation.

  • Pivot to the list of resolved assets or unresolved assets.

  • Pivot to the assets resulting from any Additional query.

  • Pivot to the configuration of any Enforcement Set linked to the Case and view its main Enforcement Action.

To view Case details

  1. In the Case Management page, click a Case. The Case drawer - Case tab opens. The Progress bar shows the case progress by assets (the default).

    • You can click Case Progress by Tickets for the progress bar to show the case progress by ticket-associated assets.

  2. In the Case progress section, you can see the progress of the Case, refresh the progress calculation, and pivot to the initial list of Case assets, resolved assets, or unresolved assets. See below how to track the Case progress.

  3. View the Case information that you set when creating or editing the Case, including Due Date, Status, Status Update (Auto-update status), Priority, Created On, Case Title, Description, Type, Assignee, Base Query, Additional Queries, and Enforcements Links. An explanation of these fields is provided in Creating a New Case.

    • The number of days until the Due Date is displayed in color next to the date, only if it is coming up in 1-10 days or is Overdue.

    • For Cases created using the Create a new case enforcement action, the following notification appears under Base Query: This case was created on assets from an Enforcement Center action with this query . For example:

      CaseECactionBaseQuery

  4. To see the assets resulting from the base query, under Base Query, click the base query. The Assets page opens in a new tab. Click the Queries tab. The following screen shows an example of Users resulting from the unclear admin status query.

  5. To see the assets resulting from an additional query, click a query under Additional Queries. The Assets page opens in a new tab, displaying the assets resulting from the selected query.

  6. To view the configuration of an Enforcement Set linked to the Case, under Enforcements Links, click the Enforcement Set name. The Enforcement Set configuration page opens. Learn more about the Enforcement Set fields. Note that you can hover over the icon on the Enforcement Set row to view its main Enforcement Action.

Tracking Case Progress

The progress bar at the top of the Case drawer tracks the case progress (also displayed in the Case Management table under the Case Progress column).

  • Progress Bar - The green portion shows the percentage of resolved assets; the gray portion shows unresolved assets..

  • Progress Updates - Progress is updated automatically each time Asset Investigation is performed or every Discovery Cycle. Click the Refresh icon to manually recalculate the progress at an earlier time.

📘

Note

When pivoting to assets after the date of Case creation, it is likely that there are fewer assets than were in the initial query, as they may have since been removed from the system (as assets are constantly being correlated and deleted in the system over time). If you want to display on the Assets page all assets that existed at the time that the Case was created, you can change Display by Date on the Assets page to that date.

Progress Calculation Methods

You can switch between two views using the buttons that appear above the progress bar:

  • Case Progress by Assets (default) - Calculated by dividing the number of resolved assets by the total number of assets returned from the initial query, and then multiplying that result by 100 to get a percentage. An asset is resolved when it no longer meets the original query criteria. For example, if a query linked to a case returns 200 assets and 20 of those assets become resolved, the progress is 20/200 = 0.1 = 10%.

Click the View Query Results link to pivot to the list of assets that were returned by the Base query on the date of Case creation. This initial list of assets is compared to resolved assets in order to determine the progress of the Case.

  • Case Progress by Tickets - Calculated by dividing the number of resolved ticket-associated assets by the total number of ticket-associated assets returned from the initial query, and then multiplying that result by 100 to get a percentage. A ticket-associated asset is resolved when the linked ticket moves to a final status such as Done, Solved, Resolved, or Closed. For example, if a Case has 10 assets with two tickets, and the first ticket (linked to four assets) is In-progress while the second ticket (linked to six assets) is Closed, the Case progress by ticket is 60%. 6/10= 0.6 = 60%.

Click the View Query Results link to pivot to the list of ticket-associated assets returned by the Base query on the date of Case creation. This initial list is compared to resolved ticket-associated assets to determine the Case's progress.

Editing Case Details

You can modify most of the Case's configuration directly from the Case tab. You cannot modify the Created On date or the Base Query.

To edit Case information

  1. In the Case drawer (see screen in Viewing Case Details above), click a field's value to open the editing options..

  2. Modify any of the following fields, as required:

    • Due Date - Click the x near the date to remove it and then click Select Date to open the calendar, or click the current date to open the calendar. Then, from the calendar, select a new date, and optionally a new time, and click Ok. The badge changes accordingly or is removed if the new date is more than 10 days away.

    • Status, Priority, Type - Hover over the field value, click it to open its dropdown list, and then select a new value. Learn more about Case status and using an action to change it.

    • Auto-update Status - Hover over the field value and select the checkbox to enable auto-update status; clear to allow only manual status updates.

    • Case Title, Description - Hover over the field value, and when a blue frame encloses the field value, click inside the field and type or overtype a new value.

    • Assignee - Hover over the field value, click it to open its dropdown list, and then select or replace an assignee. Or, click the trashcan icon to delete the assignee. You can choose one later on.

    • Additional Queries, Enforcements Links - To modify, add, or remove an Additional Query / Enforcement Set, hover over the Additional Queries / Enforcement Links title and click the Pencil icon that appears. Replace a Query / Enforcement Set by choosing a different one from the dropdown, remove a Query / Enforcement Set link by clicking the adjacent Trashcan icon, or add a new one by clicking the + icon for each one that you want to add.

  3. After making an edit to at least one field in the Case drawer, the Cancel and Save buttons appear on the bottom of the Case drawer. After making changes, you can do either of the following:

    • Click Save to save all your changes to the Case information. The Case drawer closes, and the Case Management page is updated with the edited Case information.

    • Click Cancel to erase all your changes. The Case drawer closes, and the Case Management page opens with no change to the Case information displayed.

Viewing Case Assets

Within the Case Assets tab of the Case drawer, you can view a list of assets associated with a Case that was opened and pivot to the main Assets page for detailed information on these assets.

To view Case assets

  1. On the Case Management page, click a specific Case to see.
  2. In the Case drawer that opens, click the Case Assets tab. The Case Assets page opens, with the relevant Case assets listed under the tab corresponding to their main Asset Type (e.g., Devices, Users, Vulnerabilities).

Case Assets Table Details

The table within the Case Assets drawer presents a list of assets (displaying the maximum number that fits in the drawer) on which the Case was created, along with the following fields:

  • Adapter Connections - Icons representing the adapter connections. Click the arrow at the start of an Asset row to expand and view details per adapter connection.

  • Resolved Date - The date an asset was identified as handled within this Case. This date reflects when the Case's progress percentage increased due to this asset being resolved. This field remains empty if the asset has not yet been resolved as part of this Case.

  • Asset Name - The field in the column after the Adapter Connections column in the Assets page default view. Each Asset Type has its own default view, and the first field after Adapter Connections varies. For example, for Device assets, it is Asset Name; for Users, it is User Name; for Vulnerability assets, it is Vuln ID, and so on.

  • Total - Displayed above the table, this displays the total count of assets resulting from the Base query configured in the Case. If the number of results exceeds what can be shown in the drawer, hovering over the info icon displays the tooltip: Showing partial results in drawer.

  • Click the Open in Asset Page link to pivot to the Assets page, listing the complete list of Case assets (with all fields). See the documentation of the relevant Assets page for a description of the fields in the table.

Viewing Case Assets on the Assets Page

From the Case Assets tab in the Case drawer, click the Open in Asset Page link to pivot to the Assets page showing the list of assets related to the Case. The Assets page opens, listing the complete list of assets related to the Case.

  • Click the Refresh icon near the Last updated date and time to ensure that you are seeing the most current list of assets.
  • In this dedicated Assets page, there are two additional columns to the right of Asset Name, beyond the standard columns found on any Assets page:
    • Linked Tickets: Case Name - Shows the name of the Case related to the asset.
    • Linked Tickets: Case ID - Shows the unique ID of the Case connected to the asset.
📘

Note

These fields only contain values if the Case is part of a Cases Set.

📘

Note

  • Verify that Historical Snapshot Retention Settings are enabled.

  • When you pivot to the assets list, it lists the assets at the time that the Case was created (based on a historical snapshot from the time of the alert). As assets are constantly added, deleted, and correlated over time in the system, it is possible that some assets that were in the original list may no longer be in the system. Change the date to the current date from the Display by Date field (above figure - enclosed in red rectangle) to view a current up-to-date asset list.

Updated 2 days ago