Case Management
Case Management is the central hub for SOC analysts to investigate, triage, and respond to security incidents. Inspired by Google SecOps, nano's case management system provides a case-centric workflow where alerts automatically flow into cases for streamlined investigation.
Key Features
Case-Centric Workflow
- Alerts flow into Cases: Detection alerts are automatically grouped into cases based on configurable rules
- Single pane of investigation: All related alerts, entities, and context in one place
- AI-powered triage: Get AI-generated summaries and recommendations
Automatic Alert Grouping
- Group alerts by host, user, IP, or detection rule
- Configurable time windows prevent case fragmentation
- Smart grouping reduces alert fatigue
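The grouping behaviour described above can be made concrete with a small simulation. The following is an added example, not nano's code: the `Alert` and `Case` shapes, the `GROUP_FIELDS` mapping, the sample alerts and the sliding one-hour window are all assumptions chosen to show how a grouping key plus a time window decides whether an alert joins an existing case or opens a new one.

```python
"""Group detection alerts into cases by a shared key within a time window.

Added illustration; the data shapes, field names and sample alerts below are
constructed for this example and are not nano's own code or data model.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

GroupKey = Tuple[Tuple[str, str], ...]


@dataclass
class Alert:
    alert_id: str
    rule: str
    host: str
    user: str
    src_ip: str
    ts: datetime


@dataclass
class Case:
    case_id: int
    group_key: GroupKey
    first_seen: datetime
    last_seen: datetime
    alerts: List[str] = field(default_factory=list)


# The grouping dimensions named in the text: host, user, IP and detection rule.
# Maps a dimension name to the Alert attribute it reads (assumed names).
GROUP_FIELDS = {"host": "host", "user": "user", "ip": "src_ip", "rule": "rule"}


def group_key(alert: Alert, group_by: Tuple[str, ...]) -> GroupKey:
    """Build the key that decides which alerts belong together."""
    return tuple((dim, getattr(alert, GROUP_FIELDS[dim])) for dim in group_by)


def group_alerts(alerts: List[Alert], group_by: Tuple[str, ...] = ("host",),
                 window: timedelta = timedelta(hours=1)) -> List[Case]:
    """Assign alerts to cases in arrival order.

    An alert joins the most recent case with the same key if it arrives within
    `window` of that case's last alert (a sliding window); otherwise a new case
    is opened. A window that is too short fragments one activity into many cases.
    """
    cases: List[Case] = []
    latest: Dict[GroupKey, Case] = {}  # most recent case per key
    for alert in sorted(alerts, key=lambda a: a.ts):
        key = group_key(alert, group_by)
        case = latest.get(key)
        if case is None or alert.ts - case.last_seen > window:
            case = Case(case_id=len(cases) + 1, group_key=key,
                        first_seen=alert.ts, last_seen=alert.ts)
            cases.append(case)
            latest[key] = case
        case.alerts.append(alert.alert_id)
        case.last_seen = alert.ts
    return cases


def _t(hh: int, mm: int) -> datetime:
    return datetime(2024, 1, 15, hh, mm)


# Constructed sample alerts (RFC 5737 documentation addresses).
SAMPLE_ALERTS = [
    Alert("a1", "brute_force_ssh", "ws-01", "jdoe", "198.51.100.7", _t(10, 0)),
    Alert("a2", "brute_force_ssh", "ws-01", "jdoe", "198.51.100.7", _t(10, 20)),
    Alert("a3", "brute_force_ssh", "ws-02", "asmith", "198.51.100.7", _t(10, 25)),
    Alert("a4", "suspicious_powershell", "ws-01", "jdoe", "203.0.113.9", _t(12, 0)),
    Alert("a5", "suspicious_powershell", "ws-01", "jdoe", "203.0.113.9", _t(12, 30)),
]


def case_members(alerts: List[Alert], group_by: Tuple[str, ...],
                 window: timedelta = timedelta(hours=1)) -> List[List[str]]:
    """Convenience view: the alert ids of each case, in case order."""
    return [c.alerts for c in group_alerts(alerts, group_by, window)]


if __name__ == "__main__":
    for dims in (("host",), ("rule",), ("ip",), ("host", "rule")):
        print(dims, case_members(SAMPLE_ALERTS, dims))
    print("10-minute window by host:", case_members(SAMPLE_ALERTS, ("host",), timedelta(minutes=10)))
```

Grouping the same five alerts by host yields three cases, by rule two, and by source IP two; shrinking the window to ten minutes splits the host grouping into five single-alert cases, which is the fragmentation the configurable window is meant to avoid. The window here is measured from the case's last alert (sliding); a fixed window from the first alert is the other common choice and caps how long a single case can keep absorbing alerts.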
Entity Extraction & Visualization
- Automatic extraction of users, hosts, IPs, domains, and file hashes
- Interactive entity relationship graph
- One-click pivot to search for any entity
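To show what entity extraction and the entity graph do with a real alert, here is an added example that is not nano's code: it pulls users and hosts from structured alert fields, IPs, domains and file hashes from the free-text description with regular expressions, links every entity to the others seen in the same alert, and builds the search string a pivot would issue. The alert dictionary layout, the regexes, the `NOT_TLDS` exclusion list, the `type:"value"` pivot syntax and the sample alerts are all assumptions.

```python
"""Extract entities from alerts and link them into a co-occurrence graph.

Added illustration with assumed alert fields and an assumed pivot query
syntax; none of this is nano's own implementation.
"""
import re
from typing import Dict, List, Set, Tuple

Entity = Tuple[str, str]  # (entity type, value)

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# SHA-256, SHA-1 and MD5 hex digests, longest alternative first.
HASH_RE = re.compile(r"\b(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}\b", re.IGNORECASE)
# File names like "update.exe" look like domains to the regex; skip these suffixes (assumed list).
NOT_TLDS = {"exe", "dll", "ps1", "bat", "txt", "log", "zip"}


def _valid_ipv4(candidate: str) -> bool:
    return all(0 <= int(octet) <= 255 for octet in candidate.split("."))


def extract_entities(alert: dict) -> Set[Entity]:
    """Return the set of (type, value) entities found in one alert."""
    entities: Set[Entity] = {("host", alert["host"]), ("user", alert["user"])}
    text = alert.get("description", "")
    for ip in IPV4_RE.findall(text):
        if _valid_ipv4(ip):
            entities.add(("ip", ip))
    for digest in HASH_RE.findall(text):
        entities.add(("hash", digest.lower()))
    for domain in DOMAIN_RE.findall(text):
        if domain.rsplit(".", 1)[-1].lower() not in NOT_TLDS:
            entities.add(("domain", domain.lower()))
    return entities


def build_entity_graph(alerts: List[dict]) -> Dict[Entity, Set[Entity]]:
    """Undirected graph: two entities are adjacent if they appear in the same alert."""
    graph: Dict[Entity, Set[Entity]] = {}
    for alert in alerts:
        entities = extract_entities(alert)
        for entity in entities:
            graph.setdefault(entity, set()).update(entities - {entity})
    return graph


def pivot_query(entity: Entity) -> str:
    """Search string for a one-click pivot (assumed `type:"value"` syntax)."""
    entity_type, value = entity
    return f'{entity_type}:"{value}"'


# Constructed sample alerts; the hash is a made-up 64-hex-character value.
SAMPLE_HASH = "0123456789abcdef" * 4
SAMPLE_ALERTS = [
    {"host": "ws-01", "user": "jdoe",
     "description": ("Outbound connection to 203.0.113.10 (resolved from evil-cdn.example.com); "
                     f"dropped update.exe sha256 {SAMPLE_HASH}")},
    {"host": "ws-02", "user": "jdoe",
     "description": "DNS query for evil-cdn.example.com from 10.0.0.5"},
]


if __name__ == "__main__":
    graph = build_entity_graph(SAMPLE_ALERTS)
    for entity, neighbours in sorted(graph.items()):
        print(pivot_query(entity), "->", sorted(neighbours))
```

In the sample, the domain node is adjacent to both hosts and the shared user, which is the relationship an analyst would spot in the graph view: two workstations touching the same infrastructure under one account. Regex extraction from free text is deliberately conservative (octet range check, file-extension exclusion) because every false entity becomes a misleading node and a wasted pivot.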
Integrated Investigation Notebooks
- Every assigned case gets an investigation notebook automatically
- Case lifecycle events (status changes, assignments, merges) are mirrored into the notebook
- The Investigation tab shows a unified timeline — searches, notes, AI analysis, and case events in one place
- AI summaries include case metadata for richer context
SOC Metrics & Audit Trail
- Every case action is logged for compliance and metrics
- Query audit events to build dashboards showing MTTD, MTTR, analyst workload
- Full audit trail of who did what, when
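The following added example shows how the metrics named above fall out of an audit trail. It is not nano's code and the audit event layout is an assumption: each event carries `ts`, `case_id`, `actor`, `action` and a `details` dictionary, with the action names `case.created` (carrying the first alert time), `case.assigned` and `case.resolved` chosen for the example. MTTD is taken here as first alert to case creation, MTTA as creation to first assignment, and MTTR as creation to resolution; the sample events are constructed.

```python
"""Derive SOC metrics (MTTD, MTTA, MTTR, analyst workload) from case audit events.

Added illustration; the event schema and action names are assumed for the
example and are not nano's audit format.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean
from typing import Dict, List, Optional


def _minutes(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 60.0


def compute_soc_metrics(events: List[dict]) -> dict:
    """Fold the audit trail into per-case timestamps, then aggregate."""
    per_case: Dict[str, dict] = defaultdict(dict)
    assignee: Dict[str, str] = {}  # current assignee per case
    # ISO-8601 timestamps in one format sort correctly as strings.
    for event in sorted(events, key=lambda e: e["ts"]):
        state = per_case[event["case_id"]]
        ts = datetime.fromisoformat(event["ts"])
        action = event["action"]
        if action == "case.created":
            state["created"] = ts
            state["first_alert"] = datetime.fromisoformat(event["details"]["first_alert_at"])
        elif action == "case.assigned":
            state.setdefault("first_assigned", ts)  # MTTA uses the first hand-off only
            assignee[event["case_id"]] = event["details"]["assignee"]
        elif action == "case.resolved":
            state["resolved"] = ts

    mttd = [_minutes(s["first_alert"], s["created"])
            for s in per_case.values() if "created" in s]
    mtta = [_minutes(s["created"], s["first_assigned"])
            for s in per_case.values() if "created" in s and "first_assigned" in s]
    mttr = [_minutes(s["created"], s["resolved"])
            for s in per_case.values() if "created" in s and "resolved" in s]

    workload: Dict[str, int] = defaultdict(int)
    for case_id, state in per_case.items():
        if case_id in assignee and "resolved" not in state:
            workload[assignee[case_id]] += 1

    def avg(values: List[float]) -> Optional[float]:
        return mean(values) if values else None

    return {
        "mttd_min": avg(mttd),
        "mtta_min": avg(mtta),
        "mttr_min": avg(mttr),
        "open_cases_per_analyst": dict(workload),
        "cases_seen": len(per_case),
    }


# Constructed sample audit trail: three cases, one still open.
SAMPLE_AUDIT_EVENTS = [
    {"ts": "2024-01-15T09:05:00", "case_id": "C-1", "actor": "system", "action": "case.created",
     "details": {"first_alert_at": "2024-01-15T09:00:00"}},
    {"ts": "2024-01-15T09:15:00", "case_id": "C-1", "actor": "lead", "action": "case.assigned",
     "details": {"assignee": "alice"}},
    {"ts": "2024-01-15T10:05:00", "case_id": "C-1", "actor": "alice", "action": "case.resolved",
     "details": {"disposition": "true_positive"}},
    {"ts": "2024-01-15T09:45:00", "case_id": "C-2", "actor": "system", "action": "case.created",
     "details": {"first_alert_at": "2024-01-15T09:30:00"}},
    {"ts": "2024-01-15T10:00:00", "case_id": "C-2", "actor": "lead", "action": "case.assigned",
     "details": {"assignee": "bob"}},
    {"ts": "2024-01-15T11:45:00", "case_id": "C-2", "actor": "bob", "action": "case.resolved",
     "details": {"disposition": "false_positive"}},
    {"ts": "2024-01-15T11:02:00", "case_id": "C-3", "actor": "system", "action": "case.created",
     "details": {"first_alert_at": "2024-01-15T11:00:00"}},
    {"ts": "2024-01-15T11:10:00", "case_id": "C-3", "actor": "lead", "action": "case.assigned",
     "details": {"assignee": "alice"}},
]


if __name__ == "__main__":
    print(compute_soc_metrics(SAMPLE_AUDIT_EVENTS))
```

Unresolved cases are excluded from MTTR rather than counted as zero, and reassignment does not reset MTTA; both are choices a dashboard should state explicitly, since either one silently changes the number.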
Case Workflow
```
┌──────────────────────────────────────────────────────────────────────────┐
│                              CASE LIFECYCLE                              │
├──────────────────────────────────────────────────────────────────────────┤
│                                                                          │
│   ┌─────────┐     ┌─────────────┐     ┌─────────┐     ┌──────────┐       │
│   │  Open   │────▶│ In Progress │────▶│ Pending │────▶│ Resolved │       │
│   └─────────┘     └─────────────┘     └─────────┘     └──────────┘       │
│        │                 │                 │               │             │
│        │                 │                 │               ▼             │
│        │                 │                 │          ┌─────────┐        │
│        │                 │                 └─────────▶│ Closed  │        │
│        │                 │                            └─────────┘        │
│        │                 │                                 │             │
│        │                 │                                 │             │
│        └─────────────────┴─────────────────────────────────┘             │
│                              (Reopen)                                    │
│                                                                          │
└──────────────────────────────────────────────────────────────────────────┘
```
Case Statuses
| Status | Description |
|---|---|
| Open | New case awaiting investigation |
| In Progress | Actively being investigated by an analyst |
| Pending | Waiting for external input or action |
| Resolved | Investigation complete, disposition assigned |
| Closed | Case fully closed and archived |
Dispositions
When resolving or closing a case, analysts assign a disposition:
| Disposition | Description |
|---|---|
| True Positive | Confirmed security incident |
| False Positive | Detection fired incorrectly |
| Benign | Real activity but not malicious |
| Inconclusive | Unable to determine with certainty |
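The lifecycle diagram and the disposition rule together define a small state machine. The example below is added here and is not nano's code: the transition table is read directly off the edges drawn in the diagram (including the reopen edge back to Open or In Progress), a disposition from the table above is required whenever a case becomes Resolved or Closed, and the snake_case status names, the `CaseRecord` shape and the choice to clear the disposition on reopen are assumptions of this example.

```python
"""Case status state machine with the disposition rule enforced.

Added illustration derived from the lifecycle diagram; the names and the
record shape are assumed and are not nano's implementation.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Edges exactly as drawn in the diagram; anything not listed is rejected.
TRANSITIONS = {
    "open": {"in_progress"},
    "in_progress": {"pending"},
    "pending": {"resolved", "closed"},
    "resolved": {"closed"},
    "closed": {"open", "in_progress"},  # the (Reopen) edge
}
DISPOSITIONS = {"true_positive", "false_positive", "benign", "inconclusive"}
NEEDS_DISPOSITION = {"resolved", "closed"}


class TransitionError(ValueError):
    """Raised when a status change is not permitted by the lifecycle."""


@dataclass
class CaseRecord:
    case_id: str
    status: str = "open"
    disposition: Optional[str] = None
    # (actor, from_status, to_status, disposition after the change)
    history: List[Tuple[str, str, str, Optional[str]]] = field(default_factory=list)


def allowed_transitions(status: str) -> Set[str]:
    """Statuses reachable in one step; useful for greying out UI actions."""
    return set(TRANSITIONS.get(status, ()))


def transition(case: CaseRecord, new_status: str, actor: str,
               disposition: Optional[str] = None) -> CaseRecord:
    """Apply a status change, enforcing the diagram's edges and the disposition rule."""
    if new_status not in allowed_transitions(case.status):
        raise TransitionError(
            f"{case.case_id}: {case.status} -> {new_status} is not a valid transition")
    if new_status in NEEDS_DISPOSITION:
        # Closing an already-resolved case may keep the disposition set at resolution.
        chosen = disposition or case.disposition
        if chosen not in DISPOSITIONS:
            raise TransitionError(
                f"{case.case_id}: a disposition is required to mark a case {new_status}")
        case.disposition = chosen
    elif case.status == "closed":
        # Reopening clears the old disposition so the new investigation sets its own
        # (a choice made for this example, not a documented nano behaviour).
        case.disposition = None
    case.history.append((actor, case.status, new_status, case.disposition))
    case.status = new_status
    return case


def run_example() -> CaseRecord:
    """Walk one case through the lifecycle and back out via reopen."""
    case = CaseRecord("C-42")
    transition(case, "in_progress", actor="alice")
    transition(case, "pending", actor="alice")
    transition(case, "resolved", actor="alice", disposition="true_positive")
    transition(case, "closed", actor="alice")
    transition(case, "open", actor="bob")  # reopen
    return case


if __name__ == "__main__":
    record = run_example()
    for entry in record.history:
        print(entry)
    print("now:", record.status, "allowed next:", sorted(allowed_transitions(record.status)))
```

Keeping the transition table as data rather than scattered `if` checks makes the lifecycle auditable: the table is the policy, and every accepted change lands in `history` with the actor, which is the same record the audit trail needs.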
Quick Start
- View Cases: Navigate to Cases in the sidebar
- Create Case: Click New Case or press C
- Assign: Assign to an analyst — a notebook is auto-created for the investigation
- Investigate: Use the Investigation tab to search, add notes, and track entities
- Resolve: Set disposition and close — an AI summary is generated with full case context
Keyboard Shortcuts
nano's case management is keyboard-first for maximum efficiency:
| Shortcut | Action |
|---|---|
| C | Create new case |
| J / K | Navigate down/up in list |
| Enter | Open selected case |
| V | Toggle table/kanban view |
| R | Refresh cases |
| / | Focus search |
| Cmd+K | Open command palette |
Documentation Sections
- Case Workflow - Detailed case lifecycle, status transitions, and investigation notebooks
- Auto-Grouping - Configure automatic alert grouping rules
- Entities - Entity extraction and the entity graph
- Audit Events & SOC Metrics - Build dashboards from case audit data
- Investigation Notebooks - AI-powered notebooks, @ commands, and case integration