Radiant Cases

Transition from alert triage to full incident management with dedicated Cases.

Radiant Cases provide a centralized workspace designed specifically for security analysts to investigate, track, and resolve complex threats by grouping related alerts. While the Alerts feed is optimized for rapid triage and immediate decision-making, it is not designed to track long-running issues. Cases bridge this gap, giving you a dedicated environment to assign ownership, manage the investigation lifecycle, and coordinate response actions across your team.

When to create a Case

The Radiant workflow distinguishes between short-lived reviews and longer investigations:

  • Alerts: Intended for a quick review to determine if the activity should be escalated for deeper investigation or dismissed as benign. Once an alert is triaged, it typically does not require formal assignment or long-term tracking.

  • Cases: If an alert involves a confirmed threat or requires deeper analysis and response, it should be escalated to a Case. This ensures the investigation is not lost in the Alerts feed and allows for formal assignment, such as handing off a complex threat to a senior analyst for further review.

Key Capabilities

Unified Threat Context

Attacks rarely consist of a single signal. Radiant Cases allow you to group multiple alerts, from different sources and timestamps, into a single investigation. This includes combining malicious findings with earlier "benign" anomalies. Often, an attack begins with activity that initially appears harmless; by grouping these early indicators with later malicious alerts, you can reconstruct the full story of how a breach evolved, rather than treating each signal in isolation.

Automated Artifact Consolidation

When you add multiple alerts to a case, Radiant automatically consolidates the most critical information. It extracts artifacts such as Users, IPs, Devices, FQDNs and IOCs from every alert and deduplicates them into a unified Artifacts view.

Prioritization and Context

Keep your team aligned on what matters most. You can assign Severity levels (None to Critical) to ensure urgent threats are addressed first, and use Case Notes to document findings, share hypotheses, or manage handoffs between analysts.

Clear Ownership and Assignment

In a busy SOC, it is easy for threats to be overlooked. Cases enforce accountability by allowing you to assign specific analysts to investigations. This prevents duplicate work and ensures every active threat has a clear owner.

Investigation Lifecycle

Cases support a full workflow to track your progress: an investigation moves from Open (active analysis) to Pending (waiting on IT or external dependencies), and is resolved as either False Positive or Closed.
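The artifact consolidation and lifecycle sections above describe behaviour rather than code, so here is an added illustration (not Radiant's own implementation) of what a case object that does both would look like: alerts are merged into one case, their artifacts deduplicated per type into a unified view, and state changes are only accepted along allowed moves and recorded with the analyst who made them. The artifact types and state names are the page's; the allowed transitions, the alert dictionary layout and the sample alerts are assumptions constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List
# Artifact types and lifecycle states come from this page; the allowed moves between
# states and the alert dict layout are assumptions made for this example.
ARTIFACT_TYPES = ("users", "ips", "devices", "fqdns", "iocs")
ALLOWED_MOVES = {
    "Open": {"Pending", "False Positive", "Closed"},
    "Pending": {"Open", "Closed"},  # assumed: a pending case may reopen or close
}  # False Positive and Closed are resolved, so nothing moves out of them

@dataclass
class Case:
    title: str
    owner: str = "unassigned"
    severity: str = "None"  # page range is None to Critical
    state: str = "Open"
    alert_ids: List[str] = field(default_factory=list)
    artifacts: Dict[str, List[str]] = field(default_factory=lambda: {t: [] for t in ARTIFACT_TYPES})
    notes: List[str] = field(default_factory=list)

    def add_alert(self, alert: dict) -> None:
        # Attach the alert and merge its artifacts into the unified view (deduplicated, first-seen order).
        if alert["id"] in self.alert_ids:
            return
        self.alert_ids.append(alert["id"])
        for kind in ARTIFACT_TYPES:
            for value in alert.get(kind, []):
                norm = value.strip().lower()  # so "Admin@corp.example" and "admin@corp.example" collapse
                if norm not in self.artifacts[kind]:
                    self.artifacts[kind].append(norm)

    def transition(self, new_state: str, by: str) -> bool:
        # Apply a lifecycle move only if ALLOWED_MOVES permits it, recording who did it as a note.
        if new_state not in ALLOWED_MOVES.get(self.state, set()):
            return False
        self.notes.append(f"{by}: {self.state} -> {new_state}")
        self.state = new_state
        return True

# Constructed sample alerts: an early, seemingly benign sign-in anomaly and a later endpoint finding.
SAMPLE_ALERTS = [
    {"id": "a-1", "users": ["Admin@corp.example"], "ips": ["203.0.113.7"]},
    {"id": "a-2", "users": ["admin@corp.example"], "ips": ["203.0.113.7", "198.51.100.9"],
     "devices": ["WS-0142"], "fqdns": ["update.example.net"], "iocs": ["ioc-placeholder-1"]},
]
def build_case(alerts: List[dict], owner: str = "senior-analyst", severity: str = "High") -> Case:
    case = Case(title="Suspected account compromise", owner=owner, severity=severity)
    for alert in alerts:  # escalate the related alerts into one owned, prioritised case
        case.add_alert(alert)
    return case
```

Both sample alerts name the same user and IP with different capitalisation, so the unified view lists each once; the later alert's device, FQDN and IOC are added alongside them.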

Coordinated Response Actions

The Case view is not just for reading; it's for acting! You can execute response actions on specific artifacts directly from the case (such as blocking a URL or isolating an endpoint) and audit exactly who took those actions and when.

Next Steps

Ready to start investigating? Now that you understand the basics of Radiant Cases, dive into the practical guides below:

  • Escalate and Manage Cases: Learn how to turn alerts into cases, assign ownership, and manage the investigation lifecycle.

  • Radiant Response Actions: Explore the automated remediation capabilities powered by Radiant Security, from containment to remediation.

  • Response Actions in Cases: See how to execute response actions directly from your investigation to neutralize threats.

  • Audit Response Actions: Learn how to use the Audit Logs to track, verify, and report on every remediation action taken by your team.

  • Artifact Reference Guide: Explore a complete dictionary of every artifact type (Users, IPs, Devices) you might encounter during an investigation.
