# Radiant Cases

Radiant Cases provide a centralized workspace designed specifically for security analysts to investigate, track, and resolve complex threats by grouping related alerts. While the Alerts feed is optimized for rapid triage and immediate decision-making, it is not designed to track long-running issues. Cases bridge this gap, giving you a dedicated environment to assign ownership, manage the investigation lifecycle, and coordinate response actions across your team.

<figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2Fg2pkGcCFrU6prpSgZmrl%2FRadiant_Cases_01.png?alt=media&#x26;token=4534dd7a-6897-4e30-99d7-c99e3a462b37" alt=""><figcaption></figcaption></figure>

### When to create a Case

The Radiant workflow distinguishes between short-lived reviews and longer investigations:

* **Alerts:** Intended for a quick review to determine if the activity should be escalated for deeper investigation or dismissed as benign. Once an alert is triaged, it typically does not require formal assignment or long-term tracking.
* **Cases:** If an alert involves a confirmed threat or requires deeper analysis and response, it should be escalated to a Case. This ensures the investigation is not lost in the Alerts feed and allows for formal assignment, such as handing off a complex threat to a senior analyst for further review.

### Key Capabilities

#### **Unified Threat Context**

Attacks rarely consist of a single signal. Radiant Cases allow you to group multiple alerts, from different sources and timestamps, into a single investigation. This includes combining malicious findings with earlier "benign" anomalies. Often, an attack begins with activity that initially appears harmless; by grouping these early indicators with later malicious alerts, you can reconstruct the full story of how a breach evolved, rather than treating each signal in isolation.

#### **Automated Artifact Consolidation**

When you add multiple alerts to a case, Radiant automatically consolidates the most critical information. It extracts artifacts such as Users, IPs, Devices, FQDNs and IOCs from every alert and deduplicates them into a unified **Artifacts** view.

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2Fv5yQi2zgrLMd9v9JCBZy%2FRadiant_Cases_02.png?alt=media&#x26;token=2d541441-4b90-4e19-aca3-346e75678ef2" alt="" width="252"><figcaption></figcaption></figure></div>
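A sketch of the consolidation and grouping described above, as an added example: it is not Radiant's code, API, or alert schema. The alert fields, the sample alerts, and the normalization rules (case-folding, canonical IP form, trailing-dot removal) are assumptions chosen to show why deduplication needs normalization and how an early "benign" alert surfaces once artifacts are merged.

```python
import ipaddress
from collections import defaultdict

# Constructed sample alerts; field names are hypothetical, not Radiant's schema.
ALERTS = [
    {"id": "A-1", "time": "2024-05-01T08:02:00Z", "verdict": "benign",
     "artifacts": [("user", "J.Doe@Example.com"), ("ip", "2001:db8:0:0:0:0:0:1"),
                   ("fqdn", "Files.Example.net.")]},
    {"id": "A-2", "time": "2024-05-03T14:40:00Z", "verdict": "malicious",
     "artifacts": [("user", "j.doe@example.com"), ("ip", "2001:db8::1"),
                   ("device", "LAPTOP-042"), ("fqdn", "files.example.net")]},
    {"id": "A-3", "time": "2024-05-03T15:05:00Z", "verdict": "malicious",
     "artifacts": [("device", "laptop-042"), ("ip", "198.51.100.7")]},
]

def normalize(kind, value):
    """Map equivalent spellings of an artifact to one canonical key (assumed rules)."""
    value = value.strip()
    if kind == "ip":
        # Collapses alternate IPv6 spellings; raises ValueError on malformed input.
        return str(ipaddress.ip_address(value))
    if kind == "fqdn":
        return value.rstrip(".").lower()   # DNS names are case-insensitive
    return value.lower()                   # assumption: users/devices compare case-insensitively

def consolidate(alerts):
    """Merge artifacts from all alerts into one deduplicated view, oldest alert first."""
    view = defaultdict(lambda: {"alerts": [], "first_seen": None, "verdicts": []})
    for alert in sorted(alerts, key=lambda a: a["time"]):  # same-format UTC ISO strings sort by time
        for kind, raw in alert["artifacts"]:
            entry = view[(kind, normalize(kind, raw))]
            if alert["id"] not in entry["alerts"]:
                entry["alerts"].append(alert["id"])
                entry["verdicts"].append(alert["verdict"])
            entry["first_seen"] = entry["first_seen"] or alert["time"]
    return dict(view)

def early_indicators(view):
    """Artifacts first seen in a benign alert that reappear in a malicious one."""
    return sorted(key for key, e in view.items()
                  if e["verdicts"][0] == "benign" and "malicious" in e["verdicts"])

if __name__ == "__main__":
    case_view = consolidate(ALERTS)
    for key in early_indicators(case_view):
        print(key, case_view[key]["first_seen"], case_view[key]["alerts"])
```
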

#### **Prioritization and Context**

Keep your team aligned on what matters most. You can assign Severity levels (None to Critical) to ensure urgent threats are addressed first, and use Case Notes to document findings, share hypotheses, or manage handoffs between analysts.

#### **Clear Ownership and Assignment**

In a busy SOC, it is easy for threats to be overlooked. Cases enforce accountability by allowing you to assign specific analysts to investigations. This prevents duplicate work and ensures every active threat has a clear owner.

#### **Investigation Lifecycle**

Cases support a full workflow for tracking an investigation. Each case has one of four states: Open (active analysis), Pending (waiting on IT or external dependencies), False Positive (resolved), or Closed (resolved).

#### **Coordinated Response Actions**

The Case view is not just for reading; it's for acting! You can execute response actions on specific artifacts directly from the case (such as blocking a URL or isolating an endpoint) and audit exactly who took those actions and when.

<figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FcYe8h0zQric3KHn6ozQP%2FRadiant_Cases_03.png?alt=media&#x26;token=aadf05a4-c3f3-4a7d-8e5c-e1ae916a3722" alt=""><figcaption></figcaption></figure>

### Next Steps

Ready to start investigating? Now that you understand the basics of Radiant Cases, dive into the practical guides below:

{% columns %}
{% column width="33.33333333333333%" %}
[escalate-and-manage-cases](https://help.radiantsecurity.ai/radiant-cases/radiant-cases/escalate-and-manage-cases "mention")\
Learn how to turn alerts into cases, assign ownership, and manage the investigation lifecycle.
{% endcolumn %}

{% column width="33.33333333333333%" %}
[response-actions](https://help.radiantsecurity.ai/radiant-cases/radiant-cases/response-actions "mention")\
Explore the automated remediation capabilities powered by Radiant Security, from containment to remediation.
{% endcolumn %}

{% column width="33.33333333333336%" %}
[response-actions-in-cases](https://help.radiantsecurity.ai/radiant-cases/radiant-cases/response-actions-in-cases "mention")\
See how to execute response actions directly from your investigation to neutralize threats.
{% endcolumn %}
{% endcolumns %}

{% columns %}
{% column width="50%" %}
[audit-response-actions](https://help.radiantsecurity.ai/radiant-cases/radiant-cases/audit-response-actions "mention")\
Learn how to use the Audit Logs to track, verify, and report on every remediation action taken by your team.
{% endcolumn %}

{% column width="50%" %}
[artifact-reference-guide](https://help.radiantsecurity.ai/radiant-cases/radiant-cases/artifact-reference-guide "mention")\
Explore a complete dictionary of every artifact type (Users, IPs, Devices) you might encounter during an investigation.
{% endcolumn %}
{% endcolumns %}

