Escalate and Manage Cases

Create cases from alerts, assign ownership, and manage the investigation lifecycle.

The primary way to start an investigation in Radiant is to escalate alerts. You can create a fresh case for a new threat or group related alerts into one existing case. Once a case is created, you can assign it to team members and track its status from the Case header.

In this guide, you'll learn to escalate alerts into new or existing cases, configure their details, assign ownership, and track the investigation status.

Escalate alerts to cases

You can escalate a single alert or select multiple related alerts to investigate them together.

Option 1: Bulk escalation

This method is ideal for grouping related signals, such as multiple alerts from the same host or user, into a single investigation context.

  1. Navigate to the Alerts tab.

  2. Select the checkboxes next to the alerts you want to escalate.

  3. Click the Add to Case button in the action menu that appears at the upper left side of the page.

  4. A configuration modal will appear. Select one of the following options:

    • New Case: Create a brand new investigation.

    • Existing Case: Add these alerts to an ongoing investigation.

Option 2: Single alert escalation

If you are reviewing a specific alert, you can escalate it directly.

  1. Navigate to the Alerts tab.

  2. Select the checkbox next to the single alert you want to escalate.

  3. Click Add to Case.

  4. A configuration modal will appear. Select one of the following options:

    • New Case: Create a brand new investigation.

    • Existing Case: Add these alerts to an ongoing investigation.

  5. (Optional) You can add a single alert to a Case directly from the alert view.

Configure case details

When you create or update a case, accurate details help your team prioritize effectively.

Create a new case

If you select New Case in the modal, configure the following fields:

  • Case title: Enter a concise, descriptive name (e.g., "Defense Evasion Investigation").

  • Case summary: Optionally, add a description to explain what happened and why it matters.

  • Severity: Select the threat level (None, Low, Medium, High, or Critical) from the drop-down menu.

Note: This severity setting determines the color of the case tag in the Alerts feed, making critical cases easy to spot (dark red = Critical, light red = High, orange = Medium, yellow = Low, and grey = Informational).

  • Assign case: Select the assignee from the drop-down menu.

  • Click Create Case.

Add alerts to an existing case

If you select Existing Case, use the drop-down menu to search for and select it (e.g., [CASE-123 - Case name]). You can also append a note at this stage to explain why this new finding is being merged into the ongoing case.

Identify case associations

Once an alert is added to a case, Radiant clearly links it to its parent case so you never lose context. You can identify which case an alert belongs to in two main ways:

  1. In the Alerts tab: A colored tag (e.g., CASE-242) appears directly in the alert row. The tag's color corresponds to the current severity of the case.

Note: You can hover over the tag to display the full case name. Click the tag to navigate directly to that Case.

  2. In alert details: If you are viewing the specific details of an alert, the associated Case ID is displayed prominently, right next to the alert title.

Manage open cases

You can manage the lifecycle and ownership of an investigation directly within the case view, ensuring the status always reflects current progress.

Assign ownership

To prevent duplicate work, every active case should have a clear owner.

  1. Navigate to the Cases tab.

  2. Open the case.

  3. In the header, click the Assigned to drop-down menu.

  4. Select yourself or a team member to claim the case.

Update Status and Severity

As the investigation evolves, keep the case metadata up to date:

  • Severity: If an investigation reveals a higher impact than expected, use the Severity drop-down in the header to upgrade the case (e.g., from Medium to High).

  • Status: Use the Status drop-down to track progress:

    • Open: Active investigation

    • Pending: Waiting on external input

    • Closed: Investigation complete

    • False Positive: Investigation complete

Refine Case Scope (Coming Soon)

Note: The following features are currently in development.

You can adjust the contents of a case at any time:

  • Remove Alerts: Future updates will allow you to remove alerts directly from the case view to keep the investigation focused.

  • Add Alerts: You will be able to add new findings to an existing case from the Alerts feed or directly from within the Case interface.
