Case Workflow

1. Upload Evidence

Add evidence containers or individual artifact files to the case. Supported Windows artifacts include EVTX event logs, Registry hives, MFT data, runtime process data, and runtime network connection data.

2. Review Processing Status

Track planning, discovery, processing, maintenance, and finishing tasks. Resolve failed tasks, approve pending work when auto discovery is disabled, or ignore evidence that should not be processed.

3. Review Threat Detections

Use the Threat Detections page to review Sigma matches, filter by evidence source, and drill into detections by rule, technique, or source system.

4. Review Windows Artifacts:
   • Windows Event Logs
   • Windows Registry
   • Windows MFT
   • Runtime Information

   Inspect parsed artifact data directly when you need file-level, host-level, or source-specific context beyond detections.

5. Review the Timeline

Use the timeline to correlate events, detections, file activity, and artifact records in chronological order.

6. Export Data

Export processed detections and case data for reporting, handoff, or follow-up analysis.