Viewing cases
FortiDLP provides an extended retention period for cases and associated events/detections, storing them indefinitely unless they are deleted (see Deleting cases).
By default, the Cases module displays the most recently updated cases at the top of each category panel. You can instead sort cases by name or severity, or filter them using keywords.
When you click a case in the module, you are directed to the corresponding Case details page. There, you can view case information, such as associated entities and events/detections, and collaborate on the case to accelerate threat analysis. To share information about the case with other operators, you can provide general comments on the case, comment on specific events/detections, reply to other operators' comments, and paste screenshots directly into the Comments panel. You can also quickly access the case's audit log activity from this page.
How to view a case
- In the FortiDLP Console, on the left-hand sidebar, click
.
- Optionally, do one of the following:
  - To filter by a keyword, such as an operator name, case name, or tag, type into the entry box at the top of the page.
  - To change the sort order, select another option from the menu.
- Do one of the following:
  - To view a case being actively investigated by operators within your organization, click a case in the Open cases panel.
  - To view a case that was previously investigated by operators within your organization or Fortinet Cyber Analysts, click a case in the Closed cases panel.
  - To view a case being actively investigated by Fortinet Cyber Analysts, click a case in the By Fortinet Cyber Analysts panel.
- Optionally, do the following:
  - To view audit log entries for the case, click > View audit log.
  - To view an event more closely, in the Events table, click .
  - To view more information about an event value or perform other actions, click the value and then click the relevant context box button. The following list summarizes the buttons that display:
    - Copies a value to your clipboard.
    - Filters by a value within the Investigate module.
    - Filters by a value within the SaaS apps module's Inventory tab.
    - Displays more information about a value.
    - Displays a submenu containing the following options:
      - Filters by a value within the Users module.
      - Filters by a value within the Nodes module (if selected from a user's context box) or takes you to the Node profile page (if selected from a node's context box).
  - To add a general comment to the case:
    - On the upper right-hand side of the page, click Comments.
    - In the comment entry box, type or paste your comment.
    - Press Enter or click .
  - To comment on a specific event/detection:
    - In the Events table, on the row of the relevant event/detection, click .
    - In the comment entry box, type or paste your comment.
    - Press Enter or click .
  - To reply to a comment:
    - On the upper right-hand side of the page, click Comments.
    - In the Comments panel, hover over the relevant comment and click Reply.
    - In the comment entry box, type or paste your comment.
    - Press Enter or click .
If needed, you can edit your own comment. Just hover over it in the Comments panel, click Edit, update your comment, and then click Save. You can also delete your own comment, which will delete all comments in the thread. Just hover over it, click Delete, and then click Delete again in the confirmation dialog box.