Working with Cases
Note
Cases are in beta. Features may change, and some functionality may be limited.
The Cases view brings together all triggered cases in one place. At present, Cases mirror your incidents, meaning each Case represents an event generated by an alert that has fired. This gives you a consolidated view of active and resolved alerts across your environment.
As a user, when you open the Cases view you see the history of triggered alerts, organized by their current status, priority, and category. This allows you to quickly understand what is happening now, what has already been resolved, and which issues require attention.
In the future, Cases will evolve beyond being a direct reflection of incidents. They will provide richer context and investigation tools, making them a central hub for managing and collaborating on operational issues.
For now, the Cases view is your starting point for monitoring and investigating triggered alerts across Availability and Security.
To access Cases, select Alerts, then Cases. The Cases home screen opens, showing all current and past cases.
Cases home
The home screen is where you can see, filter, and prioritize all active and historical Cases. It combines search, filters, and a table view so you can quickly find what matters.
Use the search bar to find a Case by name. Searching is useful when you know the specific alert or system you want to investigate.
Use filters to narrow the list based on metadata that affects triage and workflows. Filters include:
- Status: Active, Pending, Resolved, Acknowledged, Closed. Use this to see what needs attention, what is being worked on, and what has completed its workflow.
  - Pending Activation: A potential issue has been detected but impact is not yet confirmed. Cases in Pending are created by the system and may auto-resolve without ever becoming Active.
  - Active: Impact is confirmed and the Case is live. This is the main working state for new incidents.
  - Acknowledged: Someone has taken ownership and is actively handling the Case. This step is optional; a Case can go directly from Active to Resolved.
  - Resolved: Underlying indicators are healthy again and there is no more impact. A suppression window may apply so new alerts from the same cause do not immediately open a new Case. Cases may also move to Resolved if someone manually marks them as resolved, even if the underlying system health has not fully recovered. Resolved Cases cannot move back to any other state except Closed.
  - Closed: Follow-ups are complete and the Case is fully finished. This is a terminal state; closed Cases cannot move back to another status. Closing a Case typically happens after any required wrap-up work, for example, completing documentation or a post-mortem.
- Priority: P1–P5. Quickly surface the highest-impact incidents.
- Category: Availability, Security. Focus on Cases related to the domain you’re responsible for.
- Assignee: All Cases, unassigned Cases, or Cases assigned to a specific user. Useful for load balancing during on-call or team-specific views.
- Labels: Filter Cases using alert labels. Group Cases by attributes such as region, service, or custom metadata.
- Group-by: Filter Cases using any group-by tag shown in the table, such as service name, country, or pod name. To apply this filter, select Add filter, then choose a field from the Group-by tags list.
Group-by tags allow you to organize and cluster Cases that share common attributes. This makes it easier to identify related incidents, detect patterns across services or regions, and understand whether multiple Cases are symptoms of the same underlying issue.
Filters can be collapsed or expanded to reduce visual clutter while remaining easily accessible, allowing you to focus on the table when scanning large numbers of Cases.
The Reset action applies the Active filter automatically so you can immediately see ongoing issues that require attention.
Use the time range picker to control which Cases are displayed. You can select quick ranges, relative ranges, or custom ranges depending on whether you are monitoring in real time or reviewing historical activity. The Cases list supports automatic refresh, allowing results to update continuously at a configurable interval without manual reloads. This is especially useful for on-call, NOC, and monitoring workflows where the Case list needs to stay current.
The Cases table displays all matching Cases. Each row includes:
- ID: A unique reference you can use when sharing Cases with teammates or searching for a specific Case quickly.
- Name: A short description of the issue, usually based on the alert name. This helps you immediately understand what the Case is about without opening it.
- Group-by tags: Labels such as service name, country, or pod name that help you spot patterns. Use these to identify whether multiple Cases are related or coming from the same source.
- Status: Shows where the Case is in its lifecycle (Pending, Active, Acknowledged, Resolved, Closed). Use this to prioritize what needs action now versus what is already resolved.
- Priority: Indicates impact level from P1 to P5. Sorting by priority helps you focus on the most critical issues first.
- Last updated: Tells you when something last changed in the Case. This is useful for spotting Cases that may be stale or require follow-up.
- Duration: Shows how long the Case has been open. This helps you identify long-running issues that may require escalation or deeper investigation.
- Category: Identifies whether the Case is related to Availability or Security. Use this to filter Cases by the domain you’re responsible for.
- Assignee: Shows who owns the Case. This helps you see unassigned Cases that need attention or confirm if someone else is already handling the issue.
This table helps you scan large alert volumes, identify trends, and route work effectively.
Use the time range picker and refresh controls to update your view as new Cases appear.
Case drill down
The Case drill down view gives you all the information you need to understand why an alert fired, how it evolved, and what actions have been taken. Use the drill down to investigate the alert, track workflow progress, and coordinate response work.
Case names can be edited directly from the Case header. Updated names are reflected consistently across the Cases list, drill-down view, and related references.
If the Case is linked to an external incident management system, such as ServiceNow, the Case header displays a ServiceNow Incident link. Selecting this link opens the associated incident directly in ServiceNow so you can continue investigation, remediation, or coordination without leaving the Case context.
The drill down includes three tabs: Alert, Triage, and Activity. A details panel remains visible so you can see priority, status, timestamps, and category as you work.
Alert tab
The Alert tab provides the full technical details of the alert rule and its evaluation, helping you understand why the alert fired and what systems were involved.
Evaluation graph
A visual representation of the alert behavior over time, including alerting and suppressed periods. Use this to confirm when the anomaly or threshold violation occurred and whether the issue is still ongoing.
Alerting groups
A table showing all alerting groups involved such as applications, sources, or subsystems, along with their status and priority. This helps you:
- identify the specific components affected
- compare severity across groups
- determine whether the issue is isolated or widespread
Query
Shows the exact query used to evaluate the alert. Reviewing the query helps you validate the alert logic and confirm that the evaluation criteria match the intended behavior.
Conditions
Shows the alert thresholds, evaluation frequency, and any deviation values. Use this to see which rule was breached and whether the conditions were met consistently or only once.
Together, these fields help you verify that the alert triggered for the correct reason and understand the scope of the impact.
Triage tab
The Triage tab helps you quickly confirm why a case was triggered and which parts of your system are affected. It provides the key information you need to decide if the alert is valid, how widespread the issue is, and whether immediate action is required.
Time range selection
The Triage tab includes a time picker that lets you control the time range used for triage analysis.
Use the time picker to:
- Review alert evaluation trends over a longer period, such as multiple days or weeks
- Compare current behavior with historical patterns
- Understand whether the issue is recurring, seasonal, or a one-time spike
The time picker applies to drilldown views and signals shown in the Triage tab. It does not apply to the Related cases section.
The evaluation chart does not support sliding or interactive window adjustments. Use the time picker to change the time range instead.
Evaluation graph
The graph shows how the alert condition behaved over the selected time range. You can see when the metric crossed the alert threshold, how long it stayed in an alerting state, and whether the issue is ongoing. This helps you validate that the alert fired for a real signal rather than a brief data spike.
Alerting groups
The Alerting groups table lists every component involved in the alert, such as pods, services, or hosts. Each entry shows its current status and priority. This helps you quickly understand whether the problem is isolated to a single component or affecting multiple parts of your system. Sorting and scanning this list can point you directly to the source of the issue.
Query and conditions
The Query and Conditions sections show exactly how the alert was evaluated. The query tells you what data was used. The conditions show the threshold and evaluation window. Reviewing these helps you confirm that the trigger makes sense and aligns with your expectations for the rule.
Alert logs
This section shows sample data that occurred during the selected time range.
- For log alerts, this section shows sample logs.
- For trace-based alerts, this section shows a table of relevant spans.
- For metric alerts, this section shows both logs and traces, when available.
Use this section to validate symptoms, check for related errors, and open Explore logs to continue investigation.
If no data is available for the selected time range, the section indicates that no results were found.
Collapsible sections
Sections within the Triage tab are collapsible to help you focus on the most relevant information during investigation.
You can expand or collapse drilldown and signal sections to reduce visual noise and prioritize your workflow. Collapsing sections does not affect data selection or the applied time range.
The Related cases section is not collapsible and does not respond to the Triage time picker.
Related cases
The Related cases panel provides historical context by showing recent Cases that share common attributes such as entity labels or alert definitions.
Up to 100 related Cases from the last six months are displayed. This allows you to identify recurring issues, compare current behavior with past incidents, and quickly navigate between related investigations to understand broader patterns.
Why use this tab
The Triage tab gives you the fastest path to understanding what happened and where to focus next. It is the starting point for validating the alert before you move into deeper investigation in the Alert or Activity tab.
Activity tab
The Activity tab shows the complete history of the Case in chronological order. It includes system-generated events and user-added comments in a single continuous timeline.
Use this tab to understand how the Case progressed and to collaborate during investigation and resolution.
The activity timeline records events such as Case creation, status updates, automatic resolution, and assignment changes. Each entry indicates when the action occurred and whether it was automatic or user-initiated.
You can search for activity, filter by activity type, and sort events by oldest or newest.
The comment input at the top of the Activity tab lets you add investigation notes, share findings, and coordinate handoffs. Comments appear inline with timeline events to preserve context. You can mention teammates using @ to notify them.
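The status lifecycle described under the Status filter can be checked against a Case's activity timeline. The following is an added example, not code from the product: it replays status events and reports any transition the page does not document, plus manual resolutions that deserve a second look. The event keys (`ts`, `actor`, `status`) and the sample timelines are constructed for illustration; the page does not describe an export format.

```python
from datetime import datetime

# Transitions the page states; anything else is reported, not assumed valid.
DOCUMENTED = {
    "Pending": {"Active", "Resolved"},       # may auto-resolve without going Active
    "Active": {"Acknowledged", "Resolved"},  # Acknowledged is optional
    "Acknowledged": {"Resolved"},
    "Resolved": {"Closed"},                  # cannot move back, only on to Closed
    "Closed": set(),                         # terminal
}

def audit_timeline(events):
    """Return (event_index, finding) pairs for one Case's status events.

    Each event is a dict with hypothetical keys: ts (ISO 8601), actor
    ("system" or "user") and status.
    """
    findings = []
    prev_status = prev_ts = None
    for i, ev in enumerate(events):
        ts, status = datetime.fromisoformat(ev["ts"]), ev["status"]
        if status not in DOCUMENTED:
            findings.append((i, "unknown-status"))
            continue
        if prev_ts is not None and ts < prev_ts:
            findings.append((i, "out-of-order"))
        if prev_status not in (None, status) and status not in DOCUMENTED[prev_status]:
            findings.append((i, f"undocumented:{prev_status}->{status}"))
        if status == "Pending" and ev["actor"] != "system":
            findings.append((i, "pending-not-system"))  # Pending is system-created
        if status == "Resolved" and ev["actor"] == "user":
            findings.append((i, "manual-resolve"))      # health may not have recovered
        prev_status, prev_ts = status, ts
    return findings

# Constructed sample timelines (not real product output).
CLEAN = [
    {"ts": "2025-01-10T09:00:00", "actor": "system", "status": "Pending"},
    {"ts": "2025-01-10T09:05:00", "actor": "system", "status": "Active"},
    {"ts": "2025-01-10T09:12:00", "actor": "user", "status": "Acknowledged"},
    {"ts": "2025-01-10T10:30:00", "actor": "system", "status": "Resolved"},
    {"ts": "2025-01-11T14:00:00", "actor": "user", "status": "Closed"},
]
SUSPECT = [
    {"ts": "2025-01-12T09:00:00", "actor": "system", "status": "Active"},
    {"ts": "2025-01-12T09:02:00", "actor": "user", "status": "Resolved"},
    {"ts": "2025-01-12T09:20:00", "actor": "system", "status": "Active"},
]

if __name__ == "__main__":
    for name, timeline in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(name, audit_timeline(timeline))
```

A `manual-resolve` finding is not an error; it marks a Case that was resolved by a person, where the underlying system health may not have fully recovered.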
Details panel (applies across all tabs)
The details panel stays visible across all tabs and shows the key attributes of the Case:
- Status: Shows where the Case currently is in its lifecycle. Use this to understand whether the issue is still ongoing, being worked on, or fully completed.
- Priority: Indicates the severity level (P1–P5). This helps you quickly assess how urgent the Case is and which ones require immediate attention.
- Assignee: Displays who is responsible for the Case. Use this to see unassigned Cases that need ownership or to confirm who is actively handling the issue.
- External incident: Shows a link to the associated ServiceNow Incident when available. Use this link to open the incident in ServiceNow with the relevant context already applied.
- Category: Identifies whether the Case relates to Availability or Security. This helps you focus on the Cases that fall within your team’s responsibilities.
- Opened on: Shows when the Case was created. Use this to understand how long the issue has existed and to spot older Cases that may need review.
- Last updated: Shows the most recent activity on the Case. This helps you track ongoing work and identify Cases that may be stalled or waiting on input.
- Resolved on: Shows when the Case was resolved, if applicable. This helps you confirm when impact ended and whether follow-up actions might still be required.
- Description: Provides extra context or background for the Case. Use this to understand why the alert fired, what the Case refers to, or any details added by the system or team members.
- Labels: Lists tags applied to the Case, such as service name, region, or environment. Labels help you filter, group, and route Cases more effectively. Labels are defined and managed at the alert definition level; they cannot be added or edited directly on a Case.
This panel helps you quickly understand severity, ownership, and lifecycle as you investigate the alert.



