Incidents
Incidents are the core unit of work in CasePack. Each incident represents a security event that needs documentation, evidence collection, and reporting. Incidents are scoped to the current tenant.
Creating an Incident
- Click “New Incident” in the header or press Cmd+I
- Fill in the form:
  - Title — Concise, descriptive name (e.g., “Phishing campaign targeting finance team”)
  - Severity — Low, Medium, High, or Critical
  - Description — Initial details, IOCs, or ticket reference (optional)
- Click “Create Incident”
The incident is created with status Open.
The “New Incident” button is disabled when your subscription is in read-only or export-only mode. See Licensing & Access States.
Incident List
The incident list shows all incidents for the current tenant with rich filtering:
- Status chips — Filter by All, Open, In Progress, Closed, Resolved (with count badges)
- Search — Filter by title, ID, or reported-by (/ focuses the search field)
- Time filter — All time, Last 24 hours, Last 7 days, Last 30 days
- Columns — Title (with truncated ID prefix), Status, Created, Evidence count, Last activity
Keyboard shortcuts on this page:
- N — Navigate to create new incident
- / — Focus the search input
Sidebar: On large screens, a sidebar shows Triage Tips and an Export Card.
Incident Detail
Click any incident to view its detail page with editable fields and tabbed sections.
Editable Fields
- Title — Click to edit inline (max 255 characters). Confirm with Enter, cancel with Escape.
- Description — Click to edit inline (max 4000 characters). Save with Cmd/Ctrl+Enter or the Save button; Escape cancels.
- Root Cause — Click to edit inline (max 4000 characters). Capture what caused the incident once your investigation has concluded.
- Lessons Learned — Click to edit inline (max 4000 characters). Document follow-ups, process changes, and detection gaps.
- Severity — Inline dropdown: Low, Medium, High, Critical.
- Status — Dropdown: Open, In Progress, Resolved, Closed.
- Affected Users — Numeric input (≥ 0) on the metadata card. Press Enter or click outside to save; Escape reverts; clear the value to set it back to unknown.
Metadata Cards
- Created — Relative and absolute timestamp
- Reported by — The user who created the incident (or “Unknown”)
- Severity — Current severity with inline edit
- Affected Users — Inline numeric editor; left blank when unknown
- Resolved — Shown once the incident is resolved; relative + absolute timestamp
- Last Updated — Relative + absolute timestamp of the most recent change
| Tab | Feature Gate | Content |
|---|---|---|
| Evidence | evidenceVault | Upload and manage evidence files |
| NIS2 Milestones | nis2Timeline | NIS2 reporting milestones (opt-in) |
| Reports | incidentReports | Generate structured reports from templates |
| Exports | evidencePackExport | Generate and download evidence packs |
| Timeline | incidentTimeline | Chronological event feed with CRUD |
Each tab shows a badge with the item count. The Milestones tab shows an overdue count badge in red when applicable.
Tabs for features not included in your plan show an upgrade prompt. See Licensing & Access States.
More Actions (⋯ Menu)
- Enable NIS2 Reporting — Opt-in to NIS2 milestone tracking for this incident (requires nis2Timeline feature)
- Delete Incident — Soft-deletes the incident (data can be recovered)
Evidence Upload Shortcut
Ctrl+U / Cmd+U — Opens the file picker to upload evidence directly from the detail page.
Status Workflow
Open → In Progress → Resolved → Closed
- Open — New incident, not yet triaged
- In Progress — Team is actively documenting and collecting evidence
- Resolved — Investigation complete, awaiting final review
- Closed — Fully documented and archived
All four statuses are available from the status dropdown — transitions are not restricted.
Tips & Best Practices
- Use consistent naming conventions for incident titles
- Add a description referencing the PSA ticket ID for cross-reference
- Capture Root Cause and Lessons Learned before closing — these power post-incident reviews and report templates
- Track Affected Users as soon as you have an estimate; refine it as the investigation progresses
- Upload evidence early and often — don’t wait until the end
- Use N on the incident list and Ctrl+U on the detail page for speed
Related Features
- Evidence — Uploading and managing artifacts
- Milestones — Deadline tracking
- Incident Reports — Generating structured reports from templates
- Incident Timeline — Building the response record
- Evidence Pack Export