Case Management

Run incident and case workflows from intake through reporting in SandsBytes.

Case Management provides a complete workflow to create, investigate, and report incidents through a single case workspace.

Use this guide as a step-by-step walkthrough of common case operations.

Create Case

To create a case, access the Cases page from the sidebar, then click Create.

[Screenshot: Create button on the Cases page]

  1. Fill in the case information.

    [Screenshot: Create Case form with case information fields]

  2. Click Create Case.

To edit a case, click the Edit icon in the cases table.

[Screenshot: Edit icon in the case actions column]

After opening a case, the following sections are available:

  • Case information: description, name, severity, close date, and source of the discovered incident.
  • Member assignment: list of members assigned to the case.
  • Case statistics: general case metrics, including assigned members, tasks, requirements, alerts, tags from processed files, and total processed files.
  • Collected triage packages: list of packages uploaded for the case.
  • Case Evidence: evidence collected from the environment, such as disk images, memory dumps, and PCAP files.
  • Case Requirements: requirements from departments, third parties, or vendors.
  • Case Tasks: tasks assigned to internal team members.
  • Findings: analyst-confirmed findings related to suspicious or malicious activity in the case.
  • IoCs: Indicators of Compromise associated with findings in the case.
  • Files: browsing and managing collected case files and package contents.
  • Case Timeline: timeline of case-related milestones and procedural events.
  • Reports: generated or uploaded case reports for download and sharing.
  • Remediations: remediation actions and response steps tracked to resolution.

Upload New Triage Package

To upload a new triage package, open the case page and click Upload in Triage Packages.

[Screenshot: Upload button in the Triage Packages section]

Triage packages can be added in two ways:

  • Compressed file (.zip or .tar.gz)
  • Remote shared folder over SMB, FTP, SFTP, NFS, NextCloud, or a similar source

Upload Compressed File

  1. Select the Compressed File tab and select the archive to upload.

    [Screenshot: Upload Triage Package dialog with Compressed File tab selected]

  2. Wait until upload finishes.

    [Screenshot: Compressed triage package upload progress completed]

Note

Provide the password if the file is protected.

Share Triage Package Remotely

  1. In the upload window, select the remote protocol (for example: SMB, S3, FTP).

    [Screenshot: Upload Triage Package dialog with SMB protocol selected]

    Note

    Ensure there is network connectivity between the SandsBytes server and the remote host, and that the supplied credentials can read the specified share.

    Note

    Mount the remote share read-only. Do not enable read/write on the mounted share: a writable mount risks overwriting evidence.

  2. Submit and wait for the package to appear in the Triage Packages table.

    [Screenshot: New triage package displayed in the Triage Packages table]

The folder-bolt action in the table indicates how many remote shares are mounted for the package.

[Screenshot: Share Mounts view showing mounted remote shares for a package]

Note

Active/Inactive indicates whether a remote share is currently mounted.

To activate or deactivate a remote share, click the folder-bolt action.

Note

Do not keep remote shares active once evidence processing is complete and the share is no longer needed: deactivate or delete the mount.

Browse Triage Packages

To browse uploaded packages, open the case page and select the Files tab.

[Screenshot: Case Files tab showing package and file browsing interface]

The interface shows available packages and their contents regardless of storage location:

  • Local files
  • Mounted remote files (shown with a green folder icon)

The system also supports recursive browsing inside .zip archives without requiring extraction.

From the same interface, you can download or delete individual files.
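The two notes above, mounting shares read-only so evidence is never overwritten and browsing .zip contents without extraction, come together in one practical check: hash every file in a package (and every member of every .zip inside it, streamed straight out of the archive) right after upload, and re-check before relying on the data. The Python below is an added example written for this guide, not SandsBytes code; the package layout, file contents and function names are constructed.

```python
import hashlib
import tempfile
import zipfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so a multi-GB image is never read into memory


def _sha256_stream(fh):
    h = hashlib.sha256()
    for block in iter(lambda: fh.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root to its SHA-256. Members of any .zip found
    on the way are hashed too, streamed out of the archive (no extraction),
    under the key '<archive>!/<member>'."""
    root = Path(root)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        with path.open("rb") as fh:
            manifest[rel] = _sha256_stream(fh)
        if zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as zf:
                for info in zf.infolist():
                    if not info.is_dir():
                        with zf.open(info) as member:
                            manifest[f"{rel}!/{info.filename}"] = _sha256_stream(member)
    return manifest


def verify_manifest(root, baseline):
    """Compare the tree against a manifest taken earlier. Any non-empty list means
    the evidence is no longer what was collected."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def is_intact(report):
    return not any(report.values())


def demo():
    """Constructed sample package, then the kind of damage a read/write mount allows."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = Path(tmp) / "DESKTOP-01"
        (pkg / "C" / "Windows").mkdir(parents=True)
        (pkg / "C" / "Windows" / "System.evtx").write_bytes(b"ElfFile\x00" * 64)
        (pkg / "C" / "NTUSER.DAT").write_bytes(b"regf" + b"\x00" * 100)
        with zipfile.ZipFile(pkg / "prefetch.zip", "w") as zf:
            zf.writestr("Prefetch/CMD.EXE-1A2B3C4D.pf", b"MAM\x04" + b"\x00" * 32)

        baseline = build_manifest(pkg)           # taken right after upload
        before = verify_manifest(pkg, baseline)  # nothing touched yet

        # A tool writing through a read/write share: one hive overwritten, one stray file.
        (pkg / "C" / "NTUSER.DAT").write_bytes(b"regf" + b"\xff" * 100)
        (pkg / "analyst_notes.txt").write_text("never write into evidence\n")
        after = verify_manifest(pkg, baseline)
        return len(baseline), before, after


if __name__ == "__main__":
    print(demo())
```

Store the baseline manifest outside the evidence tree (for example alongside the case record), otherwise whatever overwrote the evidence can overwrite the manifest as well.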

Process Triage Package

Process selected triage packages to run parsers and extract structured records for investigation.

  1. Select one or more packages in the Triage Packages table.

    [Screenshot: Selected triage package with Process action highlighted]

  2. Click Process.

  3. Select parsers to execute.

    [Screenshot: Process dialog with selected parsers and Submit action]

  4. Click Submit.

  5. Wait for processing to start.

    [Screenshot: Triage package processing started with live progress counters]

  6. Monitor progress values:

    • Pending: files waiting in the queue to be processed.
    • Running: files currently being processed.
    • Done: files that finished processing successfully.
    • Failed: files that could not be processed successfully.
    • Total: total number of recognized files in the selected package(s).

List Processed Files

Use the Processed Files view to inspect parser outcomes, record counts, and file-level processing details.

  1. Click a triage package in the Triage Packages table.

    [Screenshot: Clicking a triage package to open processed files]

  2. Review the Processed Files list, including:

    • Status: Pending, Running, Done, or Failed.
    • Pushed records: records parsed and stored in the database.
    • Failed records: records that were parsed but could not be stored in the database; check the parser's output for the cause.

    [Screenshot: Processed Files table showing status, pushed records, and failed records]

    Note

    Processed files represent the file-parser pair. For example, if multiple parsers are executed on a single NTUSER.DAT file, that file appears multiple times with different parsers.

  3. Click a row to open full file details, including the full stored path.

    [Screenshot: Expanded processed file rows showing full stored path details]

  4. To upload files to an existing package, click the Upload action in the package Actions column.

    [Screenshot: Upload action in triage package actions column]

  5. To download files, select the target files and click Download. The browser downloads a compressed package containing the selected files.

    [Screenshot: Processed Files table with selected files and Download action]
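To make the note about file-parser pairs concrete: the Total counter and the Processed Files list are built from (file, parser) pairs, so one NTUSER.DAT matched by three registry parsers yields three rows and adds three to Total, while a file no selected parser recognises yields no row at all. The Python below is an added illustration, not SandsBytes code: the parser catalogue, its file patterns, the sample package listing and the fake_parse stand-in are all constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Constructed parser catalogue (not SandsBytes' real parser list): each parser
# declares the artifact file names it understands, matched case-insensitively.
PARSERS = {
    "evtx_records": ["*.evtx"],
    "registry_keys": ["ntuser.dat", "usrclass.dat", "system", "software", "sam"],
    "registry_userassist": ["ntuser.dat"],
    "registry_shellbags": ["ntuser.dat", "usrclass.dat"],
    "prefetch": ["*.pf"],
}


@dataclass
class Job:
    """One Processed Files row: a (file, parser) pair with its own status and counts."""
    path: str
    parser: str
    status: str = "Pending"  # Pending -> Running -> Done | Failed
    pushed: int = 0          # records parsed and stored
    failed: int = 0          # records parsed but rejected by storage


def plan_jobs(paths, selected_parsers):
    """Expand package files into file-parser pairs. A file several selected parsers
    recognise yields several jobs; a file none recognises yields nothing."""
    jobs = []
    for path in paths:
        name = path.rsplit("/", 1)[-1].lower()
        for parser in selected_parsers:
            if any(fnmatchcase(name, pattern) for pattern in PARSERS[parser]):
                jobs.append(Job(path, parser))
    return jobs


def progress(jobs):
    """The live counters. Total counts recognised file-parser pairs, not uploaded files."""
    c = Counter(job.status for job in jobs)
    return {**{s: c[s] for s in ("Pending", "Running", "Done", "Failed")}, "Total": len(jobs)}


def run_jobs(jobs, parse):
    """Drive each job through its states. parse(job) returns (pushed, failed_records)
    and raises when the file cannot be parsed at all, which marks the job Failed."""
    for job in jobs:
        job.status = "Running"
        try:
            job.pushed, job.failed = parse(job)
            job.status = "Done"
        except Exception:
            job.status = "Failed"
    return progress(jobs)


SAMPLE_PATHS = [  # constructed listing of one triage package
    "C/Users/bob/NTUSER.DAT",
    "C/Windows/System32/winevt/Logs/Security.evtx",
    "C/Windows/Prefetch/CMD.EXE-1A2B3C4D.pf",
    "C/Users/bob/Desktop/notes.txt",
]


def fake_parse(job):
    """Stand-in for real parsers: the prefetch file is corrupt and fails outright,
    shellbags pushes 40 records and has 2 rejected, everything else pushes 100."""
    if job.parser == "prefetch":
        raise ValueError("truncated MAM header")
    if job.parser == "registry_shellbags":
        return 40, 2
    return 100, 0


if __name__ == "__main__":
    jobs = plan_jobs(SAMPLE_PATHS, list(PARSERS))
    print(progress(jobs))
    print(run_jobs(jobs, fake_parse))
    for job in jobs:
        print(job)
```

Running it shows Total 5 for four uploaded files (notes.txt is not counted, NTUSER.DAT appears three times), and after processing Done 4, Failed 1, with the Failed row carrying no pushed records while the shellbags row is Done with 2 failed records: the two columns measure different things.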

Assign Members to the Case

Assign case members so they can collaborate on case tasks, requirements, findings, and related actions.

  1. Open the case page.

  2. In Assigned Members, click the + button.

    [Screenshot: Assigned Members box with plus button highlighted]

  3. Select a user to assign.

    [Screenshot: Assign Member dialog with selected user]

  4. Confirm assignment.

To remove a user from the case, click the x button next to that member in Assigned Members.

[Screenshot: Assigned Members box with remove (x) action highlighted]

Add Evidence to Case

Add evidence records to document collected artifacts such as images, dumps, captures, and related metadata.

  1. Open the case page.

  2. Open the Evidence tab.

  3. Click Create.

    [Screenshot: Evidence tab with Create button highlighted]

  4. Fill in the evidence information.

    [Screenshot: Create Evidence form with required evidence information fields]

  5. Click Create Evidence.

Add Case Requirement

Create requirements to track requests, dependencies, and obligations from internal or external stakeholders.

  1. Open the case page.

  2. Open the Requirements tab.

  3. Click Create.

    [Screenshot: Requirements tab with Create button highlighted]

  4. Fill in the requirement information.

    [Screenshot: Create Requirement form with requirement fields]

  5. Click Create Requirement.

Create Case Task and Assign to Member

Create tasks to organize investigation work and assign responsibilities to case members.

  1. Open the case page.

  2. Open the Tasks tab.

  3. In the Kanban board, click Create from the phase column.

    [Screenshot: Tasks tab with Kanban columns and Create buttons highlighted]

  4. Fill task information, including assigned users.

    [Screenshot: Create Task form with assigned users field]

    Note

    The assigned users field only displays members assigned to the case.

  5. Save.

Create Case Project Timeline Event

Users can add custom events to the Case Project Timeline to capture milestones in the case lifecycle, such as case opening, request received, analysis start, and analysis end.

Note

The Case Project Timeline is intended to track case-related activities and procedural events, not attacker-related findings or IoCs.

This feature improves auditability and supports accurate reconstruction of the case handling process.

[Screenshot: Case Timeline tab showing event milestones across the case lifecycle]

Each event can include both start and end dates. If no end date is provided, the event is treated as a single-point milestone.

  1. Open the case page.

  2. Select the Case Timeline tab.

  3. Click Create.

  4. Fill event information and save.

    [Screenshot: Create Timeline Event form with event, dates, and notes fields]

To edit or delete an event, right-click the target event in the timeline chart and select the required action.

[Screenshot: Case Timeline event actions showing edit and delete buttons]

Create Case Finding

To manage analyst-confirmed findings related to attacker activities:

  1. Open the case page.

  2. Select the Findings tab.

  3. Review findings in the timeline chart.

  4. Click a finding in the chart to open details and associated IoCs.

    [Screenshot: Findings tab timeline with selected finding details and associated IoCs]

  5. Click Create to add a new finding.

    [Screenshot: Findings tab with Create button highlighted]

  6. Fill finding information and save.

    [Screenshot: Create Finding form with finding details fields]

Create IoC Associated with Finding

Add IoCs to a finding to capture forensic indicators linked to confirmed suspicious or malicious activity.

  1. Open the Findings tab of the case page.

  2. Select the target finding.

  3. In finding details, click Create in the IoCs table.

    [Screenshot: Finding details with IoCs table Create button highlighted]

  4. Select IoC type (File, Network, or Account).

    [Screenshot: Create Indicator of Compromise form with IoC type options]

  5. Fill in the IoC information and click Create.

List All IoCs in Case

Review all case IoCs in one place to validate indicators, compare types, and manage entries efficiently.

  1. Open the case page.

  2. Open the Findings tab.

  3. In the IoCs table at the bottom, review all IoCs related to findings in the case.

    [Screenshot: Findings tab showing IoCs table listing all case-related indicators]

    Note

    If an IoC exists in another case, a yellow badge appears beside it indicating how many other cases contain the same IoC.

  4. To edit or delete an IoC, go to the Actions column.

    [Screenshot: IoCs table Actions column with edit and delete buttons]

Download IoCs

Export IoCs to CSV for sharing, offline review, or ingestion into other security tools.

  1. Select the required IoC type tab.

  2. Click Download.

    [Screenshot: IoCs table with type tabs and Download button highlighted for CSV export]

    [Screenshot: Exported IoCs CSV file preview]

  3. Save the exported CSV.
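Putting the IoC features of the last three sections together, as an added example that is not SandsBytes code: a normalization step that decides when two entries are the same indicator (hash case, hostname case and trailing dot, canonical IP text), the other-cases count that the yellow badge shows, and a per-type CSV export like the Download button produces. The export also neutralises spreadsheet formula injection: an attacker-controlled file name or account string that begins with =, +, - or @ is otherwise executed as a formula when an analyst opens the CSV in Excel or LibreOffice. The IoC types follow the page (File, Network, Account); the column names, sample cases and every value are constructed.

```python
import csv
import io
import ipaddress
import re

HASH_RE = re.compile(r"(?i)[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}")  # MD5 / SHA-1 / SHA-256


def normalize(ioc_type, value):
    """Canonical form used to decide that two IoCs are the same indicator."""
    v = value.strip()
    if ioc_type == "File":
        return v.lower() if HASH_RE.fullmatch(v) else v  # hashes are case-insensitive, paths are not
    if ioc_type == "Network":
        v = v.lower().rstrip(".")  # hostnames: case-insensitive, drop a trailing root dot
        try:
            return str(ipaddress.ip_address(v))  # IPs: canonical text (e.g. compressed IPv6)
        except ValueError:
            return v
    if ioc_type == "Account":
        return v.lower()  # Windows principals are case-insensitive
    raise ValueError(f"unknown IoC type: {ioc_type!r}")


def cross_case_counts(iocs):
    """For every distinct (type, value) return how many OTHER cases also contain it,
    i.e. the number the yellow badge shows beside the IoC."""
    cases_by_ioc = {}
    for ioc in iocs:
        key = (ioc["type"], normalize(ioc["type"], ioc["value"]))
        cases_by_ioc.setdefault(key, set()).add(ioc["case"])
    return {key: len(cases) - 1 for key, cases in cases_by_ioc.items()}


def csv_safe(text):
    """Defuse spreadsheet formula injection: a cell starting with = + - @ (or a
    tab/CR) is evaluated as a formula when the CSV is opened in a spreadsheet."""
    return "'" + text if text and text[0] in "=+-@\t\r" else text


def export_iocs_csv(iocs, case, ioc_type):
    """CSV for one case and one IoC type tab, with the other-cases count as a column."""
    counts = cross_case_counts(iocs)
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["type", "value", "finding", "other_cases"])
    for ioc in iocs:
        if ioc["case"] == case and ioc["type"] == ioc_type:
            key = (ioc_type, normalize(ioc_type, ioc["value"]))
            writer.writerow([ioc_type, csv_safe(key[1]), csv_safe(ioc["finding"]), counts[key]])
    return buf.getvalue()


SAMPLE_IOCS = [  # constructed: three cases, two of which share indicators with CASE-1
    {"case": "CASE-1", "finding": "Cobalt Strike beacon", "type": "Network",
     "value": "Updates.Example-CDN.net."},
    {"case": "CASE-1", "finding": "Cobalt Strike beacon", "type": "File",
     "value": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"},
    {"case": "CASE-1", "finding": "Dropped file name", "type": "File",
     "value": "=cmd|'/C calc'!A0"},
    {"case": "CASE-1", "finding": "Persistence via scheduled task", "type": "Account",
     "value": "CORP\\svc_backup"},
    {"case": "CASE-2", "finding": "Beacon callback", "type": "Network",
     "value": "updates.example-cdn.net"},
    {"case": "CASE-2", "finding": "Beacon dropper", "type": "File",
     "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    {"case": "CASE-3", "finding": "DNS beacon", "type": "Network",
     "value": "updates.example-cdn.net"},
]


if __name__ == "__main__":
    for ioc_type in ("File", "Network", "Account"):
        print(export_iocs_csv(SAMPLE_IOCS, "CASE-1", ioc_type))
```

The leading apostrophe is the OWASP-recommended neutraliser and is visible to whoever consumes the file; if the CSV is meant for machine ingestion rather than a spreadsheet, strip it on the receiving side or skip csv_safe for hash and IP columns, which can never begin with those characters anyway.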

Generate Case Report

Generate a structured case report from case data using predefined report templates.

Users can automatically generate case reports from information stored in the system. Reports use predefined templates in the CASE_REPORT category, which helps standardize documentation and reduce manual effort.

  1. Open the case page.

  2. Open the Reports tab.

    [Screenshot: Reports tab listing generated case reports]

  3. Click Create.

  4. Select the report template and enter a report name; setting a password on the report is optional.

    [Screenshot: Create Report dialog with template, name, and optional password fields]

    Note

    The report name can be written as a Jinja template. Refer to the Template Management section for more information about Jinja syntax.

  5. Submit generation.

Download Case Report

Download generated reports for distribution, archival, and case documentation.

  1. Open the Reports tab on the case page.

  2. Find the target report.

  3. Click Download.

    [Screenshot: Reports table Actions column showing download button for case report]

    [Screenshot: Downloaded case report preview pages]

    Note

    Refer to the Template Management section to customize generated report templates.

  4. Save the file locally.