Actions
Case Actions
All the Case Management Case Actions.
Create Case
Create a new case in case management by filling in the following parameters in the step.Create Case: Required and Optional Fields
Create Case: Required and Optional Fields
| Parameter | Description |
|---|---|
| Case Name | The name of the case. |
| Status | The case’s status. |
| Case Type | The case type defines the classification or category assigned to the case. |
| Case Manager | The user or group assigned to handle the case |
| Severity | The severity rank of your Case. It can be: Low, Medium, High or Critical. |
| SLA | The duration of time within which a task pertaining to the case must be completed before the SLA time period is reached. |
| Tags | Tags linked to the case. |
| Vendors | The Vendor associated with the case. |
| Overview | A brief summary of the case. |
| Collaborators | Users who collaborate on the case. |
| Custom Fields (JSON Format) | Add a Custom Field in JSON format. Please note that this applies only if you have manually added a custom record column to the subject table. |
| Advanced- Dedup Table | The selected table to evaluate the duplicated condition (Dedup Condition) against. |
| Advanced- Dedup Condition | The duplicate condition to check whether to insert the record or not. When the condition is met, the record will not be inserted. |
| Advanced- Linked Observables | The Name and ID of the Observable you want to link to the Case. |
| Advanced- Linked Alerts | The Name and ID of the Alert you want to link to the Case. |
| Advanced- Linked Attachments | The Name and ID of the Attachment you want to link to the Case. |
| Advanced- Linked Tasks | The Name and ID of the Tasks you want to link to the Case. |
| Advanced- Linked Cases | The Name and ID of a different Case you want link to the Case |
Case Deduplication
The Case Deduplication action relies on defined conditions—such as matching observables (e.g., usernames, file hashes, IP addresses) and their relationships— defined in the Deduplication Rules section to determine if a new alert is part of an existing investigation. When a match is found, the alert and its observables are linked to the existing case, enabling more efficient triage, investigation, and response. If no match is found, a new case is created entirely.| Parameter | Description |
|---|---|
| Alert ID | The Alert’s ID |
| Create a case for unique alerts | When checked, a new case will be created if no duplicate is found. |
| Status | The current status of the case |
| Case Type | The case type defines the classification or category assigned to the case. |
| Case Manager | The user or group assigned to handle the case |
| Severity | The severity rank of your Case. It can be: Low, Medium, High or Critical. |
Share Case
Share a Case with a selected user or group- You can only share a Case if a user has a Blink account
- If a Case is shared with a user who has only Viewer permissions for Case Management, but their overall user role (e.g., “Owner” with full access) allows for more permissions, they will still be able to edit the Case. In this scenario, their higher role permissions override the “Viewer” restriction on the shared Case.
| Parameter | Description |
|---|---|
| Share Action | 1. Add Shared Users and Groups: Adds the selected users and groups to the existing list of shared users without removing any current access permissions. or 2.Overwrite shared users and groups: Replaces all previously shared users and groups with the new selection, removing access permissions for anyone not included in this update |
| Case ID | The ID of the Case. It can be the id or the case_id field of the Case. |
| Share Scope | Determines whether a user with whom the case is shared has Viewer orEdit RBAC permissions. |
| Users and Groups | The internal user or group to share the selected case with. |
Unshare Case
This action will unshare a case with the selected user or groups| Parameter | Description |
|---|---|
| Case ID | The ID of the Case. It can be the id or the case_id field of the Case. |
| Users and Groups | The internal user or group to share the selected case with. |
Append to Case Overview
This action appends a text to the overview of a Case.| Parameter | Description |
|---|---|
| Case ID | The ID of the Case. It can be the id or the case_id field of the Case |
| Overview | text to append to the case overview |
Append Attachment to Case Overview
This action appends an attachment to the overview of a Case.Ensure that the attachment is an image; otherwise, it will appear as a broken file icon in the case overview.
| Parameter | Description |
|---|---|
| Case ID | The ID of the Case. It can be the id or the case_id field of the Case |
| Attachment ID | The ID of the attachment. It needs to use the attachment field of the attachment |
| Width | The width of the attachment in pixels. The height will automatically adjust to maintain the image’s proportions |
Append Tags to Case
This action appends tags to your Case. The new tags are in addition to the existing case tags.| Parameter | Description |
|---|---|
| Case ID | The ID of the Case. It can be the id or the case_id field of the Case |
| Tags | Tag Options |
Delete Case
Deleting a Case from the Case Management interface by filling in the case ID. The ID can be the display ID e.g. INC-00001 or the GUID of the case, obtainable from the case object.| Parameter | Description |
|---|---|
| Case | The ID of the Case. It can be the id or the case_id field of the Case |
Update Case
Updating Case in the Case Management interface by filling in the following parameters, This action overwrites the existing data of the case.Update Case: Required and Optional Parameters
Update Case: Required and Optional Parameters
| Parameter | Description |
|---|---|
| Case ID | The ID of the Case. It can be the id or the case_id field of the Case |
| Case Name | The name of the case. |
| Case Type | The case type defines the classification or category assigned to the case. |
| Case Manager | The user or group assigned to handle the case |
| Severity | The severity rank of your Case. It can be: Low, Medium, High or Critical |
| SLA | The duration of time within which a task pertaining to the case must be completed before the SLA time period is reached |
| Tags | Tags linked to the case |
| Vendors | Vendors involved in the case |
| Overview | A brief overview of the case. |
| Case Summary | A brief summary of the case. |
| Status | The case’s status. |
| Collaborator | Email Address of people collaborating on the case with you |
| Custom Fields (JSON Format) | Add a Custom Field in JSON format. Please note that this applies only if you have manually added a custom record column to the subject table. |
Update Case Status SLA
Changing the Case Status SLA by filling in the following parameters in the step. Use the variable picker to select either the
id or the case_id of the case to be updated from a previous step or the Workflows inputs. Alternatively, you can choose a specific case directly from the dropdown menu. | Parameter | Description |
|---|---|
| Case ID | The ID of the Case. It can be the id or the case_id field of the Case |
| Status | The case’s status |
| SLA | The time duration in Days, Hours, or Minutes. |
Close Case
Changing the status of a Case to Closed by filling in the following parameters in the step.| Parameter | Description |
|---|---|
| Case | The ID of the Case. It can be the id or the case_id field of the Case. |
| Close Reason | Reason for closing the Case - Automatically Resolved, Completed, False Positive, Duplicate or No action needed. |
| Close Details | Details about closing the Case |
| Close Linked Tasks | Close all non-blocking tasks linked to the case |
Get Case URL
Get a specific Case’s URL address.| Parameter | Description |
|---|---|
| Case ID | The ID of the Case It can be the id or the case_id field of the Case |
Add Comment to Case
Add a comment to a chosen Case| Parameter | Description |
|---|---|
| Case ID | The ID of the Case. It can be the id or the case_id field of the Case |
| Comment | The Content of the Comment to add to the Case |
Export Case
Exports the given case and its relevant data as aZIP containing:
PDFfile containing case details (metadata and overview).CSVfile containing the case timeline. -CSVfiles for all related case management tables.- Attachment files associated with the case.
The maximum size of a file created by a step is
500 MB.For more information, see Files Limitations and Workflow Runtime Limitations.| Parameter | Description |
|---|---|
| Case ID | Use the variable picker to select either the id or the case_id of the case to be updated from a previous step or the workflow inputs.Alternatively, you can choose a specific case directly from the dropdown menu. |
| File Identifier | The identifier of the file. This will be used as input for subsequent steps. Please ensure the file identifier ends with .zip. |
List Timeline Events
List a case’s timeline events.| Parameter | Description |
|---|---|
| Case ID | Use the variable picker to select the id of the case to be updated from a previous step or the automation inputs. Alternatively, you can choose a specific case directly from the dropdown menu. |
| Event Type | Filter the timeline events by specific event types. Multiple event types can be selected. |
| From | The start date for filtering timeline events. |
| To | The end date for filtering timeline events. |
| Limit | Limit the number of results. |
| Offset | The offset of the results. |
