Cases don't exist in isolation. They're part of a larger ecosystem within Tines designed to help you capture, collaborate on, and visualize the work happening across your workflows. To understand how it all connects, let's follow a realistic scenario from start to finish.
ℹ️Info
Here's how cases, stories, records, and dashboards work together to handle it.
Cases and stories
Stories are your automated workflows in Tines. They handle the predictable, repeatable parts of your processes. In our scenario, you've built a story that receives security alerts, enriches them with threat intelligence, and checks the user's recent activity.
Your story runs, pulls back the data, and determines that this alert has a high-risk score. That's not something automation should handle alone. So the story creates a case and assigns it to your security team for investigation.
Cases step in when automation reaches its limits. The case your story created gives your team a collaborative workspace to review the enriched data, discuss what they're seeing, and decide on next steps.
But the relationship doesn't end there. Inside the case, your team can use case actions to trigger other stories. Maybe they click "Disable user account" or "Request additional context from manager." Those buttons kick off new workflows that execute the team's decision automatically. Your stories can also monitor case changes using webhook notifications, so when the team closes the case as "false positive," another story might automatically update your threat intelligence feed.
💡Note
Cases and records
While the story was running, it wasn't just creating a case. It was also capturing data.
Records are how you structure and store event data from your story runs. In our scenario, every time the alert enrichment story runs, it captures key details into a "Security Alerts" record type: the username, IP address, location, risk score, and timestamp.
When the story creates the case, it attaches that record as an artifact. Now your team doesn't just see a case title. They see the full context; all the enriched data, neatly structured and attached right there in the case. If the story runs additional checks (like pulling the user's recent login history), those might be captured as child records and attached as well.
In short: Records capture what happened, cases help you decide what to do about it.
ℹ️Info
Cases and dashboards
Now let's zoom out. This isn't the only alert your team handles. You're getting dozens, maybe hundreds, every week.
Dashboards let you visualize data from both records and cases in a single view. You might create a dashboard that shows:
A chart of security alerts over time (pulled from your records).
A breakdown of alert types and risk scores (also from records).
A filtered case view showing all open security cases assigned to your team.
Key metrics like mean time to resolve (MTTR) for security incidents.
ℹ️Info
The full picture
Let's bring it all together and see the complete flow:
Your stories run and capture structured data using records.
Cases are created (often automatically by a story) when something needs human attention, with relevant records attached as context.
Your team collaborates in the case, takes action using case actions that trigger stories, and resolves the issue.
Stories respond to case changes and continue automation based on decisions made in the case.
Dashboards visualize the data from records and cases, giving you a real-time view of what's happening and how your team is performing.