Over the last few modules, you've learned how to navigate, manage, and design records. Now it's time to see how records integrate with another powerful Tines feature: Cases.
A case is a collaborative workspace in Tines designed for work that requires human judgment, investigation, or decision-making. While your stories handle automated execution and your records store structured data, cases provide the space where your team analyzes what happened, decides on next steps, and drives issues to resolution.
How records and cases work together
If records are your team's structured data storage, cases are your team's collaborative workspace.
Records answer the question: "What happened?"
Cases answer the question: "What should we do about it?"
Let's walk through a realistic scenario to see how they complement each other.
Step 1: Your story captures a record. Your workflow enriches the alert with threat intelligence and user context, then captures a record with the details: username, IP address, location, risk score, timestamp, and enrichment data. This record is now stored and queryable, even after the story run completes.
Step 2: Your story creates a case. Because the risk score is high, your workflow automatically creates a case and assigns it to your security team for investigation.
Step 3: The record is attached to the case. Your workflow attaches the record to the case. Now your security team sees all the enriched data, neatly structured and attached right there in the case.
Step 4: Your team investigates and resolves. Your team reviews the attached record, sees the risk score and location data, and uses that context to make an informed decision. They might click a case action to disable the user account, add notes documenting their investigation, link related records if they find additional alerts, or close the case once the issue is resolved.
Step 5: The data remains queryable. After the case is closed, the record remains in your records table. You can query it to analyze the number of high-risk alerts over time, measure resolution times, or identify patterns in login anomalies. The case provided the workspace for investigation. The record provided the data that informed the decision.