Seeking Case Management Users

  • September 21, 2025
  • 3 replies
  • 89 views

imaxbr

We integrated SecOps with another case management solution. Now we are thinking about starting to use the case management directly on SOAR.

Can anyone share pros and cons of using SOAR native case management?

Some things that I've found:

Pros:

- Good escalation options

- SLAs 

- Full compatibility with AI features (MCPs, Agentic...).

 

Cons:

- Limited comment options and features 

- Usability is not good (I'm watching the skillboost series to learn more).

- Didn't find a way to correlate cases

 

Any experiences are welcome.

 

3 replies

_K_O
  • Bronze 5
  • September 23, 2025

[removed by moderator] we made the shift to SecOps case management about a year ago and your pros and cons are spot on. I’d add the following:

Pros:

  • Centralized Case Management: This was a big one for us, just having all ticket queues go to a central place
  • Automation with the SOAR: Being able to add automation for different ticket types is very useful
  • Enrichment: Being able to add enrichment to the tickets has helped reduce manual effort

Cons:

  • You cannot automatically attach playbooks on case closure which can be annoying
  • Case closure notes are not in Rich text format which means that you have to use the case wall for notes. This is honestly my biggest issue with the case management solution as it really does not lend itself well to closing out cases from an analyst perspective. This also makes auditing a pain.
  • The chat functionality is a gimmick
  • The requests functionality when asking others for help doesn’t have a good way to notify people so it’s basically useless
  • Modifying the case layout requires dev experience for frontend development
  • Pending actions do not prevent a case from being closed

imaxbr
  • Author
  • Bronze 2
  • October 9, 2025

Thanks for the reply, KO.

I will use your feedback and discuss with the team.


AymanC
  • Bronze 5
  • October 23, 2025

Hi @imaxbr,

SecOps case management works for us. There are some true limitations and nice-to-haves that are missing, such as colour tagging, removing tags and removing custom fields, and there are some capabilities that aren’t available out of the box, but using the Swagger and intercepting network traffic when performing activity within the GUI really allows for flexibility to solve a lot of use cases with custom actions.

For example, @_K_O mentions the following point:

“Case closure notes are not in Rich text format which means that you have to use the case wall for notes. This is honestly my biggest issue with the case management solution as it really does not lend itself well to closing out cases from an analyst perspective. This also makes auditing a pain.”

 

We also had this pain point. What we did was use the quick action functionality: we custom-created an action that would close a case and add extra ‘fields’ (this was before there were extra fields within the native way to close a case), some of which have automation in the backend. For example, we have a tick button box which allows an analyst to request modification to the rule; if they tick the button, it creates a ticket in our ITSM solution. If anyone tries to close a case other than from this quick action button, we have a job that runs every minute, checks how the case was closed and re-opens the case.

 

From an auditing perspective, it ensures ALL cases that are closed contain the expected output, and it also allows us to grab this data from SOAR advanced reports by using the ‘Result Value’ (your action can output the quick action’s input from the analyst), allowing us to report on data. It’s messy and not out of the box, but it works. This may be a flow of interest for your pain point.

 

Kind Regards,

Ayman
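
The closure-enforcement job described in the reply above, sketched as an added example that is not part of the thread and is not Google SecOps code. The action name, field names, record shapes and the `reopen` callback are all hypothetical; the real platform calls would sit behind `reopen` and behind whatever fetches the two input lists.

```python
import json

# Hypothetical names: the closing quick action and the inputs it must record.
CLOSE_ACTION = "Close Case With Fields"
REQUIRED_FIELDS = ("root_cause", "closure_notes", "rule_change_requested")

def closure_problem(case_id, action_results):
    """Return None if the case was closed through the quick action with
    complete input, otherwise a short reason why it should be reopened."""
    runs = [r for r in action_results
            if r["case_id"] == case_id and r["action"] == CLOSE_ACTION]
    if not runs:
        return "closed outside the quick action"
    latest = max(runs, key=lambda r: r["ran_at"])
    try:
        fields = json.loads(latest["result_value"])
    except (TypeError, ValueError):
        return "result value is not valid JSON"
    if not isinstance(fields, dict):
        return "result value is not a JSON object"
    # False is a legitimate answer for a tick box, so only None/"" count as missing.
    missing = [f for f in REQUIRED_FIELDS if fields.get(f) in (None, "")]
    return "missing fields: " + ", ".join(missing) if missing else None

def reconcile(closed_cases, action_results, reopen):
    """One pass of the periodic job: reopen every non-compliant closed case.
    reopen(case_id, reason) is supplied by the caller (assumed platform call)."""
    reopened = []
    for case in closed_cases:
        reason = closure_problem(case["case_id"], action_results)
        if reason:
            reopen(case["case_id"], reason)
            reopened.append((case["case_id"], reason))
    return reopened

# Constructed sample data: 101 is compliant, 102 was closed natively,
# 103 left a required field empty, 104 has a corrupted result value.
SAMPLE_CASES = [{"case_id": n} for n in (101, 102, 103, 104)]
SAMPLE_RESULTS = [
    {"case_id": 101, "action": CLOSE_ACTION, "ran_at": 10, "result_value":
     '{"root_cause": "phishing", "closure_notes": "reset", "rule_change_requested": false}'},
    {"case_id": 103, "action": CLOSE_ACTION, "ran_at": 12, "result_value":
     '{"root_cause": "", "closure_notes": "fp", "rule_change_requested": true}'},
    {"case_id": 104, "action": CLOSE_ACTION, "ran_at": 13, "result_value": "not json"},
]

if __name__ == "__main__":
    for cid, why in reconcile(SAMPLE_CASES, SAMPLE_RESULTS, lambda c, w: None):
        print(cid, why)
```

Recording the reason alongside each reopen gives auditors the same trail for rejected closures as the result value gives for accepted ones.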