FAQ
Common questions from analysts and administrators.
Alerts and cases
What is the difference between an alert and a case?
An alert is an incoming event from a connected source (SIEM, EDR, email gateway). It represents a signal that may or may not require investigation. A case is the investigation object — it groups tasks, observables, and a timeline. You promote an alert to a case by clicking Yes, Import in the Alert Preview panel.
What happens to an alert after I import it to a case?
The alert status changes to Imported and the linked case number appears in the # Case column. The alert remains visible in the alert list — it is not deleted. You can still view it, but it cannot be imported again.
Can I add an alert to an existing case instead of creating a new one?
Yes. Select the alert in the list, click Merge selection into case in the action bar, enter the target case number, and confirm. The alert status changes to Imported.
Can I merge multiple alerts into one case at once?
Yes. Tick the checkboxes on multiple alert rows, then click New case from selection to create one case from all of them, or Merge selection into case to add them all to an existing case.
Cases and tasks
How do I pick up work that nobody has claimed?
Open Waiting Tasks in the sidebar. The list shows all unassigned tasks with status Waiting across your organisation. Click Take on any row to assign the task to yourself and set it to In Progress.
How do I close a case?
Click the Close case button (checkmark icon) in the case toolbar. Confirm the prompt, handle any open tasks if the platform warns you, then select the outcome Status (True Positive, False Positive, Indeterminate, or Other), enter a Summary, and click Close case.
Can I reopen a closed case?
Yes. Open the case and click Reopen Case in the top-right menu. The case status returns to Open.
How do I see only my own tasks?
Click My Tasks in the sidebar. The page lists all tasks assigned to you with status Waiting or In Progress.
Observables and analyzers
How do I run an analyzer on an observable?
On the Observables tab, tick the checkbox next to one or more observables, then click Run Analyzers in the toolbar. Select the analyzers you want to run and click Run Selected Analyzer. Results appear in the observable row once processing completes.
How do I mark an observable as an IOC?
Tick the checkbox on the observable row, click Edit in the toolbar, enable the Is IOC toggle, and save. Alternatively, open the observable detail and set the flag there. Only IOC-flagged observables are exported to MISP.
How do I bulk-edit observables?
Select multiple observables using the row checkboxes, then click Edit in the toolbar. The Edit Observable(s) dialog lets you change TLP, set or clear flags, and add or remove tags across all selected observables in one operation.
How do I export observables?
Click Export in the Observables tab toolbar. Choose Copy to clipboard or Save to file, select the format, enable Protect if you want a password-protected archive, and confirm.
Dashboards and search
How do I create a personal dashboard?
Open Dashboard in the sidebar, click + in the toolbar, and choose Create dashboard. New dashboards are Private by default. You can add panels using the + button inside the dashboard and set them to Shared from the dashboard settings.
How do I search across all cases, alerts, and observables?
Click Search in the sidebar. Use the six tabs — Cases, Tasks, Task Logs, Observables, Alerts, Jobs — to scope your search. Results appear only after at least one filter is applied in the active tab.
Administration
How do I create a new user?
Go to Organisation > Users (requires manageUser permission). Click Add User, fill in the login, name, and profile, and save. The user receives an email invitation to set their password.
How do I reset a user’s session?
Go to Organisation > Users, find the user row, and click Kill Session. This immediately invalidates the user’s active session token.
What is the admin organisation?
A reserved organisation created automatically after installation. It is used for platform-wide administration (managing organisations, profiles, tags, custom fields). The admin organisation cannot hold cases or alerts.
How do I generate an API key for myself?
Open the account menu (avatar icon in the top-right header) and go to Settings. Navigate to the API key section and click Create. Copy the key immediately — it is shown only once. To replace an existing key, click Renew in the same section.
Workflows and automation
How do I activate a workflow so it runs on a trigger?
Open the workflow in the editor and click Publish in the top toolbar. Workflows that use a Cron or webhook trigger only fire while active. Newly imported workflows are inactive by default.
How do I retry a failed workflow execution?
Go to the Executions tab in the workflow editor, find the failed run, and click the retry icon in the Status column. Choose Retry with currently saved workflow to use the latest version, or Retry with original workflow to replay the run exactly as it was at the time of failure.
How do I import a built-in workflow example?
Go to Workflows in the top menu and click Import from file. Select the JSON file from /opt/energysoar/lib/playbooks/ on the server, or copy a JSON file from another instance. The imported workflow appears in your workflow list as inactive.