MicrosoftDocs
diff --git a/‎unified-secops-platform/cases-overview.md‎
Lines changed: 1 addition & 1 deletion b/‎unified-secops-platform/cases-overview.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎unified-secops-platform/media/mto-manage-cases/mto-cases-queue.png‎
121 KB b/‎unified-secops-platform/media/mto-manage-cases/mto-cases-queue.png‎
121 KB
diff --git a/‎unified-secops-platform/media/mto-manage-cases/mto-create-case.png‎
39.5 KB b/‎unified-secops-platform/media/mto-manage-cases/mto-create-case.png‎
39.5 KB
diff --git a/‎unified-secops-platform/mto-manage-cases.md‎
Lines changed: 19 additions & 89 deletions b/‎unified-secops-platform/mto-manage-cases.md‎
Lines changed: 19 additions & 89 deletions
@@ -33,7 +33,7 @@ Case management enables you to manage SecOps cases natively in the Defender port
 - Assign tasks to collaborators and configure due dates
 - Handle escalations and complex cases by linking multiple incidents to a case
 - Manage access to your cases using RBAC
-- Manage cases spanning multiple tenants using multitenant management (Preview)
+- [Manage cases from multiple tenants using the multitenant portal (Preview)](mto-manage-cases.md)
 
 As we build on this foundation of case management, we're prioritizing these additional robust capabilities as we evolve this solution:
 
 
@@ -1,6 +1,6 @@
 ---
-title: Manage cases across multiple tenants in the Microsoft Defender portal
-description: Learn about case management features for unified security operations across multiple tenants in the Microsoft Defender portal.
+title: View and manage cases across multiple tenants in the Microsoft Defender multitenant portal
+description: Learn how to use the Microsoft Defender multitenant portal to manage cases across multiple tenants.
 search.appverid: met150
 ms.service: unified-secops-platform
 ms.author: yelevin
@@ -14,115 +14,45 @@ ms.collection:
 - usx-security
 ms.topic: conceptual
 
-# customer intent: As a business decision maker for a security operations center, I want to learn about the multi-tenant case management tools available in the Microsoft Defender portal so I can unify security tickets and increase visibility across multi-tenant environments, both hybrid and multicloud; and disrupt attacks on identities, endpoints, email, cloud apps, and data in real time.
+# customer intent: As an analyst or an engineer in a security operations center, I want to learn how to use the multi-tenant capabilities of the case management tools available in the Microsoft Defender portal. This knowledge will help me unify security tickets and increase visibility across multi-tenant environments, both hybrid and multicloud; and disrupt attacks on identities, endpoints, email, cloud apps, and data in real time.
 ---
 
-# Manage multi-tenant security operations cases in the Microsoft Defender portal
+# View and manage cases across multiple tenants in the Microsoft Defender multitenant portal
 
-Case management is the first installment of new capabilities for managing security work when you onboard to Microsoft's unified security operations (SecOps) platform.
-
-This initial step toward delivering a unified, security-focused case management experience centralizes rich collaboration, customization, evidence collection, and reporting across SecOps workloads. SecOps teams maintain security context, work more efficiently, and respond faster to attacks when they manage case work without leaving the Defender portal.
-
-<a name="what-is-case-management-preview"></a>
-
-## What is case management?
-
-Case management enables you to manage SecOps cases natively in the Defender portal. Here's the currently supported set of scenarios and features.
+Case management in the [**Microsoft Defender multitenant portal**](https://mto.security.microsoft.com) allows you to view and manage security operations (SecOps) cases from multiple tenants in a single queue. Case management supports a number of use cases:
 
 - Define your own case workflow with custom status values
 - Assign tasks to collaborators and configure due dates
 - Handle escalations and complex cases by linking multiple incidents to a case
 - Manage access to your cases using RBAC
-- Manage cases spanning multiple tenants using multitenant management (Preview)
-
-As we build on this foundation of case management, we're prioritizing these additional robust capabilities as we evolve this solution:
-
-- Multi-tenant support *(now added, in Preview)*
-- Automation
-- More evidence to add
-- Workflow customization
-- More Defender portal integrations
-
-## Requirements
-
-Case management is available in the Defender portal, and to use it, you must have a Microsoft Sentinel workspace connected. Cases are accessible only from the Defender portal; you can't see them in the Azure portal.
-
-For more information, see [Connect Microsoft Sentinel to the Defender portal](microsoft-sentinel-onboard.md).
-
-Use Defender XDR unified RBAC or Microsoft Sentinel roles to grant access to case management features.
-
-| Cases feature | Microsoft Defender XDR Unified RBAC | Microsoft Sentinel role |
-|---|---|---|
-| View only</br>- case queue</br>- case details</br>- tasks</br>- comments</br>- case audits | Security operations > Security data basics (read)| Microsoft Sentinel Reader |
-| Create and Manage</br>- cases and case tasks</br>- assign</br>- update status</br>- link and unlink incidents | Security operations > Alerts (manage) | Microsoft Sentinel Responder |
-| Customize case status options | Authorization and setting > Core Security settings (manage)| Microsoft Sentinel Contributor |
-
-For more information, see [Microsoft Defender XDR Unified role-based access control (RBAC)](/defender-xdr/manage-rbac).
-
-## Case queue
-
-To start using case management, select **Cases** in the Defender portal to access the case queue. Filter, sort, or search your cases to find what you need to focus on.
+- Manage cases from multiple tenants (Preview)
 
-:::image type="content" source="media/cases-overview/cases-queue-view.png" alt-text="Screenshot of case queue.":::
+## View cases in the multitenant portal
 
-The maximum allowed per tenant is 100,000 cases.
-
-## Case details
-
-Each case has a page which allows analysts to manage the case and displays important details.
-
-In the following example, a threat hunter is investigating a hypothetical "Burrowing" attack that consists of multiple MITRE ATT&CK techniques and IoCs.
-
-:::image type="content" source="media/cases-overview/case-details.png" alt-text="Screenshot of case details." lightbox="media/cases-overview/case-details-large.png":::
-
-Manage the following case details to describe, prioritize, assign, and track work:
-
-| Displayed case feature | Manage case options | Default value |
-|:---|:---|:---|
-| Priority| `Very low`, `Low`, `Medium`, `High`, `Critical` | none |
-| Status | Set by analysts, customizable by admins | Default statuses are `New`, `Open`, and `Closed`</br>Default value is `New`|
-| Assigned to | A single user in the tenant | none |
-| Description | Plain text | none |
-| Case details | Case ID | Case IDs start at 1000 and aren't purged. Use custom statuses and filters to archive cases. Case numbers are automatically set.|
-| | Created by</br>Created on</br>Last updated by</br>Last updated on | automatically set |
-| | Due on</br>Linked incidents | none |
+The cases experience in the multitenant portal is just like [that in the regular, single-tenant portal](cases-overview.md), but with a few extra features:
 
-Manage cases further by setting customized status, assigning tasks, linking incidents, and adding comments.
+- The **Cases** queue contains columns for **Tenant** and **Tenant ID**, so you can see which tenant each case belongs to.
 
-### Customize status
+- If you are managing many tenants, you can search, sort, or filter the case queue by tenant. The existing sort, filter, and search capabilities also work across multiple tenants in one combined view.
 
-Architect case management to fit the needs of your security operations center (SOC). Customize the status options available to your SecOps teams to fit the processes you have in place.
+- Role-based access control (RBAC) settings are applied at the tenant level, so you only see cases from the tenants you have access to.
 
-Following the burrowing attack case creation example, the SOC admins configured statuses enabling threat hunters to keep a backlog of threats for triage on a weekly basis. Custom statuses such as *Research phase* and *Generating hypothesis* match this threat hunting team's established process.
+:::image type="content" source="media/mto-manage-cases/mto-cases-queue.png" alt-text="Screenshot of cases queue in Microsoft Defender multitenant portal.":::
 
-:::image type="content" source="media/cases-overview/customize-status.png" alt-text="Screenshot showing default status options and customized statuses.":::
+For more information, see [Manage security operations cases natively in the Microsoft Defender portal](cases-overview.md).
 
-### Tasks
+## Create a case in the multitenant portal
 
-Add tasks to manage granular components of your cases. Each task comes with its own name, status, priority, owner, and due date. With this information, you always know who is accountable to complete which task and by what time. The task description summarizes the work to do and some space for describing the progress. Closing notes provide more context about the outcome of completed tasks.
+1. In the multitenant portal, select **Cases**.
 
-:::image type="content" source="media/cases-overview/add-task-small.png" alt-text="Screenshot showing the task pane with tasks populated for the case and statuses available." lightbox="media/cases-overview/add-task.png":::
-</br>*Image shows the following task statuses available: New, In progress, Failed, Partially completed, Skipped, Completed*
+1. Select **+ Create** on the **Cases** queue page.
 
-### Link incidents
+1. In the **Create case** pane, select the desired tenant from the drop-down at the top, then proceed as in the single-tenant experience.
 
-Linking a case and an incident helps your SecOps teams collaborate in the method that works best for them. For example, a threat hunter who finds malicious activity creates an incident for the incident response (IR) team. That threat hunter links the incident to a case so it's clear they're related. Now the IR team understands the context of the hunt that found the activity.
+:::image type="content" source="media/mto-manage-cases/mto-create-case.png" alt-text="Screenshot of case queue.":::
 
-:::image type="content" source="media/cases-overview/link-incidents.png" alt-text="Screenshot showing linked incidents for the hypothetical burrowing attack case." lightbox="media/cases-overview/link-incident-chooser.png":::
-
-Alternatively, if the IR team needs to escalate one or more incidents to the hunting team, they can create a case and link the incidents from the **Investigation & response** incident details page.
-
-:::image type="content" source="media/cases-overview/link-incident-from-incident-graph.png" alt-text="Screenshot showing the link incident option from ellipses menu in the incident view.":::
-
-Each case has a threshold of 100 linked incidents.
-
-### Activity log
-
-Need to write down notes, or that key detection logic to pass along? Create plain text comments and review the audit events in the activity log. Comments are a great place to quickly add information to a case.
-
-:::image type="content" source="media/cases-overview/informal-comments.png" alt-text="Screenshot showing informal comments between analysts.":::
+The maximum allowed per tenant is 100,000 cases.
 
-Audit events are automatically added to the activity log of the case and the latest events are shown at the top. Change the filter if you need to focus on comments or audit history.
 
 ## Related content