MicrosoftDocs
diff --git a/‎unified-secops-platform/cases-overview.md‎
Lines changed: 45 additions & 1 deletion b/‎unified-secops-platform/cases-overview.md‎
Lines changed: 45 additions & 1 deletion
diff --git a/‎unified-secops-platform/media/cases-overview/attach-file-to-comment-send.png‎
35.1 KB b/‎unified-secops-platform/media/cases-overview/attach-file-to-comment-send.png‎
35.1 KB
diff --git a/‎unified-secops-platform/media/cases-overview/attach-file-to-comment.png‎
30.9 KB b/‎unified-secops-platform/media/cases-overview/attach-file-to-comment.png‎
30.9 KB
diff --git a/‎unified-secops-platform/media/cases-overview/delete-case-confirm.png‎
14.9 KB b/‎unified-secops-platform/media/cases-overview/delete-case-confirm.png‎
14.9 KB
diff --git a/‎unified-secops-platform/media/cases-overview/delete-case.png‎
82.4 KB b/‎unified-secops-platform/media/cases-overview/delete-case.png‎
82.4 KB
diff --git a/‎unified-secops-platform/media/cases-overview/link-indicator-from-intel-management.png‎
122 KB b/‎unified-secops-platform/media/cases-overview/link-indicator-from-intel-management.png‎
122 KB
diff --git a/‎unified-secops-platform/media/cases-overview/link-indicators.png‎
113 KB b/‎unified-secops-platform/media/cases-overview/link-indicators.png‎
113 KB
@@ -116,7 +116,11 @@ Add tasks to manage granular components of your cases. Each task comes with its
 
 *Image shows the following task statuses available: New, In progress, Failed, Partially completed, Skipped, Completed*
 
-### Link incidents
+### Link objects
+
+Linking a case to other objects in your environment helps your SecOps teams understand the broader context of a threat. You can link cases to incidents or [indicators of compromise (IoCs)](/defender-endpoint/indicators-overview).
+
+#### Link incidents
 
 Linking a case and an incident helps your SecOps teams collaborate in the method that works best for them. For example, a threat hunter who finds malicious activity creates an incident for the incident response (IR) team. That threat hunter links the incident to a case so it's clear they're related. Now the IR team understands the context of the hunt that found the activity.
 
@@ -126,6 +130,18 @@ Alternatively, if the IR team needs to escalate one or more incidents to the hun
 
 :::image type="content" source="media/cases-overview/link-incident-from-incident-graph.png" alt-text="Screenshot showing the link incident option from ellipses menu in the incident view.":::
 
+#### Link indicators
+
+Linking a case to relevant indicators of compromise (IOCs) helps your SecOps teams understand the broader context of a threat.
+
+To link the case to IOCs, go to the **Linked Objects** tab in the Case page and select **Indicators**. Then, select the **Add** button and the workspace the TI Indicator is in. Select the wanted TI Indicator and click on **Link**.
+
+:::image type="content" source="media/cases-overview/link-indicators.png" alt-text="Screenshot showing the linked indicators for the hypothetical burrowing attack case.":::
+
+Alternatively, you can create a case and link the indicators from the Intel management indicators details page. Select your TI Indicator and then on **Link Cases**.
+
+:::image type="content" source="media/cases-overview/link-indicator-from-intel-management.png" alt-text="Screenshot showing the link indicator option from the TI Indicator view.":::
+
 ### Activity log
 
 Need to write down notes, or that key detection logic to pass along? Create rich text comments and review the audit events in the activity log. Comments are a great place to quickly add information&mdash;including such things as queries, tables, links, and structured content&mdash;to a case.
@@ -140,8 +156,36 @@ Share reports, emails, screenshots, log files, and more, all centralized in the
 
 :::image type="content" source="media/cases-overview/case-attachments.png" alt-text="Screenshot of the details of the Attachments tab of a case.":::
 
+#### Add attachment to a case
+
 To add attachments to your case, go to the **Case details** page, select the **Attachments** tab, select **Upload**, select your file, and wait for the upload to complete. Once uploaded, the file is scanned in the background for malware. When the scan is complete, anyone with access to the case can download the file. If the file you want to upload is actually a malware sample, you can wrap it in a password-protected ZIP file.
 
+#### Add attachment to a comment
+
+To add an attachment to a comment:
+
+1. Go to the comment area of the *Case* page.
+1. Go to the text editor at the bottom of the screen, and select the paperclip icon to attach a file.
+1. Select the file you want to attach from your computer.
+1. Select **Send** to save the comment.
+
+  :::image type="content" source="media/cases-overview/attach-file-to-comment-send.png" alt-text="Screenshot showing the Send button to save the comment.":::
+
+- To attach a screenshot to your comment, paste it into the text editor.
+- To delete an attached file from the comment, select the bin icon while hovering over it.
+
+### Delete Case
+
+To delete a case:
+
+1. Open the Cases screen, select the case you want to remove, and select **Remove**.
+
+    :::image type="content" source="media/cases-overview/delete-case.png" alt-text="Screenshot showing the Remove option in the case details pane.":::
+
+1. In the pop-up window, check the consent box and then select **Confirm**.
+
+    :::image type="content" source="media/cases-overview/delete-case-confirm.png" alt-text="Screenshot showing the confirmation dialog for deleting a case.":::
+
 ## Limitations
 
 See [Case management limits](/azure/sentinel/sentinel-service-limits#case-management-limits).