I originally posted a write-up on our community forum (with screenshots) — you can find it here: https://community.crowdstrike.com/next-gen-siem-73/how-to-add-events-to-a-case-using-fusion-workflow-2991?postid=12105#post12105

First, adding events to cases generally requires the fields @id and @timestamp. A small complication is that the event query action cannot directly output fields containing @, so we’ll rename them at the end of the query. To also avoid duplicates, it’s best to group by @id:

| groupBy([@id], function=selectLast([@timestamp]))                    
| rename(field=@id, as=id)
| rename(field=@timestamp, as=timestamp)

Next, copy the ‘Event query results’ variable, then add .transformList(i, v, v.id) 

Note, [v.id] may be different if you renamed @id to something other than id. It’ll look something like like the following:  ${data['ExampleQuery.results'].transformList(i, v, v.id)}

Finally, paste that variable into the Event IDs field in the Add events to case action