Create and manage cases

You can create and manage cases using the UI or the cases API.
Open a new case

Open a new case to keep track of security issues and share their details with colleagues.
- Go to Cases, then click Create case. If no cases exist, the Cases table will be empty and you’ll be prompted to create one by clicking the Create case button inside the table.
- (Optional) If you defined templates, select one to use its default field values.
- Give the case a name, assign a severity level, and provide a description. You can use Markdown syntax in the case description. If you do not assign your case a severity level, it will be assigned Low by default. You can insert a Timeline link in the case description by clicking the Timeline icon.
- Optionally, add a category, assignees and relevant tags. You can add users only if they meet the necessary prerequisites.
- If you defined custom fields, they appear in the Additional fields section.
- Choose if you want alert statuses to sync with the case’s status after they are added to the case. This option is enabled by default, but you can turn it off after creating the case.
- From External incident management, select a connector. If you’ve previously added one, that connector displays as the default selection. Otherwise, the default setting is No connector selected.
- Click Create case.
If you’ve selected a connector for the case, the case is automatically pushed to the third-party system it’s connected to.

Manage existing cases

From the Cases page, you can search existing cases and filter them by attributes such as assignees, categories, severity, status, and tags. You can also select multiple cases and use bulk actions to delete cases or change their attributes. General case metrics, including how long it takes to close cases, are provided above the table.

To explore a case, click on its name. You can then:
- Review the case summary
- Add comments. Comments can contain Markdown; for syntax help, click the Markdown icon in the bottom right of the comment.
- Examine alerts and indicators attached to the case
- Add files
- Add a Lens visualization
- Modify the case’s description, assignees, category, severity, status, and tags
- Manage connectors and send updates to external systems (if you’ve added a connector to the case)
- Add observables
- Copy the case UUID
- Refresh the case to retrieve the latest updates
Review the case summary

Click on an existing case to access its summary. The case summary, located under the case title, contains metrics that summarize alert information and response times. These metrics update when you attach additional unique alerts to the case, add connectors, or modify the case’s status:
- Total alerts: Total number of unique alerts attached to the case
- Associated users: Total number of unique users that are represented in the attached alerts
- Associated hosts: Total number of unique hosts that are represented in the attached alerts
- Total connectors: Total number of connectors that have been added to the case
- Case created: Date and time that the case was created
- Open duration: Time elapsed since the case was created
- In progress duration: How long the case has been in the In progress state
- Duration from creation to close: Time elapsed from when the case was created to when it was closed

Manage case comments

To edit, delete, or quote a comment, select the appropriate option from the More actions menu.

Examine alerts attached to a case

To explore the alerts attached to a case, click the Alerts tab. In the table, alerts are organized from oldest to newest. To view alert details, click the View details button.

Each case can have a maximum of 1,000 alerts.
Add files

To upload files to a case, click the Files tab.

You can add images and text, CSV, JSON, PDF, or ZIP files. For the complete list, check mime_types.ts.
There is a 10 MiB size limit for images. For all other MIME types, the limit is 100 MiB.
To download or delete the file, or copy the file hash to your clipboard, open the Actions menu (…). The available hash functions are MD5, SHA-1, and SHA-256.
When you add a file, a comment is added to the case activity log. To view an image, click its name in the activity or file list.
Add a Lens visualization

This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
Add a Lens visualization to your case to portray event and alert data through charts and graphs.

To add a Lens visualization to a comment within your case:
- Click the Visualization button. The Add visualization dialog appears.
- Select an existing visualization from your Visualize Library or create a new visualization. Set an absolute time range for your visualization. This ensures your visualization doesn’t change over time after you save it to your case, and provides important context for others managing the case.
- Save the visualization to your Visualize Library by clicking the Save to library button (optional).
- Enter a title and description for the visualization.
- Choose if you want to keep the Update panel on Security activated. This option is activated by default and automatically adds the visualization to your Visualize Library.
- After you’ve finished creating your visualization, click Save and return to go back to your case.
- Click Preview to show how the visualization will appear in the case comment.
- Click Add Comment to add the visualization to your case.
Alternatively, while viewing a dashboard you can open a panel’s menu, then click More actions → Add to existing case or More actions → Add to new case.
After a visualization has been added to a case, you can modify or interact with it by clicking the Open Visualization option in the case’s comment menu.

Add observables

An observable is a piece of information about an investigation, for example, a suspicious URL or a file hash. Use observables to identify correlated events and better understand the severity and scope of a case.
To create an observable:
- Click the Observables tab, then click Add observable. Each case can have a maximum of 50 observables.
- Provide the necessary details:
  - Type: Select a type for the observable. You can choose a preset type or a custom one.
  - Value: Enter a value for the observable. The value must align with the type you select.
  - Description (Optional): Provide additional information about the observable.
- Click Add observable.
After adding an observable to a case, you can remove or edit it by using the Actions menu (…).
Go to the Similar cases tab to access other cases with the same observables.

Copy the case UUID

Each case has a universally unique identifier (UUID) that you can copy and share. To copy a case’s UUID to a clipboard, go to the Cases page and select Actions → Copy Case ID for the case you want to share. Alternatively, go to a case’s details page, then from the More actions menu, select Copy Case ID.

Export and import cases

Cases can be exported and imported as saved objects using the Saved Objects project settings UI.
Before importing Lens visualizations, Timelines, or alerts, ensure their data is present. Without it, they won’t work after being imported.
Export a case

Use the Export option to move cases between different Elastic Security instances. When you export a case, the following data is exported to a newline-delimited JSON (.ndjson) file:
- Case details
- User actions
- Text string comments
- Case alerts
- Lens visualizations (exported as JSON blobs).
The following attachments are not exported:
- Case files: Case files are not exported. However, they are accessible in Project Settings → Stack Management → Files to download and re-add.
- Alerts: Alerts attached to cases are not exported. You must re-add them after importing cases.
To export a case:
- Go to Project Settings → Stack Management → Saved objects.
- Search for the case by choosing a saved object type or entering the case title in the search bar.
- Select one or more cases, then click the Export button.
- Click Export. A confirmation message that your file is downloading displays. Keep the Include related objects option enabled to ensure connectors are exported too.

Import a case

To import a case:
- Go to Project settings → Management → Saved objects.
- Click Import.
- Select the NDJSON file containing the exported case and configure the import options.
- Click Import.
- Review the import log and click Done.
Be mindful of the following:
- If the imported case had connectors attached to it, you’ll be prompted to re-authenticate the connectors. To do so, click Go to connectors on the Import saved objects flyout and complete the necessary steps. Alternatively, open the main menu, then go to Project Settings → Stack Management → Connectors to access connectors.
- If the imported case had attached alerts, verify that the alerts' source documents exist in the environment. Case features that interact with alerts (such as the Alert details flyout and rule details page) rely on the alerts' source documents to function.
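As an added pre-import check (not part of the original page or of Elastic's tooling), the script below walks an exported .ndjson file and lists what the target environment must already have before the import is useful: the alert documents that alert attachments point at, and the connectors that will need re-authentication. The saved-object type names and attribute keys (`cases`, `cases-comments`, `alertId`, `index`, `persistableState`) are assumptions modelled on Kibana's cases saved objects, and the sample export is constructed.

```python
import json

# Constructed sample of an exported case in the saved-object NDJSON shape this
# script assumes (one object per line; the type names and attribute keys are
# assumptions modelled on Kibana's cases saved objects, not taken from the page).
SAMPLE_NDJSON = "\n".join(json.dumps(o) for o in [
    {"type": "cases", "id": "case-1",
     "attributes": {"title": "Suspicious login", "severity": "high", "status": "open",
                    "connector": {"id": "jira-1", "type": ".jira", "name": "Jira"}},
     "references": []},
    {"type": "cases-comments", "id": "c-1",
     "attributes": {"type": "user", "comment": "Triage notes"},
     "references": [{"name": "associated-cases", "type": "cases", "id": "case-1"}]},
    {"type": "cases-comments", "id": "c-2",
     "attributes": {"type": "alert", "alertId": ["a1", "a2"],
                    "index": [".alerts-security.alerts-default"] * 2},
     "references": [{"name": "associated-cases", "type": "cases", "id": "case-1"}]},
    {"type": "cases-comments", "id": "c-3",
     "attributes": {"type": "persistableState", "persistableStateAttachmentTypeId": ".lens"},
     "references": [{"name": "associated-cases", "type": "cases", "id": "case-1"}]},
    {"exportedCount": 4, "missingRefCount": 0, "missingReferences": []},
])

def preflight(ndjson_text):
    """Summarise what a case export carries and what must exist or be redone on import."""
    summary = {"cases": [], "connectors": [], "user_comments": 0, "lens": 0,
               "alerts": [], "other": 0}
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        obj = json.loads(line)
        attrs = obj.get("attributes", {})
        if obj.get("type") == "cases":
            summary["cases"].append(attrs.get("title"))
            conn = attrs.get("connector", {})
            if conn.get("type") != ".none":  # must be re-authenticated after import
                summary["connectors"].append(conn.get("name"))
        elif obj.get("type") == "cases-comments":
            kind = attrs.get("type")
            if kind == "user":
                summary["user_comments"] += 1
            elif kind == "alert":
                # Only alert ids and indices travel; the alert documents must
                # already exist in the target environment or the attachment is dead.
                for aid, idx in zip(attrs.get("alertId", []), attrs.get("index", [])):
                    summary["alerts"].append((idx, aid))
            elif kind == "persistableState":
                summary["lens"] += 1
        else:
            summary["other"] += 1  # e.g. the trailing export summary line
    return summary
```

Run `preflight` over a real export and confirm each (index, alert id) pair resolves in the target cluster before clicking Import; any connector it lists is one you will be asked to re-authenticate from the import flyout.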