Create and manage cases

Learn how to create a case, add files, and manage the case over time.

Required role

The Editor role or higher is required to create and manage cases. To learn more, refer to Assign user roles and privileges.

Open a new case to keep track of issues and share the details with colleagues. To create a case in your Observability project:

  1. In your Observability project, go to Cases.

  2. Click Create case.

  3. (Optional) If you defined templates, select one to use its default field values.

    Technical preview

    This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

  4. Give the case a name, severity, and description.


    In the Description area, you can use Markdown syntax to create formatted text.

  5. (Optional) Add a category, assignees, and tags.

    You can add users who are assigned the Editor user role (or a more permissive role) for the project.

  6. (Optional) Under External incident management system, you can select a connector to send cases to an external system. If you've created any connectors previously, they will be listed here. If there are no connectors listed, you can create one.

  7. After you've completed all of the required fields, click Create case.


You can also create a case from an alert or add an alert to an existing case. From the Alerts page, click the More options icon and choose either Add to existing case or Create new case, and select or complete the details as required.

Add files

After you create a case, you can upload and manage files on the Files tab.

To download or delete the file or copy the file hash to your clipboard, open the action menu (…). The available hash functions are MD5, SHA-1, and SHA-256.

When you upload a file, a comment is added to the case activity log. To view an image, click its name in the activity or file list.


Uploaded files are also accessible under Project settings → Management → Files. When you export cases as saved objects, the case files are not exported.

You can add images and text, CSV, JSON, PDF, or ZIP files. For the complete list, check mime_types.ts.

File size limits

There is a 10 MiB size limit for images. For all other MIME types, the limit is 100 MiB.
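A local pre-upload check, as an added example that is not part of the original documentation: it computes the three digests the Files tab exposes (MD5, SHA-1, SHA-256) in one pass and checks the file against the size limits above, so a hash copied from the case can be compared with your own copy of the evidence. The function names, classifying images by file extension, and treating the limits as inclusive are assumptions.

```python
import hashlib
import mimetypes
import os
import tempfile

MIB = 1024 * 1024
IMAGE_LIMIT = 10 * MIB    # from the page: 10 MiB limit for images
OTHER_LIMIT = 100 * MIB   # from the page: 100 MiB for all other MIME types


def size_limit_for(path):
    """Pick the limit from the MIME type guessed by extension (assumption)."""
    mime, _ = mimetypes.guess_type(path)
    return IMAGE_LIMIT if (mime or "").startswith("image/") else OTHER_LIMIT


def precheck(path, chunk_size=MIB):
    """Read the file once; return its size, limit verdict and three digests."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(),
               "sha256": hashlib.sha256()}
    size = 0
    with open(path, "rb") as fh:
        while chunk := fh.read(chunk_size):
            size += len(chunk)
            for d in digests.values():
                d.update(chunk)
    report = {name: d.hexdigest() for name, d in digests.items()}
    report["size"] = size
    report["within_limit"] = size <= size_limit_for(path)  # inclusive: assumption
    return report


def matches_case_hash(report, copied_hash):
    """Compare a hash copied from the case's action menu with local digests."""
    wanted = copied_hash.strip().lower()
    # The digest length identifies which of the three functions was copied.
    algo = {32: "md5", 40: "sha1", 64: "sha256"}.get(len(wanted))
    return algo is not None and report[algo] == wanted


if __name__ == "__main__":
    # Constructed sample file standing in for a piece of case evidence.
    with tempfile.NamedTemporaryFile(suffix=".log", delete=False) as tmp:
        tmp.write(b"abc")
    result = precheck(tmp.name)
    print(result)
    print("matches:", matches_case_hash(result, result["sha256"].upper()))
    os.unlink(tmp.name)
```

A mismatch after upload means the stored file differs from your local copy, which matters when the attachment is later relied on as evidence.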

Send cases to external incident management systems

To send a case to an external system, click the button in the External incident management system section of the individual case page. This information is not sent automatically. If you make further changes to the shared case fields, you should push the case again.

For more information about configuring connections to external incident management systems, refer to Configure case settings.

Manage existing cases

You can search existing cases and filter them by attributes such as assignees, categories, severity, status, and tags. You can also select multiple cases and use bulk actions to delete cases or change their attributes.

To view a case, click on its name. You can then:

  • Add a new comment.
  • Edit existing comments and the description.
  • Add or remove assignees.
  • Add a connector (if you did not select one while creating the case).
  • Send updates to external systems (if external connections are configured).
  • Edit the category and tags.
  • Change the status.
  • Change the severity.
  • Remove an alert.
  • Refresh the case to retrieve the latest updates.
  • Close the case.
  • Reopen a closed case.
