Casesedit

Cases are used to open and track security issues directly in the Elastic Security app. All cases list the original reporter and all users who contribute to a case (participants). Comments support Markdown syntax and allow linking to saved Timelines. Additionally, you can send cases to these external systems from within Elastic Security:

  • ServiceNow ITSM
  • ServiceNow SecOps
  • Jira (including Jira Service Desk)
  • IBM Resilient
  • Swimlane

Configure external connections describes how to set up external integrations. When configuring case fields, note that data from mapped fields can be pushed to external systems but cannot be pulled in.

You can create and manage cases via the UI or the Cases API.

To send cases to external systems, you need the appropriate license and your role needs All privileges for the Action and Connectors feature. For information about the base role privileges you need to view or update cases, see Cases prerequisites.

Case UI Home

Open a new caseedit

Open a new case to keep track of security issues and share their details with colleagues.

  1. Go to CasesCreate new case.
  2. Give the case a name, and add a description and any relevant tags.

    In the Description area, you can use Markdown syntax and insert a timeline link (click the icon in the top right corner of the area).

  3. Choose whether you want alert statuses to sync with the case’s status after they are added to the case. This option is enabled by default, but you can still turn it off after creating the case.
  4. When ready, create the case.
  5. If external connections are configured, you can:

    • Select which connector is used to send the case to an external system (External incident management system).
    • Send the case to an external system. You can send the case to more than one external system.
Shows an open case

Manage existing casesedit

You can search existing cases and filter them by tags, reporter, and status (open, in-progress, or closed).

To view a case, click on its name. You can then:

  • Add a new comment
  • Add a Lens visualization
  • Edit existing comments and the case’s description
  • Add a connector (if you did not select one while creating the case)
  • Send updates to external systems (if external connections are configured)
  • Close the case
  • Reopen a closed case
  • Edit tags
  • Refresh the case to retrieve the latest updates

Comments can also contain Markdown syntax and Timeline links.

Add a Lens visualizationedit

This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.

Add a Lens visualization to your case to portray event and alert data through charts and graphs.

Shows how to add a visualization to a case

To add a Lens visualization to a comment within your case:

  1. Click the Visualization button. The Add visualization dialog appears. 
  2. Select an existing visualization from your Visualize Library or create a new visualization.

    Set an absolute time range for your visualization. This ensures your visualization doesn’t change over time after you save it to your case and provides important context for other viewers.

  3. Save the visualization to your Visualize Library by clicking the Save to library button (optional).

    1. Enter a title and description for the visualization. 
    2. Choose whether you want to keep the Update panel on Security activated. This option is activated by default and automatically adds the visualization to your Visualize Library.
  4. After you’ve finished creating your visualization, click Save and return to go back to your case.
  5. Click Preview to see how the visualization will appear in the case comment.
  6. Click Add Comment to add the visualization to your case. 

Once a visualization has been added to a case, it cannot be modified or deleted. However, you can interact with the visualization by clicking the Open Visualization option in the comment menu.  

Shows where the Open Visualization option is

Export and import casesedit

Cases can be exported and imported as saved objects through the Kibana Saved Objects UI.

Before importing Lens visualizations, Timelines, or alerts into a space, ensure their data is present. Without it, they won’t work after being imported.

Export a caseedit

Use the Export option to move cases between different Kibana instances. When you export a case, the following data is exported to a newline-delimited JSON (.ndjson) file: case details, user actions, text string comments, case alerts, and lens visualizations (which are exported as JSON blobs).

To export a case:

  1. Open the main menu, click Stack Management → Kibana, then select the Saved Objects tab.
  2. Search for the case by choosing a saved object type or entering the case title in the search bar.
  3. Select one or more cases, then click the Export button.
  4. Click Export. A confirmation message that your file is downloading displays.

    Keep the Include related objects option enabled to ensure connectors are exported too.

Shows the export saved objects workflow

Import a caseedit

To import a case:

  1. Open the main menu, click Stack Management → Kibana and then select the Saved Objects tab.
  2. Click Import.
  3. Select the NDJSON file containing the exported case and configure the import options.
  4. Click Import.
  5. Review the import log and click Done.

    Be mindful of the following:

    • If the imported case had connectors attached to it, you’ll be prompted to re-authenticate the connectors. To do so, click Go to connectors on the Import saved objects flyout and complete the necessary steps. Alternatively, open the main menu, then go to Stack Management → Alerts and Insights → Rules and Connectors → Connectors to access connectors.
    • If the imported case had attached alerts, verify that the alerts’ source documents are present in the environment. Case features that interact with alerts (such as the Alert Details flyout and rule details page) rely on the alerts’ source documents to function.