Cases are used to open and track security issues directly in the Elastic Security app. All cases list the original reporter and all users who contribute to a case (participants). Comments support Markdown syntax, and allow linking to saved Timelines. Additionally, you can send cases to these external systems from within Elastic Security:

  • ServiceNow ITSM
  • ServiceNow SecOps
  • Jira (including Jira Service Desk)
  • IBM Resilient

Configure external connections describes how to set up external integrations.

You can create and manage cases via the UI or the Cases API.

To send cases to external systems, you need the appropriate license. To ensure you can view and open cases, see Cases prerequisites.

Case UI Home

Open a new caseedit

Open a new case to keep track of security issues and share their details with colleagues.

  1. Go to CasesCreate new case.
  2. Give the case a name, and add a description and any relevant tags.

    In the Description area, you can use Markdown syntax and insert a timeline link (click the icon in the top right corner of the area).

  3. Choose whether you want alert statuses to sync with the case’s status after they are added to the case. This option is enabled by default, but you can still turn it off after creating the case.
  4. When ready, create the case.
  5. If external connections are configured, you can:

    • Select which connector is used to send the case to an external system (External incident management system).
    • Send the case to an external system. You can send the case to more than one external system.
cases ui open

Manage existing casesedit

You can search existing cases, and filter them by tags, reporter, and status (open, in-progress, or closed).

To view a case, click on its name. You can then:

  • Add a new comment
  • Edit existing comments and the case’s description
  • Send updates to external systems (if external connections are configured)
  • Close the case
  • Reopen a closed case
  • Edit tags
  • Refresh the case to retrieve the latest updates

Comments can also contain Markdown syntax and Timeline links.