docs/cases/cases-manage-settings.asciidoc
Lines changed: 25 additions & 1 deletion
@@ -5,7 +5,7 @@
5
5
:frontmatter-tags-content-type: [how-to]
6
6
:frontmatter-tags-user-goals: [analyze]
7
7
8
-
To change case closure options and add custom fields, templates, and connectors for external incident management systems, find **Cases** in the navigation menu or search for `Security/Cases` by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then click **Settings**.
8
+
To change case closure options, add custom fields, templates, and connectors for external incident management systems, and create custom observable types, find **Cases** in the navigation menu or search for `Security/Cases` by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then click **Settings**.
9
9
10
10
[role="screenshot"]
11
11
image::images/cases-settings.png[Shows the case settings page]
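Review bot: The rewritten intro sentence mixes two list levels, so it is hard to tell where one action ends and the next begins: after "To change case closure options," the reader meets "add custom fields, templates, and connectors ..., and create custom observable types" and has to re-parse which verb governs which items. Consider a short bulleted list of what the Settings page controls, or at least separate the three actions with semicolons. Since the section added further down states that observables require a Platinum subscription or higher, it may also be worth qualifying "create custom observable types" here.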
@@ -123,3 +123,27 @@ image::images/cases-add-template.png[Add a template in case settings]
123
123
When users create cases, they can optionally select a template and use its values or override them.
124
124
125
125
NOTE: If you update or delete templates, existing cases are unaffected.
126
+
127
+
[float]
128
+
[[cases-observable-types]]
129
+
=== Observable types
130
+
131
+
.Requirements
132
+
[sidebar]
133
+
--
134
+
To use observables, you must have a https://www.elastic.co/pricing[Platinum subscription] or higher.
135
+
--
136
+
137
+
Create custom observable types for enhanced case collaboration.
138
+
139
+
. In the **Observable types** section, click **Add observable type**.
140
+
. Enter a descriptive label for the observable type, then click **Save**.
141
+
142
+
After creating a new observable type, you can remove or edit it from the **Settings** page.
143
+
144
+
NOTE: You can create up to 10 custom observable types.
145
+
146
+
IMPORTANT: Deleting a custom observable type deletes all instances of it.
147
+
148
+
[role="screenshot"]
149
+
image::images/cases-observable-types.png[Add an observable type in case settings]
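Review bot: The IMPORTANT admonition at the end of the new Observable types section, "Deleting a custom observable type deletes all instances of it," does not say what an instance is or where it lives. The templates NOTE kept as context just above says existing cases are unaffected by template changes, so a reader can easily assume the same applies here. If deleting a type removes observables of that type from existing cases, say so explicitly, state whether it can be undone, and move the admonition directly under "you can remove or edit it from the **Settings** page" instead of after the 10-type limit NOTE. It would also help to say what editing a label does to observables already recorded under the old one.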
docs/cases/cases-manage.asciidoc
Lines changed: 34 additions & 1 deletion
@@ -101,6 +101,7 @@ TIP: Comments can contain Markdown. For syntax help, click the Markdown icon (im
101
101
* <<cases-lens-visualization>>
102
102
* Modify the case's description, assignees, category, severity, status, and tags.
103
103
* <<cases-ui-integrations,Manage connectors>> and send updates to external systems (if you've added a connector to the case)
104
+
* <<cases-add-observables>>
104
105
* <<cases-copy-case-uuid>>
105
106
* Refresh the case to retrieve the latest updates
106
107
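Review bot: The new `* <<cases-add-observables>>` bullet sits in a list of general case actions with no hint that it is subscription-gated, while the section it links to opens with a Requirements sidebar for Platinum or higher. Consider adding a short qualifier to the bullet so the list does not present the action as available to every reader.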
@@ -194,14 +195,46 @@ After a visualization has been added to a case, you can modify or interact with
194
195
[role="screenshot"]
195
196
image::images/cases-open-vis.png[Shows where the Open Visualization option is]
196
197
198
+
[float]
199
+
[[cases-add-observables]]
200
+
=== Add observables
201
+
202
+
.Requirements
203
+
[sidebar]
204
+
--
205
+
To use observables, you must have a https://www.elastic.co/pricing[Platinum subscription] or higher.
206
+
--
207
+
208
+
An observable is a piece of information about an investigation, for example, a suspicious URL or a file hash. Use observables to identify correlated events and better understand the severity and scope of a case.
209
+
210
+
To create an observable:
211
+
212
+
. Click the **Observables** tab, then click **Add observable**.
213
+
+
214
+
NOTE: Each case can have a maximum of 50 observables.
215
+
+
216
+
. Provide the necessary details:
217
+
** **Type**: Select a type for the observable. You can choose a preset type or a <<cases-observable-types,custom one>>.
218
+
** **Value**: Enter a value for the observable. The value must align with the type you select.
219
+
** **Description** (Optional): Provide additional information about the observable.
220
+
221
+
. Click **Add observable**.
222
+
223
+
After adding an observable to a case, you can remove or edit it by using the **Actions** menu (**…**).
224
+
225
+
TIP: Go to the **Similar cases** tab to access other cases with the same observables.
226
+
227
+
[role="screenshot"]
228
+
image::images/cases-add-observables.png[Shows you where to add observables]
229
+
197
230
[float]
198
231
[[cases-copy-case-uuid]]
199
232
=== Copy the case UUID
200
233
201
234
Each case has a universally unique identifier (UUID) that you can copy and share. To copy a case's UUID to a clipboard, go to the Cases page and select *Actions* -> *Copy Case ID* for the case you want to share. Alternatively, go to a case's details page, then from the *More actions* menu (…), select *Copy Case ID*.
202
235
203
236
[role="screenshot"]
204
-
image::images/cases-copy-case-id.png[Copy Case ID option in More actions menu 40%,40%]
237
+
image::images/cases-copy-case-id.png[Copy Case ID option in More actions menu 30%,30%]
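Review bot: In the **Value** bullet of step 2, "The value must align with the type you select" does not tell the user what is checked or what happens on a mismatch, and it is silent on custom types, which the settings page creates from a label alone. For a field that will hold suspicious URLs and file hashes, document which preset types are validated, what the user sees when validation fails, and how values for custom types are treated. Separately, the last changed line keeps the size inside the alt text: `[Copy Case ID option in More actions menu 30%,30%]` has no comma before the first `30%`, so that value is parsed as part of the alt text and only the second one is taken as the width; `[Copy Case ID option in More actions menu,30%,30%]` is likely what was meant.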