diff --git a/docs/cases/cases-manage-settings.asciidoc b/docs/cases/cases-manage-settings.asciidoc index 1c692cfb2f..78bb23b1b6 100644 --- a/docs/cases/cases-manage-settings.asciidoc +++ b/docs/cases/cases-manage-settings.asciidoc @@ -5,7 +5,7 @@ :frontmatter-tags-content-type: [how-to] :frontmatter-tags-user-goals: [analyze] -To change case closure options and add custom fields, templates, and connectors for external incident management systems, find **Cases** in the navigation menu or search for `Security/Cases` by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then click **Settings**. +To change case closure options, add custom fields, templates, and connectors for external incident management systems, and create custom observable types, find **Cases** in the navigation menu or search for `Security/Cases` by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then click **Settings**. [role="screenshot"] image::images/cases-settings.png[Shows the case settings page] 
@@ -123,3 +123,27 @@ image::images/cases-add-template.png[Add a template in case settings] When users create cases, they can optionally select a template and use its values or override them. NOTE: If you update or delete templates, existing cases are unaffected. + +[float] +[[cases-observable-types]] +=== Observable types + +.Requirements +[sidebar] +-- +To use observables, you must have a https://www.elastic.co/pricing[Platinum subscription] or higher. +-- + +Create custom observable types for enhanced case collaboration. + +. In the **Observable types** section, click **Add observable type**. +. Enter a descriptive label for the observable type, then click **Save**. + +After creating a new observable type, you can remove or edit it from the **Settings** page. + +NOTE: You can create up to 10 custom observable types. + +IMPORTANT: Deleting a custom observable type deletes all instances of it. + +[role="screenshot"] +image::images/cases-observable-types.png[Add an observable type in case settings] diff --git a/docs/cases/cases-manage.asciidoc b/docs/cases/cases-manage.asciidoc index 218da56fb6..6d6a816e50 100644 --- a/docs/cases/cases-manage.asciidoc +++ b/docs/cases/cases-manage.asciidoc @@ -101,6 +101,7 @@ TIP: Comments can contain Markdown. For syntax help, click the Markdown icon (im * <> * Modify the case's description, assignees, category, severity, status, and tags. * <> and send updates to external systems (if you've added a connector to the case) +* <> * <> * Refresh the case to retrieve the latest updates 
@@ -194,6 +195,38 @@ After a visualization has been added to a case, you can modify or interact with [role="screenshot"] image::images/cases-open-vis.png[Shows where the Open Visualization option is] +[float] +[[cases-add-observables]] +=== Add observables + +.Requirements +[sidebar] +-- +To use observables, you must have a https://www.elastic.co/pricing[Platinum subscription] or higher. +-- + +An observable is a piece of information about an investigation, for example, a suspicious URL or a file hash. Use observables to identify correlated events and better understand the severity and scope of a case. + +To create an observable: + +. Click the **Observables** tab, then click **Add observable**. ++ +NOTE: Each case can have a maximum of 50 observables. ++ +. Provide the necessary details: +** **Type**: Select a type for the observable. You can choose a preset type or a <>. +** **Value**: Enter a value for the observable. The value must align with the type you select. +** **Description** (Optional): Provide additional information about the observable. + +. Click **Add observable**. + +After adding an observable to a case, you can remove or edit it by using the **Actions** menu (**…**). + +TIP: Go to the **Similar cases** tab to access other cases with the same observables. + +[role="screenshot"] +image::images/cases-add-observables.png[Shows you where to add observables] + [float] [[cases-copy-case-uuid]] === Copy the case UUID 
@@ -201,7 +234,7 @@ image::images/cases-open-vis.png[Shows where the Open Visualization option is] Each case has a universally unique identifier (UUID) that you can copy and share. To copy a case's UUID to a clipboard, go to the Cases page and select *Actions* -> *Copy Case ID* for the case you want to share. Alternatively, go to a case's details page, then from the *More actions* menu (…​), select *Copy Case ID*. [role="screenshot"] -image::images/cases-copy-case-id.png[Copy Case ID option in More actions menu 40%,40%] +image::images/cases-copy-case-id.png[Copy Case ID option in More actions menu 30%,30%] [float] [[cases-export-import]] diff --git a/docs/cases/images/cases-add-observables.png b/docs/cases/images/cases-add-observables.png new file mode 100644 index 0000000000..659e0db868 Binary files /dev/null and b/docs/cases/images/cases-add-observables.png differ diff --git a/docs/cases/images/cases-add-template.png b/docs/cases/images/cases-add-template.png index 29075ec9f2..5a7e369434 100644 Binary files a/docs/cases/images/cases-add-template.png and b/docs/cases/images/cases-add-template.png differ diff --git a/docs/cases/images/cases-home-page.png b/docs/cases/images/cases-home-page.png index f2850757d6..7f27d203ea 100644 Binary files a/docs/cases/images/cases-home-page.png and b/docs/cases/images/cases-home-page.png differ diff --git a/docs/cases/images/cases-manage-comments.png b/docs/cases/images/cases-manage-comments.png index f2a1a3b09f..57514a879b 100644 Binary files a/docs/cases/images/cases-manage-comments.png and b/docs/cases/images/cases-manage-comments.png differ diff --git a/docs/cases/images/cases-observable-types.png b/docs/cases/images/cases-observable-types.png new file mode 100644 index 0000000000..8ca37cb784 Binary files /dev/null and b/docs/cases/images/cases-observable-types.png differ 
diff --git a/docs/cases/images/cases-settings.png b/docs/cases/images/cases-settings.png index fbe37e575d..fd2cb81b67 100644 Binary files a/docs/cases/images/cases-settings.png and b/docs/cases/images/cases-settings.png differ diff --git a/docs/cases/images/cases-summary.png b/docs/cases/images/cases-summary.png index d96cedab77..a48379d9bf 100644 Binary files a/docs/cases/images/cases-summary.png and b/docs/cases/images/cases-summary.png differ diff --git a/docs/cases/images/cases-ui-open.png b/docs/cases/images/cases-ui-open.png index 95d9c8c5fb..d71eb710f3 100644 Binary files a/docs/cases/images/cases-ui-open.png and b/docs/cases/images/cases-ui-open.png differ diff --git a/docs/serverless/images/cases-open-manage/-cases-cases-add-observables.png b/docs/serverless/images/cases-open-manage/-cases-cases-add-observables.png new file mode 100644 index 0000000000..659e0db868 Binary files /dev/null and b/docs/serverless/images/cases-open-manage/-cases-cases-add-observables.png differ diff --git a/docs/serverless/images/cases-open-manage/-cases-cases-home-page.png b/docs/serverless/images/cases-open-manage/-cases-cases-home-page.png index 070bb432fe..7f27d203ea 100644 Binary files a/docs/serverless/images/cases-open-manage/-cases-cases-home-page.png and b/docs/serverless/images/cases-open-manage/-cases-cases-home-page.png differ diff --git a/docs/serverless/images/cases-open-manage/-cases-cases-manage-comments.png b/docs/serverless/images/cases-open-manage/-cases-cases-manage-comments.png index f2a1a3b09f..57514a879b 100644 Binary files a/docs/serverless/images/cases-open-manage/-cases-cases-manage-comments.png and b/docs/serverless/images/cases-open-manage/-cases-cases-manage-comments.png differ 
diff --git a/docs/serverless/images/cases-open-manage/-cases-cases-summary.png b/docs/serverless/images/cases-open-manage/-cases-cases-summary.png index d96cedab77..a48379d9bf 100644 Binary files a/docs/serverless/images/cases-open-manage/-cases-cases-summary.png and b/docs/serverless/images/cases-open-manage/-cases-cases-summary.png differ diff --git a/docs/serverless/images/cases-open-manage/-cases-cases-ui-open.png b/docs/serverless/images/cases-open-manage/-cases-cases-ui-open.png index 95d9c8c5fb..d71eb710f3 100644 Binary files a/docs/serverless/images/cases-open-manage/-cases-cases-ui-open.png and b/docs/serverless/images/cases-open-manage/-cases-cases-ui-open.png differ diff --git a/docs/serverless/images/cases-settings/security-cases-observable-types.png b/docs/serverless/images/cases-settings/security-cases-observable-types.png new file mode 100644 index 0000000000..8ca37cb784 Binary files /dev/null and b/docs/serverless/images/cases-settings/security-cases-observable-types.png differ diff --git a/docs/serverless/images/cases-settings/security-cases-settings.png b/docs/serverless/images/cases-settings/security-cases-settings.png index db0040084b..fd2cb81b67 100644 Binary files a/docs/serverless/images/cases-settings/security-cases-settings.png and b/docs/serverless/images/cases-settings/security-cases-settings.png differ diff --git a/docs/serverless/images/cases-settings/security-cases-templates.png b/docs/serverless/images/cases-settings/security-cases-templates.png index 3c0dc7c91f..5a7e369434 100644 Binary files a/docs/serverless/images/cases-settings/security-cases-templates.png and b/docs/serverless/images/cases-settings/security-cases-templates.png differ diff --git a/docs/serverless/investigate/cases-open-manage.asciidoc b/docs/serverless/investigate/cases-open-manage.asciidoc index a438b5f535..f0b190a2ef 100644 --- a/docs/serverless/investigate/cases-open-manage.asciidoc +++ b/docs/serverless/investigate/cases-open-manage.asciidoc 
@@ -108,6 +108,7 @@ Comments can contain Markdown. For syntax help, click the Markdown icon (image:i * <> * Modify the case's description, assignees, category, severity, status, and tags. * Manage connectors and send updates to external systems (if you've added a connector to the case) +* <> * <> * Refresh the case to retrieve the latest updates @@ -212,6 +213,38 @@ After a visualization has been added to a case, you can modify or interact with [role="screenshot"] image::images/cases-open-manage/-cases-cases-open-vis.png[Shows where the Open Visualization option is] +[float] +[[cases-add-observables]] +=== Add observables + +.Requirements +[sidebar] +-- +To use observables, you must have the Security Analytics Essentials <>. +-- + +An observable is a piece of information about an investigation, for example, a suspicious URL or a file hash. Use observables to identify correlated events and better understand the severity and scope of a case. + +To create an observable: + +. Click the **Observables** tab, then click **Add observable**. ++ +NOTE: Each case can have a maximum of 50 observables. ++ +. Provide the necessary details: +** **Type**: Select a type for the observable. You can choose a preset type or a <>. +** **Value**: Enter a value for the observable. The value must align with the type you select. +** **Description** (Optional): Provide additional information about the observable. + +. Click **Add observable**. + +After adding an observable to a case, you can remove or edit it by using the **Actions** menu (**…**). + +TIP: Go to the **Similar cases** tab to access other cases with the same observables. + +[role="screenshot"] +image::images/cases-open-manage/-cases-cases-add-observables.png[Shows you where to add observables] + [discrete] [[cases-copy-case-uuid]] === Copy the case UUID diff --git a/docs/serverless/investigate/cases-settings.asciidoc b/docs/serverless/investigate/cases-settings.asciidoc index 54c8e1db2e..456f7a7151 100644 
--- a/docs/serverless/investigate/cases-settings.asciidoc +++ b/docs/serverless/investigate/cases-settings.asciidoc @@ -124,3 +124,27 @@ When users create cases, they can optionally select a template and use its field ==== If you update or delete templates, existing cases are unaffected. ==== + +[float] +[[security-cases-observable-types]] +== Observable types + +.Requirements +[sidebar] +-- +To use observables, you must have the Security Analytics Essentials <>. +-- + +Create custom observable types for enhanced case collaboration. + +. In the **Observable types** section, click **Add observable type**. +. Enter a descriptive label for the observable type, then click **Save**. + +After creating a new observable type, you can remove or edit it from the **Settings** page. + +NOTE: You can create up to 10 custom observable types. + +IMPORTANT: Deleting a custom observable type deletes all instances of it. + +[role="screenshot"] +image::images/cases-settings/security-cases-observable-types.png[Add an observable type in case settings] \ No newline at end of file
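Review bot: In the `@@ -123,3 +123,27 @@` hunk of `docs/cases/cases-manage-settings.asciidoc`, the line `IMPORTANT: Deleting a custom observable type deletes all instances of it.` leaves the user to guess what "instances" are; since the neighbouring templates note says `NOTE: If you update or delete templates, existing cases are unaffected.`, readers will expect the same and should be told explicitly that observables of that type are removed from existing cases and whether that removal can be undone. The lead sentence `Create custom observable types for enhanced case collaboration.` is also too vague to act on; say what a custom type is for (categorizing observable values that the preset types do not cover) so the reader knows when to create one rather than use a preset.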
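Review bot: In the `@@ -194,6 +195,38 @@` hunk of `docs/cases/cases-manage.asciidoc`, the second list continuation after the admonition is dangling: the sequence `NOTE: Each case can have a maximum of 50 observables.` / `+` / `. Provide the necessary details:` has a `+` with no block to attach, since the next line is a sibling list item; drop that `+` so the ordered list renders as three top-level steps. The bullet `**Value**: Enter a value for the observable. The value must align with the type you select.` should also state what the preset types expect and what happens on a mismatch (is the value rejected at save time, or accepted as typed?), because an analyst pasting a file hash or URL will want to know whether the type is validated before relying on the **Similar cases** tab to match on it.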
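Review bot: In the `@@ -212,6 +213,38 @@` hunk of `docs/serverless/investigate/cases-open-manage.asciidoc`, the new section is introduced with `[float]` while the adjacent existing section in the same file uses `[discrete]` (`[discrete]` / `[[cases-copy-case-uuid]]` / `=== Copy the case UUID`); use `[discrete]` here to match the file. The section body is otherwise a verbatim copy of the block added to `docs/cases/cases-manage.asciidoc`, differing only in the requirements sidebar and image path, so consider moving the shared text into an include with the subscription line as an attribute to keep the two from drifting; the same dangling `+` after the `NOTE:` line is present in this copy and should be removed as well.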
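Review bot: In the `@@ -124,3 +124,27 @@` hunk of `docs/serverless/investigate/cases-settings.asciidoc`, the admonition style does not match the file: the surrounding content uses delimited blocks (`====` / `If you update or delete templates, existing cases are unaffected.` / `====`), whereas the added `NOTE: You can create up to 10 custom observable types.` and `IMPORTANT: Deleting a custom observable type deletes all instances of it.` are paragraph admonitions; convert them to the delimited form used elsewhere in the file. The heading is also `== Observable types` here but `=== Observable types` in the `docs/cases` counterpart, so confirm the level matches the sibling sections of this file, and add the missing trailing newline flagged by `\ No newline at end of file`.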