---
title: Create cases
description: Create cases to track incidents, attach alerts and files, assign team members, and push updates to external systems.
url: https://www.elastic.co/elastic/docs-builder/docs/3028/explore-analyze/cases/create-cases
products:
- Elastic Cloud Serverless
- Elastic Observability
- Elastic Security
- Kibana
applies_to:
- Elastic Cloud Serverless: Generally available
- Elastic Stack: Generally available
---
# Create cases
To create a new case:
1. Go to the **Cases** page, then select **Create case**.
To access the **Cases** page:
- **Stack Management**: Go to **Stack Management** > **Cases**.
- **Elastic Security**: Find **Cases** in the navigation menu or search for `Security/Cases` using the [global search field](https://www.elastic.co/elastic/docs-builder/docs/3028/explore-analyze/find-and-organize/find-apps-and-objects).
- **Observability**: Find **Cases** in the navigation menu or search for `Observability/Cases` using the [global search field](https://www.elastic.co/elastic/docs-builder/docs/3028/explore-analyze/find-and-organize/find-apps-and-objects).
To access the **Cases** page:
- **Elastic Security**: Find **Cases** in the navigation menu or search for `Cases` using the [global search field](https://www.elastic.co/elastic/docs-builder/docs/3028/explore-analyze/find-and-organize/find-apps-and-objects).
- **Observability**: Find **Cases** in the navigation menu or search for `Cases` using the [global search field](https://www.elastic.co/elastic/docs-builder/docs/3028/explore-analyze/find-and-organize/find-apps-and-objects).
2. (Optional) Select a [template](/elastic/docs-builder/docs/3028/explore-analyze/cases/configure-case-settings#case-templates) to pre-fill field values.
3. Enter a name, severity, and description. If you do not assign your case a severity level, it will be assigned **Low** by default. The description supports [Markdown](https://www.markdownguide.org/cheat-sheet).
4. (Optional) Add a category, [assignees](https://www.elastic.co/elastic/docs-builder/docs/3028/explore-analyze/cases/control-case-access), and tags.
5. (Optional) Fill in any [custom fields](/elastic/docs-builder/docs/3028/explore-analyze/cases/configure-case-settings#case-custom-fields) in the **Additional fields** section.
6. Configure sync and extraction options:
- **Sync alert status** syncs alert statuses with the case status (on by default).
- **Auto-extract observables** extracts observables from attached alerts (on by default, requires appropriate subscription).
Auto-extracting observables is only available in Elastic Security Serverless and Elastic Security 9.2+.
7. (Optional) Select a [connector](/elastic/docs-builder/docs/3028/explore-analyze/cases/configure-case-settings#case-connectors) to send the case to an external system.
8. Select **Create case**. If you've selected a connector for the case, the case is automatically pushed to the third-party system it's connected to.
After creating a case, you can [attach objects](https://www.elastic.co/elastic/docs-builder/docs/3028/explore-analyze/cases/attach-objects-to-cases) like alerts, files, observables, and visualizations to provide context and supporting evidence. You can also [set up email notifications](#add-case-notifications) so users are alerted when they're assigned to a case.
## Set up email notifications
Set up email notifications to alert users when they're assigned to a case, so they can respond promptly.
Add the email domains to the [notifications domain allowlist](https://www.elastic.co/elastic/docs-builder/docs/3028/explore-analyze/alerting/alerts).You do not need to configure an email connector or update Kibana user settings—the preconfigured Elastic-Cloud-SMTP connector is used by default.
1. Create a preconfigured email connector.
Email notifications support only [preconfigured email connectors](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3028/reference/kibana/connectors-kibana/pre-configured-connectors), which are defined in the [`kibana.yml`](https://www.elastic.co/elastic/docs-builder/docs/3028/deploy-manage/stack-settings) file. For examples, refer to [Email connectors](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3028/reference/kibana/connectors-kibana/pre-configured-connectors#preconfigured-email-configuration) and [Configure email accounts for well-known services](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3028/reference/kibana/connectors-kibana/email-action-type#configuring-email).
2. Set the `notifications.connectors.default.email` Kibana setting to the name of your email connector.
```yaml
notifications.connectors.default.email: 'mail-dev'
xpack.actions.preconfigured:
mail-dev:
name: preconfigured-email-notification-maildev
actionTypeId: .email
config:
service: other
from: from address
host: host name
port: port number
secure: true/false
hasAuth: true/false
```
3. If you want the email notifications to contain links back to the case, configure the [server.publicBaseUrl](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3028/reference/kibana/configuration-reference/general-settings#server-publicbaseurl) setting.
## Case visibility across solutions
A case created in one solution is only visible within that solution:
- **Stack Management** cases are not visible in Observability or Elastic Security
- **Observability** cases are not visible in Stack Management or Elastic Security
- **Elastic Security** cases are not visible in Stack Management or Observability
Alerts also can't cross solution boundaries. You can only attach alerts from the same solution to cases. For example, you can't attach Observability alerts to an Elastic Security case.