Cases for Elastic Security

Create cases to collect and share information about security incidents and investigations. You can attach alerts, document findings, and collaborate with your SOC team, all in one place. Cases also integrate with external ticketing systems like Jira, ServiceNow, and IBM Resilient, so you can escalate and track incidents across your security workflow.

Beyond the core case functionality, Elastic Security lets you:

If Sync alert status is on, closing the case opens the Select alert close reason popup, where you can choose how attached detection alerts are closed. You can close the attached alerts without a reason, or specify an alert closing reason.

The available options match the closing reasons from the Alerts page, including any custom closing reasons defined in advanced settings.

Alerts that are already closed keep their existing reason; only open and acknowledged attached alerts are updated.

Select an existing case to access its summary. The case summary, located under the case title, contains metrics that summarize alert information and response times:

  • Total alerts: Total number of unique alerts attached to the case
  • Associated users: Total number of unique users represented in the attached alerts
  • Associated hosts: Total number of unique hosts represented in the attached alerts
  • Total connectors: Total number of connectors added to the case
  • Case created: Date and time the case was created
  • Open duration: Time elapsed since the case was created
  • In progress duration: How long the case has been in the In progress state
  • Duration from creation to close: Time elapsed from case creation to closure

Use these metrics to assess incident scope, track response efficiency, and identify trends across cases for process improvements.
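The two behaviours described above (closing a case with Sync alert status on, where only open and acknowledged alerts receive the chosen close reason, and the case summary's unique-count metrics) modelled in Python as an added example; this is not Elastic's code, and the field names (`kibana.alert.uuid`, `kibana.alert.workflow_status`, `host.name`, `user.name`), the `close_reason` key and the sample alerts are assumptions constructed for the illustration.

```python
from datetime import datetime, timezone

OPEN, ACKNOWLEDGED, CLOSED = "open", "acknowledged", "closed"


def close_case_alerts(alerts, reason=None, sync_alerts=True):
    """Return a copy of the attached alerts as they look after the case is closed.

    With Sync alert status on, open and acknowledged alerts are closed and get
    the selected close reason (None models "close without a reason"). Alerts
    that were already closed keep their existing status and reason untouched.
    """
    if not sync_alerts:
        return [dict(a) for a in alerts]
    updated = []
    for a in alerts:
        a = dict(a)  # do not mutate the caller's records
        if a["kibana.alert.workflow_status"] in (OPEN, ACKNOWLEDGED):
            a["kibana.alert.workflow_status"] = CLOSED
            a["close_reason"] = reason
        updated.append(a)
    return updated


def case_summary(alerts, connectors=(), created=None, now=None):
    """Compute the case summary metrics: unique alerts, users, hosts, connectors."""
    summary = {
        "total_alerts": len({a["kibana.alert.uuid"] for a in alerts}),
        "associated_users": len({a["user.name"] for a in alerts if a.get("user.name")}),
        "associated_hosts": len({a["host.name"] for a in alerts if a.get("host.name")}),
        "total_connectors": len(connectors),
    }
    if created is not None:  # open duration in seconds, if timestamps are given
        now = now or datetime.now(timezone.utc)
        summary["open_duration_s"] = int((now - created).total_seconds())
    return summary


# Constructed sample: the same alert attached twice, one already-closed alert.
SAMPLE_ALERTS = [
    {"kibana.alert.uuid": "a1", "kibana.alert.workflow_status": OPEN,
     "host.name": "web-01", "user.name": "alice"},
    {"kibana.alert.uuid": "a2", "kibana.alert.workflow_status": ACKNOWLEDGED,
     "host.name": "web-01", "user.name": "bob"},
    {"kibana.alert.uuid": "a3", "kibana.alert.workflow_status": CLOSED,
     "host.name": "db-02", "user.name": None, "close_reason": "false_positive"},
    {"kibana.alert.uuid": "a1", "kibana.alert.workflow_status": OPEN,
     "host.name": "web-01", "user.name": "alice"},
]
```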

Attach events to cases to document suspicious activity and preserve evidence for your investigation. You can add events from Timeline or from the Events tab on the Hosts, Network, or Users pages. This helps you build a chronological record of what happened, share findings with your team, and support post-incident analysis.

View attached events in the case's Events tab, where they're organized from newest to oldest. You can find the Events tab in the following places:

  • : Go to the case's details page, then select the Attachments tab.
  • : Go to the case's details page.

Attach threat intelligence indicators to cases to document evidence of compromise and connect your investigation to known threats. This helps you correlate alerts with threat actor tactics, track IOCs across related incidents, and build a complete picture of an attack.

Attach Timelines to cases to preserve your investigation context and share it with your team. When you link a Timeline, other analysts can see the exact queries, filters, and events you examined, making it easier to collaborate, hand off investigations, or document your evidence trail.

Tip

To insert a Timeline link in the case description, click the Timeline icon.