Configure case settings

Customize how your team works with cases by setting up templates for faster case creation, adding custom fields to capture data specific to your workflow, and connecting to external systems like Jira or ServiceNow to keep incidents in sync.

To perform these tasks, you must have full access to the appropriate case and connector features.

To access case settings:

  • Stack Management: Go to Stack Management > Cases, then click Settings.
  • Elastic Security: Find Cases in the navigation menu or search for Security/Cases using the global search field, then click Settings.
  • Observability: Find Cases in the navigation menu or search for Observability/Cases using the global search field, then click Settings.

To access case settings:

  • Elastic Security: Find Cases in the navigation menu or search for Cases using the global search field, then click Settings.
  • Observability: Find Cases in the navigation menu or search for Cases using the global search field, then click Settings.

If you close cases in your external incident management system, the cases will remain open in Kibana until you close them manually.

To close cases when they are sent to an external system, select the option to automatically close cases when pushing a new incident to an external system.

Connectors let you send cases to external incident management systems. To create and manage connectors, you need the appropriate Kibana feature privileges and subscription or project feature tier. Refer to Control access to cases.

You can create connectors in Stack Management > Connectors (see Connectors) or from the case Settings page:

  1. From the Incident management system list, select Add new connector.

  2. Select the system to send cases to:

  3. Enter your required settings, then click Save.

To update a connector:

  1. Select the required connector from the incident management system list.
  2. Click Update <connector name>.
  3. Modify the connector fields as needed, then click Save & close.

Select a connector from the Incident management system list to set it as the default for new cases. You can also choose a connector when creating individual cases or in case templates.

When you push a case to an external system, case fields are automatically mapped to corresponding fields in that system. For example, the case title maps to the short description in ServiceNow and the summary in Jira. Case tags map to labels in Jira, and comments map to work notes in ServiceNow.

With a Webhook - Case Management connector, you can map case fields to custom or existing fields.

When you push updates, mapped fields are either overwritten or appended, depending on the field and connector. Retrieving data from external systems is not supported.

You can add optional and required fields for customized case collaboration.

To create a custom field:

  1. In the Custom fields section, click Add field.
  2. You must provide a field label and type (text or toggle). You can optionally designate it as a required field and provide a default value.

When you create a custom field, it's added to all new and existing cases. In existing cases, new custom text fields initially have null values.

You can subsequently remove or edit custom fields on the Settings page.

Templates let you pre-fill case fields like severity, tags, title, description, and custom fields—speeding up case creation and ensuring consistency across your team. When creating a case, you can select a template and use its values or override them. Updating or deleting templates does not affect existing cases.

To create a template:

  1. In the Templates section, click Add template.
  2. Provide a template name and case severity.
  3. (Optional) Add template tags and a description, values for each case field, and a case connector.

In addition to the preset observable types (such as IP addresses and file hashes), you can create up to 10 custom types to match your investigation needs. Custom observable types appear as options when you add observables to cases.

  1. In the Observable types section, click Add observable type.
  2. Enter a descriptive label for the observable type, then click Save.

You can edit or remove custom observable types from the Settings page. Be aware that deleting a custom observable type also deletes all instances of it from your cases.