Create cases

To create a new case:

  1. Go to the Cases page, then select Create case.

    To access the Cases page:

    • Stack Management: Go to Stack Management > Cases.
    • Elastic Security: Find Cases in the navigation menu or search for Security/Cases (or Cases) using the global search field.
    • Observability: Find Cases in the navigation menu or search for Observability/Cases (or Cases) using the global search field.

  2. (Optional) Select a template to pre-fill field values.

  3. Enter a name, severity, and description. If you do not assign your case a severity level, it will be assigned Low by default. The description supports Markdown.

  4. (Optional) Add a category, assignees, and tags.

  5. (Optional) Fill in any custom fields in the Additional fields section.

  6. Configure sync and extraction options:

    • Sync alert status syncs alert statuses with the case status (on by default).

    • Auto-extract observables extracts observables from attached alerts (on by default, requires appropriate subscription).

      Note

      Auto-extracting observables is only available for Elastic Security in Elastic Security Serverless and Elastic Stack 9.2+.

  7. (Optional) Select a connector to send the case to an external system.

  8. Select Create case. If you've selected a connector for the case, the case is automatically pushed to the third-party system it's connected to.

Set up email notifications to alert users when they're assigned to a case, so they can respond promptly.

Add the email domains to the notifications domain allowlist.

You do not need to configure an email connector or update Kibana user settings—the preconfigured Elastic-Cloud-SMTP connector is used by default.

  1. Create a preconfigured email connector.

    Note

    Email notifications support only preconfigured email connectors, which are defined in the kibana.yml file. For examples, refer to Email connectors and Configure email accounts for well-known services.

  2. Set the notifications.connectors.default.email Kibana setting to the name of your email connector.

    notifications.connectors.default.email: 'mail-dev'

    xpack.actions.preconfigured:
      mail-dev:
        name: preconfigured-email-notification-maildev
        actionTypeId: .email
        config:
          service: other
          from: from address
          host: host name
          port: port number
          secure: true/false
          hasAuth: true/false

  3. If you want the email notifications to contain links back to the case, configure the server.publicBaseUrl setting.

A case created in one solution is only visible within that solution:

  • Stack Management cases are not visible in Observability or Elastic Security
  • Observability cases are not visible in Stack Management or Elastic Security
  • Elastic Security cases are not visible in Stack Management or Observability

Alerts also can't cross solution boundaries. You can only attach alerts from the same solution to cases. For example, you can't attach Observability alerts to an Elastic Security case.
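The same fields the Create case form collects, and the per-solution ownership described above, submitted through the Cases API instead of the UI. This is an added example, not code from the Elastic documentation; the endpoint path, JSON field names and `owner` values are assumed from Kibana's Cases API rather than stated on this page, and `kibana_url` and `api_key` are placeholders for your own deployment.

```python
"""Build and send a Cases API request that mirrors the Create case form."""
import json
import urllib.request

# owner values select the solution; a case is only visible within that solution
SOLUTIONS = {"cases", "observability", "securitySolution"}
SEVERITIES = {"low", "medium", "high", "critical"}
NO_CONNECTOR = {"id": "none", "name": "none", "type": ".none", "fields": None}


def build_case_payload(title, description, owner, severity=None, tags=(),
                       category=None, assignees=(), custom_fields=(),
                       sync_alerts=True, connector=None):
    """Return the JSON body for POST /api/cases (assumed field names).

    severity defaults to "low", matching the UI default; connector falls back
    to the "none" connector; sync_alerts mirrors the Sync alert status toggle.
    """
    if owner not in SOLUTIONS:
        raise ValueError(f"owner must be one of {sorted(SOLUTIONS)}")
    sev = (severity or "low").lower()
    if sev not in SEVERITIES:
        raise ValueError(f"unknown severity {severity!r}")
    payload = {
        "title": title,
        "description": description,  # Markdown is accepted
        "owner": owner,
        "severity": sev,
        "tags": list(tags),
        "assignees": [{"uid": uid} for uid in assignees],
        "customFields": [dict(cf) for cf in custom_fields],
        "settings": {"syncAlerts": bool(sync_alerts)},
        "connector": connector or NO_CONNECTOR,
    }
    if category:  # optional, omitted rather than sent as null
        payload["category"] = category
    return payload


def create_case(kibana_url, api_key, payload, timeout=10):
    """POST the payload to Kibana and return the created case as a dict."""
    req = urllib.request.Request(
        f"{kibana_url.rstrip('/')}/api/cases",
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json",
                 "kbn-xsrf": "true",  # required by Kibana for write requests
                 "Authorization": f"ApiKey {api_key}"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)
```

Attaching an alert afterwards still has to respect the same `owner`, so keep the case's solution in mind when choosing which alerts to add.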