Search and share cases

Quickly locate relevant cases and share them with others or external ticketing systems to streamline collaboration and handoffs.

The Cases page has a search bar for quickly finding cases and case data. You can search for case titles, descriptions, and IDs using keywords and text.

Note the following rules for search:

  • Keywords: Searches for keywords (like case and alert IDs) must be exact.
  • Text: Text searches (such as case titles and descriptions) are case-insensitive.
  • Syntax: No special syntax is required when entering your search criteria.

You can also search for alert and event IDs, observable values, case comments, and custom fields (text type only). For example, you can search Elastic Security for a specific IP address that's been specified as an observable, a colleague's comment, or the ID of an alert that's attached to the case.

You can filter cases by attributes such as assignees, categories, severity, status, and tags.

To find cases created during a specific time range, use the date time picker above the Cases table. The default selection is the last 30 days—click Show all cases to display every case in your space.

To send a case to an external system, select the push button in the External incident management system section of the individual case page. Case information is not sent automatically. If you make further changes to the shared case fields, push the case again so the external system receives them.

For more information about configuring connections to external incident management systems, refer to Configure case settings.

Cases have two types of identifiers:

  • Numeric ID: A short, human-readable number that appears after the case name. Use it for quick reference in conversations or searches. Numeric IDs increment by one for each new case in your space and are assigned by a background task that runs every 10 minutes.
  • UUID: A longer alphanumeric identifier for the cases API. Copy it from Actions > Copy Case ID on the Cases page or from the action menu in a case.