
[Request] [8.18, 9.0, and Serverless] Observables can be added to cases #6395

Closed
12 of 13 tasks
nastasha-solomon opened this issue Jan 7, 2025 · 1 comment · Fixed by #6477
Labels:

  • blocked: An issue that's currently blocked because it’s pending info or action from stakeholders.
  • Docset: ESS: Issues that apply to docs in the Stack release
  • Docset: Serverless: Issues for Serverless Security
  • Effort: Medium: Issues that take moderate but not substantial time to complete
  • Feature: Cases: Cases issues
  • Priority: High: Issues that are time-sensitive and/or are of high customer importance
  • Team: Threat Hunting: Formerly Data Visibility
  • v8.18.0
  • v9.0.0

Comments

@nastasha-solomon
Contributor

nastasha-solomon commented Jan 7, 2025

Description

Users can associate observables with cases for better tracking and analysis in incident response workflows. This improves investigative efficiency by correlating observables across multiple cases.

Misc. notes:

  • The max number of observables that users can create (via the Add observable modal) is 50.
  • The max number of observable types is 10.
  • This feature is GA'd in Serverless and will be released in 8.18/9.0.0 for ESS.
  • The Similar cases tab allows users to find other cases with the same observables (identical type and value).
  • Observable types can be managed from the Case settings page.
  • Only observables that belong to a non-deleted type are visible.

Background & resources

Which documentation set does this change impact?

ESS and serverless

ESS updates are below. The Serverless updates will be the same.

Changes to the Configure case settings page:

Changes to the Open and manage cases page:

In the Manage existing cases section:

  • Add to the list of things users can do with cases. Link to the new “Create and manage observables” section.

ESS release

8.18 and 9.0

Serverless release

January 7, 2025

Feature differences

N/A

API docs impact

N/A

Prerequisites, privileges, feature flags

ESS license - TBD
Serverless feature tier - Essentials

nastasha-solomon added the labels Docset: ESS, Docset: Serverless, Effort: Medium, Feature: Cases, Priority: High, Team: Threat Hunting, v8.18.0, and v9.0.0 on Jan 7, 2025
nastasha-solomon self-assigned this on Jan 7, 2025
nastasha-solomon added the blocked label on Jan 15, 2025
@nastasha-solomon
Contributor Author

ESS license requirements are still pending. Also need a formal definition of the term "observable".
