Creating cases from signals

Hi, I am trying to understand a couple of things with Detections and Cases in Elastic SIEM -

  1. Is there a way to automatically create cases for some rule detections?
  2. Is there a way to store or create Case Templates in Cases (which then can also be attached to some detections where we want an automatic creation of a case)?

Thanks

Hi again @forkhead, thanks for the continued interest!

  1. Is there a way to automatically create cases for some rule detections?

No, there is not currently an in-app method for automatically creating a case as a rule action. This is something that we are investigating for a future release. We have heard this request from MSSP-type users, who have an SLA in place that requires them to auto-create a case upon certain detections.

  2. Is there a way to store or create Case Templates in Cases (which then can also be attached to some detections where we want an automatic creation of a case)?

No, there is not currently a way to do this in the SIEM app. This too is an area of investigation for future capabilities. As a partial workaround, one idea is to include the case template in the rule's advanced setting "Investigation guide." When a signal detected by the rule is investigated in the Timeline, the "Investigation guide" text is automatically populated in the Timeline Notes. When creating a case from the Timeline, the analyst can first copy the text from the Timeline Note, and then paste it into the newly opened case.

Please keep the feedback coming!

Haha @Mike_Paquette thanks for the replies. Yes, I was thinking if there is an in-app way to create cases where we always want those detections to be investigated but I think the other option I see is basically using the Signals API to fetch those and Cases API to create the case. For the other question let me look into the "Investigation guide" functionality.

Thanks
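One way to script the approach described in the post above (Signals API to fetch signals, Cases API to open a case), as an added example that is not code from the thread or from Elastic. It assumes a local Kibana at localhost:5601 with placeholder credentials, a rule tag `auto-case` marking rules that should always get a case, and the 7.x API paths and signal field names; newer releases require extra fields on case creation, noted in the comments.

```python
import base64
import json
import urllib.request

KIBANA = "http://localhost:5601"   # assumption: local Kibana
AUTH = "elastic:changeme"          # placeholder credentials, not real ones
CASE_TAG = "auto-case"             # rule tag that means "always open a case"

def signals_query(tag, size=50):
    """Body for POST /api/detection_engine/signals/search: open signals whose
    rule carries `tag` (field names as in the 7.x .siem-signals-* mapping)."""
    return {"size": size,
            "query": {"bool": {"filter": [
                {"term": {"signal.status": "open"}},
                {"term": {"signal.rule.tags": tag}}]}},
            "sort": [{"@timestamp": "desc"}]}

def case_from_signal(hit):
    """Body for POST /api/cases built from one signal hit. The description is
    a fixed case template filled in from the signal's fields. Kibana 7.10+
    also requires a `connector`, and 7.13+ `settings` and `owner`."""
    src = hit["_source"]
    rule = src["signal"]["rule"]
    host = src.get("host", {}).get("name", "unknown")
    return {"title": f"[{rule['name']}] on {host}",
            "description": (f"Signal `{hit['_id']}` from rule `{rule['name']}` "
                            f"({rule['id']}) at {src['@timestamp']} on `{host}`.\n\n"
                            "## Triage\n- [ ] Confirm activity on host\n"
                            "- [ ] Scope to other hosts\n- [ ] Decide on containment\n"),
            "tags": ["auto-created", *rule.get("tags", [])]}

def status_update(signal_ids, status="closed"):
    """Body for POST /api/detection_engine/signals/status, so a signal already
    turned into a case is not picked up again on the next poll."""
    return {"signal_ids": list(signal_ids), "status": status}

def kibana(method, path, body):
    """Minimal Kibana REST call; the kbn-xsrf header is mandatory on writes."""
    token = base64.b64encode(AUTH.encode()).decode()
    req = urllib.request.Request(
        KIBANA + path, method=method, data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json", "kbn-xsrf": "true",
                 "Authorization": "Basic " + token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def run_once():
    hits = kibana("POST", "/api/detection_engine/signals/search",
                  signals_query(CASE_TAG))["hits"]["hits"]
    for hit in hits:
        case = kibana("POST", "/api/cases", case_from_signal(hit))
        print("created case", case.get("id"), "for signal", hit["_id"])
    if hits:
        kibana("POST", "/api/detection_engine/signals/status",
               status_update(h["_id"] for h in hits))

if __name__ == "__main__":
    run_once()
```

Run it from cron or a scheduler; the status update is what keeps one signal from producing a case on every poll.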
