Hi @elasticfran,
The "add lens" feature allows you to add dashboards in Cases. It was introduced in 7.15.
At the moment is not possible to create a dashboard from within Cases. It is in our roadmap to support it in the future. There is a way to do it using the .kibana system index. Be aware that
the data structures of a system index may not be very "dashboard friendly" and they are subject to change in the future.
Steps:
- Go to Stack Management -> Index Patterns.
- Click to Create index pattern and check Include system and hidden indices.
- Put as Index pattern name
.kibana_<your_version>. You don't want to inlude.kibana-task-managerand.kibana-event-log - Select
@timestamporupdated_atas the time field. - Go to Analytics -> Dashboard -> Create visualization
- Select your index pattern
- Adjust your time range to include the cases you want.
- On the Available fields you can search for cases fields. To visualize open, in progress, closed cases use the
cases.statusfield. For new cases thecases.created_atfield etc.
- Drag and drop the field to the visualization area (on the right). You should be able to see some visualizations.
Let me know if you need any help.
Reference: SIEM created and closed cases report - #8 by christos.nasikas
Best,
Christos