Hello,
I need to do some basic analytics on the Kibana cases we created until now. Where are these cases indexed? For example I added some tags and I want to visualise the amount of cases out of all cases that have certain tags (eg false-positive).
Grtz
Willem
Hi @willemdh, Kibana cases are stored as saved objects in the .kibana index.
Saved objects are managed differently than other documents stored in Elasticsearch to implement access controls that, for example, ensure only users who have access to a Kibana space have access to them.
There are some known limitations of saved objects. For example, they cannot be queried via aggregations, which are often used to create visualizations.
There are some known limitations of saved objects. For example, they cannot be queried via aggregations, which are often used to create visualizations.
Sorry to hear that.
I'm really lost with the case management in Elastic SIEM.... I have no usable connector for our itsm tool, I cannot use custom webhooks, I cannot do any required things with the builtin Cases..
My CISO asks for basic SIEM metrics, I can't give them..
I had a quick look to this, and yes unfortunately cases are stored as saved objects
But definetly you can get cases metadata reindexed to a new index for Analytics
GET .kibana/_search
{
"query": {
"bool": {
"must": [
{
"exists": {
"field": "cases-user-actions"
}
}
]
}
}
}
You will just need a small ingest pipeline to serialize case metadata, as they are stred in a json field
PUT _ingest/pipeline/read_siem_cases
{
"description": "Serialize case attributes",
"processors": [
{
"json": {
"field": "cases-user-actions.new_value",
"target_field": "case_metadata"
}
}
]
}
And here is how to reindex only cases
POST _reindex
{
"source": {
"index": ".kibana",
"query": {
"bool": {
"must": [
{
"exists": {
"field": "cases-user-actions"
}
}
]
}
}
},
"dest": {
"index": "siem_cases",
"pipeline": "read_siem_cases"
}
}
The new index will looks like this
{
"_index" : "siem_cases",
"_type" : "_doc",
"_id" : "cases-user-actions:419c6d60-7556-11eb-a3ff-3f54f568a988",
"_score" : 1.0,
"_source" : {
"migrationVersion" : {
"cases-user-actions" : "7.10.0"
},
"references" : [
{
"name" : "associated-cases",
"id" : "4177a750-7556-11eb-a3ff-3f54f568a988",
"type" : "cases"
}
],
"updated_at" : "2021-02-22T21:38:09.336Z",
"cases-user-actions" : {
"action_by" : {
"full_name" : null,
"email" : null,
"username" : "elastic"
},
"action_field" : [
"description",
"status",
"tags",
"title",
"connector",
"settings"
],
"action" : "create",
"old_value" : null,
"action_at" : "2021-02-22T21:38:09.087Z",
"new_value" : """{"title":"My Case Name","tags":["My Case Tag1","My Case Tag2","My Case Tag3"],"description":"My Case Description","connector":{"id":"none","name":"none","type":".none","fields":null},"settings":{"syncAlerts":true}}"""
},
"type" : "cases-user-actions",
"case_metadata" : {
"settings" : {
"syncAlerts" : true
},
"connector" : {
"name" : "none",
"id" : "none",
"type" : ".none",
"fields" : null
},
"description" : "My Case Description",
"title" : "My Case Name",
"tags" : [
"My Case Tag1",
"My Case Tag2",
"My Case Tag3"
]
}
}
}
Thanks a lot for this suggestion @ylasri I will definitel try it out. What privileges are minimal required for this, is read on .kibana enough?
Yes Read on .kibana index, but also permission to use _reindex API and write to a new index with an ingest pipeline
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.