Hello, I looked information if there is a possibility to export info about created and closed cases (also tags associated with cases and other related info) in ELK SIEM, but I coudn't find any information. Is there a way to export information from SIEM section Cases?
Regards
Ema
Hey Ema,
Thanks for your question! The Cases plugin supports creating external incidents as described here: Create or update an external incident | Elastic Security Solution [7.12] | Elastic
Unfortunately beyond that we don't have a way to export Cases at the moment but it is something we're hoping to incorporate!
Jonathan
Thank you for your response.
I am curious is there any way to create statistic chart, table or any other statistic visualization of open, closed cases within Elastic? Like dashboard or canvas?
Hi @bnk
It is not possible to do it through Cases. Nevertheless, there is a way to do it. You have to create the .kibana* index pattern and then go to canvas or dashboard and select the index pattern. Then you can filter like cases.status: "closed" and use a count metric or use the values from there to create visualizations. Be aware that this is a system index and that the data structures may not be very "dashboard friendly".
Best,
Christos
Thank you @christos.nasikas for your response! With your guidance we have managed to create a dashboard for closed cases. In your suggested .kibana* index, there are no info about "open" cases. Is there any way to include info or create new index about created and still open cases?
Regards
Ema
Hey @bnk
Cases at the moment support three statuses: open, in-progress, and closed. Have you tried to create the dashboard with cases.status: "open" ?
I created filter with Controls visualization, where I can filter out whole dashboard "closed" and "open" cases , only one visualization in a dashboard shows "Open" case. That visualization was created with cases.created_at field. Other visualizations do not show data at all. It seems that they count only "Closed" cases. For example, Metrics visualization (which counts sum of all cases) shows 0 open cases though where is 1. I edited it: aggregation is set to count, I've created a bucket with aggregation -> Filter -> cases.status :"open" -> update. But result were the same, zero open cases .
I think I am doing something wrong 
Regards
Ema
Hey @bnk
I managed to reproduce what you are saying. I think the problem is with the index pattern. You need to be a bit more specific with the index pattern. Mine was .kibana-*. I changed it to .kibana-nasikas_8.0.0 and it worked.
Steps to produce what you want:
.kibana_<your_versions>. You don't want to inlude .kibana-task-manager and .kibana-event-log
@timestamp as the time field.
cases.status field name. It should be on the Available fieldsYou should be able to see some diagrams with your data.
I hope that helps. Let me know if you need any help.
Best,
Christos
Thank you @christos.nasikas for detailed answer.
After I wrote a comment, I started analyzing .kibana-* index and I determined that the problem was in the index.
Thanks you once again, I managed to create a dashboard where I see all cases (open and closed).
Best Regards
Ema
You are welcome! I am glad that you managed to create your dashboards.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.
