SIEM created and closed cases report

Hey @bnk

I managed to reproduce what you are saying. I think the problem is with the index pattern. You need to be a bit more specific with the index pattern. Mine was .kibana-*. I changed it to .kibana-nasikas_8.0.0 and it worked.

Steps to produce what you want:

  1. Go to Stack Management -> Index Patterns
  2. Click Create index pattern and check Include system and hidden indices
  3. Put as Index pattern name .kibana_<your_versions>. You don't want to include .kibana-task-manager and .kibana-event-log
  4. Select @timestamp as the time field.
  5. Go to Analytics -> Dashboard -> Create visualization
  6. Select your index pattern
  7. Adjust your time range to include the cases you want.
  8. Search for the cases.status field name. It should be in the Available fields.
  9. Drag and drop the field to the right area

You should be able to see some diagrams with your data.

I hope that helps. Let me know if you need any help.

Best,
Christos