Case observables #180360
Labels: Feature:Cases (Cases feature), Team:ResponseOps (label for the ResponseOps team, formerly the Cases and Alerting teams), Team:Threat Hunting:Investigations (Security Solution Investigations Team)
shanisagiv1 added the Team:ResponseOps and Feature:Cases labels on Apr 9, 2024.
Pinging @elastic/response-ops (Team:ResponseOps)
Pinging @elastic/response-ops-cases (Feature:Cases)
lgestc added the Team:Threat Hunting:Investigations label on Aug 7, 2024.
Pinging @elastic/security-threat-hunting-investigations (Team:Threat Hunting:Investigations)
lgestc added a commit that referenced this issue on Dec 23, 2024:

…190237)

## Summary

### Introducing Case Observables - _phases 0 and 1_

This pull request introduces case observables to Kibana, enhancing the platform's case management capabilities. It adds support for capturing and displaying observables (e.g., IP addresses, URLs, file hashes) linked to cases. The feature integrates with the Cases UI, allowing users to easily associate observables with cases for better tracking and analysis in incident response workflows. This improves investigative efficiency by correlating observables across multiple cases.

#### Requirements:
https://docs.google.com/document/d/12hZTpyn0eXy3Xnq8qLBd6_sJxBhNZoI7vXztxWHhUds/edit#heading=h.srf6mb8ifiad

#### Design document:
https://docs.google.com/document/d/1MeDLl6OEWast1RC1M3_hQXnRCd8frrXdGkFnypIYKJQ/edit#heading=h.kb5lrp2j62id

Notable Cases sections are added in this PR:

**1. Observables section in the case view, allowing for adding and listing up to 10 observables for the case**

![image](https://github.com/user-attachments/assets/f517803d-a6a3-4428-b3e3-478e70c60050)

**2. Similar cases view for every case, allowing for similar case discovery**

![image](https://github.com/user-attachments/assets/388fddfb-9533-4f0d-aa8b-f5601e5323e0)

**3. Observable types management view in Cases settings**

![image](https://github.com/user-attachments/assets/2d76f8be-c234-4f24-a419-da54228fb111)

Original issue: #180360

Things skipped for now from MVP:
- [ ] Allow users to manually create observables from the cases alerts table using the table actions (Phase 1)
- [ ] Allow users to manually create observables of type “hash” from the files table using the table actions (Phase 1)

---------

Co-authored-by: Christos Nasikas <[email protected]>
Co-authored-by: kibanamachine <[email protected]>
Co-authored-by: Christos Nasikas <[email protected]>
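The commit message above describes three behaviours of the feature: observables of a few types (IP addresses, URLs, file hashes) attached to a case, a cap of 10 observables per case, and similar-case discovery by correlating observables across cases. The TypeScript below is an added illustration of how those three pieces fit together; it is not Kibana's code and not from the pull request. The type names (`ipv4`, `url`, `hash`), the normalization rules, the function names and the sample cases are all assumptions made for the example. Normalizing values before comparison matters because an IP written as `198.051.100.7` or a URL with an upper-case host would otherwise never match the same indicator recorded on another case.

```typescript
// Added example, not Kibana's own code. Observable types, normalization
// rules, function names and the sample cases below are assumptions.

type ObservableType = 'ipv4' | 'url' | 'hash';

interface Observable { type: ObservableType; value: string; }

interface Case { id: string; title: string; observables: Observable[]; }

// Per-case limit stated in the PR description.
export const MAX_OBSERVABLES_PER_CASE = 10;

// Validate a raw value for its declared type and put it in canonical form so
// that two spellings of the same indicator compare equal. Returns null when
// the value is not a well-formed instance of that type.
export function normalizeObservable(type: ObservableType, raw: string): Observable | null {
  const value = raw.trim();
  switch (type) {
    case 'ipv4': {
      const parts = value.split('.');
      if (parts.length !== 4) return null;
      const ok = parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
      // Strip leading zeros: "051" becomes "51".
      return ok ? { type, value: parts.map((p) => String(Number(p))).join('.') } : null;
    }
    case 'url': {
      // Scheme and host are case-insensitive; the path is kept as given.
      const m = /^(https?):\/\/([^/?#]+)(.*)$/i.exec(value);
      if (!m) return null;
      return { type, value: `${m[1].toLowerCase()}://${m[2].toLowerCase()}${m[3]}` };
    }
    case 'hash': {
      const hex = value.toLowerCase();
      if (!/^[0-9a-f]+$/.test(hex)) return null;
      // Accept MD5 (32), SHA-1 (40) and SHA-256 (64) hex digests.
      if (hex.length !== 32 && hex.length !== 40 && hex.length !== 64) return null;
      return { type, value: hex };
    }
    default:
      return null;
  }
}

// Attach an observable to a case. Rejects malformed values, duplicates and
// anything beyond the per-case limit; returns the reason or null on success.
export function addObservable(c: Case, type: ObservableType, raw: string): string | null {
  const obs = normalizeObservable(type, raw);
  if (!obs) return 'invalid';
  if (c.observables.some((o) => o.type === obs.type && o.value === obs.value)) return 'duplicate';
  if (c.observables.length >= MAX_OBSERVABLES_PER_CASE) return 'limit';
  c.observables.push(obs);
  return null;
}

const key = (o: Observable): string => `${o.type}:${o.value}`;

// Similar-case discovery: every other case that shares at least one
// normalized observable with `target`, ordered by number of shared values.
export function similarCases(target: Case, all: Case[]): Array<{ id: string; shared: string[] }> {
  const targetKeys = new Set(target.observables.map(key));
  return all
    .filter((c) => c.id !== target.id)
    .map((c) => ({ id: c.id, shared: c.observables.map(key).filter((k) => targetKeys.has(k)) }))
    .filter((r) => r.shared.length > 0)
    .sort((a, b) => b.shared.length - a.shared.length);
}

// Constructed sample cases: case-1 and case-2 share an IP and a URL written
// differently; case-3 shares nothing.
export function demo(): Array<{ id: string; shared: string[] }> {
  const a: Case = { id: 'case-1', title: 'Phishing wave', observables: [] };
  const b: Case = { id: 'case-2', title: 'Credential theft', observables: [] };
  const c: Case = { id: 'case-3', title: 'Unrelated', observables: [] };
  addObservable(a, 'ipv4', '198.051.100.7');
  addObservable(a, 'url', 'https://Example.COM/login');
  addObservable(a, 'hash', 'D41D8CD98F00B204E9800998ECF8427E');
  addObservable(b, 'ipv4', '198.51.100.7');
  addObservable(b, 'url', 'https://example.com/login');
  addObservable(c, 'hash', 'da39a3ee5e6b4b0d3255bfef95601890afd80709');
  return similarCases(a, [a, b, c]);
}
```

Running `demo()` returns only `case-2`, with two shared keys (`ipv4:198.51.100.7` and `url:https://example.com/login`); the differently spelled inputs match because both sides were normalized on insert. Validating on insert is also what keeps junk out of the similarity index: a value that is not a well-formed IP, URL or digest is rejected rather than stored as a free-text string that can never correlate.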
kibanamachine pushed a commit to kibanamachine/kibana that referenced this issue on Dec 23, 2024: …lastic#190237), cherry picked from commit 3083706. Its message is identical to the commit message above, with the issue reference written as elastic#180360.
kibanamachine added a commit that referenced this issue on Dec 23, 2024:

… & 1) (#190237) (#205089)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[Security Solution] [Cases] Introduce case observables (phase 0 & 1) (#190237)](#190237)

### Questions ?
Please refer to the [Backport tool documentation](https://github.com/sqren/backport)

Backport metadata (from the tool's embedded record, with the repeated copies of the commit message above omitted): source commit 3083706bc9541d84700b81252f0e4880949e4ea0 on `main` by Luke Gmys, committed 2024-12-23T13:25:58Z, source pull request https://github.com/elastic/kibana/pull/190237 (state MERGED, label v9.0.0); branch label mapping `^v9.0.0$` → `main`, `^v8.18.0$` → `8.x`; source PR labels: Team:ResponseOps, v9.0.0, Team: SecuritySolution, release_note:feature, Team:Threat Hunting:Investigations, backport:prev-minor, ci:cloud-deploy, ci:build-serverless-image.

Co-authored-by: Luke Gmys <[email protected]>
Describe the feature:
Observables can be any type of value attached to a case, and they enable different use cases for users:
In addition, observables are a key differentiating feature for some incident management vendors. They enable different use cases for incident investigation, since they allow incident similarities to be found and automate manual remediation and investigation steps through integrations with third parties.
User stories for the feature:
More details about the first phase are detailed in the PRD here