
Case observables #180360

Open
shanisagiv1 opened this issue Apr 9, 2024 · 3 comments
Labels: Feature:Cases (Cases feature), Team:ResponseOps (label for the ResponseOps team, formerly the Cases and Alerting teams), Team:Threat Hunting:Investigations (Security Solution Investigations Team)

Comments

shanisagiv1 commented Apr 9, 2024

Describe the feature:
An observable can be any type of value attached to a case and enables the following use cases:

  • Get all similar cases with the same observable (e.g. username)
  • Enrich the case by triggering actions that leverage the observable (e.g. validate domain legitimacy)

In addition, observables are a key differentiating feature for some incident management vendors. They enable different use cases for incident investigation, as they allow incident similarity matching and automate manual remediation and investigation steps using integrations with 3rd parties.

User stories for the feature:

  • As a user, I’d like to define an observable in my case. An observable can be of any value.
  • As a user, I’d like to define an observable with the following attributes:
    • Type (most common types: hash, IP, domain, web URL, email)
    • Value
    • Has been sighted
    • Description
    • Is IOC (toggle)
  • As a user, I’d like to get similar Kibana Cases with the same observable for faster investigation.

More details about the first phase are detailed in the PRD here
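As an added example (not part of this issue and not Kibana's own code), the observable attributes from the user stories and the "similar cases with the same observable" lookup could be modelled like this; the type names, the per-type normalisation rules, the `iocOnly` switch and the sample values are all assumptions made here.

```typescript
// Added example, not Kibana's own code: the observable attributes listed in the
// user stories above, plus a similar-case lookup keyed on shared observables.
type ObservableType = 'hash' | 'ip' | 'domain' | 'url' | 'email';
interface Observable {
  type: ObservableType; value: string; description?: string;
  hasBeenSighted: boolean; isIoc: boolean; // isIoc is the "Is IOC" toggle
}
interface CaseRecord { id: string; observables: Observable[] }

// Canonical key per observable, so trivially different spellings of the same
// indicator (upper-case hash, trailing dot on a domain, mixed-case mailbox)
// still collide. Values only match within the same type.
function observableKey(o: Observable): string {
  let v = o.value.trim();
  if (o.type === 'hash' || o.type === 'email') v = v.toLowerCase();
  if (o.type === 'domain') v = v.toLowerCase().replace(/\.$/, '');
  return `${o.type}:${v}`;
}

// Cases other than `target` sharing at least one observable with it, most
// shared first. With iocOnly=true only observables flagged "Is IOC" count,
// so benign context (e.g. the victim's own IP) does not link cases together.
function findSimilarCases(
  target: CaseRecord, all: CaseRecord[], iocOnly = false
): Array<{ caseId: string; shared: string[] }> {
  const keysOf = (c: CaseRecord) =>
    new Set(c.observables.filter((o) => !iocOnly || o.isIoc).map(observableKey));
  const wanted = keysOf(target);
  return all
    .filter((c) => c.id !== target.id)
    .map((c) => ({ caseId: c.id, shared: Array.from(keysOf(c)).filter((k) => wanted.has(k)) }))
    .filter((r) => r.shared.length > 0)
    .sort((a, b) => b.shared.length - a.shared.length);
}

// Constructed sample data; the indicator values are made up for this example.
const sampleCases: CaseRecord[] = [
  { id: 'case-1', observables: [
    { type: 'domain', value: 'Login.Example.test.', hasBeenSighted: true, isIoc: true },
    { type: 'ip', value: '192.0.2.10', hasBeenSighted: true, isIoc: false } ] },
  { id: 'case-2', observables: [
    { type: 'domain', value: 'login.example.test', hasBeenSighted: false, isIoc: true },
    { type: 'hash', value: 'DEADBEEF00112233445566778899AABB', hasBeenSighted: true, isIoc: true } ] },
  { id: 'case-3', observables: [
    { type: 'ip', value: '192.0.2.10', hasBeenSighted: true, isIoc: false } ] },
];
// All observables: case-1 links to case-2 (domain) and case-3 (ip); iocOnly: only case-2.
const similarAll = findSimilarCases(sampleCases[0], sampleCases);
const similarIocOnly = findSimilarCases(sampleCases[0], sampleCases, true);
```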

@botelastic botelastic bot added the needs-team Issues missing a team label label Apr 9, 2024
@shanisagiv1 shanisagiv1 added Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) Feature:Cases Cases feature labels Apr 9, 2024
@elasticmachine

Pinging @elastic/response-ops (Team:ResponseOps)

@elasticmachine

Pinging @elastic/response-ops-cases (Feature:Cases)

@botelastic botelastic bot removed the needs-team Issues missing a team label label Apr 9, 2024
@shanisagiv1 shanisagiv1 self-assigned this Apr 9, 2024
@lgestc lgestc self-assigned this Aug 7, 2024
@lgestc lgestc added the Team:Threat Hunting:Investigations Security Solution Investigations Team label Aug 7, 2024
@elasticmachine

Pinging @elastic/security-threat-hunting-investigations (Team:Threat Hunting:Investigations)

@lgestc lgestc added this to the 8.16 milestone Sep 10, 2024
@PhilippeOberti PhilippeOberti removed this from the 8.16 milestone Oct 11, 2024
@lgestc lgestc added this to the 8.17 milestone Nov 5, 2024
@PhilippeOberti PhilippeOberti modified the milestones: 8.17, 8.18 Dec 10, 2024
lgestc added a commit that referenced this issue Dec 23, 2024
…190237)

## Summary

### Introducing Case Observables - _phases 0 and 1_

This pull request introduces case observables to Kibana, enhancing the
platform's case management capabilities. It adds support for capturing
and displaying observables (e.g., IP addresses, URLs, file hashes)
linked to cases. The feature integrates with the Cases UI, allowing
users to easily associate observables with cases for better tracking and
analysis in incident response workflows. This improves investigative
efficiency by correlating observables across multiple cases.

#### Requirements:

https://docs.google.com/document/d/12hZTpyn0eXy3Xnq8qLBd6_sJxBhNZoI7vXztxWHhUds/edit#heading=h.srf6mb8ifiad

#### Design document:
https://docs.google.com/document/d/1MeDLl6OEWast1RC1M3_hQXnRCd8frrXdGkFnypIYKJQ/edit#heading=h.kb5lrp2j62id

Notable Cases sections are added in this pr:

**1. Observables section in the case view, allowing for adding and
listing up to 10 observables for the case**


![image](https://github.com/user-attachments/assets/f517803d-a6a3-4428-b3e3-478e70c60050)

**2. Similar cases view for every case, allowing for similar case
discovery**


![image](https://github.com/user-attachments/assets/388fddfb-9533-4f0d-aa8b-f5601e5323e0)

**3. Observable types management view in Cases settings**


![image](https://github.com/user-attachments/assets/2d76f8be-c234-4f24-a419-da54228fb111)

Original issue:

#180360

Things skipped for now from MVP:
- [ ] Allow users to manually create observables from the cases alerts
table using the table actions (Phase 1)
- [ ] Allow users to manually create observables of type “hash” from the
files table using the table actions (Phase 1)

---------

Co-authored-by: Christos Nasikas <[email protected]>
Co-authored-by: kibanamachine <[email protected]>
Co-authored-by: Christos Nasikas <[email protected]>
kibanamachine pushed a commit to kibanamachine/kibana that referenced this issue Dec 23, 2024
(cherry picked from commit 3083706)
kibanamachine added a commit that referenced this issue Dec 23, 2024
… & 1) (#190237) (#205089)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[Security Solution] [Cases] Introduce case observables (phase 0 &
1) (#190237)](#190237)

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

Co-authored-by: Luke Gmys <[email protected]>