diff --git a/docs/en/siem/cases-overview.asciidoc b/docs/en/siem/cases-overview.asciidoc index aa43789c5..1147564c4 100644 --- a/docs/en/siem/cases-overview.asciidoc +++ b/docs/en/siem/cases-overview.asciidoc 
@@ -1,6 +1,65 @@ [[cases-overview]] [role="xpack"] -= Cases += Cases (Beta) -// Placeholder \ No newline at end of file +beta[] + +Cases are used to open and track security issues directly in the {siem-app}. +They list the original reporter and all users who contribute to a case +(`participants`). Comments support markdown syntax, and allow linking to saved +<>. Additionally, you can send cases to external +systems from within the {siem-app} (currently {sn}). <> +describes how to set this up. + +You can create and manage cases via the UI or the <>. + +IMPORTANT: To make sure you can view and open cases, see <>. + +[role="screenshot"] +image::images/cases-ui-home.png[] + +[float] +[[cases-ui-open]] +== Open a new case + +Open a new case to keep track of security issues and share their details with colleagues. + +. Go to *SIEM* -> *Cases* -> *Create new case*. +. Give the case a name, and add a description and any relevant tags. ++ +TIP: In the `Description` area, you can use +https://www.markdownguide.org/cheat-sheet[markdown] syntax and insert a +timeline link (click the icon in the top right corner of the area). + +. When ready, create the case. +. If external connections are configured, you can send the case to {sn}. + +[role="screenshot"] +image::images/cases-ui-open.png[] + +[float] +[[cases-ui-manage]] +== Manage existing cases + +You can search existing cases, and filter them by tags, reporter, and status +(open or closed). + +To view a case, click on its name. You can then: + +* Add a new comment. +* Edit existing comments and the case's description. +* Send updates to {sn} (if external connections are configured). +* Close the case. +* Reopen a closed case. +* Edit tags. +* Refresh cases to retrieve the latest updates. + +[float] +[[case-permisions]] +== Cases prerequisites + +To view cases, you need the {kib} space `Read` privilege for the Saved Objects +Management feature. 
To create cases and add comments, you need the `All` {kib} +space privilege for the Saved Objects Management feature. For more information, +see {kibana-ref}/xpack-spaces.html#spaces-control-user-access[Feature access based on user privileges]. diff --git a/docs/en/siem/cases-ui-integrations.asciidoc b/docs/en/siem/cases-ui-integrations.asciidoc new file mode 100644 index 000000000..01e904843 --- /dev/null +++ b/docs/en/siem/cases-ui-integrations.asciidoc 
@@ -0,0 +1,59 @@ +[[cases-ui-integrations]] +[role="xpack"] +== Configuring external connections + +You can push new cases and case updates to {sn}. To do this, you need to create +a connector, which stores the information required to push cases to {sn} via +{sn}'s https://developer.servicenow.com/dev.do#!/reference/api/madrid/rest/c_TableAPI[Table API]. +After you have created a connector, you can set {siem-soln} cases to close +automatically when they are sent to {sn}. + +[float] +=== Create a new connector + +. Go to *SIEM* -> *Cases* -> *Edit external connection*. ++ +[role="screenshot"] +image::images/cases-ui-connector.png[] +. Click `Add new connector option`, and then click {sn}. ++ +[role="screenshot"] +image::images/cases-ui-sn-connector.png[] +. Fill in the following: +* _Connector name_: A name for the connector. +* _URL_: The URL of the {sn} instance to which you want to send cases. +* _Username_: The username of the {sn} account used to access the {sn} +instance. +* _Password_: The password of the the {sn} account used to access the {sn} +instance. +. To represent a SIEM case as a {sn} incident, these SIEM case fields are +mapped to {sn} incidents fields as follows: +** `Title`: Mapped to the {sn} `Short description` field. When an update to a +SIEM case title is sent to {sn}, the existing {sn} `Short description` field is +overwritten. +** `Description`: Mapped to the {sn} `Description` field. When an update to a +SIEM case description is sent to {sn}, the existing {sn} `Description` field is +overwritten. +** `Comments`: Mapped to the {sn} `Comments` field. When a comment is updated +in a SIEM case, a new comment is added to the {sn} incident. +. Save the connector. + +[float] +=== Close sent cases automatically + +To close cases when they are sent to {sn}, select the +_Automatically close SIEM cases when pushing new incident to third-party_ +option. 
+ +[float] +=== Change and update connectors + +You can create additional connectors, update existing connectors, and change +the connector used to send cases to {sn}. + +. To change the connector used to send cases to {sn}: +.. Go to *SIEM* -> *Cases* -> *Edit external connection*. +.. Select the required connector from the `Incident management system` list. +. To update an existing connector: +.. Click `Update connector`. +.. Update the the connector fields as required. \ No newline at end of file diff --git a/docs/en/siem/images/cases-ui-connector.png b/docs/en/siem/images/cases-ui-connector.png new file mode 100644 index 000000000..791ebc7e8 Binary files /dev/null and b/docs/en/siem/images/cases-ui-connector.png differ diff --git a/docs/en/siem/images/cases-ui-home.png b/docs/en/siem/images/cases-ui-home.png new file mode 100644 index 000000000..069b08a86 Binary files /dev/null and b/docs/en/siem/images/cases-ui-home.png differ diff --git a/docs/en/siem/images/cases-ui-open.png b/docs/en/siem/images/cases-ui-open.png new file mode 100644 index 000000000..66cbd96d0 Binary files /dev/null and b/docs/en/siem/images/cases-ui-open.png differ diff --git a/docs/en/siem/images/cases-ui-sn-connector.png b/docs/en/siem/images/cases-ui-sn-connector.png new file mode 100644 index 000000000..fe69b5ec9 Binary files /dev/null and b/docs/en/siem/images/cases-ui-sn-connector.png differ diff --git a/docs/en/siem/index.asciidoc b/docs/en/siem/index.asciidoc index 1577e7059..8f58f0e99 100644 --- a/docs/en/siem/index.asciidoc +++ b/docs/en/siem/index.asciidoc @@ -63,6 +63,8 @@ include::prebuilt-rules-changelog.asciidoc[] include::cases-overview.asciidoc[] +include::cases-ui-integrations.asciidoc[] + include::cases-api.asciidoc[] include::cases-api-create.asciidoc[] diff --git a/docs/en/siem/siem-ui.asciidoc b/docs/en/siem/siem-ui.asciidoc index eba7ba7fa..df63aaed5 100644 --- a/docs/en/siem/siem-ui.asciidoc +++ b/docs/en/siem/siem-ui.asciidoc 
@@ -178,6 +178,17 @@ according to various attributes, including `Risk scores`, `Severities`, and `Top event categories`. The `All signals` table helps with investigations, allowing you to search, filter, and aggregate all {siem-soln} signals. +[float] +[[cases-ui]] +=== Cases + +The Cases page is used to open and track security issues directly in the +{siem-app}. For information on how to open and manage cases, see +<>. + +[role="screenshot"] +image::images/cases-ui-home.png[] + [float] [[timelines-ui]] === Timelines
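Review bot: in the cases-overview.asciidoc hunk, the new anchor `[[case-permisions]]` under "Cases prerequisites" misspells "permissions"; the id becomes part of the rendered URL and of every cross-reference to it, so rename it to `[[case-permissions]]` before this merges. The cross-references in the same hunk all appear as empty `<>` (the saved timelines link, the link after "Additionally, you can send cases to external systems", the "via the UI or the" link, and the `IMPORTANT:` admonition), so confirm the target ids are actually present in the source, e.g. `<<cases-ui-integrations>>` and `<<case-permissions>>`, rather than rendering as dangling links.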
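Review bot: in the cases-ui-integrations.asciidoc hunk, the _Password_ bullet ("the password of the the {sn} account") and the last step ("Update the the connector fields") both duplicate "the". Because the connector stores a ServiceNow username and password, the "Create a new connector" section should also say what that account needs: a dedicated service account limited to the Table API operations the connector performs (creating and updating incidents and their comments), not an administrator's credentials, so that a compromised connector credential cannot do more in ServiceNow than push case data. The step "To represent a SIEM case as a {sn} incident, these SIEM case fields are mapped..." is descriptive rather than an action, so it reads better as a paragraph or `NOTE:` between steps than as a numbered step, and the file is missing its trailing newline (`\ No newline at end of file`).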
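Review bot: in the siem-ui.asciidoc hunk, the cross-reference after "see" in the new `=== Cases` subsection is an empty `<>`; it should carry the id of the cases overview section added in this patch (`<<cases-overview>>`), otherwise the sentence ends in a dangling link. The screenshot `images/cases-ui-home.png` is also embedded in cases-overview.asciidoc, so check that both pages really need the same image.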