Searcheability of Cases managed in SecurityOnion Console

[Ron89]

I noticed that in 2.1.130, Security Onion has introduced a new case management system. While it provides the basic functionalities of recording evidence and discussions, we find the lack of custom search ability make them hard to keep track of in the long run. Since SO2 makes heavy use of ElasticSearch, can we use it to keep the case record so that they can be easily found with flexible criteria? Or maybe increase the flexibility of the case search functionality in the SOC itself?

[dougburks]

Please see https://docs.securityonion.net/en/2.3/cases.html#data:

Cases data is stored in Elasticsearch. You can view it in Dashboards or Hunt by clicking the Options menu and disabling the Exclude case data option. You can then search the so-case index with the following query:

_index:"*:so-case"

You can also use this query in Kibana.

[Ron89]

I tried ElasticSearch, there is no data coming back when used _index:*:so-case as search pattern. For Hunt interface, after disabling exclude case data, the case data did show. But it's a jumbo of all kinds of case data. And it doesn't support any filtering by things like the existence of so_case.title or sorting with information as such. So the output is not at all readable. Did I miss some features? Or this is the extent of the feature as of this version?

[dougburks]

If you're trying to sort by so_case.title, you should be able to do that from the Cases Overview page:
https://docs.securityonion.net/en/2.3/cases.html#overview-page

For example:

[Ron89]

Again, the overview page does not support custom filtering...
So this is really the limitation of the case management of the current version?

[dougburks]

One option would be to enable the advanced setting as shown at https://docs.securityonion.net/en/2.3/soc-customization.html#advanced-interface.

[dougburks]

Yesterday, we released Security Onion 2.3.160 which includes a new option to toggle the advanced setting.