Cases - assignee, status - not found in kibana

[jakko10]

Hi,

If I create a case and set assignee + status, is it possible to somehow search these cases from elastc dev tools -> console?

So far I can find all the events with no problem but not the so_case.assigneeId, so_case.status values.
Is it even possible?

BR
Jakko

[jakko10]

Or is it possible to query from so-case? I'm guessing the data is there but I just don't know how to approach it.
The aim is to query cases and verify the values of so_case.assigned and so_case.status, etc.

[dougburks]

The main Cases page shows the so_case.status and so_case.assigneeId columns:

You should be able to click on a value in those columns to get a context menu that allows you to include, exclude, etc. as described on the Dashboards page:
https://docs.securityonion.net/en/2.3/dashboards.html#context-menu

If you need even more features in the main Cases interface, you can enable advanced interface features:
https://docs.securityonion.net/en/2.3/cases.html#options

[jakko10]

One last question regarding the cases. It's possible to add comments to the case, will the case comment appear in the elastic too or is it stored somewhere else?

[dougburks]

As I mentioned in my last reply, Cases stores all of its data in Elasticsearch.

[jakko10]

Yes, but where? I've literally spent a day trying to find the data from elastic, the documentation does not cover this.
Please could you provide some sort of an example?

[dougburks]

Here's an example for you. On the left, you can see that I created a case and added 2 comments. On the right, you can see the output of sudo so-elasticsearch-query so-case/_search | jq showing the case and the 2 comments.

[jakko10]

Hehe, I just found more-or-less the same solution, the example helped me to better understand it though.
Thank you!