You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: solutions/security/investigate/open-manage-cases.md
+7-2Lines changed: 7 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -37,8 +37,9 @@ Open a new case to keep track of security issues and share their details with co
37
37
4. Optionally, add a category, assignees and relevant tags. You can add users only if they meet the necessary [prerequisites](/solutions/security/investigate/cases-requirements.md).
38
38
5. {applies_to}`stack: preview` {applies_to}`serverless: preview` If you defined [custom fields](/solutions/security/investigate/configure-case-settings.md#cases-ui-custom-fields), they appear in the **Additional fields** section.
39
39
6. Choose if you want alert statuses to sync with the case’s status after they are added to the case. This option is enabled by default, but you can turn it off after creating the case.
40
-
7. From **External incident management**, select a [connector](/solutions/security/investigate/configure-case-settings.md#cases-ui-integrations). If you’ve previously added one, that connector displays as the default selection. Otherwise, the default setting is `No connector selected`.
41
-
8. Click **Create case**.
40
+
7. {applies_to}`stack: 9.2` With the appropriate [{{stack}} subscription](https://www.elastic.co/pricing) or [{{serverless-short}} project feature tier](../../../deploy-manage/deploy/elastic-cloud/project-settings.md), you can choose to automatically extract [observables](/solutions/security/investigate/open-manage-cases.md#cases-add-observables) from alerts that you're adding to the case.
41
+
8. From **External incident management**, select a [connector](/solutions/security/investigate/configure-case-settings.md#cases-ui-integrations). If you’ve previously added one, that connector displays as the default selection. Otherwise, the default setting is `No connector selected`.
42
+
9. Click **Create case**.
42
43
43
44
::::{note}
44
45
If you’ve selected a connector for the case, the case is automatically pushed to the third-party system it’s connected to.
@@ -224,6 +225,10 @@ Ensure you have the appropriate [{{stack}} subscription](https://www.elastic.co/
224
225
225
226
An observable is a piece of information about an investigation, for example, a suspicious URL or a file hash. Use observables to identify correlated events and better understand the severity and scope of a case.
226
227
228
+
::::{tip}
229
+
When creating a new case, keep the **Extract observables** option turned on to automatically extract observables from alerts that you're adding to the case. After creating the case, you can turn this setting on or off using the **Auto-extract observables** setting on the case's **Observables** tab.
230
+
::::
231
+
227
232
To create an observable:
228
233
229
234
1. Click the **Observables** tab, then click **Add observable**.
0 commit comments