From 6ac25381961e979b036e8bc5d3e5b9d25da1cf22 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Tue, 22 Jul 2025 17:07:23 -0400 Subject: [PATCH 01/35] First draft --- .../alerts-cases/cases/visualize-case-data.md | 57 +++++++++++++++++++ explore-analyze/toc.yml | 3 +- 2 files changed, 59 insertions(+), 1 deletion(-) create mode 100644 explore-analyze/alerts-cases/cases/visualize-case-data.md diff --git a/explore-analyze/alerts-cases/cases/visualize-case-data.md b/explore-analyze/alerts-cases/cases/visualize-case-data.md new file mode 100644 index 0000000000..24168819d8 --- /dev/null +++ b/explore-analyze/alerts-cases/cases/visualize-case-data.md 
@@ -0,0 +1,57 @@ +--- +applies_to: + stack: ga + serverless: ga +products: + - id: kibana +--- + +# Visualize case data [visualize-case-data] + +Case data is stored in case analytics indices, which include data from case comments, attachments, and activity. You can query this information to build dashboards and metrics that improve your visibility into case patterns and trends. + +## About case analytics indices + +Case analytics indices and their aliases are automatically generated when Kibana starts up. Every five minutes, the indices are updated with new data from cases in your space. Historical data about cases is not stored; it gets overwritten whenever new case data is written to the indices. + +You can begin querying case analytics indices as soon as you have cases in your space. To learn more about fields in the indices, refer to . + +| Index | Alias | Description | +| ---------------------------- | ---------------------- |----------------------------------------- | +| `.internal.cases` | `.cases` | Stores general data related to cases. | +| `.internal.cases-comments` | `.cases-comments` | Stores data related to case comments. | +| `.internal.cases-activity` | `.cases-activity` | Stores data related to case activity. | +| `.internal.cases-attachments`| `.cases-attachments` | Stores data related to case attachments (only alerts and files added to the case). | + +## Explore case data [explore-case-analytics-indices] + +::::{admonition} Requirements +To query the case analytics indices, your role must have at least `Read` and `view_index_metadata` access to the indices. +:::: + +Search and filter case data in [Discover](../../discover.md) and [Lens](../../visualize/lens.md), then build visualizations for [dashboards](../../dashboards.md). 
To help you start visualizing your case data, here are some sample {{esql}} queries that you can run from the [{{esql}} editor](../../../explore-analyze/query-filter/languages/esql-kibana.md#esql-kibana-get-started) in Discover. + +* Find the total number of cases that are currently open: + ```console + FROM .internal.cases | STATS count = COUNT(*) BY status | WHERE status == "open" + ``` + +* Find the total number of cases that are currently in progress: + ```console + FROM .internal.cases | STATS count = COUNT(*) BY status | WHERE status == "in-progress" + ``` + +* Find the total number of cases that are closed: + ```console + FROM .internal.cases | STATS count = COUNT(*) BY status | WHERE status == "closed" + ``` + +* Find cases that are open and sort them by time, with the most recent is at the top: + ```console + FROM .internal.cases | WHERE status == "open" | SORT created_at DESC + ``` + +* Find the average time that it takes to close a case: + ```console + FROM .internal.cases | STATS average_time_to_close = AVG(time_to_resolve) + ``` diff --git a/explore-analyze/toc.yml b/explore-analyze/toc.yml index 0e0de372d3..4f7e4364c3 100644 --- a/explore-analyze/toc.yml +++ b/explore-analyze/toc.yml @@ -345,7 +345,7 @@ toc: - file: alerts-cases/alerts/alerting-setup.md - file: alerts-cases/alerts/create-manage-rules.md - file: alerts-cases/alerts/view-alerts.md - - file: alerts-cases/alerts/rule-types.md + - file: alerts-cases/alerts/rule-types.md children: - file: alerts-cases/alerts/rule-type-index-threshold.md - file: alerts-cases/alerts/rule-type-es-query.md @@ -410,4 +410,5 @@ toc: - file: alerts-cases/cases/setup-cases.md - file: alerts-cases/cases/manage-cases.md - file: alerts-cases/cases/manage-cases-settings.md + - file: alerts-cases/cases/visualize-case-data.md - file: numeral-formatting.md \ No newline at end of file From b7460552771a978d61828f3a146de0a4ac7c6d29 Mon Sep 17 00:00:00 2001 
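Review bot: In the new visualize-case-data.md hunk, the sentence "To learn more about fields in the indices, refer to ." has an empty link target and ships as a dangling sentence; add the target or drop the sentence until the schema page exists. The sample queries also read `FROM .internal.cases` although the table in the same hunk documents `.cases` as the alias; querying the alias keeps the examples valid if the backing index is ever recreated. The three count queries aggregate over every status and then keep a single bucket; filtering first, for example `FROM .cases | WHERE status == "open" | STATS count = COUNT(*)`, is cheaper and reads more clearly. Minor: the fences are tagged `console` although the content is ES|QL rather than Console requests, and the Requirements admonition names the index privilege as `Read` while the Elasticsearch privilege is lowercase `read`, matching the `view_index_metadata` beside it.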
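Review bot: The first toc.yml hunk (@@ -345,7 +345,7 @@) changes only trailing whitespace on the `- file: alerts-cases/alerts/rule-types.md` line and is unrelated to adding the new page; drop it from this patch rather than carrying it (the following patch reverts it again).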
From: Nastasha Solomon Date: Tue, 22 Jul 2025 17:12:25 -0400 Subject: [PATCH 02/35] Removed extra spaces --- explore-analyze/toc.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/explore-analyze/toc.yml b/explore-analyze/toc.yml index 4f7e4364c3..87afaf3d6b 100644 --- a/explore-analyze/toc.yml +++ b/explore-analyze/toc.yml @@ -345,7 +345,7 @@ toc: - file: alerts-cases/alerts/alerting-setup.md - file: alerts-cases/alerts/create-manage-rules.md - file: alerts-cases/alerts/view-alerts.md - - file: alerts-cases/alerts/rule-types.md + - file: alerts-cases/alerts/rule-types.md children: - file: alerts-cases/alerts/rule-type-index-threshold.md - file: alerts-cases/alerts/rule-type-es-query.md From 18342d14ad18bdb5446fc21f97d76b0a748bbb6e Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Tue, 22 Jul 2025 17:31:06 -0400 Subject: [PATCH 03/35] Updates sec and obs docs --- explore-analyze/alerts-cases/cases/visualize-case-data.md | 4 ++-- solutions/observability/incident-management/cases.md | 7 ++++++- solutions/security/investigate/cases.md | 3 ++- 3 files changed, 10 insertions(+), 4 deletions(-) diff --git a/explore-analyze/alerts-cases/cases/visualize-case-data.md b/explore-analyze/alerts-cases/cases/visualize-case-data.md index 24168819d8..dc4bf508e4 100644 --- a/explore-analyze/alerts-cases/cases/visualize-case-data.md +++ b/explore-analyze/alerts-cases/cases/visualize-case-data.md 
@@ -10,7 +10,7 @@ products: Case data is stored in case analytics indices, which include data from case comments, attachments, and activity. You can query this information to build dashboards and metrics that improve your visibility into case patterns and trends. -## About case analytics indices +## About case analytics indices [about-case-analytics-indices] Case analytics indices and their aliases are automatically generated when Kibana starts up. Every five minutes, the indices are updated with new data from cases in your space. Historical data about cases is not stored; it gets overwritten whenever new case data is written to the indices. @@ -29,7 +29,7 @@ You can begin querying case analytics indices as soon as you have cases in your To query the case analytics indices, your role must have at least `Read` and `view_index_metadata` access to the indices. :::: -Search and filter case data in [Discover](../../discover.md) and [Lens](../../visualize/lens.md), then build visualizations for [dashboards](../../dashboards.md). To help you start visualizing your case data, here are some sample {{esql}} queries that you can run from the [{{esql}} editor](../../../explore-analyze/query-filter/languages/esql-kibana.md#esql-kibana-get-started) in Discover. +Search and filter case data in [Discover](../../discover.md) and [Lens](../../visualize/lens.md), and build visualizations for [dashboards](../../dashboards.md). To help you start visualizing your case data, here are some sample {{esql}} queries that you can run from the [{{esql}} editor](../../../explore-analyze/query-filter/languages/esql-kibana.md#esql-kibana-get-started) in Discover. * Find the total number of cases that are currently open: ```console diff --git a/solutions/observability/incident-management/cases.md b/solutions/observability/incident-management/cases.md index 632e53d434..76a9e298a9 100644 --- a/solutions/observability/incident-management/cases.md 
+++ b/solutions/observability/incident-management/cases.md @@ -14,4 +14,9 @@ Collect and share information about observability issues by creating a case. Cas :::{image} /solutions/images/observability-cases.png :alt: Cases page :screenshot: -::: \ No newline at end of file +::: + +::::{note} +* From {{observability}} in the {{stack}}, you cannot access cases created in {{elastic-sec}} or Stack Management. +* With the appropriate index access, you can [build visualizations](../../../explore-analyze/alerts-cases/cases/visualize-case-data.md) of {{observability}}, Stack Management, and {{elastic-sec}} case data to improve your visibility into case patterns and trends within your space. +:::: \ No newline at end of file diff --git a/solutions/security/investigate/cases.md b/solutions/security/investigate/cases.md index 79d78162ee..f11534945f 100644 --- a/solutions/security/investigate/cases.md +++ b/solutions/security/investigate/cases.md @@ -30,7 +30,8 @@ You can also send cases to these external systems by [configuring external conne ::: ::::{note} -From {{elastic-sec}} in the {{stack}}, you cannot access cases created in {{observability}} or Stack Management. +* From {{elastic-sec}} in the {{stack}}, you cannot access cases created in {{observability}} or Stack Management. +* With the appropriate index access, you can [build visualizations](../../../explore-analyze/alerts-cases/cases/visualize-case-data.md) of {{observability}}, Stack Management, and {{elastic-sec}} case data to improve your visibility into case patterns and trends within your space. :::: From f5a6e4c566dd4f2bcdf5f87868e2f1ae1bbf76ca Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Tue, 22 Jul 2025 17:35:09 -0400 Subject: [PATCH 04/35] Applies to tags --- solutions/observability/incident-management/cases.md | 2 +- solutions/security/investigate/cases.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
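Review bot: In the solutions/observability/incident-management/cases.md hunk, the new note mixes the literal string "Stack Management" with template variables such as {{elastic-sec}} and {{observability}}; use the {{stack-manage-app}} variable for consistency, and apply the same change to the parallel hunk in solutions/security/investigate/cases.md. The observability hunk also still ends with `\ No newline at end of file` after the new `::::` fence; add the trailing newline while the end of the file is being edited.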
diff --git a/solutions/observability/incident-management/cases.md b/solutions/observability/incident-management/cases.md index 76a9e298a9..bba7a2b313 100644 --- a/solutions/observability/incident-management/cases.md +++ b/solutions/observability/incident-management/cases.md @@ -18,5 +18,5 @@ Collect and share information about observability issues by creating a case. Cas ::::{note} * From {{observability}} in the {{stack}}, you cannot access cases created in {{elastic-sec}} or Stack Management. -* With the appropriate index access, you can [build visualizations](../../../explore-analyze/alerts-cases/cases/visualize-case-data.md) of {{observability}}, Stack Management, and {{elastic-sec}} case data to improve your visibility into case patterns and trends within your space. +* {applies_to}`stack: ga 9.1` With the appropriate index access, you can [build visualizations](../../../explore-analyze/alerts-cases/cases/visualize-case-data.md) of {{observability}}, Stack Management, and {{elastic-sec}} case data to improve your visibility into case patterns and trends within your space. :::: \ No newline at end of file diff --git a/solutions/security/investigate/cases.md b/solutions/security/investigate/cases.md index f11534945f..11c2f6bb64 100644 --- a/solutions/security/investigate/cases.md +++ b/solutions/security/investigate/cases.md 
@@ -31,7 +31,7 @@ You can also send cases to these external systems by [configuring external conne ::::{note} * From {{elastic-sec}} in the {{stack}}, you cannot access cases created in {{observability}} or Stack Management. -* With the appropriate index access, you can [build visualizations](../../../explore-analyze/alerts-cases/cases/visualize-case-data.md) of {{observability}}, Stack Management, and {{elastic-sec}} case data to improve your visibility into case patterns and trends within your space. +* {applies_to}`stack: ga 9.1` With the appropriate index access, you can [build visualizations](../../../explore-analyze/alerts-cases/cases/visualize-case-data.md) of {{observability}}, Stack Management, and {{elastic-sec}} case data to improve your visibility into case patterns and trends within your space. :::: From 1e574b175e2da6cdb333bd502bc8822c01072ef3 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Tue, 22 Jul 2025 18:42:39 -0400 Subject: [PATCH 05/35] Added ref to kibana page --- explore-analyze/alerts-cases/cases.md | 9 +++++++++ .../alerts-cases/cases/visualize-case-data.md | 3 ++- solutions/observability/incident-management/cases.md | 11 +++++++---- solutions/security/investigate/cases.md | 10 +++++++--- 4 files changed, 25 insertions(+), 8 deletions(-) diff --git a/explore-analyze/alerts-cases/cases.md b/explore-analyze/alerts-cases/cases.md index b9fd210972..1c43b27aaf 100644 --- a/explore-analyze/alerts-cases/cases.md +++ b/explore-analyze/alerts-cases/cases.md 
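Review bot: Both hunks tag the new bullet with {applies_to}`stack: ga 9.1`, but the visualize-case-data.md page they link to still carries `applies_to: stack: ga` (and `serverless: ga`) in its front matter with no version; align that page's front matter with the 9.1 availability stated here so readers on earlier versions are not directed to a feature they do not have.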
@@ -26,3 +26,12 @@ If you create cases in the {{observability}} or {{security-app}}, they are not v * [Configure access to cases](cases/setup-cases.md) * [Open and manage cases](cases/manage-cases.md) * [Configure case settings](cases/manage-cases-settings.md) + + +::::{note} +{applies_to}`stack: ga 9.1` With the appropriate index access, you can [build visualizations and metrics](../../../explore-analyze/alerts-cases/cases/visualize-case-data.md) of data in {{observability}}, {{stack-manage-app}}, and {{elastic-sec}} cases. This can provide improved visibility into patterns and trends of cases within your space. +:::: + +## Limitations +* If you create cases in {{stack-manage-app}}, they are not visible in the {{observability}} or the {{security-app}}. Likewise, the cases you create in {{stack-manage-app}} are not visible in the {{observability}} or {{elastic-sec}}. +* You cannot attach alerts from {{elastic-sec}} or {{stack-manage-app}} to cases in {{observability}}. diff --git a/explore-analyze/alerts-cases/cases/visualize-case-data.md b/explore-analyze/alerts-cases/cases/visualize-case-data.md index dc4bf508e4..2c8c939723 100644 --- a/explore-analyze/alerts-cases/cases/visualize-case-data.md +++ b/explore-analyze/alerts-cases/cases/visualize-case-data.md 
@@ -14,7 +14,8 @@ Case data is stored in case analytics indices, which include data from case comm Case analytics indices and their aliases are automatically generated when Kibana starts up. Every five minutes, the indices are updated with new data from cases in your space. Historical data about cases is not stored; it gets overwritten whenever new case data is written to the indices. -You can begin querying case analytics indices as soon as you have cases in your space. To learn more about fields in the indices, refer to . +You can begin querying case analytics indices as soon as you have cases in your space. To learn more about fields in the indices, refer to +% [Case analytics indices schema](kibana://reference/case-analytics-indices-schema.md) | Index | Alias | Description | | ---------------------------- | ---------------------- |----------------------------------------- | diff --git a/solutions/observability/incident-management/cases.md b/solutions/observability/incident-management/cases.md index bba7a2b313..93a4354b90 100644 --- a/solutions/observability/incident-management/cases.md +++ b/solutions/observability/incident-management/cases.md 
@@ -16,7 +16,10 @@ Collect and share information about observability issues by creating a case. Cas :screenshot: ::: -::::{note} -* From {{observability}} in the {{stack}}, you cannot access cases created in {{elastic-sec}} or Stack Management. -* {applies_to}`stack: ga 9.1` With the appropriate index access, you can [build visualizations](../../../explore-analyze/alerts-cases/cases/visualize-case-data.md) of {{observability}}, Stack Management, and {{elastic-sec}} case data to improve your visibility into case patterns and trends within your space. -:::: \ No newline at end of file +::::{note} +{applies_to}`stack: ga 9.1` With the appropriate index access, you can [build visualizations and metrics](../../../explore-analyze/alerts-cases/cases/visualize-case-data.md) of data in {{observability}}, {{stack-manage-app}}, and {{elastic-sec}} cases. This can provide improved visibility into patterns and trends of cases within your space. +:::: + +## Limitations +* If you create cases in {{observability}} or {{stack-manage-app}}, they are not visible in the {{security-app}}. Likewise, the cases you create in {{stack-manage-app}} are not visible in the {{observability}} or {{elastic-sec}}. +* You cannot attach alerts from {{elastic-sec}} or {{stack-manage-app}} to cases in {{observability}}. \ No newline at end of file diff --git a/solutions/security/investigate/cases.md b/solutions/security/investigate/cases.md index 11c2f6bb64..9c65dd153d 100644 --- a/solutions/security/investigate/cases.md +++ b/solutions/security/investigate/cases.md 
@@ -29,11 +29,15 @@ You can also send cases to these external systems by [configuring external conne :screenshot: ::: -::::{note} -* From {{elastic-sec}} in the {{stack}}, you cannot access cases created in {{observability}} or Stack Management. -* {applies_to}`stack: ga 9.1` With the appropriate index access, you can [build visualizations](../../../explore-analyze/alerts-cases/cases/visualize-case-data.md) of {{observability}}, Stack Management, and {{elastic-sec}} case data to improve your visibility into case patterns and trends within your space. +::::{note} +{applies_to}`stack: ga 9.1` With the appropriate index access, you can [build visualizations and metrics](../../../explore-analyze/alerts-cases/cases/visualize-case-data.md) of data in {{observability}}, {{stack-manage-app}}, and {{elastic-sec}} cases. This can provide improved visibility into patterns and trends of cases within your space. :::: +## Limitations +* If you create cases in the {{observability}} or {{stack-manage-app}}, they are not visible in the {{security-app}}. Likewise, the cases you create in {{stack-manage-app}} are not visible in the {{observability}} or {{elastic-sec}}. +* You cannot attach alerts from the {{observability}} or {{stack-manage-app}} to cases in {{elastic-sec}}. + + From e6f473b4da81062bdf6741512e9bc9493e50f88c Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Tue, 22 Jul 2025 18:47:35 -0400 Subject: [PATCH 06/35] Fix error --- explore-analyze/alerts-cases/cases.md | 3 ++- solutions/observability/incident-management/cases.md | 3 ++- solutions/security/investigate/cases.md | 3 ++- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/explore-analyze/alerts-cases/cases.md b/explore-analyze/alerts-cases/cases.md index 1c43b27aaf..3380dee640 100644 --- a/explore-analyze/alerts-cases/cases.md +++ b/explore-analyze/alerts-cases/cases.md 
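Review bot: In the explore-analyze/alerts-cases/cases.md hunk, the first Limitations bullet says the same thing twice: both sentences describe cases created in {{stack-manage-app}}, so the "Likewise" sentence should cover cases created in {{observability}} or {{elastic-sec}} instead. The note's link `../../../explore-analyze/alerts-cases/cases/visualize-case-data.md` also climbs one directory too many from explore-analyze/alerts-cases/cases.md; `../../explore-analyze/alerts-cases/cases/visualize-case-data.md`, or simply `cases/visualize-case-data.md`, resolves correctly.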
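Review bot: In the visualize-case-data.md hunk, replacing the empty link with a `%`-commented line leaves the rendered sentence ending in "refer to" with neither a target nor a period; comment out the whole sentence until kibana://reference/case-analytics-indices-schema.md exists, or remove it.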
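Review bot: The solutions/security/investigate/cases.md hunk adds two empty lines after the last Limitations bullet; drop the trailing blank lines so the file ends cleanly.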
@@ -32,6 +32,7 @@ If you create cases in the {{observability}} or {{security-app}}, they are not v {applies_to}`stack: ga 9.1` With the appropriate index access, you can [build visualizations and metrics](../../../explore-analyze/alerts-cases/cases/visualize-case-data.md) of data in {{observability}}, {{stack-manage-app}}, and {{elastic-sec}} cases. This can provide improved visibility into patterns and trends of cases within your space. :::: -## Limitations +## Limitations [kibana-case-limitations] + * If you create cases in {{stack-manage-app}}, they are not visible in the {{observability}} or the {{security-app}}. Likewise, the cases you create in {{stack-manage-app}} are not visible in the {{observability}} or {{elastic-sec}}. * You cannot attach alerts from {{elastic-sec}} or {{stack-manage-app}} to cases in {{observability}}. diff --git a/solutions/observability/incident-management/cases.md b/solutions/observability/incident-management/cases.md index 93a4354b90..b7b175c19d 100644 --- a/solutions/observability/incident-management/cases.md +++ b/solutions/observability/incident-management/cases.md @@ -20,6 +20,7 @@ Collect and share information about observability issues by creating a case. Cas {applies_to}`stack: ga 9.1` With the appropriate index access, you can [build visualizations and metrics](../../../explore-analyze/alerts-cases/cases/visualize-case-data.md) of data in {{observability}}, {{stack-manage-app}}, and {{elastic-sec}} cases. This can provide improved visibility into patterns and trends of cases within your space. :::: -## Limitations +## Limitations [observability-case-limitations] + * If you create cases in {{observability}} or {{stack-manage-app}}, they are not visible in the {{security-app}}. Likewise, the cases you create in {{stack-manage-app}} are not visible in the {{observability}} or {{elastic-sec}}. * You cannot attach alerts from {{elastic-sec}} or {{stack-manage-app}} to cases in {{observability}}. \ No newline at end of file 
diff --git a/solutions/security/investigate/cases.md b/solutions/security/investigate/cases.md index 9c65dd153d..e4f89dfa63 100644 --- a/solutions/security/investigate/cases.md +++ b/solutions/security/investigate/cases.md @@ -33,7 +33,8 @@ You can also send cases to these external systems by [configuring external conne {applies_to}`stack: ga 9.1` With the appropriate index access, you can [build visualizations and metrics](../../../explore-analyze/alerts-cases/cases/visualize-case-data.md) of data in {{observability}}, {{stack-manage-app}}, and {{elastic-sec}} cases. This can provide improved visibility into patterns and trends of cases within your space. :::: -## Limitations +## Limitations [security-case-limitations] + * If you create cases in the {{observability}} or {{stack-manage-app}}, they are not visible in the {{security-app}}. Likewise, the cases you create in {{stack-manage-app}} are not visible in the {{observability}} or {{elastic-sec}}. * You cannot attach alerts from the {{observability}} or {{stack-manage-app}} to cases in {{elastic-sec}}. From b02b1b34d4b0162e936fb70b7afaaf327aa52011 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Tue, 22 Jul 2025 18:52:27 -0400 Subject: [PATCH 07/35] fix for real this time (i hope) --- explore-analyze/alerts-cases/cases.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/explore-analyze/alerts-cases/cases.md b/explore-analyze/alerts-cases/cases.md index 3380dee640..6622e1e115 100644 --- a/explore-analyze/alerts-cases/cases.md +++ b/explore-analyze/alerts-cases/cases.md 
@@ -29,7 +29,7 @@ If you create cases in the {{observability}} or {{security-app}}, they are not v ::::{note} -{applies_to}`stack: ga 9.1` With the appropriate index access, you can [build visualizations and metrics](../../../explore-analyze/alerts-cases/cases/visualize-case-data.md) of data in {{observability}}, {{stack-manage-app}}, and {{elastic-sec}} cases. This can provide improved visibility into patterns and trends of cases within your space. +{applies_to}`stack: ga 9.1` With the appropriate index access, you can [build visualizations and metrics](../../explore-analyze/alerts-cases/cases/visualize-case-data.md) of data in {{observability}}, {{stack-manage-app}}, and {{elastic-sec}} cases. This can provide improved visibility into patterns and trends of cases within your space. :::: ## Limitations [kibana-case-limitations] From 2addac7af4170f35c54145f691a15a608a9c9de3 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Tue, 22 Jul 2025 18:59:45 -0400 Subject: [PATCH 08/35] minor fixes --- explore-analyze/alerts-cases/cases.md | 4 ++-- solutions/observability/incident-management/cases.md | 2 +- solutions/security/investigate/cases.md | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/explore-analyze/alerts-cases/cases.md b/explore-analyze/alerts-cases/cases.md index 6622e1e115..6b36c9a1c4 100644 --- a/explore-analyze/alerts-cases/cases.md +++ b/explore-analyze/alerts-cases/cases.md 
@@ -34,5 +34,5 @@ If you create cases in the {{observability}} or {{security-app}}, they are not v ## Limitations [kibana-case-limitations] -* If you create cases in {{stack-manage-app}}, they are not visible in the {{observability}} or the {{security-app}}. Likewise, the cases you create in {{stack-manage-app}} are not visible in the {{observability}} or {{elastic-sec}}. -* You cannot attach alerts from {{elastic-sec}} or {{stack-manage-app}} to cases in {{observability}}. +* If you create cases in {{stack-manage-app}}, they are not visible in the {{observability}} or the {{security-app}}. Likewise, the cases you create in {{observability}}, they are not visible in {{stack-manage-app}} or {{elastic-sec}}. +* You cannot attach alerts from {{observability}} or {{elastic-sec}} to cases in {{stack-manage-app}}. diff --git a/solutions/observability/incident-management/cases.md b/solutions/observability/incident-management/cases.md index b7b175c19d..9c90adfb73 100644 --- a/solutions/observability/incident-management/cases.md +++ b/solutions/observability/incident-management/cases.md @@ -22,5 +22,5 @@ Collect and share information about observability issues by creating a case. Cas ## Limitations [observability-case-limitations] -* If you create cases in {{observability}} or {{stack-manage-app}}, they are not visible in the {{security-app}}. Likewise, the cases you create in {{stack-manage-app}} are not visible in the {{observability}} or {{elastic-sec}}. +* If you create cases in {{observability}}, they are not visible in the {{security-app}} or {{stack-manage-app}}. Likewise, the cases you create in {{stack-manage-app}} are not visible in the {{observability}} or {{elastic-sec}}. * You cannot attach alerts from {{elastic-sec}} or {{stack-manage-app}} to cases in {{observability}}. \ No newline at end of file diff --git a/solutions/security/investigate/cases.md b/solutions/security/investigate/cases.md index e4f89dfa63..9856616176 100644 
--- a/solutions/security/investigate/cases.md +++ b/solutions/security/investigate/cases.md @@ -35,7 +35,7 @@ You can also send cases to these external systems by [configuring external conne ## Limitations [security-case-limitations] -* If you create cases in the {{observability}} or {{stack-manage-app}}, they are not visible in the {{security-app}}. Likewise, the cases you create in {{stack-manage-app}} are not visible in the {{observability}} or {{elastic-sec}}. +* If you create cases in the {{security-app}}, they are not visible from {{observability}} or {{stack-manage-app}}. Likewise, the cases you create in {{stack-manage-app}} are not visible in {{elastic-sec}} or {{observability}}. * You cannot attach alerts from the {{observability}} or {{stack-manage-app}} to cases in {{elastic-sec}}. From c9f572462ba9b80086919fc59b534f2a73738a68 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Tue, 22 Jul 2025 19:04:49 -0400 Subject: [PATCH 09/35] the to from --- explore-analyze/alerts-cases/cases.md | 2 +- solutions/observability/incident-management/cases.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/explore-analyze/alerts-cases/cases.md b/explore-analyze/alerts-cases/cases.md index 6b36c9a1c4..4ec4e6c0ee 100644 --- a/explore-analyze/alerts-cases/cases.md +++ b/explore-analyze/alerts-cases/cases.md 
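Review bot: In the explore-analyze/alerts-cases/cases.md hunk, the rewritten sentence "Likewise, the cases you create in {{observability}}, they are not visible in {{stack-manage-app}} or {{elastic-sec}}" has a dangling subject; it should read "Likewise, cases you create in {{observability}} are not visible in {{stack-manage-app}} or {{elastic-sec}}." The next patch carries this wording forward unchanged, so it needs fixing there as well.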
@@ -34,5 +34,5 @@ If you create cases in the {{observability}} or {{security-app}}, they are not v ## Limitations [kibana-case-limitations] -* If you create cases in {{stack-manage-app}}, they are not visible in the {{observability}} or the {{security-app}}. Likewise, the cases you create in {{observability}}, they are not visible in {{stack-manage-app}} or {{elastic-sec}}. +* If you create cases in {{stack-manage-app}}, they are not visible from {{observability}} or the {{security-app}}. Likewise, the cases you create in {{observability}}, they are not visible in {{stack-manage-app}} or {{elastic-sec}}. * You cannot attach alerts from {{observability}} or {{elastic-sec}} to cases in {{stack-manage-app}}. diff --git a/solutions/observability/incident-management/cases.md b/solutions/observability/incident-management/cases.md index 9c90adfb73..0b3901ace8 100644 --- a/solutions/observability/incident-management/cases.md +++ b/solutions/observability/incident-management/cases.md @@ -22,5 +22,5 @@ Collect and share information about observability issues by creating a case. Cas ## Limitations [observability-case-limitations] -* If you create cases in {{observability}}, they are not visible in the {{security-app}} or {{stack-manage-app}}. Likewise, the cases you create in {{stack-manage-app}} are not visible in the {{observability}} or {{elastic-sec}}. +* If you create cases in {{observability}}, they are not visible from the {{security-app}} or {{stack-manage-app}}. Likewise, the cases you create in {{stack-manage-app}} are not visible in the {{observability}} or {{elastic-sec}}. * You cannot attach alerts from {{elastic-sec}} or {{stack-manage-app}} to cases in {{observability}}. \ No newline at end of file From 52325f62e280c6a11dc315b5f358ab7c6c9a9d32 Mon Sep 17 00:00:00 2001 
From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Wed, 23 Jul 2025 10:55:31 -0400 Subject: [PATCH 10/35] Update explore-analyze/alerts-cases/cases/visualize-case-data.md Co-authored-by: Mike Birnstiehl <114418652+mdbirnstiehl@users.noreply.github.com> --- explore-analyze/alerts-cases/cases/visualize-case-data.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/explore-analyze/alerts-cases/cases/visualize-case-data.md b/explore-analyze/alerts-cases/cases/visualize-case-data.md index 2c8c939723..65a7004e64 100644 --- a/explore-analyze/alerts-cases/cases/visualize-case-data.md +++ b/explore-analyze/alerts-cases/cases/visualize-case-data.md @@ -47,7 +47,7 @@ Search and filter case data in [Discover](../../discover.md) and [Lens](../../vi FROM .internal.cases | STATS count = COUNT(*) BY status | WHERE status == "closed" ``` -* Find cases that are open and sort them by time, with the most recent is at the top: +* Find cases that are open and sort them by time, with the most recent at the top: ```console FROM .internal.cases | WHERE status == "open" | SORT created_at DESC ``` From 43555590d4533375c359aa21ca92e1eb3c3b5def Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Wed, 23 Jul 2025 14:14:43 -0400 Subject: [PATCH 11/35] Update explore-analyze/alerts-cases/cases/visualize-case-data.md --- explore-analyze/alerts-cases/cases/visualize-case-data.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/explore-analyze/alerts-cases/cases/visualize-case-data.md b/explore-analyze/alerts-cases/cases/visualize-case-data.md index 65a7004e64..e70bc24551 100644 --- a/explore-analyze/alerts-cases/cases/visualize-case-data.md +++ b/explore-analyze/alerts-cases/cases/visualize-case-data.md 
@@ -12,7 +12,7 @@ Case data is stored in case analytics indices, which include data from case comm ## About case analytics indices [about-case-analytics-indices] -Case analytics indices and their aliases are automatically generated when Kibana starts up. Every five minutes, the indices are updated with new data from cases in your space. Historical data about cases is not stored; it gets overwritten whenever new case data is written to the indices. +Case analytics indices and their aliases are automatically generated when{{kib}} starts up. Every five minutes, the indices are updated with a snapshot of most current cases data in your space. Historical cases data is not stored; it gets overwritten whenever the indices are refreshed. You can begin querying case analytics indices as soon as you have cases in your space. To learn more about fields in the indices, refer to % [Case analytics indices schema](kibana://reference/case-analytics-indices-schema.md) From 2533c13d6cf001096158c3cd87eef2cab3f841ce Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Wed, 23 Jul 2025 14:14:55 -0400 Subject: [PATCH 12/35] Update explore-analyze/alerts-cases/cases/visualize-case-data.md --- explore-analyze/alerts-cases/cases/visualize-case-data.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/explore-analyze/alerts-cases/cases/visualize-case-data.md b/explore-analyze/alerts-cases/cases/visualize-case-data.md index e70bc24551..07f734d3e1 100644 --- a/explore-analyze/alerts-cases/cases/visualize-case-data.md +++ b/explore-analyze/alerts-cases/cases/visualize-case-data.md 
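Review bot: In the visualize-case-data.md hunk, "generated when{{kib}} starts up" is missing the space before the variable, and "a snapshot of most current cases data" should read "a snapshot of the most current case data" (likewise "Historical case data" in the following sentence).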
@@ -8,7 +8,7 @@ products: # Visualize case data [visualize-case-data] -Case data is stored in case analytics indices, which include data from case comments, attachments, and activity. You can query this information to build dashboards and metrics that improve your visibility into case patterns and trends. +Case data is stored in case analytics indices, which include data from case comments, attachments, and activity. You can query this information to build dashboards and metrics that improve your visibility into case, usage, patterns, and trends. ## About case analytics indices [about-case-analytics-indices] From 754575fdffb3d2ba6135f397c9445ebd6ccdfda2 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Mon, 29 Sep 2025 17:44:05 -0400 Subject: [PATCH 13/35] Technical input --- .../alerts-cases/cases/visualize-case-data.md | 61 ++++++++++++------- 1 file changed, 39 insertions(+), 22 deletions(-) diff --git a/explore-analyze/alerts-cases/cases/visualize-case-data.md b/explore-analyze/alerts-cases/cases/visualize-case-data.md index 07f734d3e1..3ad0ed43d0 100644 --- a/explore-analyze/alerts-cases/cases/visualize-case-data.md +++ b/explore-analyze/alerts-cases/cases/visualize-case-data.md 
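Review bot: In the visualize-case-data.md hunk, "visibility into case, usage, patterns, and trends" has a stray comma after "case"; the intended reading is "case usage, patterns, and trends", which is how the next patch phrases it.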
@@ -8,51 +8,68 @@ products: # Visualize case data [visualize-case-data] -Case data is stored in case analytics indices, which include data from case comments, attachments, and activity. You can query this information to build dashboards and metrics that improve your visibility into case, usage, patterns, and trends. +Case analytics indices store data for cases in Stack Management, Observability, and Security. This includes information about case comments, attachments, and activity. You can query case data to build dashboards and metrics that improve your visibility into case usage, patterns, and trends. -## About case analytics indices [about-case-analytics-indices] +::::{admonition} Requirements -Case analytics indices and their aliases are automatically generated when{{kib}} starts up. Every five minutes, the indices are updated with a snapshot of most current cases data in your space. Historical cases data is not stored; it gets overwritten whenever the indices are refreshed. +* To use case analytics indices, you must first turn on the feature by adding the following line to your [`kibana.yml`](/deploy-manage/stack-settings.md) file. -You can begin querying case analytics indices as soon as you have cases in your space. To learn more about fields in the indices, refer to -% [Case analytics indices schema](kibana://reference/case-analytics-indices-schema.md) + ```yaml + xpack.cases.incrementalId.enabled: true + ``` + + If you already have cases in your {{kib}} space, the case analytics indices and their aliases are automatically generated. If you don't, you must create a case in Stack Management, Observability, or Security to auto-generate the indices. + + If you're creating cases in a new {{kib}} space, it can take around an hour for case analytics indices to generate. + +* To query the case analytics indices, your role must have at least `Read` and `view_index_metadata` access to the indices. 
+ +:::: + +## About case analytics indices [about-case-analytics-indices] + +Case data is stored in indices that are auto-created per space and for each Elastic solution (Stack Management, Observability, and Security). The following table lists these indices and their aliases. | Index | Alias | Description | | ---------------------------- | ---------------------- |----------------------------------------- | -| `.internal.cases` | `.cases` | Stores general data related to cases. | -| `.internal.cases-comments` | `.cases-comments` | Stores data related to case comments. | -| `.internal.cases-activity` | `.cases-activity` | Stores data related to case activity. | -| `.internal.cases-attachments`| `.cases-attachments` | Stores data related to case attachments (only alerts and files added to the case). | +| • `.internal.cases.-cases` (Stack Management cases)
• `.internal.cases.-observability` (Observability cases)
• `.internal.cases.-securitysolution` (Security cases) | • `.cases.-cases`
• `.cases.-observability` (Observability cases)
• `.cases.-securitysolution` (Security cases) | Stores general data related to Stack Management, Observability, and Security cases. | + +| • `.internal.cases-comments.-cases` (Stack Management cases)
• `.internal.cases-comments.-observability` (Observability cases)
• `.internal.cases-comments.-securitysolution` (Security cases) | • `.cases-comments.-cases`
• `.cases-comments.-observability` (Observability cases)
• `.cases-comments.-securitysolution` (Security cases) | Stores data related to case comments for cases in each Elastic solution. | + +| • `.internal.cases-activity.-cases` (Stack Management cases)
• `.internal.cases-activity.-observability` (Observability cases)
• `.internal.cases-activity.-securitysolution` (Security cases) | • `.cases-activity.-cases`
• `.cases-activity.-observability` (Observability cases)
• `.cases-activity.-securitysolution` (Security cases) | Stores data related to case activity for cases in each Elastic solution. | + +| • `.internal.cases-attachments.-cases` (Stack Management cases)
• `.internal.cases-attachments.-observability` (Observability cases)
• `.internal.cases-attachments.-securitysolution` (Security cases) | • `.cases-attachments.-cases`
• `.cases-attachments.-observability` (Observability cases)
• `.cases-attachments.-securitysolution` (Security cases) | Stores data related to case attachments for cases in each Elastic solution. | + +Every five minutes, the indices are refreshed with a snapshot of the most current case data in your space. Historical case data isn't stored; it's overwritten whenever the indices refresh. ## Explore case data [explore-case-analytics-indices] -::::{admonition} Requirements -To query the case analytics indices, your role must have at least `Read` and `view_index_metadata` access to the indices. -:::: +Once the case analytics indices are created, you can start querying them for case data. To learn more about queryable fields in the indices, refer to +% [Case analytics indices schema](kibana://reference/case-analytics-indices-schema.md) Search and filter case data in [Discover](../../discover.md) and [Lens](../../visualize/lens.md), and build visualizations for [dashboards](../../dashboards.md). To help you start visualizing your case data, here are some sample {{esql}} queries that you can run from the [{{esql}} editor](../../../explore-analyze/query-filter/languages/esql-kibana.md#esql-kibana-get-started) in Discover. 
-* Find the total number of cases that are currently open: +* Find the total number of {{elastic-sec}}cases that are currently open in the default {{kib}} space: ```console - FROM .internal.cases | STATS count = COUNT(*) BY status | WHERE status == "open" + FROM .internal.cases.default-securitysolution | STATS count = COUNT(*) BY status | WHERE status == "open" ``` -* Find the total number of cases that are currently in progress: +* Find the total number of {{elastic-sec}} cases that are currently in progress in the default {{kib}} space: ```console - FROM .internal.cases | STATS count = COUNT(*) BY status | WHERE status == "in-progress" + FROM .internal.cases.default-securitysolution | STATS count = COUNT(*) BY status | WHERE status == "in-progress" ``` -* Find the total number of cases that are closed: +* Find the total number of {{elastic-sec}} cases that are closed in the default {{kib}} space: ```console - FROM .internal.cases | STATS count = COUNT(*) BY status | WHERE status == "closed" + FROM .internal.cases.default-securitysolution | STATS count = COUNT(*) BY status | WHERE status == "closed" ``` -* Find cases that are open and sort them by time, with the most recent at the top: +* Find {{elastic-sec}} cases that are open and sort them by time, with the most recent at the top: ```console - FROM .internal.cases | WHERE status == "open" | SORT created_at DESC + FROM .internal.cases.default-securitysolution | WHERE status == "open" | SORT created_at DESC ``` -* Find the average time that it takes to close a case: +* Find the average time that it takes to close {{elastic-sec}} cases in the default {{kib}} space: ```console - FROM .internal.cases | STATS average_time_to_close = AVG(time_to_resolve) + FROM .internal.cases.default-securitysolution | STATS average_time_to_close = AVG(time_to_resolve) ``` From 07777e65a2eb4e0ff96b7e8ef6e84e1eaf5d6a8e Mon Sep 17 00:00:00 2001 
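Review bot: The blank lines inserted between the rows of the new index table (`@@ -8,51 +8,68 @@`) end the Markdown table after the first data row, so the comments, activity and attachments rows will render as loose text; remove the blank lines (the header/separator pair must be directly followed by every row). Two smaller points in the same hunk: the table's names have nothing between the `.` and the `-` (`.internal.cases.-cases`) while the sample queries lower in the hunk use `.internal.cases.default-securitysolution`, so the space id slot is silently empty and should be shown as a placeholder; and the first ES|QL bullet is missing a space in `{{elastic-sec}}cases` (the later bullets have it). The requirement line also names the index privilege as `Read`; the Elasticsearch privilege is lowercase `read`.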
From: Nastasha Solomon Date: Mon, 29 Sep 2025 17:49:59 -0400 Subject: [PATCH 14/35] Fix table --- explore-analyze/alerts-cases/cases.md | 2 +- explore-analyze/alerts-cases/cases/visualize-case-data.md | 5 +---- solutions/observability/incident-management/cases.md | 2 +- solutions/security/investigate/cases.md | 2 +- 4 files changed, 4 insertions(+), 7 deletions(-) diff --git a/explore-analyze/alerts-cases/cases.md b/explore-analyze/alerts-cases/cases.md index 5af682d30d..f55c8e17a9 100644 --- a/explore-analyze/alerts-cases/cases.md +++ b/explore-analyze/alerts-cases/cases.md @@ -30,7 +30,7 @@ If you create cases in the {{observability}} or {{security-app}}, they are not v ::::{note} -{applies_to}`stack: ga 9.1` With the appropriate index access, you can [build visualizations and metrics](../../explore-analyze/alerts-cases/cases/visualize-case-data.md) of data in {{observability}}, {{stack-manage-app}}, and {{elastic-sec}} cases. This can provide improved visibility into patterns and trends of cases within your space. +{applies_to}`stack: ga 9.2` With the appropriate index access, you can [build visualizations and metrics](../../explore-analyze/alerts-cases/cases/visualize-case-data.md) of data in {{observability}}, {{stack-manage-app}}, and {{elastic-sec}} cases. This can provide improved visibility into patterns and trends of cases within your space. :::: ## Limitations [kibana-case-limitations] diff --git a/explore-analyze/alerts-cases/cases/visualize-case-data.md b/explore-analyze/alerts-cases/cases/visualize-case-data.md index 3ad0ed43d0..a37d78e66e 100644 --- a/explore-analyze/alerts-cases/cases/visualize-case-data.md +++ b/explore-analyze/alerts-cases/cases/visualize-case-data.md 
@@ -32,12 +32,9 @@ Case data is stored in indices that are auto-created per space and for each Elas | Index | Alias | Description | | ---------------------------- | ---------------------- |----------------------------------------- | -| • `.internal.cases.-cases` (Stack Management cases)
• `.internal.cases.-observability` (Observability cases)
• `.internal.cases.-securitysolution` (Security cases) | • `.cases.-cases`
• `.cases.-observability` (Observability cases)
• `.cases.-securitysolution` (Security cases) | Stores general data related to Stack Management, Observability, and Security cases. | - +| • `.internal.cases.-cases` (Stack Management cases)
• `.internal.cases.-observability` (Observability cases)
• `.internal.cases.-securitysolution` (Security cases) | • `.cases.-cases`
• `.cases.-observability` (Observability cases)
• `.cases.-securitysolution` (Security cases) | Stores general data related to Stack Management, Observability, and Security cases. | | • `.internal.cases-comments.-cases` (Stack Management cases)
• `.internal.cases-comments.-observability` (Observability cases)
• `.internal.cases-comments.-securitysolution` (Security cases) | • `.cases-comments.-cases`
• `.cases-comments.-observability` (Observability cases)
• `.cases-comments.-securitysolution` (Security cases) | Stores data related to case comments for cases in each Elastic solution. | - | • `.internal.cases-activity.-cases` (Stack Management cases)
• `.internal.cases-activity.-observability` (Observability cases)
• `.internal.cases-activity.-securitysolution` (Security cases) | • `.cases-activity.-cases`
• `.cases-activity.-observability` (Observability cases)
• `.cases-activity.-securitysolution` (Security cases) | Stores data related to case activity for cases in each Elastic solution. | - | • `.internal.cases-attachments.-cases` (Stack Management cases)
• `.internal.cases-attachments.-observability` (Observability cases)
• `.internal.cases-attachments.-securitysolution` (Security cases) | • `.cases-attachments.-cases`
• `.cases-attachments.-observability` (Observability cases)
• `.cases-attachments.-securitysolution` (Security cases) | Stores data related to case attachments for cases in each Elastic solution. | Every five minutes, the indices are refreshed with a snapshot of the most current case data in your space. Historical case data isn't stored; it's overwritten whenever the indices refresh. diff --git a/solutions/observability/incident-management/cases.md b/solutions/observability/incident-management/cases.md index 6f931b8a89..d6223664e7 100644 --- a/solutions/observability/incident-management/cases.md +++ b/solutions/observability/incident-management/cases.md @@ -18,7 +18,7 @@ Collect and share information about observability issues by creating a case. Cas ::: ::::{note} -{applies_to}`stack: ga 9.1` With the appropriate index access, you can [build visualizations and metrics](../../../explore-analyze/alerts-cases/cases/visualize-case-data.md) of data in {{observability}}, {{stack-manage-app}}, and {{elastic-sec}} cases. This can provide improved visibility into patterns and trends of cases within your space. +{applies_to}`stack: ga 9.2` With the appropriate index access, you can [build visualizations and metrics](../../../explore-analyze/alerts-cases/cases/visualize-case-data.md) of data in {{observability}}, {{stack-manage-app}}, and {{elastic-sec}} cases. This can provide improved visibility into patterns and trends of cases within your space. :::: ## Limitations [observability-case-limitations] diff --git a/solutions/security/investigate/cases.md b/solutions/security/investigate/cases.md index 9964e0767c..ddfa7eaa7d 100644 --- a/solutions/security/investigate/cases.md +++ b/solutions/security/investigate/cases.md 
@@ -31,7 +31,7 @@ You can also send cases to these external systems by [configuring external conne ::: ::::{note} -{applies_to}`stack: ga 9.1` With the appropriate index access, you can [build visualizations and metrics](../../../explore-analyze/alerts-cases/cases/visualize-case-data.md) of data in {{observability}}, {{stack-manage-app}}, and {{elastic-sec}} cases. This can provide improved visibility into patterns and trends of cases within your space. +{applies_to}`stack: ga 9.2` With the appropriate index access, you can [build visualizations and metrics](../../../explore-analyze/alerts-cases/cases/visualize-case-data.md) of data in {{observability}}, {{stack-manage-app}}, and {{elastic-sec}} cases. This can provide improved visibility into patterns and trends of cases within your space. :::: ## Limitations [security-case-limitations] From 0f063b2f4048bdee005f344da8286415d54faa3a Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Mon, 29 Sep 2025 17:59:43 -0400 Subject: [PATCH 15/35] removed some duplicate information --- .../alerts-cases/cases/visualize-case-data.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/explore-analyze/alerts-cases/cases/visualize-case-data.md b/explore-analyze/alerts-cases/cases/visualize-case-data.md index a37d78e66e..92b5e7a366 100644 --- a/explore-analyze/alerts-cases/cases/visualize-case-data.md +++ b/explore-analyze/alerts-cases/cases/visualize-case-data.md 
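Review bot: In the `@@ -32,12 +32,9 @@` hunk for `visualize-case-data.md`, the `.internal.cases.-cases` row is deleted and re-added with identical visible content; the net change is only the three removed blank lines, so the `-`/`+` pair is probably trailing whitespace and could be dropped to keep the diff readable.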
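Review bot: The three `stack: ga 9.1` to `stack: ga 9.2` hunks (`alerts-cases/cases.md`, `incident-management/cases.md`, `investigate/cases.md`) change the documented availability of the feature and are unrelated to the commit subject `Fix table`; consider a separate commit so the version change is findable in history.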
@@ -30,12 +30,14 @@ Case analytics indices store data for cases in Stack Management, Observability, Case data is stored in indices that are auto-created per space and for each Elastic solution (Stack Management, Observability, and Security). The following table lists these indices and their aliases. +Indices for cases created in Stack Management are **not** appended with a solution name (for example, `.internal.cases.-cases`). Indices for cases created in Observability are appended by `observability` (for example,`.internal.cases.-observability`). Indices for cases created in Security are appended by `securitysolution` (for example, `.internal.cases.-securitysolution`). + | Index | Alias | Description | | ---------------------------- | ---------------------- |----------------------------------------- | -| • `.internal.cases.-cases` (Stack Management cases)
• `.internal.cases.-observability` (Observability cases)
• `.internal.cases.-securitysolution` (Security cases) | • `.cases.-cases`
• `.cases.-observability` (Observability cases)
• `.cases.-securitysolution` (Security cases) | Stores general data related to Stack Management, Observability, and Security cases. | -| • `.internal.cases-comments.-cases` (Stack Management cases)
• `.internal.cases-comments.-observability` (Observability cases)
• `.internal.cases-comments.-securitysolution` (Security cases) | • `.cases-comments.-cases`
• `.cases-comments.-observability` (Observability cases)
• `.cases-comments.-securitysolution` (Security cases) | Stores data related to case comments for cases in each Elastic solution. | -| • `.internal.cases-activity.-cases` (Stack Management cases)
• `.internal.cases-activity.-observability` (Observability cases)
• `.internal.cases-activity.-securitysolution` (Security cases) | • `.cases-activity.-cases`
• `.cases-activity.-observability` (Observability cases)
• `.cases-activity.-securitysolution` (Security cases) | Stores data related to case activity for cases in each Elastic solution. | -| • `.internal.cases-attachments.-cases` (Stack Management cases)
• `.internal.cases-attachments.-observability` (Observability cases)
• `.internal.cases-attachments.-securitysolution` (Security cases) | • `.cases-attachments.-cases`
• `.cases-attachments.-observability` (Observability cases)
• `.cases-attachments.-securitysolution` (Security cases) | Stores data related to case attachments for cases in each Elastic solution. | +| • `.internal.cases.-cases`
• `.internal.cases.-observability`
• `.internal.cases.-securitysolution`| • `.cases.-cases`
• `.cases.-observability`
• `.cases.-securitysolution` | Stores general data related to cases. | +| • `.internal.cases-comments.-cases
• `.internal.cases-comments.-observability`
• `.internal.cases-comments.-securitysolution` | • `.cases-comments.-cases`
• `.cases-comments.-observability`
• `.cases-comments.-securitysolution` | Stores data related to case comments. | +| • `.internal.cases-activity.-cases`
• `.internal.cases-activity.-observability`
• `.internal.cases-activity.-securitysolution` | • `.cases-activity.-cases`
• `.cases-activity.-observability`
• `.cases-activity.-securitysolution` | Stores data related to case activity. | +| • `.internal.cases-attachments.-cases`
• `.internal.cases-attachments.-observability`
• `.internal.cases-attachments.-securitysolution` | • `.cases-attachments.-cases`
• `.cases-attachments.-observability`
• `.cases-attachments.-securitysolution` | Stores data related to case attachments. | Every five minutes, the indices are refreshed with a snapshot of the most current case data in your space. Historical case data isn't stored; it's overwritten whenever the indices refresh. From 7ad4c2b9d256f94dd62255a9e97f08f1460e2d3f Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Mon, 29 Sep 2025 22:43:13 -0400 Subject: [PATCH 16/35] Reformats table --- .../alerts-cases/cases/visualize-case-data.md | 92 +++++++++++++------ 1 file changed, 63 insertions(+), 29 deletions(-) diff --git a/explore-analyze/alerts-cases/cases/visualize-case-data.md b/explore-analyze/alerts-cases/cases/visualize-case-data.md index 92b5e7a366..fea6b56d3f 100644 --- a/explore-analyze/alerts-cases/cases/visualize-case-data.md +++ b/explore-analyze/alerts-cases/cases/visualize-case-data.md 
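Review bot: The new explanatory paragraph in `@@ -30,12 +30,14 @@` contradicts its own example: it says Stack Management indices are **not** appended with a solution name and then cites `.internal.cases.-cases`, which does carry the suffix `-cases`; state that the suffix for Stack Management is `cases`. The `.-` in every name still leaves the space id empty, so spell the pattern out as `.internal.cases.<space-id>-cases` (the queries in this file use `default`). Also `for example,`.internal.cases.-observability`` is missing a space after the comma, and the `.internal.cases-comments.-cases` cell in the second table row has no closing backtick, so that name will not render as code.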
@@ -8,67 +8,101 @@ products: # Visualize case data [visualize-case-data] -Case analytics indices store data for cases in Stack Management, Observability, and Security. This includes information about case comments, attachments, and activity. You can query case data to build dashboards and metrics that improve your visibility into case usage, patterns, and trends. +Case data, such as details about comments, activities, and attachments, is stored in case analytics indices. You can query these indices to build dashboards and metrics that improve your visibility into case patterns and trends. -::::{admonition} Requirements +::::{tip} +To learn more about queryable fields in the case analytics indices, refer to +% [Case analytics indices schema](kibana://reference/case-analytics-indices-schema.md) +:::: -* To use case analytics indices, you must first turn on the feature by adding the following line to your [`kibana.yml`](/deploy-manage/stack-settings.md) file. +## About case analytics indices [about-case-analytics-indices] - ```yaml - xpack.cases.incrementalId.enabled: true - ``` +The following case analytics indices and their aliases are automatically generated for _all_ {{kib}} spaces if any spaces have cases. - If you already have cases in your {{kib}} space, the case analytics indices and their aliases are automatically generated. If you don't, you must create a case in Stack Management, Observability, or Security to auto-generate the indices. +::::{note} +* Every five minutes, indices are updated with a snapshot of most current cases data in your spaces. Historical data for cases is not stored; it gets overwritten whenever the indices are refreshed. +* It may take around an hour for case analytics indices to form in a new {{kib}} space. +:::: - If you're creating cases in a new {{kib}} space, it can take around an hour for case analytics indices to generate. 
+### General case data -* To query the case analytics indices, your role must have at least `Read` and `view_index_metadata` access to the indices. +These indices store general data related to cases created in Stack Management, {{observability}}, and Security. -:::: +| Index | Alias | Created for | +| ---------------------------- | ---------------------- |----------------------------------------- | +| `.internal.cases.-cases` | `.cases.-cases` | Stack Management cases | +| `.internal.cases.-observability` | `.cases.-observability` | {{observability}} cases | +| `.internal.cases.-securitysolution` | `.cases.-securitysolution` | Security cases | -## About case analytics indices [about-case-analytics-indices] +### Case comments + +These indices store data related to comments in Stack Management, {{observability}}, and Security cases. + +| Index | Alias | Created for | +| ---------------------------- | ---------------------- |----------------------------------------- | +| `.internal.cases-comments.-cases` | `.cases-comments.-cases` | Stack Management cases | +| `.internal.cases-comments.-observability` | `.cases-comments.-observability` | {{observability}} cases | +| `.internal.cases-comments.-securitysolution` | `.cases-comments.-securitysolution` | Security cases | + + +### Case attachments -Case data is stored in indices that are auto-created per space and for each Elastic solution (Stack Management, Observability, and Security). The following table lists these indices and their aliases. +These indices store data related to attachments in Stack Management, {{observability}}, and Security cases. -Indices for cases created in Stack Management are **not** appended with a solution name (for example, `.internal.cases.-cases`). Indices for cases created in Observability are appended by `observability` (for example,`.internal.cases.-observability`). Indices for cases created in Security are appended by `securitysolution` (for example, `.internal.cases.-securitysolution`). 
+| Index | Alias | Created for | +| ---------------------------- | ---------------------- |----------------------------------------- | +| `.internal.cases-attachments.-cases` | `.cases-attachments.-cases` | Stack Management cases | +| `.internal.cases-attachments.-observability` | `.cases-attachments.-observability` | {{observability}} cases | +| `.internal.cases-attachments.-securitysolution` | `.cases-attachments.-securitysolution` | Security cases | + +### Case activity -| Index | Alias | Description | +These indices store data related to activity in Stack Management, {{observability}}, and Security cases. + +| Index | Alias | Created for | | ---------------------------- | ---------------------- |----------------------------------------- | -| • `.internal.cases.-cases`
• `.internal.cases.-observability`
• `.internal.cases.-securitysolution`| • `.cases.-cases`
• `.cases.-observability`
• `.cases.-securitysolution` | Stores general data related to cases. | -| • `.internal.cases-comments.-cases
• `.internal.cases-comments.-observability`
• `.internal.cases-comments.-securitysolution` | • `.cases-comments.-cases`
• `.cases-comments.-observability`
• `.cases-comments.-securitysolution` | Stores data related to case comments. | -| • `.internal.cases-activity.-cases`
• `.internal.cases-activity.-observability`
• `.internal.cases-activity.-securitysolution` | • `.cases-activity.-cases`
• `.cases-activity.-observability`
• `.cases-activity.-securitysolution` | Stores data related to case activity. | -| • `.internal.cases-attachments.-cases`
• `.internal.cases-attachments.-observability`
• `.internal.cases-attachments.-securitysolution` | • `.cases-attachments.-cases`
• `.cases-attachments.-observability`
• `.cases-attachments.-securitysolution` | Stores data related to case attachments. | +| `.internal.cases-activity.-cases` | `.cases-activity.-cases` | Stack Management cases | +| `.internal.cases-activity.-observability` | `.cases-activity.-observability` | {{observability}} cases | +| `.internal.cases-activity.-securitysolution` | `.cases-activity.-securitysolution` | Security cases | -Every five minutes, the indices are refreshed with a snapshot of the most current case data in your space. Historical case data isn't stored; it's overwritten whenever the indices refresh. ## Explore case data [explore-case-analytics-indices] -Once the case analytics indices are created, you can start querying them for case data. To learn more about queryable fields in the indices, refer to -% [Case analytics indices schema](kibana://reference/case-analytics-indices-schema.md) +::::{admonition} Requirements + +* Enable the case analytics indices feature by adding `xpack.cases.incrementalId.enabled: true` to your [`kibana.yml`](/deploy-manage/stack-settings.md) file. +* Ensure your role has at least `read` and `view_index_metadata` access to the appropriate case anlaytics indices. + +:::: Search and filter case data in [Discover](../../discover.md) and [Lens](../../visualize/lens.md), and build visualizations for [dashboards](../../dashboards.md). To help you start visualizing your case data, here are some sample {{esql}} queries that you can run from the [{{esql}} editor](../../../explore-analyze/query-filter/languages/esql-kibana.md#esql-kibana-get-started) in Discover. 
-* Find the total number of {{elastic-sec}}cases that are currently open in the default {{kib}} space: +* Find the total number of open cases in the default {{kib}} space: + ```console - FROM .internal.cases.default-securitysolution | STATS count = COUNT(*) BY status | WHERE status == "open" + FROM .internal.cases.default-observability | STATS count = COUNT(*) BY status | WHERE status == "open" ``` -* Find the total number of {{elastic-sec}} cases that are currently in progress in the default {{kib}} space: +* Find the total number of in progress Stack Management cases in the default {{kib}} space: + ```console - FROM .internal.cases.default-securitysolution | STATS count = COUNT(*) BY status | WHERE status == "in-progress" + FROM .internal.cases.default-cases | STATS count = COUNT(*) BY status | WHERE status == "in-progress" ``` -* Find the total number of {{elastic-sec}} cases that are closed in the default {{kib}} space: +* Find the total number of closed {{observability}} cases in the default {{kib}} space: + ```console - FROM .internal.cases.default-securitysolution | STATS count = COUNT(*) BY status | WHERE status == "closed" + FROM .internal.cases.default-observability | STATS count = COUNT(*) BY status | WHERE status == "closed" ``` -* Find {{elastic-sec}} cases that are open and sort them by time, with the most recent at the top: +* Find Security cases that are open in the default {{kib}} space, and sort them by time, with the most recent at the top: + ```console FROM .internal.cases.default-securitysolution | WHERE status == "open" | SORT created_at DESC ``` -* Find the average time that it takes to close {{elastic-sec}} cases in the default {{kib}} space: +* Find the average time that it takes to close Security cases in the default {{kib}} space: + ```console FROM .internal.cases.default-securitysolution | STATS average_time_to_close = AVG(time_to_resolve) ``` From b6a80a360ab671c517c640fd43f6be0c145c6ce9 Mon Sep 17 00:00:00 2001 
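Review bot: In `@@ -8,67 +8,101 @@` the first sample-query bullet says `Find the total number of open cases in the default {{kib}} space` but the query reads only `.internal.cases.default-observability`; name the solution in the bullet as the other four do, or the count will be misread as covering all cases. The Requirements admonition has a typo (`anlaytics`), and the note still says `a snapshot of most current cases data` (missing `the`). Style point on the count queries: `STATS count = COUNT(*) BY status | WHERE status == "open"` aggregates every status before filtering; `WHERE status == "open" | STATS count = COUNT(*)` returns the same count and is the usual ES|QL form.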
From: Nastasha Solomon Date: Mon, 29 Sep 2025 23:27:35 -0400 Subject: [PATCH 17/35] Moves more content --- .../alerts-cases/cases/visualize-case-data.md | 34 +++++++++++-------- 1 file changed, 19 insertions(+), 15 deletions(-) diff --git a/explore-analyze/alerts-cases/cases/visualize-case-data.md b/explore-analyze/alerts-cases/cases/visualize-case-data.md index fea6b56d3f..198a6c44be 100644 --- a/explore-analyze/alerts-cases/cases/visualize-case-data.md +++ b/explore-analyze/alerts-cases/cases/visualize-case-data.md @@ -1,6 +1,6 @@ --- applies_to: - stack: ga + stack: ga 9.2 serverless: ga products: - id: kibana 
@@ -8,20 +8,26 @@ products: # Visualize case data [visualize-case-data] -Case data, such as details about comments, activities, and attachments, is stored in case analytics indices. You can query these indices to build dashboards and metrics that improve your visibility into case patterns and trends. +Case data, such as details about comments, activities, and attachments, is collected in case analytics indices. You can query these indices to build dashboards and metrics that improve your visibility into case patterns and trends. + +::::{admonition} Requirements + +To visualize case data, you must do the following: + +* {applies_to}`stack: ga` Turn on the case analytics indices feature by adding `xpack.cases.incrementalId.enabled: true` to your [`kibana.yml`](/deploy-manage/stack-settings.md) file. +* Ensure your role has at least `read` and `view_index_metadata` access to the appropriate case anlaytics indices. +* (Optional) If you don't have cases, create a new one in a {{kib}} space to automatically generate the case analytics indices. -::::{tip} -To learn more about queryable fields in the case analytics indices, refer to -% [Case analytics indices schema](kibana://reference/case-analytics-indices-schema.md) :::: ## About case analytics indices [about-case-analytics-indices] -The following case analytics indices and their aliases are automatically generated for _all_ {{kib}} spaces if any spaces have cases. +After you turn on the case analytics indices feature, your {{kib}} spaces are checked for case data. If they have any, {{es}} automatically creates case analytics indices for each solution (Stack Management, {{observability}}, and Security) and every {{kib}} space. Aliases for the case analytics indices are automatically created as well. + +The case analytics indices are updated very five minutes with a snapshot of most current cases data in your spaces. Historical data for cases is not stored; it gets overwritten whenever the indices are refreshed. 
::::{note} -* Every five minutes, indices are updated with a snapshot of most current cases data in your spaces. Historical data for cases is not stored; it gets overwritten whenever the indices are refreshed. -* It may take around an hour for case analytics indices to form in a new {{kib}} space. +It may take up to an hour for case analytics indices to form in a new {{kib}} space. :::: ### General case data @@ -68,13 +74,6 @@ These indices store data related to activity in Stack Management, {{observabilit ## Explore case data [explore-case-analytics-indices] -::::{admonition} Requirements - -* Enable the case analytics indices feature by adding `xpack.cases.incrementalId.enabled: true` to your [`kibana.yml`](/deploy-manage/stack-settings.md) file. -* Ensure your role has at least `read` and `view_index_metadata` access to the appropriate case anlaytics indices. - -:::: - Search and filter case data in [Discover](../../discover.md) and [Lens](../../visualize/lens.md), and build visualizations for [dashboards](../../dashboards.md). To help you start visualizing your case data, here are some sample {{esql}} queries that you can run from the [{{esql}} editor](../../../explore-analyze/query-filter/languages/esql-kibana.md#esql-kibana-get-started) in Discover. * Find the total number of open cases in the default {{kib}} space: @@ -106,3 +105,8 @@ Search and filter case data in [Discover](../../discover.md) and [Lens](../../vi ```console FROM .internal.cases.default-securitysolution | STATS average_time_to_close = AVG(time_to_resolve) ``` + +::::{tip} +To learn more about queryable fields in the indices, refer to +% [Case analytics indices schema](kibana://reference/case-analytics-indices-schema.md) +:::: \ No newline at end of file From a49dd7225415e6f014113784396e1d658922fe71 Mon Sep 17 00:00:00 2001 
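Review bot: Typos in the `@@ -8,20 +8,26 @@` hunk: `updated very five minutes` should be `every five minutes`, and `anlaytics` is carried into the new Requirements admonition. The third requirement is labelled `(Optional)` under `you must do the following`, yet without a case there are no indices to query, so it is a precondition rather than an option; reword as `If you don't have any cases yet, create one ...`. The `@@ -106,3 +105,8 @@` hunk leaves the file without a trailing newline (`\ No newline at end of file`); add one.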
From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Sat, 11 Oct 2025 13:13:27 -0400 Subject: [PATCH 18/35] Apply suggestion from @nastasha-solomon --- explore-analyze/alerts-cases/cases/visualize-case-data.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/explore-analyze/alerts-cases/cases/visualize-case-data.md b/explore-analyze/alerts-cases/cases/visualize-case-data.md index 198a6c44be..d0ab688301 100644 --- a/explore-analyze/alerts-cases/cases/visualize-case-data.md +++ b/explore-analyze/alerts-cases/cases/visualize-case-data.md @@ -22,7 +22,7 @@ To visualize case data, you must do the following: ## About case analytics indices [about-case-analytics-indices] -After you turn on the case analytics indices feature, your {{kib}} spaces are checked for case data. If they have any, {{es}} automatically creates case analytics indices for each solution (Stack Management, {{observability}}, and Security) and every {{kib}} space. Aliases for the case analytics indices are automatically created as well. +After turning on the case analytics indices feature, your {{kib}} spaces are checked for case data. {{es}} automatically creates case analytics indices for Stack Management, {{observability}}, and Security in each {{kib}} space that has cases. {{es}} automatically creates aliases for the case analytics indices as well. The case analytics indices are updated very five minutes with a snapshot of most current cases data in your spaces. Historical data for cases is not stored; it gets overwritten whenever the indices are refreshed. From 17656145db1b97a8b4df93c9172e5b568e65724b Mon Sep 17 00:00:00 2001 
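Review bot: the rewritten sentence in this hunk still has a dangling modifier: "After turning on the case analytics indices feature, your {{kib}} spaces are checked for case data" makes the spaces the ones turning the feature on. Suggest "After you turn on the case analytics indices feature, {{kib}} checks your spaces for case data." The unchanged context line below it keeps the typo `updated very five minutes`; since this commit edits the paragraph anyway, fix it to `every five minutes` here.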
From: Nastasha Solomon Date: Sat, 11 Oct 2025 23:11:09 -0400 Subject: [PATCH 19/35] adds some content from toi --- explore-analyze/alerts-cases/cases.md | 6 +- ...isualize-case-data.md => cases-as-data.md} | 129 ++++++++++-------- explore-analyze/toc.yml | 2 +- .../incident-management/cases.md | 5 +- solutions/security/investigate/cases.md | 6 +- 5 files changed, 79 insertions(+), 69 deletions(-) rename explore-analyze/alerts-cases/cases/{visualize-case-data.md => cases-as-data.md} (50%) diff --git a/explore-analyze/alerts-cases/cases.md b/explore-analyze/alerts-cases/cases.md index f55c8e17a9..371c29ad70 100644 --- a/explore-analyze/alerts-cases/cases.md +++ b/explore-analyze/alerts-cases/cases.md @@ -27,11 +27,7 @@ If you create cases in the {{observability}} or {{security-app}}, they are not v * [Configure access to cases](cases/setup-cases.md) * [Open and manage cases](cases/manage-cases.md) * [Configure case settings](cases/manage-cases-settings.md) - - -::::{note} -{applies_to}`stack: ga 9.2` With the appropriate index access, you can [build visualizations and metrics](../../explore-analyze/alerts-cases/cases/visualize-case-data.md) of data in {{observability}}, {{stack-manage-app}}, and {{elastic-sec}} cases. This can provide improved visibility into patterns and trends of cases within your space. -:::: +* {applies_to}`stack: preview 9.2`[Use cases as data](cases/cases-as-data.md) ## Limitations [kibana-case-limitations] diff --git a/explore-analyze/alerts-cases/cases/visualize-case-data.md b/explore-analyze/alerts-cases/cases/cases-as-data.md similarity index 50% rename from explore-analyze/alerts-cases/cases/visualize-case-data.md rename to explore-analyze/alerts-cases/cases/cases-as-data.md index d0ab688301..1fb261b875 100644 --- a/explore-analyze/alerts-cases/cases/visualize-case-data.md +++ b/explore-analyze/alerts-cases/cases/cases-as-data.md 
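Review bot: the new list item `* {applies_to}`stack: preview 9.2`[Use cases as data](cases/cases-as-data.md)` in the cases.md hunk has no space between the applies_to badge and the link, unlike the surrounding `* [Configure access to cases](cases/setup-cases.md)` entries; add one so badge and link text do not run together. This hunk also moves the availability from `ga 9.2` to `preview 9.2`; use the same value on every page that gets the badge in this series.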
@@ -1,80 +1,47 @@ --- applies_to: - stack: ga 9.2 - serverless: ga -products: - - id: kibana + deployment: + ess: preview 9.2 + ece: preview 9.2 --- -# Visualize case data [visualize-case-data] +# Use cases as data [use-cases-as-data] -Case data, such as details about comments, activities, and attachments, is collected in case analytics indices. You can query these indices to build dashboards and metrics that improve your visibility into case patterns and trends. +The cases as data feature lets you visualize data about cases in your [space](/deploy-manage/manage-spaces.md). After turning it on, you can query case data from dedicated case analytics indices and build dashboards and visualizations to track case trends and operational metrics. This information is particularly useful when reporting on key performance indicators (KPIs) such as Mean Time To Respond (MTTR), case severity trends, and analyst workload. -::::{admonition} Requirements - -To visualize case data, you must do the following: +## Turn on cases as data [turn-on-cases-as-data] -* {applies_to}`stack: ga` Turn on the case analytics indices feature by adding `xpack.cases.incrementalId.enabled: true` to your [`kibana.yml`](/deploy-manage/stack-settings.md) file. -* Ensure your role has at least `read` and `view_index_metadata` access to the appropriate case anlaytics indices. -* (Optional) If you don't have cases, create a new one in a {{kib}} space to automatically generate the case analytics indices. +To turn on cases as data, add `xpack.cases.incrementalId.enabled: true` to your [`kibana.yml`](/deploy-manage/stack-settings.md) file. +::::{warning} +3 tasks will be created that each execute in 5 minute interval. If you have lots of spaces with cases (for example, dozens), we do not reccomend enabling this feature as it will clog up task manager. 
:::: -## About case analytics indices [about-case-analytics-indices] +## Create and manage indices for case data [create-manage-case-analytics-indices] -After turning on the case analytics indices feature, your {{kib}} spaces are checked for case data. {{es}} automatically creates case analytics indices for Stack Management, {{observability}}, and Security in each {{kib}} space that has cases. {{es}} automatically creates aliases for the case analytics indices as well. +After turning on cases as data, you do not need to manually create the analytics indices. {{es}} automatically creates the indices in any space with cases and for each solution ({{stack-manage-app}}, {{observability}}, and Security cases). To form the analytics indices, it indexes general data about cases and data related to case comments, attachments, and activity. -The case analytics indices are updated very five minutes with a snapshot of most current cases data in your spaces. Historical data for cases is not stored; it gets overwritten whenever the indices are refreshed. +You also do not need to manually manage the analytics indices' index lifecycle management (ILM) policies. The indices are updated by a background task that runs every five minutes and applies a snapshot of the most current cases data. Note that historical case data is not retained; it gets overwritten whenever the indices are refreshed. ::::{note} -It may take up to an hour for case analytics indices to form in a new {{kib}} space. +After you create cases, {{es}} may take up to 10 minutes to index the new case data. If you create a new space, it can take up to an hour for new case analytics indices to form. :::: -### General case data - -These indices store general data related to cases created in Stack Management, {{observability}}, and Security. 
- -| Index | Alias | Created for | -| ---------------------------- | ---------------------- |----------------------------------------- | -| `.internal.cases.-cases` | `.cases.-cases` | Stack Management cases | -| `.internal.cases.-observability` | `.cases.-observability` | {{observability}} cases | -| `.internal.cases.-securitysolution` | `.cases.-securitysolution` | Security cases | - -### Case comments - -These indices store data related to comments in Stack Management, {{observability}}, and Security cases. - -| Index | Alias | Created for | -| ---------------------------- | ---------------------- |----------------------------------------- | -| `.internal.cases-comments.-cases` | `.cases-comments.-cases` | Stack Management cases | -| `.internal.cases-comments.-observability` | `.cases-comments.-observability` | {{observability}} cases | -| `.internal.cases-comments.-securitysolution` | `.cases-comments.-securitysolution` | Security cases | - +## Explore case data [understand-case-analytics-indices] -### Case attachments - -These indices store data related to attachments in Stack Management, {{observability}}, and Security cases. - -| Index | Alias | Created for | -| ---------------------------- | ---------------------- |----------------------------------------- | -| `.internal.cases-attachments.-cases` | `.cases-attachments.-cases` | Stack Management cases | -| `.internal.cases-attachments.-observability` | `.cases-attachments.-observability` | {{observability}} cases | -| `.internal.cases-attachments.-securitysolution` | `.cases-attachments.-securitysolution` | Security cases | - -### Case activity +::::{admonition} Requirements -These indices store data related to activity in Stack Management, {{observability}}, and Security cases. +* Your role has at least `read` and `view_index_metadata` access to the appropriate [case anlaytics indices](/explore-analyze/alerts-cases.md/cases/cases-as-data.md#case-analytics-indices). 
+* You must have the appropriate subscription. Refer to the subscription page for [Elastic Cloud](https://www.elastic.co/subscriptions/cloud) and [Elastic Stack/self-managed](https://www.elastic.co/subscriptions) for the breakdown of available features and their associated subscription tiers. -| Index | Alias | Created for | -| ---------------------------- | ---------------------- |----------------------------------------- | -| `.internal.cases-activity.-cases` | `.cases-activity.-cases` | Stack Management cases | -| `.internal.cases-activity.-observability` | `.cases-activity.-observability` | {{observability}} cases | -| `.internal.cases-activity.-securitysolution` | `.cases-activity.-securitysolution` | Security cases | +:::: +To explore case data: -## Explore case data [explore-case-analytics-indices] +1. Create a [data view](/explore-analyze/find-and-organize/data-views.md) that uses any of the [case analytics indices](/explore-analyze/alerts-cases/cases/cases-as-data.md#case-analytics-indices). +2. Search and filter the case data in [Discover](../../discover.md) or build visualizations for dashboards in [Lens](../../visualize/lens.md). -Search and filter case data in [Discover](../../discover.md) and [Lens](../../visualize/lens.md), and build visualizations for [dashboards](../../dashboards.md). To help you start visualizing your case data, here are some sample {{esql}} queries that you can run from the [{{esql}} editor](../../../explore-analyze/query-filter/languages/esql-kibana.md#esql-kibana-get-started) in Discover. +To help you start visualizing your case data, here are some sample {{esql}} queries that you can run from the [{{esql}} editor](../../../explore-analyze/query-filter/languages/esql-kibana.md#esql-kibana-get-started) in Discover. * Find the total number of open cases in the default {{kib}} space: 
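Review bot: the new warning in the `@@ -1,80 +1,47 @@` hunk does not say what the three tasks scale with: "3 tasks will be created that each execute in 5 minute interval. If you have lots of spaces with cases (for example, dozens), we do not reccomend enabling this feature" only makes sense if the tasks are created per space, so state that explicitly (for example "three tasks per space with cases, each running every five minutes"), and fix `reccomend` and `in 5 minute interval` while there. Further down in the same hunk, the Requirements link `/explore-analyze/alerts-cases.md/cases/cases-as-data.md#case-analytics-indices` has a stray `.md` in the middle of the path and targets an anchor that no heading in this file defines; the `anlaytics` typo is carried along in that line too.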
@@ -106,7 +73,51 @@ Search and filter case data in [Discover](../../discover.md) and [Lens](../../vi FROM .internal.cases.default-securitysolution | STATS average_time_to_close = AVG(time_to_resolve) ``` -::::{tip} -To learn more about queryable fields in the indices, refer to -% [Case analytics indices schema](kibana://reference/case-analytics-indices-schema.md) -:::: \ No newline at end of file +## Case analytics indices names and aliases + +This section provides the names and aliases of the case analytics indices that {{es}} creates per space and solution. Note that `` is a placeholder for the name of a space. + +::::{note} +Go to +% [Case analytics indices schema](kibana://reference/case-analytics-indices-schema.md) for schema details. +:::: + +### Indices for general case data + +These indices store general data about cases. + +| Index | Alias | Created for | +| ---------------------------- | ---------------------- |----------------------------------------- | +| `.internal.cases.-cases` | `.cases.-cases` | Stack Management cases | +| `.internal.cases.-observability` | `.cases.-observability` | {{observability}} cases | +| `.internal.cases.-securitysolution` | `.cases.-securitysolution` | Security cases | + +### Indices for case comments + +These indices store data related to comments in Stack Management, {{observability}}, and Security cases. + +| Index | Alias | Created for | +| ---------------------------- | ---------------------- |----------------------------------------- | +| `.internal.cases-comments.-cases` | `.cases-comments.-cases` | Stack Management cases | +| `.internal.cases-comments.-observability` | `.cases-comments.-observability` | {{observability}} cases | +| `.internal.cases-comments.-securitysolution` | `.cases-comments.-securitysolution` | Security cases | + +### Indices for case attachments + +These indices store data related to attachments in Stack Management, {{observability}}, and Security cases. 
+ +| Index | Alias | Created for | +| ---------------------------- | ---------------------- |----------------------------------------- | +| `.internal.cases-attachments.-cases` | `.cases-attachments.-cases` | Stack Management cases | +| `.internal.cases-attachments.-observability` | `.cases-attachments.-observability` | {{observability}} cases | +| `.internal.cases-attachments.-securitysolution` | `.cases-attachments.-securitysolution` | Security cases | + +### Indices for case activity [case-activity-indices] + +These indices store data related to activity in Stack Management, {{observability}}, and Security cases. + +| Index | Alias | Created for | +| ---------------------------- | ---------------------- |----------------------------------------- | +| `.internal.cases-activity.-cases` | `.cases-activity.-cases` | Stack Management cases | +| `.internal.cases-activity.-observability` | `.cases-activity.-observability` | {{observability}} cases | +| `.internal.cases-activity.-securitysolution` | `.cases-activity.-securitysolution` | Security cases | \ No newline at end of file diff --git a/explore-analyze/toc.yml b/explore-analyze/toc.yml index 3fea34b876..956fca8164 100644 --- a/explore-analyze/toc.yml +++ b/explore-analyze/toc.yml @@ -365,5 +365,5 @@ toc: - file: alerts-cases/cases/setup-cases.md - file: alerts-cases/cases/manage-cases.md - file: alerts-cases/cases/manage-cases-settings.md - - file: alerts-cases/cases/visualize-case-data.md + - file: alerts-cases/cases/cases-as-data.md - file: numeral-formatting.md \ No newline at end of file diff --git a/solutions/observability/incident-management/cases.md b/solutions/observability/incident-management/cases.md index d6223664e7..ad690a801f 100644 --- a/solutions/observability/incident-management/cases.md +++ b/solutions/observability/incident-management/cases.md 
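Review bot: the space placeholder is missing from the new section in the `@@ -106,7 +73,51 @@` hunk as it reads here: the sentence "Note that `` is a placeholder for the name of a space" has empty backticks, and every index name in the tables reads `.internal.cases.-cases`, `.cases-comments.-observability` and so on, with nothing before the hyphen. If the placeholder is written in angle brackets, the build would treat it as an HTML tag; escape it or use a bracket-free form such as `{space_id}` so the names render. The heading `## Case analytics indices names and aliases` also has no explicit anchor, while step 1 of "Explore case data" in this same patch links to `#case-analytics-indices`; add the anchor to the heading so the link resolves.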
@@ -17,8 +17,9 @@ Collect and share information about observability issues by creating a case. Cas :screenshot: ::: -::::{note} -{applies_to}`stack: ga 9.2` With the appropriate index access, you can [build visualizations and metrics](../../../explore-analyze/alerts-cases/cases/visualize-case-data.md) of data in {{observability}}, {{stack-manage-app}}, and {{elastic-sec}} cases. This can provide improved visibility into patterns and trends of cases within your space. +::::{tip} +:applies_to: stack: preview 9.2 +After creating cases, use case data to build dashboards and visualizations that give you insights into case trends and operational metrics. Refer to [Use cases as data](/explore-analyze/alerts-cases/cases/cases-as-data.md) to learn more. :::: ## Limitations [observability-case-limitations] diff --git a/solutions/security/investigate/cases.md b/solutions/security/investigate/cases.md index ddfa7eaa7d..0c5d3eefb8 100644 --- a/solutions/security/investigate/cases.md +++ b/solutions/security/investigate/cases.md 
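Review bot: the availability markers disagree: this tip declares `:applies_to: stack: preview 9.2`, while the front matter of the cases-as-data.md page it links to, changed in this same patch, lists only `deployment: ess: preview 9.2` and `ece: preview 9.2` and drops `stack`. Either add a `stack` entry to the page or change the tip, so readers on self-managed deployments are not told the feature exists when the target page says otherwise.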
@@ -30,10 +30,12 @@ You can also send cases to these external systems by [configuring external conne :screenshot: ::: -::::{note} -{applies_to}`stack: ga 9.2` With the appropriate index access, you can [build visualizations and metrics](../../../explore-analyze/alerts-cases/cases/visualize-case-data.md) of data in {{observability}}, {{stack-manage-app}}, and {{elastic-sec}} cases. This can provide improved visibility into patterns and trends of cases within your space. +::::{tip} +:applies_to: stack: preview 9.2 +After creating cases, use case data to build dashboards and visualizations that give you insights into case trends and operational metrics. Refer to [Cases as data](/explore-analyze/alerts-cases/cases/cases-as-data.md) to learn more. :::: + ## Limitations [security-case-limitations] * If you create cases in the {{security-app}}, they are not visible from {{observability}} or {{stack-manage-app}}. Likewise, the cases you create in {{stack-manage-app}} are not visible in {{elastic-sec}} or {{observability}}. From 178e51dc7f1110de9ab05c897a6446911413a12d Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Sat, 11 Oct 2025 23:19:15 -0400 Subject: [PATCH 20/35] fix conflict --- explore-analyze/alerts-cases/cases/cases-as-data.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/explore-analyze/alerts-cases/cases/cases-as-data.md b/explore-analyze/alerts-cases/cases/cases-as-data.md index 1fb261b875..2caddae342 100644 --- a/explore-analyze/alerts-cases/cases/cases-as-data.md +++ b/explore-analyze/alerts-cases/cases/cases-as-data.md @@ -27,7 +27,7 @@ You also do not need to manually manage the analytics indices' index lifecycle m After you create cases, {{es}} may take up to 10 minutes to index the new case data. If you create a new space, it can take up to an hour for new case analytics indices to form. :::: -## Explore case data [understand-case-analytics-indices] +## Explore case data [explore-case-data] ::::{admonition} Requirements 
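Review bot: the link text differs between the two solution pages changed in this patch: the security tip says `[Cases as data](/explore-analyze/alerts-cases/cases/cases-as-data.md)` while the observability tip uses `[Use cases as data](...)`, which is also the page title; use the page title in both. This hunk also inserts a second blank line before `## Limitations [security-case-limitations]`, which the observability file does not get.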
@@ -38,7 +38,7 @@ After you create cases, {{es}} may take up to 10 minutes to index the new case d To explore case data: -1. Create a [data view](/explore-analyze/find-and-organize/data-views.md) that uses any of the [case analytics indices](/explore-analyze/alerts-cases/cases/cases-as-data.md#case-analytics-indices). +1. Create a [data view](/explore-analyze/find-and-organize/data-views.md) that uses any of the [case analytics indices](/explore-analyze/alerts-cases/cases/cases-as-data.md#case-analytics-indices-names). 2. Search and filter the case data in [Discover](../../discover.md) or build visualizations for dashboards in [Lens](../../visualize/lens.md). To help you start visualizing your case data, here are some sample {{esql}} queries that you can run from the [{{esql}} editor](../../../explore-analyze/query-filter/languages/esql-kibana.md#esql-kibana-get-started) in Discover. @@ -73,7 +73,7 @@ To help you start visualizing your case data, here are some sample {{esql}} quer FROM .internal.cases.default-securitysolution | STATS average_time_to_close = AVG(time_to_resolve) ``` -## Case analytics indices names and aliases +## Case analytics indices names and aliases [case-analytics-indices-names] This section provides the names and aliases of the case analytics indices that {{es}} creates per space and solution. Note that `` is a placeholder for the name of a space. @@ -112,7 +112,7 @@ These indices store data related to attachments in Stack Management, {{observabi | `.internal.cases-attachments.-observability` | `.cases-attachments.-observability` | {{observability}} cases | | `.internal.cases-attachments.-securitysolution` | `.cases-attachments.-securitysolution` | Security cases | -### Indices for case activity [case-activity-indices] +### Indices for case activity These indices store data related to activity in Stack Management, {{observability}}, and Security cases. From 53aeeef08108ec9db1e809fa985e0fe6873e4f2f Mon Sep 17 00:00:00 2001 
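Review bot: the anchor rename in the `@@ -73,7 +73,7 @@` hunk adds `[case-analytics-indices-names]` to the heading and the `@@ -38,7 +38,7 @@` hunk points step 1 at it, but the Requirements bullet two sections up still links to `/explore-analyze/alerts-cases.md/cases/cases-as-data.md#case-analytics-indices`, which this commit leaves untouched; update or remove that link in the same commit so the page has no dangling anchor.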
From: Nastasha Solomon Date: Sat, 11 Oct 2025 23:26:45 -0400 Subject: [PATCH 21/35] bye --- explore-analyze/alerts-cases/cases/cases-as-data.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/explore-analyze/alerts-cases/cases/cases-as-data.md b/explore-analyze/alerts-cases/cases/cases-as-data.md index 2caddae342..de4dea21e3 100644 --- a/explore-analyze/alerts-cases/cases/cases-as-data.md +++ b/explore-analyze/alerts-cases/cases/cases-as-data.md @@ -38,7 +38,7 @@ After you create cases, {{es}} may take up to 10 minutes to index the new case d To explore case data: -1. Create a [data view](/explore-analyze/find-and-organize/data-views.md) that uses any of the [case analytics indices](/explore-analyze/alerts-cases/cases/cases-as-data.md#case-analytics-indices-names). +1. Create a [data view](/explore-analyze/find-and-organize/data-views.md) that uses any of the case analytics indices. 2. Search and filter the case data in [Discover](../../discover.md) or build visualizations for dashboards in [Lens](../../visualize/lens.md). To help you start visualizing your case data, here are some sample {{esql}} queries that you can run from the [{{esql}} editor](../../../explore-analyze/query-filter/languages/esql-kibana.md#esql-kibana-get-started) in Discover. From 43a1eb50226106ff46792f6a2a138ad01e3c2514 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Sat, 11 Oct 2025 23:31:37 -0400 Subject: [PATCH 22/35] try again --- explore-analyze/alerts-cases/cases/cases-as-data.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/explore-analyze/alerts-cases/cases/cases-as-data.md b/explore-analyze/alerts-cases/cases/cases-as-data.md index de4dea21e3..b27fbf09c2 100644 --- a/explore-analyze/alerts-cases/cases/cases-as-data.md +++ b/explore-analyze/alerts-cases/cases/cases-as-data.md 
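Review bot: dropping the link in step 1 (`Create a [data view](...) that uses any of the case analytics indices.`) removes the only pointer from the procedure to the index tables, even though the heading anchor `case-analytics-indices-names` added in the previous commit resolves. Keep the cross-reference and fix the path if the link itself was the problem, rather than deleting it.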
@@ -38,7 +38,7 @@ After you create cases, {{es}} may take up to 10 minutes to index the new case d To explore case data: -1. Create a [data view](/explore-analyze/find-and-organize/data-views.md) that uses any of the case analytics indices. +1. Create a [data view](../../../explore-analyze/find-and-organize/data-views.md) that uses any of the case analytics indices. 2. Search and filter the case data in [Discover](../../discover.md) or build visualizations for dashboards in [Lens](../../visualize/lens.md). To help you start visualizing your case data, here are some sample {{esql}} queries that you can run from the [{{esql}} editor](../../../explore-analyze/query-filter/languages/esql-kibana.md#esql-kibana-get-started) in Discover. From f830cbfd8086a04d25cc08462601b351b0b6122e Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Sat, 11 Oct 2025 23:35:55 -0400 Subject: [PATCH 23/35] Apply suggestion from @nastasha-solomon --- explore-analyze/alerts-cases/cases/cases-as-data.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/explore-analyze/alerts-cases/cases/cases-as-data.md b/explore-analyze/alerts-cases/cases/cases-as-data.md index b27fbf09c2..c3c4ee605c 100644 --- a/explore-analyze/alerts-cases/cases/cases-as-data.md +++ b/explore-analyze/alerts-cases/cases/cases-as-data.md 
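Review bot: this hunk switches the data view link to `../../../explore-analyze/find-and-organize/data-views.md`, so the file now mixes three link styles: root-relative (`/deploy-manage/manage-spaces.md`, `/deploy-manage/stack-settings.md`), short relative (`../../discover.md`) and the `../../../explore-analyze/...` form. Pick one convention for the file and apply it consistently so later link fixes do not have to be made one at a time.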
@@ -31,7 +31,7 @@ After you create cases, {{es}} may take up to 10 minutes to index the new case d ::::{admonition} Requirements -* Your role has at least `read` and `view_index_metadata` access to the appropriate [case anlaytics indices](/explore-analyze/alerts-cases.md/cases/cases-as-data.md#case-analytics-indices). +* Your role has at least `read` and `view_index_metadata` access to the appropriate case anlaytics indices. * You must have the appropriate subscription. Refer to the subscription page for [Elastic Cloud](https://www.elastic.co/subscriptions/cloud) and [Elastic Stack/self-managed](https://www.elastic.co/subscriptions) for the breakdown of available features and their associated subscription tiers. :::: From 4eb307a0dfba18a2d220332873d082945541cce1 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Sat, 11 Oct 2025 23:42:55 -0400 Subject: [PATCH 24/35] small change --- solutions/observability/incident-management/cases.md | 2 +- solutions/security/investigate/cases.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/solutions/observability/incident-management/cases.md b/solutions/observability/incident-management/cases.md index ad690a801f..4c42e064b4 100644 --- a/solutions/observability/incident-management/cases.md +++ b/solutions/observability/incident-management/cases.md 
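Review bot: the changed line still carries the typo `case anlaytics indices`; since this commit already rewrites that bullet to drop the broken link, correct the spelling in the same change.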
@@ -19,7 +19,7 @@ Collect and share information about observability issues by creating a case. Cas ::::{tip} :applies_to: stack: preview 9.2 -After creating cases, use case data to build dashboards and visualizations that give you insights into case trends and operational metrics. Refer to [Use cases as data](/explore-analyze/alerts-cases/cases/cases-as-data.md) to learn more. +After creating cases, use case data to build dashboards and visualizations that provide insights into case trends and operational metrics. Refer to [Use cases as data](/explore-analyze/alerts-cases/cases/cases-as-data.md) to learn more. :::: ## Limitations [observability-case-limitations] diff --git a/solutions/security/investigate/cases.md b/solutions/security/investigate/cases.md index 0c5d3eefb8..9b27484e46 100644 --- a/solutions/security/investigate/cases.md +++ b/solutions/security/investigate/cases.md @@ -32,7 +32,7 @@ You can also send cases to these external systems by [configuring external conne ::::{tip} :applies_to: stack: preview 9.2 -After creating cases, use case data to build dashboards and visualizations that give you insights into case trends and operational metrics. Refer to [Cases as data](/explore-analyze/alerts-cases/cases/cases-as-data.md) to learn more. +After creating cases, use case data to build dashboards and visualizations that provide insights into case trends and operational metrics. Refer to [Cases as data](/explore-analyze/alerts-cases/cases/cases-as-data.md) to learn more. :::: From 7158d17e946b12df1ed8162c23360b7e1d69d05b Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Sat, 11 Oct 2025 23:49:57 -0400 Subject: [PATCH 25/35] removed attribute --- .../alerts-cases/cases/cases-as-data.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/explore-analyze/alerts-cases/cases/cases-as-data.md b/explore-analyze/alerts-cases/cases/cases-as-data.md index c3c4ee605c..2cfdbc2b60 100644 
--- a/explore-analyze/alerts-cases/cases/cases-as-data.md +++ b/explore-analyze/alerts-cases/cases/cases-as-data.md @@ -24,16 +24,16 @@ After turning on cases as data, you do not need to manually create the analytics You also do not need to manually manage the analytics indices' index lifecycle management (ILM) policies. The indices are updated by a background task that runs every five minutes and applies a snapshot of the most current cases data. Note that historical case data is not retained; it gets overwritten whenever the indices are refreshed. ::::{note} -After you create cases, {{es}} may take up to 10 minutes to index the new case data. If you create a new space, it can take up to an hour for new case analytics indices to form. +There may be delays in indexing data and creating indices: +- After making new cases, it may take up to 10 minutes to index the new case data. +- After making a new space, it can take up to an hour for the case analytics indices for that space to form. :::: ## Explore case data [explore-case-data] ::::{admonition} Requirements - -* Your role has at least `read` and `view_index_metadata` access to the appropriate case anlaytics indices. +* Your role needs at least `read` and `view_index_metadata` access to the appropriate case analytics indices. * You must have the appropriate subscription. Refer to the subscription page for [Elastic Cloud](https://www.elastic.co/subscriptions/cloud) and [Elastic Stack/self-managed](https://www.elastic.co/subscriptions) for the breakdown of available features and their associated subscription tiers. - :::: To explore case data: 
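Review bot: the new list inside the note in the `@@ -24,16 +24,16 @@` hunk uses `-` bullets (`- After making new cases, ...`) while the Requirements list in the same hunk and the query list further down use `*`; use `*` throughout the file. The lead-in "There may be delays in indexing data and creating indices:" can be tightened, since the two bullets already say exactly that.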
@@ -43,31 +43,31 @@ To explore case data: To help you start visualizing your case data, here are some sample {{esql}} queries that you can run from the [{{esql}} editor](../../../explore-analyze/query-filter/languages/esql-kibana.md#esql-kibana-get-started) in Discover. -* Find the total number of open cases in the default {{kib}} space: +* Find the total number of open cases in the default space: ```console FROM .internal.cases.default-observability | STATS count = COUNT(*) BY status | WHERE status == "open" ``` -* Find the total number of in progress Stack Management cases in the default {{kib}} space: +* Find the total number of in progress Stack Management cases in the default space: ```console FROM .internal.cases.default-cases | STATS count = COUNT(*) BY status | WHERE status == "in-progress" ``` -* Find the total number of closed {{observability}} cases in the default {{kib}} space: +* Find the total number of closed {{observability}} cases in the default space: ```console FROM .internal.cases.default-observability | STATS count = COUNT(*) BY status | WHERE status == "closed" ``` -* Find Security cases that are open in the default {{kib}} space, and sort them by time, with the most recent at the top: +* Find Security cases that are open in the default space, and sort them by time, with the most recent at the top: ```console FROM .internal.cases.default-securitysolution | WHERE status == "open" | SORT created_at DESC ``` -* Find the average time that it takes to close Security cases in the default {{kib}} space: +* Find the average time that it takes to close Security cases in the default space: ```console FROM .internal.cases.default-securitysolution | STATS average_time_to_close = AVG(time_to_resolve) From 75018ff86b615c4c96064502618da02ed387ba8b Mon Sep 17 00:00:00 2001 
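Review bot: the first bullet's label does not match its query: "Find the total number of open cases in the default space" runs `FROM .internal.cases.default-observability`, which counts only {{observability}} cases, so say so in the label (the third bullet already does for closed cases). The `STATS count = COUNT(*) BY status | WHERE status == "open"` pattern used in these examples aggregates every status and then discards all but one; `WHERE status == "open" | STATS count = COUNT(*)` returns the same number with less work and reads more directly. For the last example, state the unit of `time_to_resolve` so readers know what the average represents.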
From: Nastasha Solomon Date: Sun, 12 Oct 2025 12:30:01 -0400 Subject: [PATCH 26/35] cleanup --- .../alerts-cases/cases/cases-as-data.md | 41 +++++++++---------- 1 file changed, 20 insertions(+), 21 deletions(-) diff --git a/explore-analyze/alerts-cases/cases/cases-as-data.md b/explore-analyze/alerts-cases/cases/cases-as-data.md index 2cfdbc2b60..c7ecde08e7 100644 --- a/explore-analyze/alerts-cases/cases/cases-as-data.md +++ b/explore-analyze/alerts-cases/cases/cases-as-data.md @@ -9,6 +9,10 @@ applies_to: The cases as data feature lets you visualize data about cases in your [space](/deploy-manage/manage-spaces.md). After turning it on, you can query case data from dedicated case analytics indices and build dashboards and visualizations to track case trends and operational metrics. This information is particularly useful when reporting on key performance indicators (KPIs) such as Mean Time To Respond (MTTR), case severity trends, and analyst workload. +::::{admonition} Requirements +To use cases as data, you must have the appropriate subscription. Refer to the subscription page for [Elastic Cloud](https://www.elastic.co/subscriptions/cloud) and [Elastic Stack/self-managed](https://www.elastic.co/subscriptions) for the breakdown of available features and their associated subscription tiers. +:::: + ## Turn on cases as data [turn-on-cases-as-data] To turn on cases as data, add `xpack.cases.incrementalId.enabled: true` to your [`kibana.yml`](/deploy-manage/stack-settings.md) file. 
@@ -19,31 +23,26 @@ To turn on cases as data, add `xpack.cases.incrementalId.enabled: true` to your ## Create and manage indices for case data [create-manage-case-analytics-indices] -After turning on cases as data, you do not need to manually create the analytics indices. {{es}} automatically creates the indices in any space with cases and for each solution ({{stack-manage-app}}, {{observability}}, and Security cases). To form the analytics indices, it indexes general data about cases and data related to case comments, attachments, and activity. +After turning on cases as data, you do not need to manually create the analytics indices. {{es}} will automatically create them for you in any space with cases and for each solution ({{stack-manage-app}}, {{observability}}, and Security). The indices are populated with general case data as well as data related to case comments, attachments, and activity. -You also do not need to manually manage the analytics indices' index lifecycle management (ILM) policies. The indices are updated by a background task that runs every five minutes and applies a snapshot of the most current cases data. Note that historical case data is not retained; it gets overwritten whenever the indices are refreshed. +You also do not need to manually manage the lifecycle policies of the analytics indices. Every five minutes, a background task runs to refresh the indices with a snapshot of the most current cases data. During the refresh, historical case data is overwritten. ::::{note} -There may be delays in indexing data and creating indices: - After making new cases, it may take up to 10 minutes to index the new case data. - After making a new space, it can take up to an hour for the case analytics indices for that space to form. 
:::: -## Explore case data [explore-case-data] +## Grant access to case analytics indices [case-analytics-indices-privs] -::::{admonition} Requirements -* Your role needs at least `read` and `view_index_metadata` access to the appropriate case analytics indices. -* You must have the appropriate subscription. Refer to the subscription page for [Elastic Cloud](https://www.elastic.co/subscriptions/cloud) and [Elastic Stack/self-managed](https://www.elastic.co/subscriptions) for the breakdown of available features and their associated subscription tiers. -:::: +Ensure your role has at least `read` and `view_index_metadata` access to the appropriate [case analytics indices](../../../explore-analyze/alerts-cases/cases/cases-as-data.md#case-analytics-indices-names). -To explore case data: +## Explore and visualize case data with Discover [explore-case-data] -1. Create a [data view](../../../explore-analyze/find-and-organize/data-views.md) that uses any of the case analytics indices. -2. Search and filter the case data in [Discover](../../discover.md) or build visualizations for dashboards in [Lens](../../visualize/lens.md). + By default, {{kib}} requires a [{{data-source}}](../../find-and-organize/data-views.md) to access your Elasticsearch data. When creating a {{data-source}} for case data, point to one or more [case analytics indices or their aliases](../../../explore-analyze/alerts-cases/cases/cases-as-data.md#case-analytics-indices-names). -To help you start visualizing your case data, here are some sample {{esql}} queries that you can run from the [{{esql}} editor](../../../explore-analyze/query-filter/languages/esql-kibana.md#esql-kibana-get-started) in Discover. +You can also [try {{esql}}](../../../explore-analyze/discover/try-esql.md), that lets you query any data you have in {{es}} without specifying a {{data-source}} first. 
Here are some sample queries to get you started: -* Find the total number of open cases in the default space: +* Find the total number of open {{observability}} cases in the default space: ```console FROM .internal.cases.default-observability | STATS count = COUNT(*) BY status | WHERE status == "open" @@ -75,14 +74,14 @@ To help you start visualizing your case data, here are some sample {{esql}} quer ## Case analytics indices names and aliases [case-analytics-indices-names] -This section provides the names and aliases of the case analytics indices that {{es}} creates per space and solution. Note that `` is a placeholder for the name of a space. +{{es}} automatically creates the following case analytics indices and their aliases in spaces with case data. ::::{note} Go to % [Case analytics indices schema](kibana://reference/case-analytics-indices-schema.md) for schema details. :::: -### Indices for general case data +### General case data These indices store general data about cases. @@ -92,9 +91,9 @@ These indices store general data about cases. | `.internal.cases.-observability` | `.cases.-observability` | {{observability}} cases | | `.internal.cases.-securitysolution` | `.cases.-securitysolution` | Security cases | -### Indices for case comments +### Case comments -These indices store data related to comments in Stack Management, {{observability}}, and Security cases. +These indices store data related to comments. | Index | Alias | Created for | | ---------------------------- | ---------------------- |----------------------------------------- | 
@@ -102,9 +101,9 @@ These indices store data related to comments in Stack Management, {{observabilit | `.internal.cases-comments.-observability` | `.cases-comments.-observability` | {{observability}} cases | | `.internal.cases-comments.-securitysolution` | `.cases-comments.-securitysolution` | Security cases | -### Indices for case attachments +### Case attachments -These indices store data related to attachments in Stack Management, {{observability}}, and Security cases. +These indices store data related to attachments. | Index | Alias | Created for | | ---------------------------- | ---------------------- |----------------------------------------- | @@ -112,9 +111,9 @@ These indices store data related to attachments in Stack Management, {{observabi | `.internal.cases-attachments.-observability` | `.cases-attachments.-observability` | {{observability}} cases | | `.internal.cases-attachments.-securitysolution` | `.cases-attachments.-securitysolution` | Security cases | -### Indices for case activity +### Case activity -These indices store data related to activity in Stack Management, {{observability}}, and Security cases. +These indices store data related to activity. | Index | Alias | Created for | | ---------------------------- | ---------------------- |----------------------------------------- | From 604fd8edb3447c5ae50b5c1e6bb7c5747fda8ede Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Sun, 12 Oct 2025 18:02:12 -0400 Subject: [PATCH 27/35] Removed space --- explore-analyze/alerts-cases/cases/cases-as-data.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/explore-analyze/alerts-cases/cases/cases-as-data.md b/explore-analyze/alerts-cases/cases/cases-as-data.md index c7ecde08e7..d9c45f81aa 100644 --- a/explore-analyze/alerts-cases/cases/cases-as-data.md +++ b/explore-analyze/alerts-cases/cases/cases-as-data.md 
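Review bot: in the hunk at -19,31 +23,26, the added line `+ By default, {{kib}} requires a [{{data-source}}]...` begins with a space, which renders as an indented paragraph (or a code block, depending on the renderer); drop the leading space. In the same hunk, "that lets you query any data" should be "which lets you query any data", and the note admonition lost its lead sentence ("There may be delays in indexing data and creating indices:"), leaving two bullets with no context, so keep an introductory line. The link `../../../explore-analyze/alerts-cases/cases/cases-as-data.md#case-analytics-indices-names` points back into the file being edited; a bare `#case-analytics-indices-names` anchor is shorter and survives a file move.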
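Review bot: in the hunk at -75,14 +74,14, the `%` comment marker in `Go to % [Case analytics indices schema](kibana://reference/case-analytics-indices-schema.md)` hides only the link, so the note renders as a dangling "Go to" with nothing after it; either comment out the whole admonition (every line prefixed with `%`) or leave the link in. The removed sentence ("Note that `` is a placeholder for the name of a space") was also the only place that explained the placeholder token used in the index and alias names; the replacement sentence no longer says what it stands for, so the `-observability` style rows in the tables below now carry an unexplained placeholder.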
@@ -38,9 +38,9 @@ Ensure your role has at least `read` and `view_index_metadata` access to the app ## Explore and visualize case data with Discover [explore-case-data] - By default, {{kib}} requires a [{{data-source}}](../../find-and-organize/data-views.md) to access your Elasticsearch data. When creating a {{data-source}} for case data, point to one or more [case analytics indices or their aliases](../../../explore-analyze/alerts-cases/cases/cases-as-data.md#case-analytics-indices-names). +By default, {{kib}} requires a [{{data-source}}](../../find-and-organize/data-views.md) to access your Elasticsearch data. When creating a {{data-source}} for case data, point to one or more [case analytics indices or their aliases](../../../explore-analyze/alerts-cases/cases/cases-as-data.md#case-analytics-indices-names). -You can also [try {{esql}}](../../../explore-analyze/discover/try-esql.md), that lets you query any data you have in {{es}} without specifying a {{data-source}} first. Here are some sample queries to get you started: +You can also [try {{esql}}](../../../explore-analyze/discover/try-esql.md), which lets you query any data you have in {{es}} without specifying a {{data-source}} first. Here are some sample queries to get you started: * Find the total number of open {{observability}} cases in the default space: From 92ba0cf6ece88b9b72246d71fa2567412cb1c455 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Sun, 12 Oct 2025 20:14:34 -0400 Subject: [PATCH 28/35] Adding info about dataviews --- .../alerts-cases/cases/cases-as-data.md | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/explore-analyze/alerts-cases/cases/cases-as-data.md b/explore-analyze/alerts-cases/cases/cases-as-data.md index d9c45f81aa..2ecac6e7b8 100644 --- a/explore-analyze/alerts-cases/cases/cases-as-data.md +++ b/explore-analyze/alerts-cases/cases/cases-as-data.md 
@@ -18,7 +18,7 @@ To use cases as data, you must have the appropriate subscription. Refer to the s To turn on cases as data, add `xpack.cases.incrementalId.enabled: true` to your [`kibana.yml`](/deploy-manage/stack-settings.md) file. ::::{warning} -3 tasks will be created that each execute in 5 minute interval. If you have lots of spaces with cases (for example, dozens), we do not reccomend enabling this feature as it will clog up task manager. +3 tasks will be created that each execute in 5 minute interval. If you have lots of spaces with cases (for example, dozens), we do not recommend enabling this feature as it will clog up task manager. :::: ## Create and manage indices for case data [create-manage-case-analytics-indices] 
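Review bot: the hunk at -18,7 +18,7 fixes only the "reccomend" typo and leaves the rest of the warning awkward: "3 tasks will be created that each execute in 5 minute interval" should read "Three tasks are created, each running at a five-minute interval", and "task manager" should be "Task Manager" to match the product name. The warning also does not say whether the three tasks are created per space, which is exactly what the "lots of spaces with cases" caution hinges on; state the multiplier so readers can estimate the load.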
@@ -36,11 +36,17 @@ You also do not need to manually manage the lifecycle policies of the analytics Ensure your role has at least `read` and `view_index_metadata` access to the appropriate [case analytics indices](../../../explore-analyze/alerts-cases/cases/cases-as-data.md#case-analytics-indices-names). -## Explore and visualize case data with Discover [explore-case-data] +## Explore case data with Discover and Lens [explore-case-data] -By default, {{kib}} requires a [{{data-source}}](../../find-and-organize/data-views.md) to access your Elasticsearch data. When creating a {{data-source}} for case data, point to one or more [case analytics indices or their aliases](../../../explore-analyze/alerts-cases/cases/cases-as-data.md#case-analytics-indices-names). +Use [Discover](../../discover.md) and [Lens](../../visualize/lens.md) to search and filter your case data and display your findings in visualizations. -You can also [try {{esql}}](../../../explore-analyze/discover/try-esql.md), which lets you query any data you have in {{es}} without specifying a {{data-source}} first. Here are some sample queries to get you started: +To get started, create a [{{data-source}}](../../find-and-organize/data-views.md) that points to one or more [case analytics indices or their aliases](../../../explore-analyze/alerts-cases/cases/cases-as-data.md#case-analytics-indices-names). To point to all case analytics indices in your space, use the `.internal.cases*` index pattern. + +::::{note} +Case data is stored in hidden indices. You can display hidden indices by selecting **Show advanced settings**, then turning on the setting that allows hidden and system indices. +:::: + +You can also interact with your case data using [{{esql}} in Discover](../../../explore-analyze/discover/try-esql.md). Here are some sample queries to get you started: * Find the total number of open {{observability}} cases in the default space: From 86e01b0960677c05c77076fd4e55d0c6e8087a30 Mon Sep 17 00:00:00 2001 
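Review bot: in the hunk at -36,11 +36,17, the sentence "To point to all case analytics indices in your space, use the `.internal.cases*` index pattern" claims less than the pattern matches: the index names carry the space name as part of the suffix (for example `.internal.cases.default-observability`), so `.internal.cases*` matches the case indices of every space the user's role can read, not only the current one. Either scope the pattern to the space or say explicitly that such a data view spans all spaces the role has privileges on, so that the `read` and `view_index_metadata` grants in the section above are understood as the real boundary. The hidden-indices note should also name the actual toggle rather than "the setting that allows hidden and system indices".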
From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Mon, 13 Oct 2025 15:46:49 -0400 Subject: [PATCH 29/35] Update explore-analyze/alerts-cases/cases.md Co-authored-by: Mike Birnstiehl <114418652+mdbirnstiehl@users.noreply.github.com> --- explore-analyze/alerts-cases/cases.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/explore-analyze/alerts-cases/cases.md b/explore-analyze/alerts-cases/cases.md index 371c29ad70..0056b0c89c 100644 --- a/explore-analyze/alerts-cases/cases.md +++ b/explore-analyze/alerts-cases/cases.md @@ -31,5 +31,5 @@ If you create cases in the {{observability}} or {{security-app}}, they are not v ## Limitations [kibana-case-limitations] -* If you create cases in {{stack-manage-app}}, they are not visible from {{observability}} or the {{security-app}}. Likewise, the cases you create in {{observability}}, they are not visible in {{stack-manage-app}} or {{elastic-sec}}. +* If you create cases in {{stack-manage-app}}, they are not visible from {{observability}} or the {{security-app}}. Likewise, the cases you create in {{observability}} are not visible in {{stack-manage-app}} or {{elastic-sec}}. * You cannot attach alerts from {{observability}} or {{elastic-sec}} to cases in {{stack-manage-app}}. From 99720b9e9028f9aebdc447a9a69b3751b9c1806d Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Mon, 13 Oct 2025 15:47:51 -0400 Subject: [PATCH 30/35] Update explore-analyze/alerts-cases/cases/cases-as-data.md --- explore-analyze/alerts-cases/cases/cases-as-data.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/explore-analyze/alerts-cases/cases/cases-as-data.md b/explore-analyze/alerts-cases/cases/cases-as-data.md index 2ecac6e7b8..a73c6f5e73 100644 --- a/explore-analyze/alerts-cases/cases/cases-as-data.md +++ b/explore-analyze/alerts-cases/cases/cases-as-data.md 
@@ -43,7 +43,7 @@ Use [Discover](../../discover.md) and [Lens](../../visualize/lens.md) to search To get started, create a [{{data-source}}](../../find-and-organize/data-views.md) that points to one or more [case analytics indices or their aliases](../../../explore-analyze/alerts-cases/cases/cases-as-data.md#case-analytics-indices-names). To point to all case analytics indices in your space, use the `.internal.cases*` index pattern. ::::{note} -Case data is stored in hidden indices. You can display hidden indices by selecting **Show advanced settings**, then turning on the setting that allows hidden and system indices. +Case data is stored in hidden indices. You can display hidden indices by selecting **Show advanced settings**, then turning on **Allow hidden and system indices**. :::: You can also interact with your case data using [{{esql}} in Discover](../../../explore-analyze/discover/try-esql.md). Here are some sample queries to get you started: From 2d9fdb32b669a9773b8d22ea955404f89251437b Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Tue, 14 Oct 2025 14:15:47 -0400 Subject: [PATCH 31/35] Update explore-analyze/alerts-cases/cases/cases-as-data.md --- explore-analyze/alerts-cases/cases/cases-as-data.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/explore-analyze/alerts-cases/cases/cases-as-data.md b/explore-analyze/alerts-cases/cases/cases-as-data.md index a73c6f5e73..4b35fa3f88 100644 --- a/explore-analyze/alerts-cases/cases/cases-as-data.md +++ b/explore-analyze/alerts-cases/cases/cases-as-data.md 
@@ -18,7 +18,7 @@ To use cases as data, you must have the appropriate subscription. Refer to the s To turn on cases as data, add `xpack.cases.incrementalId.enabled: true` to your [`kibana.yml`](/deploy-manage/stack-settings.md) file. ::::{warning} -3 tasks will be created that each execute in 5 minute interval. If you have lots of spaces with cases (for example, dozens), we do not recommend enabling this feature as it will clog up task manager. +If your deployment has more than 10 spaces, we do not recommend turning on cases as data. The background tasks that refresh the case analytics indices in each space are run every five minutes and may overload Task Manager. :::: ## Create and manage indices for case data [create-manage-case-analytics-indices] From bcf78ea020596bfc8449bcf992909efa551c6558 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Tue, 14 Oct 2025 19:49:35 -0400 Subject: [PATCH 32/35] Updated index names --- .../alerts-cases/cases/cases-as-data.md | 41 +++++++++---------- 1 file changed, 20 insertions(+), 21 deletions(-) diff --git a/explore-analyze/alerts-cases/cases/cases-as-data.md b/explore-analyze/alerts-cases/cases/cases-as-data.md index 4b35fa3f88..1361fa14ac 100644 --- a/explore-analyze/alerts-cases/cases/cases-as-data.md +++ b/explore-analyze/alerts-cases/cases/cases-as-data.md 
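Review bot: the rewritten warning in the hunk at -18,7 +18,7 says "more than 10 spaces", but the "Create and manage indices for case data" section states that the indices (and therefore the refresh tasks) are created only in spaces with cases; count spaces with cases rather than all spaces, so a deployment with many empty spaces is not warned away needlessly. "Task Manager" is capitalized here but was "task manager" in the previous wording; keep the product name consistent across the page.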
@@ -51,41 +51,40 @@ You can also interact with your case data using [{{esql}} in Discover](../../../ * Find the total number of open {{observability}} cases in the default space: ```console - FROM .internal.cases.default-observability | STATS count = COUNT(*) BY status | WHERE status == "open" + FROM .internal.cases.observability-default | STATS count = COUNT(*) BY status | WHERE status == "open" ``` * Find the total number of in progress Stack Management cases in the default space: ```console - FROM .internal.cases.default-cases | STATS count = COUNT(*) BY status | WHERE status == "in-progress" + FROM .internal.cases.cases-default | STATS count = COUNT(*) BY status | WHERE status == "in-progress" ``` * Find the total number of closed {{observability}} cases in the default space: ```console - FROM .internal.cases.default-observability | STATS count = COUNT(*) BY status | WHERE status == "closed" + FROM .internal.cases.observability-default | STATS count = COUNT(*) BY status | WHERE status == "closed" ``` * Find Security cases that are open in the default space, and sort them by time, with the most recent at the top: ```console - FROM .internal.cases.default-securitysolution | WHERE status == "open" | SORT created_at DESC + FROM .internal.cases.securitysolution-default | WHERE status == "open" | SORT created_at DESC ``` * Find the average time that it takes to close Security cases in the default space: ```console - FROM .internal.cases.default-securitysolution | STATS average_time_to_close = AVG(time_to_resolve) + FROM .internal.cases.securitysolution-default | STATS average_time_to_close = AVG(time_to_resolve) ``` ## Case analytics indices names and aliases [case-analytics-indices-names] {{es}} automatically creates the following case analytics indices and their aliases in spaces with case data. -::::{note} -Go to -% [Case analytics indices schema](kibana://reference/case-analytics-indices-schema.md) for schema details. 
-:::: +% ::::{note} +% Go to [Case analytics indices schema](kibana://reference/case-analytics-indices-schema.md) for schema details. +% :::: ### General case data @@ -93,9 +92,9 @@ These indices store general data about cases. | Index | Alias | Created for | | ---------------------------- | ---------------------- |----------------------------------------- | -| `.internal.cases.-cases` | `.cases.-cases` | Stack Management cases | -| `.internal.cases.-observability` | `.cases.-observability` | {{observability}} cases | -| `.internal.cases.-securitysolution` | `.cases.-securitysolution` | Security cases | +| `.internal.cases.cases-` | `.cases.cases-` | Stack Management cases | +| `.internal.cases.observability-` | `.cases.observability-` | {{observability}} cases | +| `.internal.cases.securitysolution-` | `.cases.securitysolution-` | Security cases | ### Case comments @@ -103,9 +102,9 @@ These indices store data related to comments. | Index | Alias | Created for | | ---------------------------- | ---------------------- |----------------------------------------- | -| `.internal.cases-comments.-cases` | `.cases-comments.-cases` | Stack Management cases | -| `.internal.cases-comments.-observability` | `.cases-comments.-observability` | {{observability}} cases | -| `.internal.cases-comments.-securitysolution` | `.cases-comments.-securitysolution` | Security cases | +| `.internal.cases-comments.cases-` | `.cases-comments.cases-` | Stack Management cases | +| `.internal.cases-comments.observability-` | `.cases-comments.observability-` | {{observability}} cases | +| `.internal.cases-comments.securitysolution-` | `.cases-comments.securitysolution-` | Security cases | ### Case attachments 
@@ -113,9 +112,9 @@ These indices store data related to attachments. | Index | Alias | Created for | | ---------------------------- | ---------------------- |----------------------------------------- | -| `.internal.cases-attachments.-cases` | `.cases-attachments.-cases` | Stack Management cases | -| `.internal.cases-attachments.-observability` | `.cases-attachments.-observability` | {{observability}} cases | -| `.internal.cases-attachments.-securitysolution` | `.cases-attachments.-securitysolution` | Security cases | +| `.internal.cases-attachments.cases-` | `.cases-attachments.cases-` | Stack Management cases | +| `.internal.cases-attachments.observability-` | `.cases-attachments.observability-` | {{observability}} cases | +| `.internal.cases-attachments.securitysolution-` | `.cases-attachments.securitysolution-` | Security cases | ### Case activity @@ -123,6 +122,6 @@ These indices store data related to activity. | Index | Alias | Created for | | ---------------------------- | ---------------------- |----------------------------------------- | -| `.internal.cases-activity.-cases` | `.cases-activity.-cases` | Stack Management cases | -| `.internal.cases-activity.-observability` | `.cases-activity.-observability` | {{observability}} cases | -| `.internal.cases-activity.-securitysolution` | `.cases-activity.-securitysolution` | Security cases | \ No newline at end of file +| `.internal.cases-activity.cases-` | `.cases-activity.cases-` | Stack Management cases | +| `.internal.cases-activity.observability-` | `.cases-activity.observability-` | {{observability}} cases | +| `.internal.cases-activity.securitysolution-` | `.cases-activity.securitysolution-` | Security cases | \ No newline at end of file From bdd9dd5ab934400686a299d7aa4c5be22de1c860 Mon Sep 17 00:00:00 2001 
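Review bot: in the hunk at -51,41 +51,40, the sample ES|QL queries read straight from the hidden `.internal.cases.<solution>-default` indices even though the page documents a `.cases.<solution>-<space>` alias for each one; using the aliases in the examples (`FROM .cases.securitysolution-default | WHERE status == "open" | SORT created_at DESC`) keeps the snippets valid if the backing index is renamed again, as it was in this very patch, and matches the names readers are told to grant access on. The `%`-prefixed note block at the end of the hunk correctly resolves the earlier dangling "Go to".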
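Review bot: the hunk at -123,6 +122,6 still ends with "\ No newline at end of file" on both sides; add a trailing newline while touching these lines. In this and the three preceding table hunks the index and alias names end in a bare hyphen (`.internal.cases-activity.cases-`) with no visible space-name placeholder after it, and the sentence that used to explain the placeholder was removed earlier in the series, so verify that the placeholder token survives rendering (escape it if it is written as angle-bracket markup) or show one concrete example such as `.internal.cases-activity.cases-default` next to the table.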
From: Nastasha Solomon Date: Wed, 15 Oct 2025 11:26:48 -0400 Subject: [PATCH 33/35] Updating applies to --- explore-analyze/alerts-cases/cases/cases-as-data.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/explore-analyze/alerts-cases/cases/cases-as-data.md b/explore-analyze/alerts-cases/cases/cases-as-data.md index 1361fa14ac..97fa7631e4 100644 --- a/explore-analyze/alerts-cases/cases/cases-as-data.md +++ b/explore-analyze/alerts-cases/cases/cases-as-data.md @@ -1,8 +1,7 @@ --- applies_to: - deployment: - ess: preview 9.2 - ece: preview 9.2 + stack: preview 9.2 + serverless: unavailable --- # Use cases as data [use-cases-as-data] From 289392b5de71df77f98a9180ddfd2394a4af9a00 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Wed, 15 Oct 2025 12:19:22 -0400 Subject: [PATCH 34/35] adding to applies to tags --- explore-analyze/alerts-cases/cases.md | 2 +- solutions/observability/incident-management/cases.md | 2 +- solutions/security/investigate/cases.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/explore-analyze/alerts-cases/cases.md b/explore-analyze/alerts-cases/cases.md index 0056b0c89c..b366fbea13 100644 --- a/explore-analyze/alerts-cases/cases.md +++ b/explore-analyze/alerts-cases/cases.md @@ -27,7 +27,7 @@ If you create cases in the {{observability}} or {{security-app}}, they are not v * [Configure access to cases](cases/setup-cases.md) * [Open and manage cases](cases/manage-cases.md) * [Configure case settings](cases/manage-cases-settings.md) -* {applies_to}`stack: preview 9.2`[Use cases as data](cases/cases-as-data.md) +* {applies_to}`stack: preview 9.2` {applies_to}`serverless: unavailable`[Use cases as data](cases/cases-as-data.md) ## Limitations [kibana-case-limitations] diff --git a/solutions/observability/incident-management/cases.md b/solutions/observability/incident-management/cases.md index 4c42e064b4..235445e38c 100644 --- a/solutions/observability/incident-management/cases.md 
+++ b/solutions/observability/incident-management/cases.md @@ -18,7 +18,7 @@ Collect and share information about observability issues by creating a case. Cas ::: ::::{tip} -:applies_to: stack: preview 9.2 +:applies_to: {stack: preview 9.2, serverless: unavailable} After creating cases, use case data to build dashboards and visualizations that provide insights into case trends and operational metrics. Refer to [Use cases as data](/explore-analyze/alerts-cases/cases/cases-as-data.md) to learn more. :::: diff --git a/solutions/security/investigate/cases.md b/solutions/security/investigate/cases.md index 9b27484e46..9195a3afb1 100644 --- a/solutions/security/investigate/cases.md +++ b/solutions/security/investigate/cases.md @@ -31,7 +31,7 @@ You can also send cases to these external systems by [configuring external conne ::: ::::{tip} -:applies_to: stack: preview 9.2 +:applies_to: {stack: preview 9.2, serverless: unavailable} After creating cases, use case data to build dashboards and visualizations that provide insights into case trends and operational metrics. Refer to [Cases as data](/explore-analyze/alerts-cases/cases/cases-as-data.md) to learn more. :::: From 41484f57da85e138b0191f159e0a71acee33c2a7 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Thu, 16 Oct 2025 10:24:51 -0400 Subject: [PATCH 35/35] Apply suggestion from @nastasha-solomon --- explore-analyze/alerts-cases/cases/cases-as-data.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/explore-analyze/alerts-cases/cases/cases-as-data.md b/explore-analyze/alerts-cases/cases/cases-as-data.md index 97fa7631e4..9f694e1f87 100644 --- a/explore-analyze/alerts-cases/cases/cases-as-data.md +++ b/explore-analyze/alerts-cases/cases/cases-as-data.md 
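Review bot: in the hunk at -27,7 +27,7 of explore-analyze/alerts-cases/cases.md, the second badge runs straight into the link text: `{applies_to}`serverless: unavailable`[Use cases as data](cases/cases-as-data.md)` needs a space before `[`, otherwise the badge and the link render as one token. The two `:applies_to: {stack: preview 9.2, serverless: unavailable}` hunks in the solution pages are fine and match the frontmatter change made to cases-as-data.md in the preceding patch.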
@@ -17,7 +17,7 @@ To use cases as data, you must have the appropriate subscription. Refer to the s To turn on cases as data, add `xpack.cases.incrementalId.enabled: true` to your [`kibana.yml`](/deploy-manage/stack-settings.md) file. ::::{warning} -If your deployment has more than 10 spaces, we do not recommend turning on cases as data. The background tasks that refresh the case analytics indices in each space are run every five minutes and may overload Task Manager. +We only recommend turning this feature on if your deployment has 10 or fewer spaces with cases. The background tasks that refresh the case analytics indices in each space are run every five minutes and may overload Task Manager. :::: ## Create and manage indices for case data [create-manage-case-analytics-indices]