[Security Solution] [Cases] Introduce case observables (phase 0 & 1) #190237
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
lgestc
force-pushed
the
cases_observables
branch
2 times, most recently
from
b7c8f0e to
b70f7cc
Compare
lgestc
force-pushed
the
cases_observables
branch
2 times, most recently
from
3ea6323 to
1dfdc9b
Compare
lgestc
force-pushed
the
cases_observables
branch
2 times, most recently
from
ad86b09 to
fa8ed50
Compare
lgestc
changed the title
lgestc
added
Team:ResponseOps
lgestc
added
backport:skip
lgestc
force-pushed
the
cases_observables
branch
from
eb73134 to
e1c0dd4
Compare
lgestc
commented
Oct 2, 2024
elastic-vault-github-plugin-prod
bot
requested a review
from a team
as a code owner
lgestc
force-pushed
the
cases_observables
branch
from
cc054cc to
cc94167
Compare
lgestc
force-pushed
the
cases_observables
branch
from
83f88e2 to
5646f2f
Compare
jloleysens
reviewed
Oct 3, 2024
lgestc
force-pushed
the
cases_observables
branch
from
1a58c5d to
050d36b
Compare
lgestc
force-pushed
the
cases_observables
branch
from
cfa120c to
3f3b97f
Compare
cnasikas
removed
backport:skip
… src/core/server/integration_tests/ci_checks'
banderror
approved these changes
Dec 23, 2024
💛 Build succeeded, but was flaky
Failed CI StepsTest Failures
Metrics [docs]Module Count
Async chunks
Page load bundle
Unknown metric groupsESLint disabled in files
ESLint disabled line counts
Total ESLint disabled count
History
|
gsoldevila
approved these changes
Dec 23, 2024
|
Starting backport for target branches: 8.x |
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Dec 23, 2024
…lastic#190237) ## Summary ### Introducting Case Observables - _phases 0 and 1_ This pull request introduces case observables to Kibana, enhancing the platform's case management capabilities. It adds support for capturing and displaying observables (e.g., IP addresses, URLs, file hashes) linked to cases. The feature integrates with the Cases UI, allowing users to easily associate observables with cases for better tracking and analysis in incident response workflows. This improves investigative efficiency by correlating observables across multiple cases. #### Requirements: https://docs.google.com/document/d/12hZTpyn0eXy3Xnq8qLBd6_sJxBhNZoI7vXztxWHhUds/edit#heading=h.srf6mb8ifiad #### Design document: https://docs.google.com/document/d/1MeDLl6OEWast1RC1M3_hQXnRCd8frrXdGkFnypIYKJQ/edit#heading=h.kb5lrp2j62id Notable Cases sections are added in this pr: **1. Observables section in the case view, allowing for adding and listing up to 10 observables for the case**  **2. Similar cases view for every case, allowing for similar case discovery**  **3. Observable types management view in Cases settings**  Original issue: elastic#180360 Things skipped for now from MVP: - [ ] Allow users to manually create observables from the cases alerts table using the table actions (Phase 1) - [ ] Allow users to manually create observables of type “hash” from the files table using the table actions (Phase 1) --------- Co-authored-by: Christos Nasikas <[email protected]> Co-authored-by: kibanamachine <[email protected]> Co-authored-by: Christos Nasikas <[email protected]> (cherry picked from commit 3083706)
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
kibanamachine
added a commit
that referenced
this pull request
Dec 23, 2024
… & 1) (#190237) (#205089) # Backport This will backport the following commits from `main` to `8.x`: - [[Security Solution] [Cases] Introduce case observables (phase 0 & 1) (#190237)](#190237) <!--- Backport version: 9.4.3 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Luke Gmys","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-12-23T13:25:58Z","message":"[Security Solution] [Cases] Introduce case observables (phase 0 & 1) (#190237)\n\n## Summary\r\n\r\n### Introducting Case Observables - _phases 0 and 1_\r\n\r\nThis pull request introduces case observables to Kibana, enhancing the\r\nplatform's case management capabilities. It adds support for capturing\r\nand displaying observables (e.g., IP addresses, URLs, file hashes)\r\nlinked to cases. The feature integrates with the Cases UI, allowing\r\nusers to easily associate observables with cases for better tracking and\r\nanalysis in incident response workflows. This improves investigative\r\nefficiency by correlating observables across multiple cases.\r\n\r\n#### Requirements:\r\n\r\nhttps://docs.google.com/document/d/12hZTpyn0eXy3Xnq8qLBd6_sJxBhNZoI7vXztxWHhUds/edit#heading=h.srf6mb8ifiad\r\n\r\n#### Design document:\r\nhttps://docs.google.com/document/d/1MeDLl6OEWast1RC1M3_hQXnRCd8frrXdGkFnypIYKJQ/edit#heading=h.kb5lrp2j62id\r\n\r\nNotable Cases sections are added in this pr:\r\n\r\n**1. Observables section in the case view, allowing for adding and\r\nlisting up to 10 observables for the case**\r\n\r\n\r\n\r\n\r\n**2. Similar cases view for every case, allowing for similar case\r\ndiscovery**\r\n\r\n\r\n\r\n\r\n**3. Observable types management view in Cases settings**\r\n\r\n\r\n\r\n\r\nOriginal issue:\r\n\r\nhttps://github.com//issues/180360\r\n\r\nThings skipped for now from MVP:\r\n- [ ] Allow users to manually create observables from the cases alerts\r\ntable using the table actions (Phase 1)\r\n- [ ] Allow users to manually create observables of type “hash” from the\r\nfiles table using the table actions (Phase 1)\r\n\r\n---------\r\n\r\nCo-authored-by: Christos Nasikas <[email protected]>\r\nCo-authored-by: kibanamachine <[email protected]>\r\nCo-authored-by: Christos Nasikas <[email protected]>","sha":"3083706bc9541d84700b81252f0e4880949e4ea0","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["Team:ResponseOps","v9.0.0","Team: SecuritySolution","release_note:feature","Team:Threat Hunting:Investigations","backport:prev-minor","ci:cloud-deploy","ci:build-serverless-image"],"title":"[Security Solution] [Cases] Introduce case observables (phase 0 & 1)","number":190237,"url":"https://github.com/elastic/kibana/pull/190237","mergeCommit":{"message":"[Security Solution] [Cases] Introduce case observables (phase 0 & 1) (#190237)\n\n## Summary\r\n\r\n### Introducting Case Observables - _phases 0 and 1_\r\n\r\nThis pull request introduces case observables to Kibana, enhancing the\r\nplatform's case management capabilities. It adds support for capturing\r\nand displaying observables (e.g., IP addresses, URLs, file hashes)\r\nlinked to cases. The feature integrates with the Cases UI, allowing\r\nusers to easily associate observables with cases for better tracking and\r\nanalysis in incident response workflows. This improves investigative\r\nefficiency by correlating observables across multiple cases.\r\n\r\n#### Requirements:\r\n\r\nhttps://docs.google.com/document/d/12hZTpyn0eXy3Xnq8qLBd6_sJxBhNZoI7vXztxWHhUds/edit#heading=h.srf6mb8ifiad\r\n\r\n#### Design document:\r\nhttps://docs.google.com/document/d/1MeDLl6OEWast1RC1M3_hQXnRCd8frrXdGkFnypIYKJQ/edit#heading=h.kb5lrp2j62id\r\n\r\nNotable Cases sections are added in this pr:\r\n\r\n**1. Observables section in the case view, allowing for adding and\r\nlisting up to 10 observables for the case**\r\n\r\n\r\n\r\n\r\n**2. Similar cases view for every case, allowing for similar case\r\ndiscovery**\r\n\r\n\r\n\r\n\r\n**3. Observable types management view in Cases settings**\r\n\r\n\r\n\r\n\r\nOriginal issue:\r\n\r\nhttps://github.com//issues/180360\r\n\r\nThings skipped for now from MVP:\r\n- [ ] Allow users to manually create observables from the cases alerts\r\ntable using the table actions (Phase 1)\r\n- [ ] Allow users to manually create observables of type “hash” from the\r\nfiles table using the table actions (Phase 1)\r\n\r\n---------\r\n\r\nCo-authored-by: Christos Nasikas <[email protected]>\r\nCo-authored-by: kibanamachine <[email protected]>\r\nCo-authored-by: Christos Nasikas <[email protected]>","sha":"3083706bc9541d84700b81252f0e4880949e4ea0"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/190237","number":190237,"mergeCommit":{"message":"[Security Solution] [Cases] Introduce case observables (phase 0 & 1) (#190237)\n\n## Summary\r\n\r\n### Introducting Case Observables - _phases 0 and 1_\r\n\r\nThis pull request introduces case observables to Kibana, enhancing the\r\nplatform's case management capabilities. It adds support for capturing\r\nand displaying observables (e.g., IP addresses, URLs, file hashes)\r\nlinked to cases. The feature integrates with the Cases UI, allowing\r\nusers to easily associate observables with cases for better tracking and\r\nanalysis in incident response workflows. This improves investigative\r\nefficiency by correlating observables across multiple cases.\r\n\r\n#### Requirements:\r\n\r\nhttps://docs.google.com/document/d/12hZTpyn0eXy3Xnq8qLBd6_sJxBhNZoI7vXztxWHhUds/edit#heading=h.srf6mb8ifiad\r\n\r\n#### Design document:\r\nhttps://docs.google.com/document/d/1MeDLl6OEWast1RC1M3_hQXnRCd8frrXdGkFnypIYKJQ/edit#heading=h.kb5lrp2j62id\r\n\r\nNotable Cases sections are added in this pr:\r\n\r\n**1. Observables section in the case view, allowing for adding and\r\nlisting up to 10 observables for the case**\r\n\r\n\r\n\r\n\r\n**2. Similar cases view for every case, allowing for similar case\r\ndiscovery**\r\n\r\n\r\n\r\n\r\n**3. Observable types management view in Cases settings**\r\n\r\n\r\n\r\n\r\nOriginal issue:\r\n\r\nhttps://github.com//issues/180360\r\n\r\nThings skipped for now from MVP:\r\n- [ ] Allow users to manually create observables from the cases alerts\r\ntable using the table actions (Phase 1)\r\n- [ ] Allow users to manually create observables of type “hash” from the\r\nfiles table using the table actions (Phase 1)\r\n\r\n---------\r\n\r\nCo-authored-by: Christos Nasikas <[email protected]>\r\nCo-authored-by: kibanamachine <[email protected]>\r\nCo-authored-by: Christos Nasikas <[email protected]>","sha":"3083706bc9541d84700b81252f0e4880949e4ea0"}}]}] BACKPORT--> Co-authored-by: Luke Gmys <[email protected]>
stratoula
pushed a commit
to stratoula/kibana
that referenced
this pull request
Jan 2, 2025
…lastic#190237) ## Summary ### Introducting Case Observables - _phases 0 and 1_ This pull request introduces case observables to Kibana, enhancing the platform's case management capabilities. It adds support for capturing and displaying observables (e.g., IP addresses, URLs, file hashes) linked to cases. The feature integrates with the Cases UI, allowing users to easily associate observables with cases for better tracking and analysis in incident response workflows. This improves investigative efficiency by correlating observables across multiple cases. #### Requirements: https://docs.google.com/document/d/12hZTpyn0eXy3Xnq8qLBd6_sJxBhNZoI7vXztxWHhUds/edit#heading=h.srf6mb8ifiad #### Design document: https://docs.google.com/document/d/1MeDLl6OEWast1RC1M3_hQXnRCd8frrXdGkFnypIYKJQ/edit#heading=h.kb5lrp2j62id Notable Cases sections are added in this pr: **1. Observables section in the case view, allowing for adding and listing up to 10 observables for the case**  **2. Similar cases view for every case, allowing for similar case discovery**  **3. Observable types management view in Cases settings**  Original issue: elastic#180360 Things skipped for now from MVP: - [ ] Allow users to manually create observables from the cases alerts table using the table actions (Phase 1) - [ ] Allow users to manually create observables of type “hash” from the files table using the table actions (Phase 1) --------- Co-authored-by: Christos Nasikas <[email protected]> Co-authored-by: kibanamachine <[email protected]> Co-authored-by: Christos Nasikas <[email protected]>
benakansara
pushed a commit
to benakansara/kibana
that referenced
this pull request
Jan 2, 2025
…lastic#190237) ## Summary ### Introducting Case Observables - _phases 0 and 1_ This pull request introduces case observables to Kibana, enhancing the platform's case management capabilities. It adds support for capturing and displaying observables (e.g., IP addresses, URLs, file hashes) linked to cases. The feature integrates with the Cases UI, allowing users to easily associate observables with cases for better tracking and analysis in incident response workflows. This improves investigative efficiency by correlating observables across multiple cases. #### Requirements: https://docs.google.com/document/d/12hZTpyn0eXy3Xnq8qLBd6_sJxBhNZoI7vXztxWHhUds/edit#heading=h.srf6mb8ifiad #### Design document: https://docs.google.com/document/d/1MeDLl6OEWast1RC1M3_hQXnRCd8frrXdGkFnypIYKJQ/edit#heading=h.kb5lrp2j62id Notable Cases sections are added in this pr: **1. Observables section in the case view, allowing for adding and listing up to 10 observables for the case**  **2. Similar cases view for every case, allowing for similar case discovery**  **3. Observable types management view in Cases settings**  Original issue: elastic#180360 Things skipped for now from MVP: - [ ] Allow users to manually create observables from the cases alerts table using the table actions (Phase 1) - [ ] Allow users to manually create observables of type “hash” from the files table using the table actions (Phase 1) --------- Co-authored-by: Christos Nasikas <[email protected]> Co-authored-by: kibanamachine <[email protected]> Co-authored-by: Christos Nasikas <[email protected]>
Closed
13 tasks
CAWilson94
pushed a commit
to CAWilson94/kibana
that referenced
this pull request
Jan 13, 2025
…lastic#190237) ## Summary ### Introducting Case Observables - _phases 0 and 1_ This pull request introduces case observables to Kibana, enhancing the platform's case management capabilities. It adds support for capturing and displaying observables (e.g., IP addresses, URLs, file hashes) linked to cases. The feature integrates with the Cases UI, allowing users to easily associate observables with cases for better tracking and analysis in incident response workflows. This improves investigative efficiency by correlating observables across multiple cases. #### Requirements: https://docs.google.com/document/d/12hZTpyn0eXy3Xnq8qLBd6_sJxBhNZoI7vXztxWHhUds/edit#heading=h.srf6mb8ifiad #### Design document: https://docs.google.com/document/d/1MeDLl6OEWast1RC1M3_hQXnRCd8frrXdGkFnypIYKJQ/edit#heading=h.kb5lrp2j62id Notable Cases sections are added in this pr: **1. Observables section in the case view, allowing for adding and listing up to 10 observables for the case**  **2. Similar cases view for every case, allowing for similar case discovery**  **3. Observable types management view in Cases settings**  Original issue: elastic#180360 Things skipped for now from MVP: - [ ] Allow users to manually create observables from the cases alerts table using the table actions (Phase 1) - [ ] Allow users to manually create observables of type “hash” from the files table using the table actions (Phase 1) --------- Co-authored-by: Christos Nasikas <[email protected]> Co-authored-by: kibanamachine <[email protected]> Co-authored-by: Christos Nasikas <[email protected]>
This was referenced Jan 15, 2025
viduni94
pushed a commit
to viduni94/kibana
that referenced
this pull request
Jan 23, 2025
…lastic#190237) ## Summary ### Introducting Case Observables - _phases 0 and 1_ This pull request introduces case observables to Kibana, enhancing the platform's case management capabilities. It adds support for capturing and displaying observables (e.g., IP addresses, URLs, file hashes) linked to cases. The feature integrates with the Cases UI, allowing users to easily associate observables with cases for better tracking and analysis in incident response workflows. This improves investigative efficiency by correlating observables across multiple cases. #### Requirements: https://docs.google.com/document/d/12hZTpyn0eXy3Xnq8qLBd6_sJxBhNZoI7vXztxWHhUds/edit#heading=h.srf6mb8ifiad #### Design document: https://docs.google.com/document/d/1MeDLl6OEWast1RC1M3_hQXnRCd8frrXdGkFnypIYKJQ/edit#heading=h.kb5lrp2j62id Notable Cases sections are added in this pr: **1. Observables section in the case view, allowing for adding and listing up to 10 observables for the case**  **2. Similar cases view for every case, allowing for similar case discovery**  **3. Observable types management view in Cases settings**  Original issue: elastic#180360 Things skipped for now from MVP: - [ ] Allow users to manually create observables from the cases alerts table using the table actions (Phase 1) - [ ] Allow users to manually create observables of type “hash” from the files table using the table actions (Phase 1) --------- Co-authored-by: Christos Nasikas <[email protected]> Co-authored-by: kibanamachine <[email protected]> Co-authored-by: Christos Nasikas <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Introducting Case Observables - phases 0 and 1
This pull request introduces case observables to Kibana, enhancing the platform's case management capabilities. It adds support for capturing and displaying observables (e.g., IP addresses, URLs, file hashes) linked to cases. The feature integrates with the Cases UI, allowing users to easily associate observables with cases for better tracking and analysis in incident response workflows. This improves investigative efficiency by correlating observables across multiple cases.
Requirements:
https://docs.google.com/document/d/12hZTpyn0eXy3Xnq8qLBd6_sJxBhNZoI7vXztxWHhUds/edit#heading=h.srf6mb8ifiad
Design document: https://docs.google.com/document/d/1MeDLl6OEWast1RC1M3_hQXnRCd8frrXdGkFnypIYKJQ/edit#heading=h.kb5lrp2j62id
Notable Cases sections are added in this pr:
1. Observables section in the case view, allowing for adding and listing up to 10 observables for the case
2. Similar cases view for every case, allowing for similar case discovery
3. Observable types management view in Cases settings
Original issue:
#180360
Things skipped for now from MVP: