Cases
The Elastic cases feature is used to manage basic workflow and processes for observed events. This is not a full-blown case management solution; it is basic, with the intention that third-party connections are used for a proper case-management solution.
Cases can be created from the Alerts section by clicking on the folder icon, from a timeline, or from the Cases tab:
Figure 8.54 – Create cases from the Alerts page
Cases can also have templates added to them that aid in the investigation of events:
Figure 8.55 – Cases with timeline icon
Clicking on the timeline icon will open a window that will allow you to select any available timeline:
Figure 8.56 – Adding a timeline to a case
We can add the timeline we created for the previously observed Agent Tesla infection. This adds the timeline as a Markdown hyperlink.
Once the case is created, we can make basic annotations and notes during our investigation. All of the comments render Markdown...
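The same workflow can be driven without the clicks above through the Kibana Cases API, which is how an automation or SOAR step would open a case and drop the timeline in as a Markdown comment. This is an added example, not code from the book or from Elastic; the Kibana URL, API key, timeline id and the exact timeline-link URL shape are assumptions.

```python
import json
import urllib.request

KIBANA_URL = "https://kibana.example.internal:5601"   # assumed host
API_KEY = "REPLACE_WITH_KIBANA_API_KEY"               # placeholder, not a real key
SENT = []                                             # requests captured by dry_run


def timeline_markdown(title: str, timeline_id: str) -> str:
    """Markdown hyperlink to a saved timeline, mirroring what the timeline icon
    inserts so the case comment renders as a clickable timeline (URL shape assumed)."""
    return (f"[{title}]({KIBANA_URL}/app/security/timelines"
            f"?timeline=(id:'{timeline_id}',isOpen:!t))")


def build_case(title: str, description: str, tags) -> dict:
    """Body for POST /api/cases; 'owner' scopes the case to the Security app."""
    return {"title": title, "description": description, "tags": list(tags),
            "connector": {"id": "none", "name": "none", "type": ".none", "fields": None},
            "settings": {"syncAlerts": True}, "owner": "securitySolution"}


def build_comment(markdown: str) -> dict:
    """Body for POST /api/cases/{id}/comments; case comments render Markdown."""
    return {"type": "user", "comment": markdown, "owner": "securitySolution"}


def dry_run(req: urllib.request.Request) -> dict:
    """Offline stand-in for the HTTP call: records the request, returns a fake id."""
    SENT.append((req.get_method(), req.full_url, json.loads(req.data)))
    return {"id": "constructed-case-id"}


def post_json(path: str, body: dict, send=None) -> dict:
    """POST JSON to Kibana; kbn-xsrf is required on every write, 'send' is swappable."""
    req = urllib.request.Request(
        KIBANA_URL + path, data=json.dumps(body).encode(), method="POST",
        headers={"kbn-xsrf": "true", "Content-Type": "application/json",
                 "Authorization": f"ApiKey {API_KEY}"})
    send = send or (lambda r: json.load(urllib.request.urlopen(r)))
    return send(req)


def open_case_with_timeline(title, description, tags, tl_title, tl_id, send=None) -> str:
    """Create the case, then attach the timeline as a Markdown comment; returns case id."""
    case = post_json("/api/cases", build_case(title, description, tags), send)
    note = build_comment(f"Investigation timeline: {timeline_markdown(tl_title, tl_id)}")
    post_json(f"/api/cases/{case['id']}/comments", note, send)
    return case["id"]


if __name__ == "__main__":
    print(open_case_with_timeline("Agent Tesla infection", "Host beaconing after phish",
                                  ["malware"], "Agent Tesla timeline", "tl-1", send=dry_run))
```

Replace `send=dry_run` with the default to hit a real Kibana; the dry run only builds and records the requests so it can be tried offline.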