You are viewing docs on Elastic's new documentation system, currently in technical preview. For all other Elastic docs, visit elastic.co/guide.

Add detection alerts to cases

Add alerts to new or existing cases in Elastic Security.

From the Alerts table, you can attach one or more alerts to a new case or an existing one. Alerts from any rule type can be added to a case.

Note

  • After you add an alert to a case, you can remove it from the case activity under the alert summary or by using the Elastic Security Cases API.
  • Each case can have a maximum of 1,000 alerts.

Add alerts to a new case

To add alerts to a new case:

  1. Do one of the following:

    • To add a single alert to a case, select the More actions menu (...) in the Alerts table or Take action in the alert details flyout, then select Add to a new case.
    • To add multiple alerts, select the alerts, then select Add to a new case from the Bulk actions menu.
  2. Give the case a name, assign a severity level, and provide a description. You can use Markdown syntax in the case description.

    Note

    If you do not assign your case a severity level, it will be assigned Low by default.

  3. Optionally, add a category, assignees and relevant tags. You can add users only if they meet the necessary prerequisites.

  4. Specify whether you want to sync the status of associated alerts. It is enabled by default; however, you can toggle this setting on or off at any time. If it remains enabled, the alert's status updates whenever the case's status is modified.

  5. Select a connector. If you've previously added one, that connector displays as the default selection. Otherwise, the default setting is No connector selected.

  6. Click Create case after you've completed all of the required fields. A confirmation message is displayed with an option to view the new case. Click the link in the notification or go to the Cases page to view the case.

Add alerts to an existing case

To add alerts to an existing case:

  1. Do one of the following:

    • To add a single alert to a case, select the More actions menu (...) in the Alerts table or Take action in the alert details flyout, then select Add to existing case.
    • To add multiple alerts, select the alerts, then select Add to an existing case from the Bulk actions menu.
  2. From the Select case dialog box, select the case to which you want to attach the alert. A confirmation message is displayed with an option to view the updated case. Click the link in the notification or go to the Cases page to view the case's details.

    Note

    If you attach the alert to a case that has been configured to sync its status with associated alerts, the alert's status updates any time the case's status is modified.

On this page