elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

[Feature Request][Security Cases] Provide a way to track IOCs or artifacts associated with a case #131418

Open aarju opened 2 years ago

aarju commented 2 years ago

Describe the feature: Field names that are interesting for a case can be tagged or manually added as IOCs (indicators of compromise) within a case. These IOCs are displayed in a list in the case and can be enriched with threat intel information.

Describe a specific use case for the feature: While investigating a case, the security analyst tags a destination.ip, a host.name, and a file.hash.sha1 field as IOCs in the case. These IOCs are listed in the 'artifacts' or 'IOCs' section of the case to make it easier to see them. When an IOC is added to a case, we should automatically do a search for that IOC in the Threat Intel index patterns and enrich the fields with that information.

elasticmachine commented 2 years ago

Pinging @elastic/response-ops (Team:ResponseOps)

elasticmachine commented 2 years ago

Pinging @elastic/response-ops-cases (Feature:Cases)