Users usually do not delete cases. Instead, they close them and keep them for compliance reasons. This can lead to a lot of cases and related objects over time. Users may want to define ILM policies over the case data as it grows. Cases are part of the Kibana system index, which is in the hot tier and does not support ILM policies. To support this, we may need to create our own index to put archive cases and define ILM policies on the archived index. Furthermore, to prevent tampering with the history of the investigation and for compliance reasons, archive cases should be read-only and immutable.
Tasks
[ ] Research the pros and cons of having a .cases-archive system index and decide if we need to maintain one.
[ ] Add the ability to archive cases.
[ ] Make archive cases read-only and immutable.
[ ] Do not show archive cases in the cases table.
[ ] Create a view to see, filter and search archive cases.