Case observables

[shanisagiv1]

Describe the feature: Observable can be any type of value attached to a case and enable users with the different use cases:

• Get all similar cases with the same observable (e.g: username)
• Enrich the case by triggering actions that leverage the observable (e.g: validate domain legitimacy)

In addition, Observable is a key differentiator feature for some incident mng vendors. it enables users with different use cases for incident investigation when it allows incident similarities and automates manual remediation and investigation steps using integrations with 3rd parties

User stories for the feature:

• As a user, I’d like to define an observable in my case. An observable can be of any value.
• As a user, I’d like to define an observable with the following attributes:
  • Type (Most common types: Hash, IP, domains, web URL, email)
  • Value
  • Has been sighted
  • Description
  • Is IOC (toggle)
• As a user, I’d like to get similar Kibana Cases with the same observable for faster investigation.

More details about the first phase are detailed in the PRD here

[elasticmachine]

Pinging @elastic/response-ops (Team:ResponseOps)

[elasticmachine]

Pinging @elastic/response-ops-cases (Feature:Cases)

[elasticmachine]

Pinging @elastic/security-threat-hunting-investigations (Team:Threat Hunting:Investigations)