Cases connector and action

edit

Cases connector and action

edit

This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

The Cases connector creates cases in Kibana when alerts occur.

Create connectors in Kibana

edit

To use this connector you must have All Kibana privileges for the Cases feature. Depending on the type of rule you want to create and its role visibility, you must have privileges for Management or Observability case features. For more details, refer to Kibana privileges.

You cannot manage this connector in Stack Management > Connectors or by using APIs. You also cannot create a Cases preconfigured connector. It is available only when you’re creating a rule in Kibana. For example:

Add a cases action while creating a rule in Kibana Rules

You can have only one Cases action in each rule.

Connector configuration
edit

Cases connectors have the following configuration properties:

Group by alert field
By default, all alerts are attached to the same case. You can optionally choose a field to use for grouping the alerts; a unique case is created for each group.
Reopen when the case is closed
If this option is enabled, closed cases are re-opened when an alert occurs.
Time window
By default, alerts are added to an existing case only if they occur within a 7 day time window.

Test connectors

edit

You cannot test or edit these connectors in Kibana or by using APIs.