Back to Details

security-case-management

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

Case Management

案例管理

Manage SOC cases through the Kibana Cases API. All cases are scoped to 
securitySolution
— this skill operates exclusively within Elastic Security. Cases appear in Kibana Security and can be assigned to analysts, linked to alerts, and pushed to external incident management systems via connectors.
通过Kibana Cases API管理SOC案例。所有案例的作用域均为
securitySolution
——本技能仅在Elastic Security内运行。案例会显示在Kibana Security中,可分配给分析师、关联到警报,并通过连接器推送到外部事件管理系统。

Prerequisites

前置条件

Install dependencies before first use from the 
skills/security
directory:
bash
cd skills/security && npm install
Set the required environment variables (or add them to a 
.env
file in the workspace root):
bash
export KIBANA_URL="https://your-cluster.kb.cloud.example.com:443"
export KIBANA_API_KEY="your-kibana-api-key"
首次使用前,请从
skills/security
目录安装依赖:
bash
cd skills/security && npm install
设置所需的环境变量(或添加到工作区根目录的
.env
文件中):
bash
export KIBANA_URL="https://your-cluster.kb.cloud.example.com:443"
export KIBANA_API_KEY="your-kibana-api-key"

When to use

适用场景

  • Creating a case after alert triage (classification, IOCs, findings)
  • Searching for existing cases to correlate related alerts
  • Adding investigation comments or attaching alerts to an existing case
  • Updating case status or severity
  • Listing recent cases for review
  • 警报分诊后创建案例(分类、IOC、调查结果)
  • 搜索现有案例以关联相关警报
  • 向现有案例添加调查注释或关联警报
  • 更新案例状态或严重性
  • 列出近期案例以供审核

When NOT to use

不适用场景

  • Do not use this skill for Observability or Elasticsearch cases — it hardcodes 
    owner: securitySolution
  • Do not use for cases outside the Security solution space
  • 请勿将本技能用于Observability或Elasticsearch案例——它硬编码了
    owner: securitySolution
  • 请勿用于Security解决方案之外的案例

Execution rules

执行规则

  • Start executing tools immediately — do not read SKILL.md, browse the workspace, or list files first.
  • Report tool output faithfully. Copy case IDs, titles, tags, severities, and counts exactly as returned by the API. Do not abbreviate case IDs, truncate titles, invent details, or round numbers.
  • When the API returns zero results, state that explicitly — do not guess at possible results.
  • When listing or finding cases, report the exact total count from the API response and present each case with its verbatim title, severity, and status.
  • 立即执行工具——不要先读取SKILL.md、浏览工作区或列出文件。
  • 如实报告工具输出。准确复制API返回的案例ID、标题、标签、严重性和计数。不要缩写案例ID、截断标题、编造细节或四舍五入数字。
  • 当API返回零结果时,明确说明——不要猜测可能的结果。
  • 列出或查找案例时,报告API响应中的准确总计数,并呈现每个案例的原文标题、严重性和状态。

Quick start

快速开始

All commands run from the workspace root. All output is JSON. Call the tools directly — do not read the skill file or explore the workspace first. For attach-alert/attach-alerts, 
--rule-id
and 
--rule-name
are required by the Kibana API (use 
--rule-id unknown --rule-name unknown
if unknown). Use 
attach-alerts
for batch with automatic rate-limit retry and 2-second spacing between API calls.
所有命令均从工作区根目录运行。所有输出均为JSON格式。直接调用工具——不要先读取技能文件或浏览工作区。对于attach-alert/attach-alerts操作,Kibana API要求必须提供
--rule-id
--rule-name
(如果未知,使用
--rule-id unknown --rule-name unknown
)。使用
attach-alerts
进行批量操作,它会自动处理速率限制重试,并在API调用之间保留2秒间隔。

Common multi-step workflows

常见多步骤工作流

TaskTools to call (in order)
Create a case
case_manager
create (title, description, tags, severity)
Find cases for a host
case_manager
find --tags "agent_id:<id>" or find --search "<hostname>"
Attach alert to case
case_manager
attach-alert (case-id, alert-id, alert-index, rule-id/name)
Add investigation notes
case_manager
add-comment (case-id, comment text)
List recent open cases
case_manager
list --status open --per-page <n>
Update case
case_manager
update (case-id, status/severity/tags changes)
Finding cases for a host: Use 
find --search "<hostname>"
to search by hostname across title, description, and comments. Alternatively use 
find --tags "agent_id:<agent_id>"
if the agent ID is known. Always add 
--status open
to filter to active cases only. Report the exact 
total
count and each case title verbatim from the API response.
bash
undefined
任务调用工具(按顺序)
创建案例
case_manager
create (title, description, tags, severity)
查找主机相关案例
case_manager
find --tags "agent_id:<id>" 或 find --search "<hostname>"
将警报关联到案例
case_manager
attach-alert (case-id, alert-id, alert-index, rule-id/name)
添加调查笔记
case_manager
add-comment (case-id, comment text)
列出近期未关闭案例
case_manager
list --status open --per-page <n>
更新案例
case_manager
update (case-id, status/severity/tags changes)
查找主机相关案例:使用
find --search "<hostname>"
在标题、描述和注释中按主机名搜索。如果已知agent ID,也可以使用
find --tags "agent_id:<agent_id>"
。始终添加
--status open
以仅筛选活跃案例。报告API响应中的准确
total
计数和每个案例的原文标题。
bash
undefined

Create (syncAlerts enabled by default; disable with --sync-alerts false)

创建(默认启用syncAlerts;使用--sync-alerts false禁用)

node skills/security/case-management/scripts/case-manager.js create --title "Malicious DLL sideloading on host1" --description "Crypto clipper malware detected via DLL sideloading..." --tags "classification:malicious" "confidence:88" "mitre:T1574.002" --severity critical --yes
node skills/security/case-management/scripts/case-manager.js create --title "Malicious DLL sideloading on host1" --description "Crypto clipper malware detected via DLL sideloading..." --tags "classification:malicious" "confidence:88" "mitre:T1574.002" --severity critical --yes

Find, list, get

查找、列出、获取

node skills/security/case-management/scripts/case-manager.js find --tags "agent_id:550888e5-357d-4bc1-a154-486eb7b4e076" node skills/security/case-management/scripts/case-manager.js find --search "DLL sideloading" --status open node skills/security/case-management/scripts/case-manager.js list --status open --per-page 10 node skills/security/case-management/scripts/case-manager.js get --case-id <case_id>
node skills/security/case-management/scripts/case-manager.js find --tags "agent_id:550888e5-357d-4bc1-a154-486eb7b4e076" node skills/security/case-management/scripts/case-manager.js find --search "DLL sideloading" --status open node skills/security/case-management/scripts/case-manager.js list --status open --per-page 10 node skills/security/case-management/scripts/case-manager.js get --case-id <case_id>

Attach single alert

关联单个警报

node skills/security/case-management/scripts/case-manager.js attach-alert --case-id <case_id> --alert-id <alert_doc_id> --alert-index .ds-.alerts-security.alerts-default-2025.12.01-000013 --rule-id <rule_uuid> --rule-name "Malware Detection Alert"
node skills/security/case-management/scripts/case-manager.js attach-alert --case-id <case_id> --alert-id <alert_doc_id> --alert-index .ds-.alerts-security.alerts-default-2025.12.01-000013 --rule-id <rule_uuid> --rule-name "Malware Detection Alert"

Attach multiple alerts (batch)

关联多个警报(批量)

node skills/security/case-management/scripts/case-manager.js attach-alerts --case-id <case_id> --alert-ids <id1> <id2> <id3> --alert-index .ds-.alerts-security.alerts-default-2026.02.16-000016 --rule-id <rule_uuid> --rule-name "Malware Detection Alert"
node skills/security/case-management/scripts/case-manager.js attach-alerts --case-id <case_id> --alert-ids <id1> <id2> <id3> --alert-index .ds-.alerts-security.alerts-default-2026.02.16-000016 --rule-id <rule_uuid> --rule-name "Malware Detection Alert"

Add comment, update (--tags merges with existing tags, does not replace)

添加注释、更新(--tags会与现有标签合并,而非替换)

node skills/security/case-management/scripts/case-manager.js add-comment --case-id <case_id> --comment "Process tree analysis shows..." node skills/security/case-management/scripts/case-manager.js update --case-id <case_id> --status closed --severity low --yes

Write operations (`create`, `update`) prompt for confirmation by default. Pass `--yes` to skip the prompt (required when
called by an agent).
node skills/security/case-management/scripts/case-manager.js add-comment --case-id <case_id> --comment "Process tree analysis shows..." node skills/security/case-management/scripts/case-manager.js update --case-id <case_id> --status closed --severity low --yes

写入操作(`create`、`update`)默认会提示确认。传递`--yes`可跳过提示(由agent调用时必填)。

Reporting list and find results

报告列表和查找结果

When reporting results from 
list
or 
find
:
  1. State the exact 
    total
    count from the JSON response (e.g., "There are 12 open cases total").
  2. Present each case as a compact one-line entry: 
    <title> | <severity> | <case_id_short> | <created_at>
    . Copy the exact title verbatim from the 
    title
    field — do not rephrase, abbreviate, or summarize.
  3. If the user asked for N cases, present exactly N entries (or fewer if fewer exist). Do not add extra columns (alerts count, description, status) unless the user specifically requested them.
  4. Do not add information beyond what the API returned. If a field is null or missing, omit it.
  5. After presenting the results, stop. Do not add analysis, commentary, or observations about the cases.
报告
list
find
的结果时:
  1. 说明JSON响应中的准确
    total
    计数(例如:“总共有12个未关闭案例”)。
  2. 将每个案例以紧凑的单行条目呈现:
    <title> | <severity> | <case_id_short> | <created_at>
    。精确复制
    title
    字段中的原文标题——不要改写、缩写或总结。
  3. 如果用户要求返回N个案例,就呈现恰好N个条目(如果数量不足则呈现现有条目)。除非用户特别要求,否则不要添加额外列(警报计数、描述、状态)。
  4. 不要添加API返回内容之外的信息。如果字段为null或缺失,则省略。
  5. 呈现结果后即停止。不要添加对案例的分析、评论或观察。

Tag conventions

标签约定

Use structured tags for machine-searchable metadata:
Tag patternExamplePurpose
classification:<value>
classification:malicious
Triage classification (benign/unknown/malicious)
confidence:<score>
confidence:85
Confidence score 0-100
mitre:<technique>
mitre:T1574.002
MITRE ATT&CK technique IDs
agent_id:<id>
agent_id:550888e5-...
Elastic agent ID for correlation
rule:<name>
rule:Malicious Behavior Detection
Detection rule name
使用结构化标签以实现可机器搜索的元数据:
标签模式示例用途
classification:<value>
classification:malicious
分诊分类(良性/未知/恶意)
confidence:<score>
confidence:85
置信度分数0-100
mitre:<technique>
mitre:T1574.002
MITRE ATT&CK技术ID
agent_id:<id>
agent_id:550888e5-...
Elastic agent ID,用于关联
rule:<name>
rule:Malicious Behavior Detection
检测规则名称

Case severity mapping

案例严重性映射

ClassificationKibana severity
benign (score 0-19)
low
unknown (score 20-60)
medium
malicious (score 61-80)
high
malicious (score 81-100)
critical
分类Kibana 级别
良性(分数0-19)
low
未知(分数20-60)
medium
恶意(分数61-80)
high
恶意(分数81-100)
critical

Known limitations

已知限制

syncAlerts is security-only

syncAlerts仅适用于安全领域

The 
syncAlerts
setting (enabled by default) synchronizes case status with attached alert statuses. This feature is only available for Security Solution cases. Pass 
--sync-alerts false
when creating a case if alert sync is not needed.
syncAlerts
设置(默认启用)会同步案例状态与关联的警报状态。此功能仅适用于Security Solution案例。如果不需要警报同步,创建案例时传递
--sync-alerts false

Rate limiting

速率限制

The Kibana API enforces rate limits. When attaching multiple alerts, the 
attach-alerts
batch command automatically handles 429 responses with retry. If using 
attach-alert
one at a time, space calls ~10 seconds apart.
Kibana API会实施速率限制。关联多个警报时,
attach-alerts
批量命令会自动处理429响应并重试。如果逐个使用
attach-alert
,请将调用间隔设置为约10秒。

find --search
on Serverless

Serverless上的
find --search

The 
find --search
parameter may return 500 errors on Kibana Serverless deployments. Use 
find --tags
for filtering instead, or 
list
to browse recent cases.
在Kibana Serverless部署中,
find --search
参数可能返回500错误。请改用
find --tags
进行过滤,或使用
list
浏览近期案例。

find --tags
requires exact match

find --tags
需要精确匹配

Tag searches are exact-match only. 
find --tags "agent_id:abc123"
works, but partial matches do not.
标签搜索仅支持精确匹配。
find --tags "agent_id:abc123"
有效,但部分匹配无效。

Kibana Cases API reference

Kibana Cases API参考

For detailed API endpoints, request/response formats, and examples, see references/kibana-cases-api.md.
有关详细的API端点、请求/响应格式和示例,请参阅references/kibana-cases-api.md

Examples

示例

  • "Create a case for the phishing alert I triaged with severity high"
  • "Search for open cases related to brute force attacks"
  • "Add the investigation findings as a comment to case ID abc-123"
  • “为我分诊的钓鱼警报创建一个高严重性案例”
  • “搜索与暴力攻击相关的未关闭案例”
  • “将调查结果作为注释添加到案例ID abc-123中”

Guidelines

指南

  • Report only tool output — do not invent IDs, hostnames, IPs, or details not present in the tool response.
  • Preserve identifiers from the request — use exact values the user provides in tool calls and responses.
  • Confirm actions concisely using the tool's return data.
  • Distinguish facts from inference — label conclusions beyond tool output as your assessment.
  • When presenting case lists or search results, copy the exact title from each case. Do not paraphrase, abbreviate, or summarize titles. Include the total count from the API 
    total
    field.
  • Start executing tools immediately. Do not read SKILL.md, browse directories, or list files before acting.
  • 仅报告工具输出——不要编造ID、主机名、IP或工具响应中不存在的细节。
  • 保留请求中的标识符——在工具调用和响应中使用用户提供的精确值。
  • 使用工具的返回数据简洁地确认操作。
  • 区分事实与推断——将工具输出之外的结论标记为你的评估。
  • 呈现案例列表或搜索结果时,复制每个案例的原文标题。不要改写、缩写或总结标题。包含API
    total
    字段中的总计数。
  • 立即执行工具。不要先读取SKILL.md、浏览目录或列出文件。

Production use

生产环境使用

  • Write operations (
    create
    , 
    update
    ) prompt for confirmation. Pass 
    --yes
    or 
    -y
    to skip when called by an agent.
  • Verify 
    KIBANA_URL
    and 
    KIBANA_API_KEY
    point to the intended cluster before running any command.
  • Cases are scoped to 
    securitySolution
    — this skill does not affect Observability or other Kibana case owners.
  • 写入操作(
    create
    update
    )会提示确认。由agent调用时,传递
    --yes
    -y
    以跳过。
  • 运行任何命令前,验证
    KIBANA_URL
    KIBANA_API_KEY
    指向目标集群。
  • 案例的作用域为
    securitySolution
    ——本技能不会影响Observability或其他Kibana案例所有者。

Environment variables

环境变量

VariableRequiredDescription
KIBANA_URL
YesKibana base URL (e.g., 
https://my-kibana.kb.cloud.example.com
)
KIBANA_API_KEY
YesKibana API key for authentication
变量是否必填描述
KIBANA_URL
Kibana基础URL(例如:
https://my-kibana.kb.cloud.example.com
KIBANA_API_KEY
用于身份验证的Kibana API密钥