63 changes: 23 additions & 40 deletions workflows/security/response/createcasetool.yaml
Expand Up @@ -2,76 +2,59 @@
# Workflow: createCaseTool
# Category: security/response
#
# The `createCaseTool` workflow allows an agent to manually create a case
# with a specified title and description. It is enabled and categorized under
# "Observability" and "AgentTool" tags. The workflow includes a single step
# that utilizes the Kibana API to create a case in the default space, with
# settings that specify high severity and automatic tagging.
# Creates a new case using the Kibana Cases API. Supports configurable
# severity and creates cases under the Security Solution owner so they
# appear in Security > Cases rather than Observability.
#
# Author: Elastic
# Created: 2025-11-19
# Tags: Observability, AgentTool
# Tags: Security, AgentTool
# =============================================================================
name: createCaseTool
description: A tool that let an Agent to create a case
description: A tool that lets an Agent create a Security case
enabled: true

# ---------------------------------------------------------------------------
# TRIGGERS
# ---------------------------------------------------------------------------
# Defines how and when this workflow is executed. Supported trigger types:
# - manual: Run on-demand from the Kibana UI or API
# - scheduled: Run on a recurring schedule (every: "5m" or rrule)
# - alert: Run automatically when a security alert is triggered
# ---------------------------------------------------------------------------
triggers:
- type: manual

# ---------------------------------------------------------------------------
# TAGS
# ---------------------------------------------------------------------------
# Categories and labels for organizing, filtering, and discovering workflows
# in the Kibana UI. Tags help with:
# - Categorizing workflows by use case (security, observability, etc.)
# - Filtering in the workflow library
# - Grouping related workflows together
tags: ["Security", "AgentTool"]

# ---------------------------------------------------------------------------
# INPUTS
# ---------------------------------------------------------------------------
tags: ["Observability", "AgentTool"]
inputs:
- name: caseDescription
required: true
type: string
description: "Detailed description of the incident or investigation"
- name: caseTitle
required: true
type: string

description: "Title for the case"
- name: severity
type: string
description: "Case severity: low, medium, high, critical"
default: "medium"

# ---------------------------------------------------------------------------
# STEPS
# ---------------------------------------------------------------------------
# The sequence of actions this workflow performs. Each step executes an
# action and can reference outputs from previous steps. Key properties:
# - name: Unique identifier for referencing this step's output
# - type: The action to perform (http, elasticsearch.search, foreach, etc.)
# - with: Parameters passed to the action
# - condition: Optional expression to conditionally run the step
# - on-failure: Error handling configuration (retry, continue, etc.)
# Access step outputs using {{ steps.step_name.output.field }} syntax
# ---------------------------------------------------------------------------
steps:

# -------------------------------------------------------------------------
# STEP 1: kibana_createCaseDefaultSpace_step
# -------------------------------------------------------------------------
# Creates a new case using the Kibana Cases API (POST /api/cases).
# Cases provide a workspace for investigating and tracking security
# incidents.
# Required: title, description, owner (e.g., "securitySolution"), tags,
# severity.
# Output: {{ steps.kibana_createCaseDefaultSpace_step.output.id }} contains
# the new case ID.
# Liquid syntax used:
# - References workflow input parameter(s)
# Owner is set to "securitySolution" so cases appear under
# Security > Cases in Kibana, not the Observability cases view.
# Severity is configurable via the severity input (defaults to medium).
# Output: {{ steps.kibana_createCaseDefaultSpace_step.output.id }}
# -------------------------------------------------------------------------
- name: kibana_createCaseDefaultSpace_step
type: kibana.createCaseDefaultSpace
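Review bot: the new `severity` input only documents its allowed values in free text (`description: "Case severity: low, medium, high, critical"`) and nothing constrains what an agent actually passes, so a value such as "High" or "urgent" will flow straight into the API call and fail at the Kibana Cases API rather than at input validation; if the workflow input schema supports an enumerated type, declare the four values there, otherwise state in the STEP 1 header comment that the value is case-sensitive and must be one of the four lowercase strings. Two smaller points in the same hunk: the `caseTitle` input block has a stray blank line between `type: string` and `description: "Title for the case"`, which is inconsistent with the other inputs, and the STEP 1 header comment still lists `tags` and `severity` under "Required" while the rest of the comment now says severity is optional with a default of medium, so the "Required" line should be updated to match.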
Expand All @@ -82,11 +65,11 @@ steps:
name: none
type: .none
description: |
"{{ inputs.caseDescription }}"
owner: observability
{{ inputs.caseDescription }}
owner: securitySolution
settings:
syncAlerts: false
severity: high
syncAlerts: true
severity: "{{ inputs.severity }}"
tags:
- Automatic
title: "{{ inputs.caseTitle }}"
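Review bot: `syncAlerts: false` is flipped to `syncAlerts: true` here, but neither the file header nor the STEP 1 comment mentions it, and it is a behavioural change rather than a cosmetic one: with alert sync on, the status of alerts attached to this case follows the case status, so closing the case will also close those alerts. Either document the intent in the header comment (the comment block above only explains the owner and severity changes) or keep the previous value and make it a separate, explicitly described change. Also, `severity: "{{ inputs.severity }}"` is now a direct pass-through of caller input with no check, so an invalid or differently cased value surfaces as a failed API call with no guidance; a short comment on the accepted values (low, medium, high, critical) next to this line would help whoever debugs that failure. The switch from `"{{ inputs.caseDescription }}"` to an unquoted value under the `|` block scalar is a genuine fix, since the old form wrapped the description in literal quote characters.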