
Security Case Management
Create, search, update, and comment on Elastic Security cases in Kibana and link alerts for SOC-style incident tracking from your agent.
Overview
security-case-management is an agent skill for the Operate phase that automates Elastic Security case lifecycle actions via the Kibana Cases REST API.
Install
npx skills add https://github.com/elastic/agent-skills --skill security-case-management
What is this skill?
- Kibana Cases REST API coverage: create, _find search, get, update, comments
- Attach alerts to cases and query the case↔alert relationship in both directions (alerts for a case, cases for an alert)
- Documented severity enum (low, medium, high, critical) and the securitySolution owner used for Elastic Security cases
- Example payloads use MITRE-style tags (e.g. mitre:T1574.002) and default to the .none connector
- 8 API sections in the README outline (create, search, get, update, comments, attach alerts, get alerts for a case, find cases for an alert)
Adoption & trust: 998 installs on skills.sh; 502 GitHub stars; 3/3 security scanners passed (skills.sh audits).
What problem does it solve?
Alerts are piling up in Elastic Security but incidents lack consistent cases, comments, and linked alert history for your small team.
Who is it for?
Indie SaaS operators or tiny SOCs on Elastic Security who want agent-driven case creation and enrichment with documented API shapes.
Skip if: Non-Elastic stacks, builders with no Kibana/API credentials, or teams that need full playbook orchestration beyond Cases API.
When should I use this skill?
You need to manage Elastic Security cases through Kibana Cases REST endpoints from an agent session.
What do I get? / Deliverables
Your agent can create and update securitySolution cases, search by tags or status, attach alerts, and keep investigation context in Kibana Cases.
- Created or updated case records in Kibana
- Case comments and alert attachments
- Search results from /api/cases/_find
Journey fit
Case management is production security operations—triage and track live incidents after you ship—not greenfield Build work. Monitoring subphase fits ongoing visibility into open cases, severities, and alert attachment as signals stream in.
How it compares
Integration skill for Kibana Cases—not a replacement for Elastic’s detection rules UI or a generic Jira skill.
Common Questions / FAQ
Who is security-case-management for?
Developers and operators running Elastic Security who want Claude/Cursor-class agents to manage Kibana cases via REST with correct owner and severity fields.
When should I use security-case-management?
In Operate monitoring when triaging detections—open or update cases, attach correlated alerts, and document steps with API comments after Ship.
Is security-case-management safe to install?
It implies production API access to security data. Issue the agent an API key tied to a role that carries only the Kibana Cases privileges it actually needs (read, plus create/update where it writes) rather than a superuser key, scope connectors and roles to the Space it works in, and review the Security Audits panel on this Prism page before installing.
SKILL.md - Security Case Management
# Kibana Cases API Reference

Reference for the Kibana Cases REST API endpoints used by the case-management skill. Full documentation: [Kibana Cases API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-cases)

## Contents

- Create a case
- Search/find cases
- Get case details
- Update cases
- Add comments
- Attach alerts
- Get alerts for a case
- Find cases for an alert

## Create a case

`POST /api/cases`

```json
{
  "title": "Malicious DLL sideloading on host1",
  "description": "Crypto clipper malware detected...",
  "tags": ["classification:malicious", "confidence:88", "mitre:T1574.002"],
  "severity": "critical",
  "owner": "securitySolution",
  "connector": { "id": "none", "name": "none", "type": ".none", "fields": null },
  "settings": { "syncAlerts": true }
}
```

**Response** returns the full case object with `id`, `version`, `created_at`, etc. Keep the returned `version`; every later update must send it.

**Severity values**: `low`, `medium`, `high`, `critical`

**Owner**: Use `securitySolution` for Elastic Security cases.

## Search/find cases

`GET /api/cases/_find`

Query parameters:

| Param | Description |
| --- | --- |
| `search` | Free-text search across title, description, comments |
| `tags` | Filter by tags (repeat the parameter once per tag) |
| `status` | `open`, `in-progress`, `closed` |
| `severity` | `low`, `medium`, `high`, `critical` |
| `sortField` | `createdAt`, `updatedAt`, `closedAt`, `title`, `severity`, `status` |
| `sortOrder` | `asc`, `desc` |
| `page` | Page number (1-based) |
| `perPage` | Results per page (default 20, max 100) |
| `owner` | Filter by owner (e.g., `securitySolution`) |

Example:

```text
GET /api/cases/_find?tags=classification:malicious&status=open&sortField=createdAt&sortOrder=desc
```

## Get case details

`GET /api/cases/{caseId}`

Returns the full case object including comment count, alert count, and connector info.

## Update cases

`PATCH /api/cases`

Body is an array of case updates:

```json
{
  "cases": [
    {
      "id": "<case_id>",
      "version": "<case_version>",
      "status": "closed",
      "severity": "low",
      "tags": ["classification:benign", "confidence:10"]
    }
  ]
}
```

The `version` field is required for optimistic concurrency control. Take it from a prior GET (or from the create/update response) and refresh it after every write: a stale version is rejected as a conflict, which is what stops two agents or analysts from silently overwriting each other's changes.

## Add comments

`POST /api/cases/{caseId}/comments`

User comment (`owner` is required on comments as well as on the case):

```json
{
  "type": "user",
  "comment": "Process tree analysis shows legitimate Lenovo utility loading unsigned DLL...",
  "owner": "securitySolution"
}
```

## Attach alerts

`POST /api/cases/{caseId}/comments`

Alert attachment (one alert):

```json
{
  "type": "alert",
  "alertId": "<alert_doc_id>",
  "index": ".ds-.alerts-security.alerts-default-2025.12.01-000013",
  "rule": { "id": "<rule_id>", "name": "Malicious Behavior Detection Alert" },
  "owner": "securitySolution"
}
```

Multiple alerts can be attached by repeating the call, or in one request by passing arrays of equal length for `alertId` and `index` (all alerts in one request must come from the same rule).

## Get alerts for a case

`GET /api/cases/{caseId}/alerts`

Returns all alerts linked to the case.

## Find cases for an alert

`GET /api/cases/alerts/{alertId}`

Returns all cases that contain the given alert ID. Check this before creating a new case so a re-run of the agent does not open a duplicate for an alert that is already being tracked.

## Required headers

All requests require:

```text
Content-Type: application/json
kbn-xsrf: true
Authorization: ApiKey <base64_api_key>
```

These are handled automatically by `kibana-client.js` in the shared directory. The API key should belong to a role scoped to the Cases privileges the agent needs, not a superuser key.

## Spaces

If using Kibana Spaces, prefix paths with `/s/<space_name>`:

```text
POST /s/security-ops/api/cases
```

The `KibanaClient` accepts a `space` parameter for this.
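The end-to-end flow the sections above describe (look an alert up, open a case only if none holds it, attach the alert, then update with the current `version`), as an added JavaScript example. This is not the skill's own `kibana-client.js` and not Elastic code: the `CasesClient`, `ensureCaseForAlert` and `fakeKibana` names are hypothetical, Node 18+ is assumed, and the in-memory `fakeKibana` stand-in is constructed here so the example runs offline while still enforcing the headers, required fields and version check the API reference calls out.

```javascript
// Added example, not the skill's kibana-client.js: a small Cases client and an
// "ensure this alert is tracked in a case" workflow. Assumes Node 18+ and, for the
// offline run, a constructed in-memory stand-in for the Kibana Cases API (fakeKibana).

function kibanaHeaders(apiKey) {
  // The three headers every Cases request needs.
  return { "Content-Type": "application/json", "kbn-xsrf": "true", Authorization: `ApiKey ${apiKey}` };
}

function casesPath(route, space) {
  // Kibana Spaces are addressed by an /s/<space> prefix in front of /api.
  return `${space ? `/s/${encodeURIComponent(space)}` : ""}/api/cases${route}`;
}

function findQuery({ tags = [], status, severity, sortField = "createdAt", sortOrder = "desc", page = 1, perPage = 20 } = {}) {
  // _find takes `tags` once per value; perPage is capped at the API maximum of 100.
  const q = new URLSearchParams();
  for (const t of tags) q.append("tags", t);
  const scalars = { status, severity, sortField, sortOrder, page, perPage: Math.min(perPage, 100) };
  for (const [k, v] of Object.entries(scalars)) if (v !== undefined) q.set(k, String(v));
  return `?${q}`;
}

class CasesClient {
  constructor({ baseUrl, apiKey, space, fetchImpl = globalThis.fetch }) { Object.assign(this, { baseUrl, apiKey, space, fetchImpl }); }
  async request(method, route, body) {
    const res = await this.fetchImpl(this.baseUrl + casesPath(route, this.space), {
      method, headers: kibanaHeaders(this.apiKey), body: body === undefined ? undefined : JSON.stringify(body),
    });
    if (!res.ok) throw new Error(`${method} ${route || "/"}: HTTP ${res.status}`);
    return res.json();
  }
  casesForAlert(alertId) { return this.request("GET", `/alerts/${encodeURIComponent(alertId)}`); }
  find(opts) { return this.request("GET", `/_find${findQuery(opts)}`); }
  create(fields) {
    // owner, connector and settings are required by the API; default them for Elastic Security cases.
    return this.request("POST", "", {
      owner: "securitySolution", tags: [], connector: { id: "none", name: "none", type: ".none", fields: null },
      settings: { syncAlerts: true }, ...fields,
    });
  }
  attachAlert(caseId, alert) {
    return this.request("POST", `/${caseId}/comments`, { type: "alert", owner: "securitySolution", ...alert });
  }
  update(caseId, version, patch) {
    // `version` must be the one returned by the latest GET/POST; a stale value is rejected.
    return this.request("PATCH", "", { cases: [{ id: caseId, version, ...patch }] });
  }
}

async function ensureCaseForAlert(client, alert, caseFields) {
  // Look the alert up first so a re-run (or a second agent) does not open a duplicate case.
  const existing = await client.casesForAlert(alert.alertId);
  if (existing.length > 0) return { created: false, caseId: existing[0].id };
  const created = await client.create(caseFields);
  await client.attachAlert(created.id, alert);
  return { created: true, caseId: created.id };
}

// Constructed stand-in for the Cases API: checks headers, required fields and the
// optimistic-concurrency version on PATCH. Not real Kibana, only the shapes documented above.
function fakeKibana() {
  const cases = new Map();
  const reply = (status, data) => ({ ok: status < 400, status, json: async () => data });
  const bump = (c) => { c.version = `v${Number(c.version.slice(1)) + 1}`; return c; };
  return async (url, { method, headers, body }) => {
    if (headers["kbn-xsrf"] !== "true" || !headers.Authorization.startsWith("ApiKey ")) return reply(401, {});
    const u = new URL(url);
    const path = u.pathname.replace(/^\/s\/[^/]+/, "");
    const req = body ? JSON.parse(body) : {};
    let m;
    if (method === "GET" && (m = path.match(/^\/api\/cases\/alerts\/(.+)$/))) {
      const id = decodeURIComponent(m[1]);
      return reply(200, [...cases.values()].filter((c) => c.alerts.includes(id)).map((c) => ({ id: c.id, title: c.title })));
    }
    if (method === "GET" && path === "/api/cases/_find") {
      const tags = u.searchParams.getAll("tags"), status = u.searchParams.get("status");
      const hits = [...cases.values()].filter((c) => (!status || c.status === status) && tags.every((t) => c.tags.includes(t)));
      return reply(200, { cases: hits, total: hits.length });
    }
    if (method === "POST" && path === "/api/cases") {
      for (const f of ["title", "description", "owner", "connector", "settings"]) if (!(f in req)) return reply(400, { message: `missing ${f}` });
      const c = { id: `case-${cases.size + 1}`, version: "v1", status: "open", alerts: [], ...req };
      cases.set(c.id, c);
      return reply(200, c);
    }
    if (method === "POST" && (m = path.match(/^\/api\/cases\/([^/]+)\/comments$/))) {
      const c = cases.get(m[1]);
      if (!c) return reply(404, {});
      if (req.type === "alert") c.alerts.push(...[].concat(req.alertId));
      return reply(200, bump(c));
    }
    if (method === "PATCH" && path === "/api/cases") {
      if (req.cases.some(({ id, version }) => cases.get(id)?.version !== version)) return reply(409, { message: "version conflict" });
      return reply(200, req.cases.map(({ id, version, ...patch }) => bump(Object.assign(cases.get(id), patch))));
    }
    return reply(404, {});
  };
}
```

Against a real Kibana, construct the client with `baseUrl` pointing at Kibana, the agent's API key and its Space, and leave `fetchImpl` at the default so Node's built-in `fetch` is used. The two things worth copying into any real client are the duplicate check through `GET /api/cases/alerts/{alertId}` before creating, and refreshing `version` from the last response before every `PATCH`; the stand-in answers a stale version with a conflict so that mistake surfaces in a test rather than in production.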