Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Case Management

Case management allows analysts to track and manage the lifecycle of findings produced by Security Analytics detectors. Each finding can be annotated with case metadata enabling triage workflows directly on the indexed data.

Overview

When a detection rule matches an event, Security Analytics creates a finding. By default, findings contain only detection fields. Case management extends findings with a wazuh.case object that supports:

  • Status tracking - move findings through a workflow (e.g., ACTIVEACKNOWLEDGEDCOMPLETED)
  • Comments - attach free-form notes to findings
  • Tags - organize findings with keyword labels
  • User attribution - record which analyst updated the finding
  • Timestamps - track when the case was created and last updated

Case fields

The following fields are available under wazuh.case in the findings data stream:

FieldTypeDescription
wazuh.case.statuskeywordCurrent status. One of: ACTIVE, ACKNOWLEDGED, COMPLETED, ERROR, DELETED, AUDIT
wazuh.case.commentmatch_only_textFree-form comment attached to the finding
wazuh.case.tagskeyword[]Tags for organization and filtering
wazuh.case.created_atdateTimestamp when the case was first created. Managed by the UI
wazuh.case.updated_atdateTimestamp of the last update. Managed by the UI
wazuh.case.user.namekeywordName of the user who last updated the case. Managed by the UI

Updating findings

Use the Update Findings endpoint to set or modify case fields on one or more existing findings.

Request

PUT /_plugins/_security_analytics/findings/_update

Body

{
  "findings": [
    {
      "_id": "<finding-document-id>",
      "_index": "<finding-index-name>",
      "case": {
        "status": "ACKNOWLEDGED",
        "comment": "Reviewed by SOC analyst",
        "tags": ["critical", "reviewed"],
        "created_at": "2026-06-10T08:00:00.000Z",
        "updated_at": "2026-06-10T09:00:00.000Z",
        "user": {
          "name": "analyst1"
        }
      }
    }
  ]
}

Note: The fields created_at, updated_at, and user.name are automatically managed by the Wazuh Dashboard. They should not be set manually.

FieldRequiredDescription
findingsYesArray of finding updates (max 50 per request)
findings[]._idYesDocument ID of the finding
findings[]._indexYesIndex where the finding is stored
findings[].caseYesObject with the case fields to set or update

All fields inside case are optional, you can update only the fields you need (partial update).

Response

{
  "took": 12,
  "errors": false,
  "items": [
    {
      "_id": "abc123",
      "_index": "wazuh-findings-v5-threat-000001",
      "status": 200,
      "result": "updated"
    }
  ]
}

Error responses

StatusCondition
400Invalid JSON, missing required fields, empty array, or exceeding 50-item limit
207Partial failure, some items succeeded, some failed (e.g., document not found)

Example: triage workflow

Note: Case management is designed to be performed through the Wazuh Dashboard, which handles timestamps and user attribution automatically. The examples below use curl for illustration purposes.

# 1. Acknowledge a finding
curl -X PUT "https://localhost:9200/_plugins/_security_analytics/findings/_update" \
  -H "Content-Type: application/json" \
  -d '{
    "findings": [{
      "_id": "finding-001",
      "_index": "wazuh-findings-v5-threat-000001",
      "case": {
        "status": "ACKNOWLEDGED",
        "comment": "Under investigation"
      }
    }]
  }'

# 2. Close the finding after investigation
curl -X PUT "https://localhost:9200/_plugins/_security_analytics/findings/_update" \
  -H "Content-Type: application/json" \
  -d '{
    "findings": [{
      "_id": "finding-001",
      "_index": "wazuh-findings-v5-threat-000001",
      "case": {
        "status": "COMPLETED",
        "comment": "False positive - benign admin activity"
      }
    }]
  }'

Querying findings by case status

Since wazuh.case.status is a keyword field, you can filter findings by status using standard queries:

# Get all acknowledged findings
curl -XGET "https://127.0.0.1:9200/wazuh-findings-v5-*/_search" -H 'Content-Type: application/json' -d'
{
  "query": {
    "term": {
      "wazuh.case.status": {
        "value": "ACKNOWLEDGED"
      }
    }
  }
}'