[DOCS] Osquery results can be added to case #2512

@nastasha-solomon

Description

In 8.5, users can add Osquery results from an alert to a new or an existing case. From the results table, they would click the Add to case button to do this.

The following example shows the workflow from adding query results from Osquery in Kibana to a case:

Required doc updates

The design of the results table has changed slightly to include an option to add Osquery results to a case. Will need to doc this new functionality and refresh screenshots in the Kibana and Security docs.

Kibana docs

Security docs

Need to make several changes to the Run Osquery from a detection alert topic in.

  • Refresh screenshot in the Review single query results section (single-query-results.png). Should be:

  • Will likely need to add a bullet to the list of exportable case items in the Export a case docs.
  • Add a list item to the Investigate query results section for attaching Osquery results to a case. Note that if a user chooses to add results to a new case, they'll also be prompted to choose the solution they want to create the case in (Security, Observability, and Stack).

Notes

  • Users cannot do the following:
    • Attach Osquery results to a case when creating a new case
    • Add Osquery results to an existing case from the case details page
  • Need to test/check on what form Osquery results are exported and imported in.
