Skip to content

[Cases] Auto extract observables not working for events when triggering from bulk actions #242319

New issue
New issue
Closed
Bug
Closed
[Cases] Auto extract observables not working for events when triggering from bulk actions#242319
Bug
Assignees
christineweng
Labels
Team: SecuritySolutionSecurity Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.Team:CasesSecurity Solution Cases teambugFixes for quality problems that affect the customer experiencefixedimpact:mediumAddressing this issue will have a medium level of impact on the quality/strength of our product.
@christineweng

Description

@christineweng
christineweng
opened on Nov 7, 2025

Describe the bug:
When attaching multiple events to a new case, enabling 'Auto extract observables' does not add observables properly

Kibana/Elasticsearch Stack version:
9.2

Functional Area (e.g. Endpoint management, timelines, resolver, etc.):
Cases

Steps to reproduce:

  1. Generate some events
  2. Go to Explore->Host page, select multiple events and add to a new case
  3. Populate the form and enable auto extract observables
  4. Go the the created case, notice the observables were not added

Current behavior:
Observables are not extracted in bulk adding events

Expected behavior:
Observables should be extracted in bulk adding events

Screenshots (if relevant):

event-observable-test.mp4

Metadata

Metadata

Assignees

Labels

Team: SecuritySolutionSecurity Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.Team:CasesSecurity Solution Cases teambugFixes for quality problems that affect the customer experiencefixedimpact:mediumAddressing this issue will have a medium level of impact on the quality/strength of our product.

Type

Bug

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions