Update cases

PATCH /api/cases

You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're updating.

Headers

kbn-xsrf string Required

Cross-site request forgery protection

application/json; Elastic-Api-Version=2023-10-31

Body

cases array[object] Required

An array containing one or more case objects.

At least 1 but not more than 100 elements.
Hide cases attributes Show cases attributes object
- assignees array[object] | null
  
  An array containing users that are assigned to the case.
  
  Not more than 10 elements.
  Hide assignees attribute Show assignees attribute object
  
  uid string Required
  
  A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.
- category string
  
  A word or phrase that categorizes the case.
  
  Maximum length is 50.
- connector object
  
  One of:
  Cases_connector_properties_none object Cases_connector_properties_cases_webhook object Cases_connector_properties_jira object Cases_connector_properties_resilient object Cases_connector_properties_servicenow object Cases_connector_properties_servicenow_sir object Cases_connector_properties_swimlane object
  
  Defines properties for connectors when type is .none.
  
  Hide attributes Show attributes
  
  fields string | null Required
  
  An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null.
  
  id string Required
  
  The identifier for the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.
  
  name string Required
  
  The name of the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.
  
  type string Required
  
  The type of connector. To create a case without a connector, use .none. To update a case to remove the connector, specify .none.
  
  Value is .none.
  
  Defines properties for connectors when type is .cases-webhook.
  
  Hide attributes Show attributes
  
  fields string | null Required
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required
  
  The type of connector.
  
  Value is .cases-webhook.
  
  Defines properties for connectors when type is .jira.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Additional properties are allowed.
  
  Hide fields attributes Show fields attributes object
  
  issueType string | null Required
  
  The type of issue.
  
  parent string | null Required
  
  The key of the parent issue, when the issue type is sub-task.
  
  priority string | null Required
  
  The priority of the issue.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required
  
  The type of connector.
  
  Value is .jira.
  
  Defines properties for connectors when type is .resilient.
  
  Hide attributes Show attributes
  
  fields object | null Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Additional properties are allowed.
  
  Hide fields attributes Show fields attributes object | null
  
  issueTypes array[string] Required
  
  The type of incident.
  
  severityCode string Required
  
  The severity code of the incident.
  
  id string Required
  
  The identifier for the connector.
  
  name string Required
  
  The name of the connector.
  
  type string Required
  
  The type of connector.
  
  Value is .resilient.
  
  Defines properties for connectors when type is .servicenow.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Additional properties are allowed.
  
  Hide fields attributes Show fields attributes object
  
  category string | null Required
  
  The category of the incident.
  
  impact string | null Required
  
  The effect an incident had on business.
  
  severity string | null Required
  
  The severity of the incident.
  
  subcategory string | null Required
  
  The subcategory of the incident.
  
  urgency string | null Required
  
  The extent to which the incident resolution can be delayed.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required
  
  The type of connector.
  
  Value is .servicenow.
  
  Defines properties for connectors when type is .servicenow-sir.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Additional properties are allowed.
  
  Hide fields attributes Show fields attributes object
  
  category string | null Required
  
  The category of the incident.
  
  destIp boolean | null Required
  
  Indicates whether cases will send a comma-separated list of destination IPs.
  
  malwareHash boolean | null Required
  
  Indicates whether cases will send a comma-separated list of malware hashes.
  
  malwareUrl boolean | null Required
  
  Indicates whether cases will send a comma-separated list of malware URLs.
  
  priority string | null Required
  
  The priority of the issue.
  
  sourceIp boolean | null Required
  
  Indicates whether cases will send a comma-separated list of source IPs.
  
  subcategory string | null Required
  
  The subcategory of the incident.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required
  
  The type of connector.
  
  Value is .servicenow-sir.
  
  Defines properties for connectors when type is .swimlane.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Additional properties are allowed.
  
  Hide fields attribute Show fields attribute object
  
  caseId string | null Required
  
  The case identifier for Swimlane connectors.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required
  
  The type of connector.
  
  Value is .swimlane.
- customFields array[object]
  
  Custom field values for a case. Any optional custom fields that are not specified in the request are set to null.
  
  At least 0 but not more than 10 elements.
  Hide customFields attributes Show customFields attributes object
  
  key string Required
  
  The unique identifier for the custom field. The key value must exist in the case configuration settings.
  
  type string Required
  
  The custom field type. It must match the type specified in the case configuration settings.
  
  Values are text or toggle.
  
  value string | null | boolean Required
  
  The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is undefined. The value returned in the API and user interface in this case is null.
  
  One of:
  string-1 string | null boolean-2 boolean
  
  Minimum length is 1, maximum length is 160.
- description string
  
  The description for the case.
  
  Maximum length is 30000.
- id string Required
  
  The identifier for the case.
  
  Maximum length is 30000.
- settings object
  
  An object that contains the case settings.
  
  Additional properties are allowed.
  Hide settings attribute Show settings attribute object
  
  syncAlerts boolean Required
  
  Turns alert syncing on or off.
- severity string
  
  The severity of the case.
  
  Values are critical, high, low, or medium. Default value is low.
- status string
  
  The status of the case.
  
  Values are closed, in-progress, or open.
- tags array[string]
  
  The words and phrases that help categorize cases. It can be an empty array.
  
  Not more than 200 elements. Maximum length of each is 256.
- title string
  
  A title for the case.
  
  Maximum length is 160.
- version string Required
  
  The current version of the case. To determine this value, use the get case or find cases APIs.

Responses

200 application/json; Elastic-Api-Version=2023-10-31

Indicates a successful call.
Hide response attributes Show response attributes object
- assignees array[object] | null
  
  An array containing users that are assigned to the case.
  
  Not more than 10 elements.
  
  Hide assignees attribute Show assignees attribute object
  
  uid string Required
  
  A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.
- category string | null
  
  The case category.
- closed_at string(date-time) | null Required
- closed_by object | null Required
  
  Additional properties are allowed.
  
  Hide closed_by attributes Show closed_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
- comments array[object] Required
  
  An array of comment objects for the case.
  
  Not more than 10000 elements.
  
  One of:
  Cases_alert_comment_response_properties object Cases_user_comment_response_properties object
  
  Hide attributes Show attributes
  
  alertId array[string]
  
  created_at string(date-time)
  
  created_by object
  
  Additional properties are allowed.
  
  Hide created_by attributes Show created_by attributes object
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  id string
  
  index array[string]
  
  owner string
  
  The application that owns the cases: Stack Management, Observability, or Elastic Security.
  
  Values are cases, observability, or securitySolution.
  
  pushed_at string(date-time) | null
  
  pushed_by object | null
  
  Additional properties are allowed.
  
  Hide pushed_by attributes Show pushed_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  rule object
  
  Additional properties are allowed.
  
  Hide rule attributes Show rule attributes object
  
  id string
  
  The rule identifier.
  
  name string
  
  The rule name.
  
  type string Required Discriminator
  
  Value is alert.
  
  updated_at string(date-time) | null
  
  updated_by object | null
  
  Additional properties are allowed.
  
  Hide updated_by attributes Show updated_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  version string
  
  Hide attributes Show attributes
  
  comment string
  
  created_at string(date-time)
  
  created_by object
  
  Additional properties are allowed.
  
  Hide created_by attributes Show created_by attributes object
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  id string
  
  owner string
  
  The application that owns the cases: Stack Management, Observability, or Elastic Security.
  
  Values are cases, observability, or securitySolution.
  
  pushed_at string(date-time) | null
  
  pushed_by object | null
  
  Additional properties are allowed.
  
  Hide pushed_by attributes Show pushed_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  type string Required Discriminator
  
  Value is user.
  
  updated_at string(date-time) | null
  
  updated_by object | null
  
  Additional properties are allowed.
  
  Hide updated_by attributes Show updated_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  version string
- connector object Required
  
  One of:
  Cases_connector_properties_none object Cases_connector_properties_cases_webhook object Cases_connector_properties_jira object Cases_connector_properties_resilient object Cases_connector_properties_servicenow object Cases_connector_properties_servicenow_sir object Cases_connector_properties_swimlane object
  
  Defines properties for connectors when type is .none.
  
  Hide attributes Show attributes
  
  fields string | null Required
  
  An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null.
  
  id string Required
  
  The identifier for the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.
  
  name string Required
  
  The name of the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.
  
  type string Required Discriminator
  
  The type of connector. To create a case without a connector, use .none. To update a case to remove the connector, specify .none.
  
  Value is .none.
  
  Defines properties for connectors when type is .cases-webhook.
  
  Hide attributes Show attributes
  
  fields string | null Required
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .cases-webhook.
  
  Defines properties for connectors when type is .jira.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Additional properties are allowed.
  
  Hide fields attributes Show fields attributes object
  
  issueType string | null Required
  
  The type of issue.
  
  parent string | null Required
  
  The key of the parent issue, when the issue type is sub-task.
  
  priority string | null Required
  
  The priority of the issue.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .jira.
  
  Defines properties for connectors when type is .resilient.
  
  Hide attributes Show attributes
  
  fields object | null Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Additional properties are allowed.
  
  Hide fields attributes Show fields attributes object | null
  
  issueTypes array[string] Required
  
  The type of incident.
  
  severityCode string Required
  
  The severity code of the incident.
  
  id string Required
  
  The identifier for the connector.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .resilient.
  
  Defines properties for connectors when type is .servicenow.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Additional properties are allowed.
  
  Hide fields attributes Show fields attributes object
  
  category string | null Required
  
  The category of the incident.
  
  impact string | null Required
  
  The effect an incident had on business.
  
  severity string | null Required
  
  The severity of the incident.
  
  subcategory string | null Required
  
  The subcategory of the incident.
  
  urgency string | null Required
  
  The extent to which the incident resolution can be delayed.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .servicenow.
  
  Defines properties for connectors when type is .servicenow-sir.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Additional properties are allowed.
  
  Hide fields attributes Show fields attributes object
  
  category string | null Required
  
  The category of the incident.
  
  destIp boolean | null Required
  
  Indicates whether cases will send a comma-separated list of destination IPs.
  
  malwareHash boolean | null Required
  
  Indicates whether cases will send a comma-separated list of malware hashes.
  
  malwareUrl boolean | null Required
  
  Indicates whether cases will send a comma-separated list of malware URLs.
  
  priority string | null Required
  
  The priority of the issue.
  
  sourceIp boolean | null Required
  
  Indicates whether cases will send a comma-separated list of source IPs.
  
  subcategory string | null Required
  
  The subcategory of the incident.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .servicenow-sir.
  
  Defines properties for connectors when type is .swimlane.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Additional properties are allowed.
  
  Hide fields attribute Show fields attribute object
  
  caseId string | null Required
  
  The case identifier for Swimlane connectors.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .swimlane.
- created_at string(date-time) Required
- created_by object Required
  
  Additional properties are allowed.
  
  Hide created_by attributes Show created_by attributes object
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
- customFields array[object]
  
  Custom field values for the case.
  
  Hide customFields attributes Show customFields attributes object
  
  key string
  
  The unique identifier for the custom field. The key value must exist in the case configuration settings.
  
  type string
  
  The custom field type. It must match the type specified in the case configuration settings.
  
  Values are text or toggle.
  
  value string | null | boolean
  
  The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is undefined. The value returned in the API and user interface in this case is null.
  
  One of:
  string-1 string | null boolean-2 boolean
  
  Minimum length is 1, maximum length is 160.
- description string Required
- duration integer | null Required
  
  The elapsed time from the creation of the case to its closure (in seconds). If the case has not been closed, the duration is set to null. If the case was closed after less than half a second, the duration is rounded down to zero.
- external_service object | null Required
  
  Additional properties are allowed.
  
  Hide external_service attributes Show external_service attributes object | null
  
  connector_id string
  
  connector_name string
  
  external_id string
  
  external_title string
  
  external_url string
  
  pushed_at string(date-time)
  
  pushed_by object | null
  
  Additional properties are allowed.
  
  Hide pushed_by attributes Show pushed_by attributes object | null
  
  email string | null
  
  full_name string | null
  
  profile_uid string
  
  username string | null
- id string Required
- owner string Required
  
  The application that owns the cases: Stack Management, Observability, or Elastic Security.
  
  Values are cases, observability, or securitySolution.
- settings object Required
  
  An object that contains the case settings.
  
  Additional properties are allowed.
  
  Hide settings attribute Show settings attribute object
  
  syncAlerts boolean Required
  
  Turns alert syncing on or off.
- severity string Required
  
  The severity of the case.
  
  Values are critical, high, low, or medium. Default value is low.
- status string Required
  
  The status of the case.
  
  Values are closed, in-progress, or open.
- tags array[string] Required
- title string Required
- totalAlerts integer Required
- totalComment integer Required
- updated_at string(date-time) | null Required
- updated_by object | null Required
  
  Additional properties are allowed.
  
  Hide updated_by attributes Show updated_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
- version string Required
401 application/json; Elastic-Api-Version=2023-10-31

Authorization information is missing or invalid.
Hide response attributes Show response attributes object
- error string
- message string
- statusCode integer

PATCH /api/cases

curl \
 -X PATCH https://localhost:5601/api/cases \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: string"

Request example

{
  "cases": [
    {
      "id": "a18b38a0-71b0-11ea-a0b2-c51ea50a58e2",
      "tags": [
        "tag-1"
      ],
      "version": "WzIzLDFd",
      "settings": {
        "syncAlerts": true
      },
      "connector": {
        "id": "131d4448-abe0-4789-939d-8ef60680b498",
        "name": "My connector",
        "type": ".jira",
        "fields": {
          "parent": null,
          "priority": null,
          "issueType": "10006"
        }
      },
      "description": "A case description.",
      "customFields": [
        {
          "key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
          "type": "toggle",
          "value": false
        },
        {
          "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
          "type": "text",
          "value": "My new field value"
        }
      ]
    }
  ]
}

Response examples (200)

[
  {
    "id": "66b9aa00-94fa-11ea-9f74-e7e108796192",
    "tags": [
      "tag-1"
    ],
    "owner": "cases",
    "title": "Case title 1",
    "status": "open",
    "version": "WzU0OCwxXQ==",
    "category": null,
    "comments": [],
    "duration": null,
    "settings": {
      "syncAlerts": true
    },
    "severity": "low",
    "assignees": [],
    "closed_at": null,
    "closed_by": null,
    "connector": {
      "id": "131d4448-abe0-4789-939d-8ef60680b498",
      "name": "My connector",
      "type": ".jira",
      "fields": {
        "parent": null,
        "priority": null,
        "issueType": "10006"
      }
    },
    "created_at": "2023-10-13T09:16:17.416Z",
    "created_by": {
      "email": null,
      "username": "elastic",
      "full_name": null,
      "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
    },
    "updated_at": "2023-10-13T09:48:33.043Z",
    "updated_by": {
      "email": null,
      "username": "elastic",
      "full_name": null,
      "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
    },
    "description": "A case description.",
    "totalAlerts": 0,
    "customFields": [
      {
        "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
        "type": "text",
        "value": "My new field value"
      },
      {
        "key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
        "type": "toggle",
        "value": false
      }
    ],
    "totalComment": 0,
    "external_service": {
      "pushed_at": "2023-10-13T09:20:40.672Z",
      "pushed_by": {
        "email": null,
        "username": "elastic",
        "full_name": null
      },
      "external_id": "10003",
      "connector_id": "05da469f-1fde-4058-99a3-91e4807e2de8",
      "external_url": "https://hms.atlassian.net/browse/IS-4",
      "connector_name": "Jira",
      "external_title": "IS-4"
    }
  }
]

Response examples (401)

{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Update cases

Headers

Body

connector object

value string | null | boolean Required

Responses

connector object Required

value string | null | boolean