Authentication

The API accepts 2 different authentication methods:

Api key auth (http_api_key)

These APIs use key-based authentication. You must create an API key and use the encoded value in the request header. For example: Authorization: ApiKey base64AccessApiKey

Basic auth (http)

Basic auth tokens are constructed with the Basic keyword, followed by a space, followed by a base64-encoded string of your username:password (separated by a : colon).

Example: send a Authorization: Basic aGVsbG86aGVsbG8= HTTP header with your requests to authenticate with the API.

Get the alerting framework health

GET /api/alerting/_health
Api key auth Basic auth

You must have read privileges for the Management > Stack Rules feature or for at least one of the Analytics > Discover, Analytics > Machine Learning, Observability, or Security features.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • alerting_framework_health object

      Three substates identify the health of the alerting framework: decryption_health, execution_health, and read_health.

      Hide alerting_framework_health attributes Show alerting_framework_health attributes object
      • decryption_health object

        The timestamp and status of the rule decryption.

        Hide decryption_health attributes Show decryption_health attributes object
      • execution_health object

        The timestamp and status of the rule run.

        Hide execution_health attributes Show execution_health attributes object
      • read_health object

        The timestamp and status of the rule reading events.

        Hide read_health attributes Show read_health attributes object
    • has_permanent_encryption_key boolean

      If false, the encrypted saved object plugin does not have a permanent encryption key.

    • is_sufficiently_secure boolean

      If false, security is enabled but TLS is not.
  • 401 application/json

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
GET /api/alerting/_health 
curl \
 --request GET 'http://localhost:5622/api/alerting/_health' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "is_sufficiently_secure": true,
  "alerting_framework_health": {
    "read_health": {
      "status": "ok",
      "timestamp": "2023-01-13T01:28:00.280Z"
    },
    "execution_health": {
      "status": "ok",
      "timestamp": "2023-01-13T01:28:00.280Z"
    },
    "decryption_health": {
      "status": "ok",
      "timestamp": "2023-01-13T01:28:00.280Z"
    }
  },
  "has_permanent_encryption_key": true
}
Response examples (401) 
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Disable a rule

POST /api/alerting/rule/{id}/_disable
Api key auth Basic auth

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    The identifier for the rule.

application/json

Body

  • untrack boolean

    Defines whether this rule's alerts should be untracked.

Responses

  • 204

    Indicates a successful call.

  • 400

    Indicates an invalid schema.

  • 403

    Indicates that this call is forbidden.

  • 404

    Indicates a rule with the given ID does not exist.

POST /api/alerting/rule/{id}/_disable 
curl \
 --request POST 'http://localhost:5622/api/alerting/rule/{id}/_disable' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"untrack":true}'
Request examples 
# Headers
kbn-xsrf: true

# Payload
{
  "untrack": true
}

Mute all alerts

POST /api/alerting/rule/{id}/_mute_all
Api key auth Basic auth

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    The identifier for the rule.

Responses

  • 204

    Indicates a successful call.

  • 400

    Indicates an invalid schema or parameters.

  • 403

    Indicates that this call is forbidden.

  • 404

    Indicates a rule with the given ID does not exist.

POST /api/alerting/rule/{id}/_mute_all 
curl \
 --request POST 'http://localhost:5622/api/alerting/rule/{id}/_mute_all' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"

Mute an alert

POST /api/alerting/rule/{rule_id}/alert/{alert_id}/_mute
Api key auth Basic auth

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • rule_id string Required

    The identifier for the rule.

  • alert_id string Required

    The identifier for the alert.

Responses

  • 204

    Indicates a successful call.

  • 400

    Indicates an invalid schema or parameters.

  • 403

    Indicates that this call is forbidden.

  • 404

    Indicates a rule or alert with the given ID does not exist.

POST /api/alerting/rule/{rule_id}/alert/{alert_id}/_mute 
curl \
 --request POST 'http://localhost:5622/api/alerting/rule/{rule_id}/alert/{alert_id}/_mute' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"

Unmute an alert

POST /api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute
Api key auth Basic auth

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • rule_id string Required

    The identifier for the rule.

  • alert_id string Required

    The identifier for the alert.

Responses

  • 204

    Indicates a successful call.

  • 400

    Indicates an invalid schema or parameters.

  • 403

    Indicates that this call is forbidden.

  • 404

    Indicates a rule or alert with the given ID does not exist.

POST /api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute 
curl \
 --request POST 'http://localhost:5622/api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"

Create or update agent configuration

PUT /api/apm/settings/agent-configuration
Api key auth Basic auth

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Query parameters

  • overwrite boolean

    If the config exists ?overwrite=true is required

application/json

Body Required

  • agent_name string

    Agent name

  • service object Required

    Service

    Hide service attributes Show service attributes object
  • settings object Required

    Agent configuration settings

    Hide settings attribute Show settings attribute object
    • * string Additional properties

Responses

  • 200 application/json

    Successful response

    Additional properties are NOT allowed.
  • 400 application/json

    Bad Request response

    Hide response attributes Show response attributes object
  • 401 application/json

    Unauthorized response

    Hide response attributes Show response attributes object
  • 403 application/json

    Forbidden response

    Hide response attributes Show response attributes object
  • 404 application/json

    Not found response

    Hide response attributes Show response attributes object
PUT /api/apm/settings/agent-configuration 
curl \
 --request PUT 'http://localhost:5622/api/apm/settings/agent-configuration' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "elastic-api-version: 2023-10-31" \
 --header "kbn-xsrf: true" \
 --data '{"agent_name":"string","service":{"environment":"prod","name":"node"},"settings":{"additionalProperty1":"string","additionalProperty2":"string"}}'
Request examples 
# Headers
elastic-api-version: 2023-10-31
kbn-xsrf: true

# Payload
{
  "agent_name": "string",
  "service": {
    "environment": "prod",
    "name": "node"
  },
  "settings": {
    "additionalProperty1": "string",
    "additionalProperty2": "string"
  }
}
Response examples (200) 
{}
Response examples (400) 
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401) 
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (403) 
{
  "error": "Forbidden",
  "message": "string",
  "statusCode": 403
}
Response examples (404) 
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 404
}

Create an APM agent key

POST /api/apm/agent_keys
Api key auth Basic auth

Create a new agent key for APM.

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body Required

  • name string Required

    Agent name

  • privileges array[string] Required

    Privileges configuration

    Values are event:write or config_agent:read.

Responses

  • 200 application/json

    Agent key created successfully

    Hide response attribute Show response attribute object
  • 400 application/json

    Bad Request response

    Hide response attributes Show response attributes object
  • 401 application/json

    Unauthorized response

    Hide response attributes Show response attributes object
  • 403 application/json

    Forbidden response

    Hide response attributes Show response attributes object
  • 500 application/json

    Internal Server Error response

    Hide response attributes Show response attributes object
POST /api/apm/agent_keys 
curl \
 --request POST 'http://localhost:5622/api/apm/agent_keys' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "elastic-api-version: 2023-10-31" \
 --header "kbn-xsrf: true" \
 --data '{"name":"string","privileges":["event:write"]}'
Request examples 
# Headers
elastic-api-version: 2023-10-31
kbn-xsrf: true

# Payload
{
  "name": "string",
  "privileges": [
    "event:write"
  ]
}
Response examples (200) 
{
  "agentKey": {
    "api_key": "string",
    "encoded": "string",
    "expiration": 42,
    "id": "string",
    "name": "string"
  }
}
Response examples (400) 
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401) 
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (403) 
{
  "error": "Forbidden",
  "message": "string",
  "statusCode": 403
}
Response examples (500) 
{
  "error": "Internal Server Error",
  "message": "string",
  "statusCode": 500
}

APM sourcemaps

Configure APM source maps. A source map allows minified files to be mapped back to original source code--allowing you to maintain the speed advantage of minified code, without losing the ability to quickly and easily debug your application. For best results, uploading source maps should become a part of your deployment procedure, and not something you only do when you see unhelpful errors. That's because uploading source maps after errors happen won't make old errors magically readable--errors must occur again for source mapping to occur.

Get source maps

GET /api/apm/sourcemaps
Api key auth Basic auth

Get an array of Fleet artifacts, including source map uploads. You must have read or all Kibana privileges for the APM and User Experience feature.

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

Query parameters

Responses

GET /api/apm/sourcemaps 
curl -X GET "http://localhost:5601/api/apm/sourcemaps" \
-H 'Content-Type: application/json' \
-H 'kbn-xsrf: true' \
-H 'Authorization: ApiKey ${YOUR_API_KEY}'
Response examples (200)
A successful response from `GET /api/apm/sourcemaps`. 
{
  "artifacts": [
    {
      "type": "sourcemap",
      "identifier": "foo-1.0.0",
      "relative_url": "/api/fleet/artifacts/foo-1.0.0/644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456",
      "body": {
        "serviceName": "foo",
        "serviceVersion": "1.0.0",
        "bundleFilepath": "/test/e2e/general-usecase/bundle.js",
        "sourceMap": {
          "version": 3,
          "file": "static/js/main.chunk.js",
          "sources": [
            "fleet-source-map-client/src/index.css",
            "fleet-source-map-client/src/App.js",
            "webpack:///./src/index.css?bb0a",
            "fleet-source-map-client/src/index.js",
            "fleet-source-map-client/src/reportWebVitals.js"
          ],
          "sourcesContent": [
            "content"
          ],
          "mappings": "mapping",
          "sourceRoot": ""
        }
      },
      "created": "2021-07-09T20:47:44.812Z",
      "id": "apm:foo-1.0.0-644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456",
      "compressionAlgorithm": "zlib",
      "decodedSha256": "644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456",
      "decodedSize": 441,
      "encodedSha256": "024c72749c3e3dd411b103f7040ae62633558608f480bce4b108cf5b2275bd24",
      "encodedSize": 237,
      "encryptionAlgorithm": "none",
      "packageName": "apm"
    }
  ]
}
Response examples (400) 
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401) 
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (500) 
{
  "error": "Internal Server Error",
  "message": "string",
  "statusCode": 500
}
Response examples (501) 
{
  "error": "Not Implemented",
  "message": "Not Implemented",
  "statusCode": 501
}

Upload a source map

POST /api/apm/sourcemaps
Api key auth Basic auth

Upload a source map for a specific service and version. You must have all Kibana privileges for the APM and User Experience feature. The maximum payload size is 1mb. If you attempt to upload a source map that exceeds the maximum payload size, you will get a 413 error. Before uploading source maps that exceed this default, change the maximum payload size allowed by Kibana with the server.maxPayload variable.

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

multipart/form-data

Body Required

Responses

POST /api/apm/sourcemaps 
curl -X POST "http://localhost:5601/api/apm/sourcemaps" \
-H 'Content-Type: multipart/form-data' \
-H 'kbn-xsrf: true' \
-H 'Authorization: ApiKey ${YOUR_API_KEY}' \
-F 'service_name="foo"' \
-F 'service_version="1.0.0"' \
-F 'bundle_filepath="/test/e2e/general-usecase/bundle.js"' \
-F 'sourcemap="{\"version\":3,\"file\":\"static/js/main.chunk.js\",\"sources\":[\"fleet-source-map-client/src/index.css\",\"fleet-source-map-client/src/App.js\",\"webpack:///./src/index.css?bb0a\",\"fleet-source-map-client/src/index.js\",\"fleet-source-map-client/src/reportWebVitals.js\"],\"sourcesContent\":[\"content\"],\"mappings\":\"mapping\",\"sourceRoot\":\"\"}"'
Response examples (200)
A successful response from `POST /api/apm/sourcemaps`. 
{
  "id": "apm:foo-1.0.0-644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456",
  "body": "eJyFkL1OwzAUhd/Fc+MbYMuCEBIbHRjKgBgc96R16tiWr1OQqr47NwqJxEK3q/PzWccXxchnZ7E1A1SjuhjVZtF2yOxiEPlO17oWox3D3uPFeSRTjmJQARfCPeiAgGx8NTKsYdAc1T3rwaSJGcds8Sp3c1HnhfywUZ3QhMTFFGepZxqMC9oex3CS9tpk1XyozgOlmoVKuJX1DqEQZ0su7PGtLU+V/3JPKc3cL7TJ2FNDRPov4bFta3MDM4f7W69lpJjLO9qdK8bzVPhcJz3HUCQ4LbO/p5hCSC4cZPByrp/wFqOklbpefwAhzpqI",
  "type": "sourcemap",
  "created": "2021-07-09T20:47:44.812Z",
  "identifier": "foo-1.0.0",
  "decodedSize": 441,
  "encodedSize": 237,
  "packageName": "apm",
  "relative_url": "/api/fleet/artifacts/foo-1.0.0/644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456",
  "decodedSha256": "644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456",
  "encodedSha256": "024c72749c3e3dd411b103f7040ae62633558608f480bce4b108cf5b2275bd24",
  "encryptionAlgorithm": "none",
  "compressionAlgorithm": "zlib"
}
Response examples (400) 
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401) 
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (403) 
{
  "error": "Forbidden",
  "message": "string",
  "statusCode": 403
}
Response examples (500) 
{
  "error": "Internal Server Error",
  "message": "string",
  "statusCode": 500
}
Response examples (501) 
{
  "error": "Not Implemented",
  "message": "Not Implemented",
  "statusCode": 501
}

Create a case

POST /api/cases
Api key auth Basic auth

You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're creating.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

application/json

Body Required

  • assignees array[object] | null

    An array containing users that are assigned to the case.

    Not more than 10 elements.

    Hide assignees attribute Show assignees attribute object
    • uid string Required

      A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.

  • category string

    A word or phrase that categorizes the case.

    Maximum length is 50.

  • connector object Required

    One of:
    Cases_connector_properties_none object Cases_connector_properties_cases_webhook object Cases_connector_properties_jira object Cases_connector_properties_resilient object Cases_connector_properties_servicenow object Cases_connector_properties_servicenow_sir object Cases_connector_properties_swimlane object

    Defines properties for connectors when type is .none.

    Hide attributes Show attributes
    • fields string | null Required

      An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null.

    • id string Required

      The identifier for the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

    • name string Required

      The name of the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

    • type string Required

      The type of connector. To create a case without a connector, use .none. To update a case to remove the connector, specify .none.

      Value is .none.

  • customFields array[object]

    Custom field values for a case. Any optional custom fields that are not specified in the request are set to null.

    At least 0 but not more than 10 elements.

    Hide customFields attributes Show customFields attributes object
    • key string Required

      The unique identifier for the custom field. The key value must exist in the case configuration settings.

    • type string Required

      The custom field type. It must match the type specified in the case configuration settings.

      Values are text or toggle.

    • value string | null | boolean Required

      The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is undefined. The value returned in the API and user interface in this case is null.

      One of:
      string-1 string | null boolean-2 boolean

      Minimum length is 1, maximum length is 160.

  • description string Required

    The description for the case.

    Maximum length is 30000.

  • owner string Required

    The application that owns the cases: Stack Management, Observability, or Elastic Security.

    Values are cases, observability, or securitySolution.

  • settings object Required

    An object that contains the case settings.

    Hide settings attribute Show settings attribute object
    • syncAlerts boolean Required

      Turns alert syncing on or off.

  • severity string

    The severity of the case.

    Values are critical, high, low, or medium. Default value is low.

  • tags array[string] Required

    The words and phrases that help categorize cases. It can be an empty array.

    Not more than 200 elements. Maximum length of each is 256.

  • title string Required

    A title for the case.

    Maximum length is 160.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • assignees array[object] | null

      An array containing users that are assigned to the case.

      Not more than 10 elements.

      Hide assignees attribute Show assignees attribute object
      • uid string Required

        A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.

    • category string | null

      The case category.

    • closed_at string(date-time) | null Required
    • closed_by object | null Required
      Hide closed_by attributes Show closed_by attributes object | null
    • comments array[object] Required

      An array of comment objects for the case.

      Not more than 10000 elements.

      One of:
      Cases_alert_comment_response_properties object Cases_user_comment_response_properties object
      Hide attributes Show attributes

    • connector object Required

      One of:
      Cases_connector_properties_none object Cases_connector_properties_cases_webhook object Cases_connector_properties_jira object Cases_connector_properties_resilient object Cases_connector_properties_servicenow object Cases_connector_properties_servicenow_sir object Cases_connector_properties_swimlane object

      Defines properties for connectors when type is .none.

      Hide attributes Show attributes
      • fields string | null Required

        An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null.

      • id string Required

        The identifier for the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

      • name string Required

        The name of the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

      • type string Required Discriminator

        The type of connector. To create a case without a connector, use .none. To update a case to remove the connector, specify .none.

        Value is .none.

    • created_at string(date-time) Required
    • created_by object Required
      Hide created_by attributes Show created_by attributes object
    • customFields array[object]

      Custom field values for the case.

      Hide customFields attributes Show customFields attributes object
      • key string

        The unique identifier for the custom field. The key value must exist in the case configuration settings.

      • type string

        The custom field type. It must match the type specified in the case configuration settings.

        Values are text or toggle.

      • value string | null | boolean

        The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is undefined. The value returned in the API and user interface in this case is null.

        One of:
        string-1 string | null boolean-2 boolean

        Minimum length is 1, maximum length is 160.

    • description string Required
    • duration integer | null Required

      The elapsed time from the creation of the case to its closure (in seconds). If the case has not been closed, the duration is set to null. If the case was closed after less than half a second, the duration is rounded down to zero.

    • external_service object | null Required
      Hide external_service attributes Show external_service attributes object | null
    • id string Required
    • owner string Required

      The application that owns the cases: Stack Management, Observability, or Elastic Security.

      Values are cases, observability, or securitySolution.

    • settings object Required

      An object that contains the case settings.

      Hide settings attribute Show settings attribute object
      • syncAlerts boolean Required

        Turns alert syncing on or off.

    • severity string Required

      The severity of the case.

      Values are critical, high, low, or medium. Default value is low.

    • status string Required

      The status of the case.

      Values are closed, in-progress, or open.

    • tags array[string] Required
    • title string Required
    • totalAlerts integer Required
    • totalComment integer Required
    • updated_at string(date-time) | null Required
    • updated_by object | null Required
      Hide updated_by attributes Show updated_by attributes object | null
    • version string Required
  • 401 application/json

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
POST /api/cases 
curl \
 --request POST 'http://localhost:5622/api/cases' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '{"tags":["tag-1"],"owner":"cases","title":"Case title 1","settings":{"syncAlerts":true},"connector":{"id":"131d4448-abe0-4789-939d-8ef60680b498","name":"My connector","type":".jira","fields":{"parent":null,"priority":"High","issueType":"10006"}},"description":"A case description.","customFields":[{"key":"d312efda-ec2b-42ec-9e2c-84981795c581","type":"text","value":"My field value"}]}'
Request example 
{
  "tags": [
    "tag-1"
  ],
  "owner": "cases",
  "title": "Case title 1",
  "settings": {
    "syncAlerts": true
  },
  "connector": {
    "id": "131d4448-abe0-4789-939d-8ef60680b498",
    "name": "My connector",
    "type": ".jira",
    "fields": {
      "parent": null,
      "priority": "High",
      "issueType": "10006"
    }
  },
  "description": "A case description.",
  "customFields": [
    {
      "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
      "type": "text",
      "value": "My field value"
    }
  ]
}
Response examples (200) 
{
  "id": "66b9aa00-94fa-11ea-9f74-e7e108796192",
  "tags": [
    "tag 1"
  ],
  "owner": "cases",
  "title": "Case title 1",
  "status": "open",
  "version": "WzUzMiwxXQ==",
  "comments": [],
  "duration": null,
  "settings": {
    "syncAlerts": true
  },
  "severity": "low",
  "assignees": [],
  "closed_at": null,
  "closed_by": null,
  "connector": {
    "id": "131d4448-abe0-4789-939d-8ef60680b498",
    "name": "My connector",
    "type": ".jira",
    "fields": {
      "parent": null,
      "priority": "High",
      "issueType": "10006"
    }
  },
  "created_at": "2022-10-13T15:33:50.604Z",
  "created_by": {
    "email": null,
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  "updated_at": null,
  "updated_by": null,
  "description": "A case description.",
  "totalAlerts": 0,
  "customFields": [
    {
      "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
      "type": "text",
      "value": "My field value"
    },
    {
      "key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
      "type": "toggle",
      "value": null
    }
  ],
  "totalComment": 0,
  "external_service": null
}
Response examples (401) 
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}