- Kibana Guide: other versions:
- What is Kibana?
- What’s new in 8.2
- Kibana concepts
- Quick start
- Set up
- Install Kibana
- Configure Kibana
- Alerting and action settings
- APM settings
- Banners settings
- Enterprise Search settings
- Fleet settings
- i18n settings
- Logging settings
- Logs settings
- Metrics settings
- Monitoring settings
- Reporting settings
- Search sessions settings
- Secure settings
- Security settings
- Spaces settings
- Task Manager settings
- Telemetry settings
- URL drilldown settings
- Start and stop Kibana
- Access Kibana
- Securing access to Kibana
- Add data
- Upgrade Kibana
- Configure security
- Configure reporting
- Configure logging
- Configure monitoring
- Command line tools
- Production considerations
- Discover
- Dashboard and visualizations
- Canvas
- Maps
- Build a map to compare metrics by country or region
- Track, visualize, and alert on assets in real time
- Map custom regions with reverse geocoding
- Heat map layer
- Tile layer
- Vector layer
- Plot big data
- Search geographic data
- Configure map settings
- Connect to Elastic Maps Service
- Import geospatial data
- Troubleshoot
- Reporting and sharing
- Machine learning
- Graph
- Alerting
- Observability
- APM
- Security
- Dev Tools
- Fleet
- Osquery
- Stack Monitoring
- Stack Management
- REST API
- Get features API
- Kibana spaces APIs
- Kibana role management APIs
- User session management APIs
- Saved objects APIs
- Data views API
- Index patterns APIs
- Alerting APIs
- Action and connector APIs
- Cases APIs
- Import and export dashboard APIs
- Logstash configuration management APIs
- Machine learning APIs
- Short URLs APIs
- Get Task Manager health
- Upgrade assistant APIs
- Kibana plugins
- Troubleshooting
- Accessibility
- Release notes
- Developer guide
Find cases API
editFind cases API
editRetrieves a paginated subset of cases.
Request
editGET <kibana host>:<port>/api/cases/_find
GET <kibana host>:<port>/s/<space_id>/api/cases/_find
Prerequisites
editYou must have read
privileges for the Cases feature in the Management,
Observability, or Security section of the
Kibana feature privileges, depending on the
owner
of the cases you’re seeking.
Path parameters
edit-
<space_id>
- (Optional, string) An identifier for the space. If it is not specified, the default space is used.
Query parameters
edit-
defaultSearchOperator
-
(Optional, string) The default operator to use for the
simple_query_string
. Defaults toOR
. -
fields
- (Optional, array of strings) The fields in the entity to return in the response.
-
owner
-
(Optional, string or array of strings) A filter to limit the retrieved cases to
a specific set of applications. Valid values are:
cases
,observability
, andsecuritySolution
. If this parameter is omitted, the response contains all cases that the user has access to read. -
page
-
(Optional, integer) The page number to return. Defaults to
1
. -
perPage
-
(Optional, integer) The number of rules to return per page. Defaults to
20
. -
reporters
-
(Optional, string or array of strings) Filters the returned cases by the
reporter’s
username
. -
search
- (Optional, string) An Elasticsearch simple_query_string query that filters the objects in the response.
-
searchFields
-
(Optional, string or array of strings) The fields to perform the
simple_query_string
parsed query against. -
sortField
-
(Optional, string) Determines which field is used to sort the results,
createdAt
orupdatedAt
. Defaults tocreatedAt
.Even though the JSON case object uses
created_at
andupdated_at
fields, you must usecreatedAt
andupdatedAt
fields in the URL query. -
sortOrder
-
(Optional, string) Determines the sort order, which can be
desc
orasc
. Defaults todesc
. -
status
-
(Optional, string) Filters the returned cases by state, which can be
open
,in-progress
, orclosed
. -
tags
- (Optional, string or array of strings) Filters the returned cases by tags.
Response codes
edit-
200
- Indicates a successful call.
Examples
editRetrieve the first five cases with the phishing
tag, in ascending order by
last update time:
GET api/cases/_find?page=1&perPage=5&sortField=updatedAt&sortOrder=asc&tags=phishing
The API returns a JSON object listing the retrieved cases. For example:
{ "page": 1, "per_page": 5, "total": 2, "cases": [ { "id": "abed3a70-71bd-11ea-a0b2-c51ea50a58e2", "version": "WzExMCwxXQ==", "comments": [], "totalComment": 0, "totalAlerts": 0, "title": "The Long Game", "tags": [ "windows", "phishing" ], "description": "Windows 95", "settings": { "syncAlerts": true }, "owner": "securitySolution", "closed_at": null, "closed_by": null, "created_at": "2022-03-29T13:03:23.533Z", "created_by": { "email": "rhustler@email.com", "full_name": "Rat Hustler", "username": "rhustler" }, "status": "open", "updated_at": null, "updated_by": null, "connector": { "id": "131d4448-abe0-4789-939d-8ef60680b498", "name": "My connector", "type": ".jira", "fields": { "issueType": "10006", "priority": null, } } "external_service": null, }, { "id": "a18b38a0-71b0-11ea-a0b2-c51ea50a58e2", "version": "Wzk4LDFd", "comments": [], "totalComment": 0, "totalAlerts": 0, "title": "This case will self-destruct in 5 seconds", "tags": [ "phishing", "social engineering", "bubblegum" ], "description": "James Bond clicked on a highly suspicious email banner advertising cheap holidays for underpaid civil servants. Operation bubblegum is active. Repeat - operation bubblegum is now active!", "settings": { "syncAlerts": false }, "owner": "cases", "closed_at": null, "closed_by": null, "created_at": "2022-03-29T11:30:02.658Z", "created_by": { "email": "ahunley@imf.usa.gov", "full_name": "Alan Hunley", "username": "ahunley" }, "status": "open", "updated_at": "2022-03-29T12:01:50.244Z", "updated_by": { "full_name": "Classified", "email": "classified@hms.oo.gov.uk", "username": "M" }, "connector": { "id": "131d4448-abe0-4789-939d-8ef60680b498", "name": "My connector", "type": ".resilient", "fields": { "issueTypes": [13], "severityCode": 6, } }, "external_service": null, } ], "count_open_cases": 2, "count_in_progress_cases":0, "count_closed_cases": 0 }