Add external details to case

edit

Adds the data returned from an external system to the specified case.

The Kibana Console supports only Elasticsearch APIs. You cannot interact with the Kibana APIs with the Console and must use curl or another HTTP tool instead. For more information, refer to Console.

After sending a new or updated case to an external system using the Actions API, you must associate the external system’s returned object with the case in Elastic Security.

Request URL

edit

POST <kibana host>:<port>/api/cases/<case ID>/_push

URL parts

edit

The URL must include the case ID of the case you are updating. Call Find cases to retrieve case IDs.

Request body

edit

A JSON object with the data returned from the external system:

Name Type Description Required

connector_id

String

The ID of the connector used to send the case to the external system.

Yes

connector_name

String

The name of the connector used to send the case to the external system..

Yes

external_id

String

The id returned when calling Create or update an external incident.

Yes

external_title

String

The title returned when calling Create or update an external incident.

Yes

external_url

String

The url returned when calling Create or update an external incident.

Yes

Example request

edit
POST api/cases/718265d0-733a-11ea-a0b2-c51ea50a58e2/_push

  "connector_id": "61787f53-4eee-4741-8df6-8fe84fa616f7",
  "connector_name": "ServiceNow",
  "external_id": "74c15d07dbb300106ba884da0b9619a0",
  "external_title": "INC0010016",
  "external_url": "https://dev78437.service-now.com/nav_to.do?uri=incident.do?sys_id=74c15d07dbb300106ba884da0b9619a0"
}

Response code

edit
200
Indicates a successful call.

Response payload

edit

The updated JSON case object.

Example response

edit
{
  "id": "718265d0-733a-11ea-a0b2-c51ea50a58e2",
  "version": "WzMyNywxXQ==",
  "comments": [],
  "totalComment": 0,
  "closed_at": null,
  "closed_by": null,
  "created_at": "2020-03-31T10:29:03.781Z",
  "created_by": {
    "email": "ahunley@imf.usa.gov",
    "full_name": "Alan Hunley",
    "username": "ahunley"
  },
  "external_service": {
    "pushed_at": "2020-03-31T10:56:10.959Z",
    "pushed_by": {
      "username": "ahunley",
      "full_name": "Alan Hunley",
      "email": "ahunley@imf.usa.gov"
    },
    "connector_id": "61787f53-4eee-4741-8df6-8fe84fa616f7",
    "connector_name": "ServiceNow",
    "external_id": "74c15d07dbb300106ba884da0b9619a0",
    "external_title": "INC0010016",
    "external_url": "https://dev78437.service-now.com/nav_to.do?uri=incident.do?sys_id=74c15d07dbb300106ba884da0b9619a0"
  },
  "updated_at": "2020-03-31T10:56:10.959Z",
  "updated_by": {
    "username": "ahunley",
    "full_name": "Alan Hunley",
    "email": "ahunley@imf.usa.gov"
  },
  "title": "This case will self-destruct in 5 seconds",
  "tags": [],
  "description": "James Bond clicked on a highly suspicious email banner advertising cheap holidays for underpaid civil servants.",
  "status": "open",
  "connector": {
    "id": "61787f53-4eee-4741-8df6-8fe84fa616f7",
    "name": "ServiceNow",
    "type": ".servicenow",
    "fields": null
  },
  "settings": {
    "syncAlerts": true
  },
}