Create case

edit

Creates a new case.

The Kibana Console supports only Elasticsearch APIs. You cannot interact with the Kibana APIs with the Console and must use curl or another HTTP tool instead. For more information, refer to Console.

Request URL

edit

POST <kibana host>:<port>/api/cases

Request body

edit

A JSON object with these fields:

Name Type Description Required

title

String

The case’s title.

Yes

description

String

The case’s description.

Yes

tags

String[]

String array containing words and phrases that help categorize cases.

Yes, can be an empty array.

connector

connector

Object containing the connector’s configuration.

Yes

settings

settings

Object containing the case’s settings.

Yes

connector schema

Name Type Description Required

id

String

ID of the connector used for pushing case updates to external systems (returned when calling Find connectors).

Yes

name

String

The connector name.

Yes

type

String

The type of the connector.

Must be one of these:

  • .servicenow
  • .jira
  • .resilient
  • .none

Yes

fields

Object

Object containing the connector’s fields.

For ServiceNow connectors:

  • urgency (string | null): The urgency of the incident.
  • severity (string | null): The severity of the incident.
  • impact (string | null): The impact of the incident.

For Jira connectors:

  • issueType (string): The issue type of the issue.
  • priority (string | null): The priority of the issue.
  • parent (string | null): The key of the parent issue (Valid when the issue type is Sub-task).

For IBM Resilient connectors:

  • issueTypes (number[]): The issue types of the issue.
  • severityCode (number): The severity code of the issue.

Yes

settings schema

Name Type Description Required

syncAlerts

Boolean

Turn on or off synching with alerts.

Yes

Example request

edit
POST api/cases
{
  "description": "James Bond clicked on a highly suspicious email
  banner advertising cheap holidays for underpaid civil servants.",
  "title": "This case will self-destruct in 5 seconds",
  "tags": [
    "phishing",
    "social engineering"
  ],
  "connector": {
    "id": "131d4448-abe0-4789-939d-8ef60680b498",
    "name": "My connector",
    "type": ".jira",
    "fields": {
      "issueType": "10006",
      "priority": "High",
    }
  },
  "settings": {
    "syncAlerts": true
  }
}

Response code

edit
200
Indicates a successful call.

Response payload

edit

A JSON object that includes the user who created the case and the case’s ID, version, and creation time. The case’s ID is also its saved object ID (savedObjectId), used when pushing cases to external systems.

Example response

edit
{
  "id": "66b9aa00-94fa-11ea-9f74-e7e108796192",
  "version": "WzUzMiwxXQ==",
  "comments": [],
  "totalComment": 0,
  "title": "This case will self-destruct in 5 seconds",
  "description": "James Bond clicked on a highly suspicious email banner advertising cheap holidays for underpaid civil servants. Operation bubblegum is active. Repeat - operation bubblegum is now active",
  "tags": [
    "phishing",
    "social engineering",
    "bubblegum"
  ],
  "closed_at": null,
  "closed_by": null,
  "created_at": "2020-05-13T09:16:17.416Z",
  "created_by": {
    "email": "ahunley@imf.usa.gov",
    "full_name": "Alan Hunley",
    "username": "ahunley"
  },
  "external_service": null, 
  "status": "open",
  "updated_at": null,
  "updated_by": null,
  "connector": {
    "id": "131d4448-abe0-4789-939d-8ef60680b498", 
    "name": "My connector",
    "type": ".jira",
    "fields": {
      "issueType": "10006",
      "priority": "High",
    }
  },
  "settings": {
    "syncAlerts": true
  }
}

The external_service object stores information when the case is pushed to external systems. For more information, see Actions API (for pushing cases to external systems).

The default connector ID used to push cases to external services (see Set default Elastic Security UI connector).