Create case
editCreate case
editCreates a new case.
The Kibana Console supports only Elasticsearch APIs. You cannot interact with the Kibana APIs with the Console and must use curl or another HTTP tool instead. For more information, refer to Console.
Request URL
editPOST <kibana host>:<port>/api/cases
Request body
editA JSON object with these fields:
| Name | Type | Description | Required |
|---|---|---|---|
|
String |
The case’s title. |
Yes |
|
String |
The case’s description. |
Yes |
|
String[] |
String array containing words and phrases that help categorize cases. |
Yes, can be an empty array. |
|
Object containing the connector’s configuration. |
Yes |
|
|
Object containing the case’s settings. |
Yes |
| Name | Type | Description | Required |
|---|---|---|---|
|
String |
ID of the connector used for pushing case updates to external systems (returned when calling Find connectors). |
Yes |
|
String |
The connector name. |
Yes |
|
String |
The type of the connector. Must be one of these:
|
Yes |
|
Object |
Object containing the connector’s fields. For ServiceNow connectors:
For Jira connectors:
For IBM Resilient connectors:
|
Yes |
| Name | Type | Description | Required |
|---|---|---|---|
|
Boolean |
Turn on or off synching with alerts. |
Yes |
Example request
editPOST api/cases
{
"description": "James Bond clicked on a highly suspicious email
banner advertising cheap holidays for underpaid civil servants.",
"title": "This case will self-destruct in 5 seconds",
"tags": [
"phishing",
"social engineering"
],
"connector": {
"id": "131d4448-abe0-4789-939d-8ef60680b498",
"name": "My connector",
"type": ".jira",
"fields": {
"issueType": "10006",
"priority": "High",
}
},
"settings": {
"syncAlerts": true
}
}
Response code
edit-
200 - Indicates a successful call.
Response payload
editA JSON object that includes the user who created the case and the case’s ID,
version, and creation time. The case’s ID is also its saved object ID
(savedObjectId), used when pushing cases to
external systems.
Example response
edit{
"id": "66b9aa00-94fa-11ea-9f74-e7e108796192",
"version": "WzUzMiwxXQ==",
"comments": [],
"totalComment": 0,
"title": "This case will self-destruct in 5 seconds",
"description": "James Bond clicked on a highly suspicious email banner advertising cheap holidays for underpaid civil servants. Operation bubblegum is active. Repeat - operation bubblegum is now active",
"tags": [
"phishing",
"social engineering",
"bubblegum"
],
"closed_at": null,
"closed_by": null,
"created_at": "2020-05-13T09:16:17.416Z",
"created_by": {
"email": "ahunley@imf.usa.gov",
"full_name": "Alan Hunley",
"username": "ahunley"
},
"external_service": null,
"status": "open",
"updated_at": null,
"updated_by": null,
"connector": {
"id": "131d4448-abe0-4789-939d-8ef60680b498",
"name": "My connector",
"type": ".jira",
"fields": {
"issueType": "10006",
"priority": "High",
}
},
"settings": {
"syncAlerts": true
}
}
|
The |
|
|
The default connector ID used to push cases to external services (see Set default Elastic Security UI connector). |