Find cases
editFind cases
editRetrieves a paginated subset of cases. By default, the first page is returned with 20 results per page.
The Kibana Console supports only Elasticsearch APIs. You cannot interact with the Kibana APIs with the Console and must use curl
or another HTTP tool instead. For more information, refer to Console.
Cases are saved objects. See Find objects API for more query parameters.
Request URL
editGET <kibana host>:<port>/api/cases/_find
URL query parameters
editAll parameters are optional:
Name | Type | Description |
---|---|---|
|
Integer |
The page number to return. |
|
Integer |
The number of rules to return per page. |
|
String |
Determines which field is used to sort the results,
|
|
String |
Determines the sort order, which can be |
|
String |
Filters the returned cases by state, which can be |
|
String |
Filters the returned cases by tags. |
|
String |
Filters the returned cases by the reporter’s |
Even though the JSON case object uses created_at
and updated_at
fields, you must use createdAt
and updatedAt
fields in the URL
query.
Example request
editRetrieves the first five cases with the phishing
tag, in ascending order by
last update time.
GET api/cases/_find?page=1&perPage=5&sortField=updatedAt&sortOrder=asc&tags=phishing
Response code
edit-
200
- Indicates a successful call.
Response payload
editA JSON object listing the retrieved cases.
Response example
edit{ "page": 1, "per_page": 5, "total": 2, "cases": [ { "id": "abed3a70-71bd-11ea-a0b2-c51ea50a58e2", "version": "WzExMCwxXQ==", "comments": [], "totalComment": 0, "closed_at": null, "closed_by": null, "created_at": "2020-03-29T13:03:23.533Z", "created_by": { "email": "rhustler@aol.com", "full_name": "Rat Hustler", "username": "rhustler" }, "external_service": null, "updated_at": null, "updated_by": null, "title": "The Long Game", "tags": [ "windows", "phishing" ], "description": "Windows 95", "status": "open", "connector": { "id": "131d4448-abe0-4789-939d-8ef60680b498", "name": "My connector", "type": ".jira", "fields": { "issueType": "10006", "priority": null, } }, "settings": { "syncAlerts": true } }, { "id": "a18b38a0-71b0-11ea-a0b2-c51ea50a58e2", "version": "Wzk4LDFd", "comments": [], "totalComment": 0, "closed_at": null, "closed_by": null, "created_at": "2020-03-29T11:30:02.658Z", "created_by": { "email": "ahunley@imf.usa.gov", "full_name": "Alan Hunley", "username": "ahunley" }, "external_service": null, "updated_at": "2020-03-29T12:01:50.244Z", "updated_by": { "full_name": "Classified", "email": "classified@hms.oo.gov.uk", "username": "M" }, "description": "James Bond clicked on a highly suspicious email banner advertising cheap holidays for underpaid civil servants. Operation bubblegum is active. Repeat - operation bubblegum is now active!", "title": "This case will self-destruct in 5 seconds", "status": "open", "connector": { "id": "131d4448-abe0-4789-939d-8ef60680b498", "name": "My connector", "type": ".resilient", "fields": { "issueTypes": [13], "severityCode": 6, } }, "settings": { "syncAlerts": false }, "tags": [ "phishing", "social engineering", "bubblegum" ] } ], "count_open_cases": 2, "count_closed_cases": 0 }