Find cases
Retrieves a paginated subset of cases. By default, the first page is returned with 20 results per page.
Console supports only Elasticsearch APIs. Console doesn’t allow interactions with Kibana APIs. You must use curl
or another HTTP tool instead. For more information, refer to Run Elasticsearch API requests.
Cases are saved objects. See Find objects API for more query parameters.
Request URL
GET <kibana host>:<port>/api/cases/_find
URL query parameters
All parameters are optional:
Name | Type | Description |
---|---|---|
 | String or String[] | A filter to limit the retrieved cases to a specific set of applications. If this parameter is omitted, the response will contain all cases that the user has access to read. |
 | Integer | The page number to return. |
 | Integer | The number of cases to return per page. |
 | String | Determines which field is used to sort the results, |
 | String | Determines the sort order, which can be |
 | String | Filters the returned cases by state, which can be |
 | String | Filters the returned cases by tags. |
 | String | Filters the returned cases by the reporter’s |
Even though the JSON case object uses created_at and updated_at fields, you must use createdAt and updatedAt fields in the URL query.
Example request
Retrieves the first five cases with the phishing tag, in ascending order by last update time.
GET api/cases/_find?page=1&perPage=5&sortField=updatedAt&sortOrder=asc&tags=phishing
Response code
200
  Indicates a successful call.
Response payload
A JSON object listing the retrieved cases.
Response example
{
  "page": 1,
  "per_page": 5,
  "total": 2,
  "cases": [
    {
      "id": "abed3a70-71bd-11ea-a0b2-c51ea50a58e2",
      "version": "WzExMCwxXQ==",
      "comments": [],
      "totalComment": 0,
      "closed_at": null,
      "closed_by": null,
      "created_at": "2020-03-29T13:03:23.533Z",
      "created_by": {
        "email": "rhustler@aol.com",
        "full_name": "Rat Hustler",
        "username": "rhustler"
      },
      "external_service": null,
      "updated_at": null,
      "updated_by": null,
      "title": "The Long Game",
      "tags": [
        "windows",
        "phishing"
      ],
      "description": "Windows 95",
      "status": "open",
      "connector": {
        "id": "131d4448-abe0-4789-939d-8ef60680b498",
        "name": "My connector",
        "type": ".jira",
        "fields": {
          "issueType": "10006",
          "priority": null
        }
      },
      "settings": {
        "syncAlerts": true
      },
      "owner": "securitySolution"
    },
    {
      "id": "a18b38a0-71b0-11ea-a0b2-c51ea50a58e2",
      "version": "Wzk4LDFd",
      "comments": [],
      "totalComment": 0,
      "closed_at": null,
      "closed_by": null,
      "created_at": "2020-03-29T11:30:02.658Z",
      "created_by": {
        "email": "ahunley@imf.usa.gov",
        "full_name": "Alan Hunley",
        "username": "ahunley"
      },
      "external_service": null,
      "updated_at": "2020-03-29T12:01:50.244Z",
      "updated_by": {
        "full_name": "Classified",
        "email": "classified@hms.oo.gov.uk",
        "username": "M"
      },
      "description": "James Bond clicked on a highly suspicious email banner advertising cheap holidays for underpaid civil servants. Operation bubblegum is active. Repeat - operation bubblegum is now active!",
      "title": "This case will self-destruct in 5 seconds",
      "status": "open",
      "connector": {
        "id": "131d4448-abe0-4789-939d-8ef60680b498",
        "name": "My connector",
        "type": ".resilient",
        "fields": {
          "issueTypes": [13],
          "severityCode": 6
        }
      },
      "settings": {
        "syncAlerts": false
      },
      "owner": "securitySolution",
      "tags": [
        "phishing",
        "social engineering",
        "bubblegum"
      ]
    }
  ],
  "count_open_cases": 2,
  "count_closed_cases": 0
}
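The following is an added example, not part of the Elastic documentation: a Python sketch that builds the query shown in the example request, translates the snake_case field names of the case object into the camelCase names the URL query requires, and walks every page using the page, total and cases fields of the response. The function names, the kibana.example host and the injected fetch callable are assumptions; authentication and the real HTTP call are left to the caller, and the in-memory fetch_constructed stands in for Kibana so the block runs offline.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Case objects use snake_case, but the URL query must use camelCase.
SORT_FIELDS = {"created_at": "createdAt", "updated_at": "updatedAt"}

def find_url(base, page=1, per_page=20, sort_field=None, sort_order=None, tags=None):
    """Build a GET /api/cases/_find URL from optional query parameters."""
    params = {"page": page, "perPage": per_page}
    if sort_field:
        params["sortField"] = SORT_FIELDS.get(sort_field, sort_field)
    if sort_order:
        params["sortOrder"] = sort_order
    if tags:
        params["tags"] = tags
    return f"{base}/api/cases/_find?{urlencode(params)}"

def iter_cases(fetch, base, **query):
    """Yield every matching case, requesting pages until 'total' is reached.

    fetch(url) is supplied by the caller and must return the decoded JSON body.
    """
    page, seen = 1, 0
    while True:
        body = fetch(find_url(base, page=page, **query))
        yield from body["cases"]
        seen += len(body["cases"])
        # An empty page also ends the loop, in case cases were closed or
        # deleted between requests and 'total' is never reached.
        if not body["cases"] or seen >= body["total"]:
            return
        page += 1

# Constructed sample data: seven minimal case objects served from memory.
_CONSTRUCTED = [{"id": f"case-{i}", "tags": ["phishing"]} for i in range(7)]

def fetch_constructed(url):
    """Offline stand-in for Kibana that pages through _CONSTRUCTED."""
    q = parse_qs(urlsplit(url).query)
    page, per = int(q["page"][0]), int(q["perPage"][0])
    chunk = _CONSTRUCTED[(page - 1) * per : page * per]
    return {"page": page, "per_page": per, "total": len(_CONSTRUCTED), "cases": chunk}

if __name__ == "__main__":
    for case in iter_cases(fetch_constructed, "http://kibana.example:5601",
                           per_page=5, sort_field="updated_at",
                           sort_order="asc", tags="phishing"):
        print(case["id"])
```

Sorting on a fixed field while paging keeps the order stable between requests, which reduces the chance of skipping or repeating a case when the set changes mid-walk.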