Update case

edit

Updates existing cases.

Console supports only Elasticsearch APIs. Console doesn’t allow interactions with Kibana APIs. You must use curl or another HTTP tool instead. For more information, refer to Run Elasticsearch API requests.

Request URL

edit

PATCH <kibana host>:<port>/api/cases

Request body

edit

A JSON array containing one or more case objects with updated field values:

Name Type Description Required

cases

cases[]

Array containing one or more case objects.

Yes

cases schema

edit
Name Type Description Required

id

String

The ID of the case being updated.

Yes

connector

connector

Object containing the connector’s configuration.

No

description

String

The updated case description.

No

settings

settings

Object containing the case’s settings.

No

status

String

The updated case status, which can be:

  • open
  • in-progress
  • closed

No

tags

String[]

The updated case tags.

No

title

String

The updated case title.

No

version

String

The current case version (returned when calling Get case or Find cases).

Yes

The Case owner field cannot be updated.

connector schema

Name Type Description Required

id

String

ID of the connector used for pushing case updates to external systems (returned when calling Find connectors).

Yes

name

String

The connector name.

Yes

type

String

The type of the connector.

Must be one of these:

  • .servicenow
  • .servicenow-sir
  • .jira
  • .resilient
  • .swimlane
  • .none

Yes

fields

Object

Object containing the connector’s fields.

For ServiceNow connectors:

  • urgency (string | null): The urgency of the incident.
  • severity (string | null): The severity of the incident.
  • impact (string | null): The impact of the incident.
  • category (string | null): The category of the incident.
  • subcategory (string | null): The subcategory of the incident.

For ServiceNow SecOps connectors:

  • destIp (string | null): A comma separated list of destination IPs.
  • malwareHash (string | null): A comma separated list of malware hashes.
  • malwareUrl (string | null): A comma separated list of malware URLs.
  • sourceIp (string | null): A comma separated list of source IPs.
  • priority (string | null): The priority of the incident.
  • category (string | null): The category of the incident.
  • subcategory (string | null): The subcategory of the incident.

For Jira connectors:

  • issueType (string): The issue type of the issue.
  • priority (string | null): The priority of the issue.
  • parent (string | null): The key of the parent issue (Valid when the issue type is Sub-task).

For IBM Resilient connectors:

  • issueTypes (number[]): The issue types of the issue.
  • severityCode (number): The severity code of the issue.

For Swimlane connectors:

  • caseId (string | null): The case ID.

Yes

settings schema

Name Type Description Required

syncAlerts

Boolean

Turn on or off synching with alerts.

Yes

Example request

edit

Updates the description, tags, and connector of case ID a18b38a0-71b0-11ea-a0b2-c51ea50a58e2:

PATCH api/cases
{
  "cases": [
    {
      "connector": {
        "id": "131d4448-abe0-4789-939d-8ef60680b498",
        "name": "My connector",
        "type": ".jira",
        "fields": {
          "issueType": "10006",
          "priority": null,
        }
      },
      "id": "a18b38a0-71b0-11ea-a0b2-c51ea50a58e2",
      "description": "James Bond clicked on a highly suspicious email
      banner advertising cheap holidays for underpaid civil servants.
      Operation bubblegum is active. Repeat - operation bubblegum is
      now active!",
      "tags": [
        "phishing",
        "social engineering",
        "bubblegum"
      ],
      "settings": {
        "syncAlerts": true
      }
      "version": "WzIzLDFd"
    }
  ]
}

Response code

edit
200
Indicates a successful call.

Response payload

edit

The updated case with a new version value.

Example response

edit
[
  {
    "id": "66b9aa00-94fa-11ea-9f74-e7e108796192",
    "version": "WzU0OCwxXQ==",
    "comments": [],
    "totalComment": 0,
    "connector": {
      "id": "131d4448-abe0-4789-939d-8ef60680b498",
      "name": "My connector",
      "type": ".jira",
      "fields": {
        "issueType": "10006",
        "priority": null,
      }
    },
    "title": "This case will self-destruct in 5 seconds",
    "description": "James Bond clicked on a highly suspicious email banner advertising cheap holidays for underpaid civil servants. Operation bubblegum is active. Repeat - operation bubblegum is now active!",
    "tags": [
      "phishing",
      "social engineering",
      "bubblegum"
    ],
    "settings": {
      "syncAlerts": true
    }
    "closed_at": null,
    "closed_by": null,
    "created_at": "2020-05-13T09:16:17.416Z",
    "created_by": {
      "email": "ahunley@imf.usa.gov",
      "full_name": "Alan Hunley",
      "username": "ahunley"
    },
    "external_service": {
      "external_title": "IS-4",
      "pushed_by": {
        "full_name": "Classified",
        "email": "classified@hms.oo.gov.uk",
        "username": "M"
      },
      "external_url": "https://hms.atlassian.net/browse/IS-4",
      "pushed_at": "2020-05-13T09:20:40.672Z",
      "connector_id": "05da469f-1fde-4058-99a3-91e4807e2de8",
      "external_id": "10003",
      "connector_name": "Jira"
    },
    "owner": "securitySolution",
    "status": "open",
    "updated_at": "2020-05-13T09:48:33.043Z",
    "updated_by": {
      "email": "classified@hms.oo.gov.uk",
      "full_name": "Classified",
      "username": "M"
    }
  }
]