Update case
editUpdate case
editUpdates existing cases.
Console supports only Elasticsearch APIs. Console doesn’t allow interactions with Kibana APIs. You must use curl or another HTTP tool instead. For more information, refer to Run Elasticsearch API requests.
Request URL
editPATCH <kibana host>:<port>/api/cases
Request body
editA JSON array containing one or more case objects with updated field values:
| Name | Type | Description | Required |
|---|---|---|---|
|
Array containing one or more case objects. |
Yes |
cases schema
edit| Name | Type | Description | Required |
|---|---|---|---|
|
String |
The ID of the case being updated. |
Yes |
|
Object containing the connector’s configuration. |
No |
|
|
String |
The updated case description. |
No |
|
Object containing the case’s settings. |
No |
|
|
String |
The updated case status, which can be:
|
No |
|
String[] |
The updated case tags. |
No |
|
String |
The updated case title. |
No |
|
String |
The current case version (returned when calling Get case or Find cases). |
Yes |
The Case owner field cannot be updated.
| Name | Type | Description | Required |
|---|---|---|---|
|
String |
ID of the connector used for pushing case updates to external systems (returned when calling Find connectors). |
Yes |
|
String |
The connector name. |
Yes |
|
String |
The type of the connector. Must be one of these:
|
Yes |
|
Object |
Object containing the connector’s fields. For ServiceNow connectors:
For ServiceNow SecOps connectors:
For Jira connectors:
For IBM Resilient connectors:
For Swimlane connectors:
|
Yes |
| Name | Type | Description | Required |
|---|---|---|---|
|
Boolean |
Turn on or off synching with alerts. |
Yes |
Example request
editUpdates the description, tags, and connector of case ID
a18b38a0-71b0-11ea-a0b2-c51ea50a58e2:
PATCH api/cases
{
"cases": [
{
"connector": {
"id": "131d4448-abe0-4789-939d-8ef60680b498",
"name": "My connector",
"type": ".jira",
"fields": {
"issueType": "10006",
"priority": null,
}
},
"id": "a18b38a0-71b0-11ea-a0b2-c51ea50a58e2",
"description": "James Bond clicked on a highly suspicious email
banner advertising cheap holidays for underpaid civil servants.
Operation bubblegum is active. Repeat - operation bubblegum is
now active!",
"tags": [
"phishing",
"social engineering",
"bubblegum"
],
"settings": {
"syncAlerts": true
}
"version": "WzIzLDFd"
}
]
}
Response code
edit-
200 - Indicates a successful call.
Response payload
editThe updated case with a new version value.
Example response
edit[
{
"id": "66b9aa00-94fa-11ea-9f74-e7e108796192",
"version": "WzU0OCwxXQ==",
"comments": [],
"totalComment": 0,
"connector": {
"id": "131d4448-abe0-4789-939d-8ef60680b498",
"name": "My connector",
"type": ".jira",
"fields": {
"issueType": "10006",
"priority": null,
}
},
"title": "This case will self-destruct in 5 seconds",
"description": "James Bond clicked on a highly suspicious email banner advertising cheap holidays for underpaid civil servants. Operation bubblegum is active. Repeat - operation bubblegum is now active!",
"tags": [
"phishing",
"social engineering",
"bubblegum"
],
"settings": {
"syncAlerts": true
}
"closed_at": null,
"closed_by": null,
"created_at": "2020-05-13T09:16:17.416Z",
"created_by": {
"email": "ahunley@imf.usa.gov",
"full_name": "Alan Hunley",
"username": "ahunley"
},
"external_service": {
"external_title": "IS-4",
"pushed_by": {
"full_name": "Classified",
"email": "classified@hms.oo.gov.uk",
"username": "M"
},
"external_url": "https://hms.atlassian.net/browse/IS-4",
"pushed_at": "2020-05-13T09:20:40.672Z",
"connector_id": "05da469f-1fde-4058-99a3-91e4807e2de8",
"external_id": "10003",
"connector_name": "Jira"
},
"owner": "securitySolution",
"status": "open",
"updated_at": "2020-05-13T09:48:33.043Z",
"updated_by": {
"email": "classified@hms.oo.gov.uk",
"full_name": "Classified",
"username": "M"
}
}
]