Create case

Creates a new case.

Request URL

POST <kibana host>:<port>/api/cases

Request body

A JSON object with these fields:

Name         Type      Description                                                             Required
title        String    The case’s title.                                                       Yes
description  String    The case’s description.                                                 Yes
tags         String[]  String array containing words and phrases that help categorize cases.  Yes, can be an empty array.

Example request

POST api/cases
{
  "description": "James Bond clicked on a highly suspicious email banner advertising cheap holidays for underpaid civil servants.",
  "title": "This case will self-destruct in 5 seconds",
  "tags": [
    "phishing",
    "social engineering"
  ]
}

Response code

200
Indicates a successful call.

Response payload

A JSON object that includes the user who created the case and the case’s ID, version, and creation time. The case’s ID is also its saved object ID (savedObjectId), used when pushing cases to external systems.

Example response

{
  "id": "66b9aa00-94fa-11ea-9f74-e7e108796192",
  "version": "WzUzMiwxXQ==",
  "comments": [],
  "totalComment": 0,
  "connector_id": "05da469f-1fde-4058-99a3-91e4807e2de8",
  "title": "This case will self-destruct in 5 seconds",
  "description": "James Bond clicked on a highly suspicious email banner advertising cheap holidays for underpaid civil servants. Operation bubblegum is active. Repeat - operation bubblegum is now active",
  "tags": [
    "phishing",
    "social engineering",
    "bubblegum"
  ],
  "closed_at": null,
  "closed_by": null,
  "created_at": "2020-05-13T09:16:17.416Z",
  "created_by": {
    "email": "ahunley@imf.usa.gov",
    "full_name": "Alan Hunley",
    "username": "ahunley"
  },
  "external_service": null,
  "status": "open",
  "updated_at": null,
  "updated_by": null
}

connector_id is the default connector ID used to push cases to external services (see Set default Elastic Security UI connector).

The external_service object stores information when the case is pushed to external systems; it is null until the case has been pushed. For more information, see Actions API (for pushing cases to external systems).
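The following is an added example client for this endpoint; it is not Kibana's own code and is not taken from this page. It validates the three documented request fields before sending, POSTs to /api/cases, and extracts from the response the values a caller needs to keep (the saved object ID, version, status and creator). API-key authentication, the kbn-xsrf header and the sample response values are assumptions of the example, not something this page documents.

```python
"""Minimal client for the Kibana Cases API "create case" endpoint (added example)."""
import json
import urllib.request
from typing import Any

# Constructed sample response, shaped like the example on this page.
# The ids, names and timestamps are placeholders, not real data.
SAMPLE_RESPONSE = json.dumps({
    "id": "00000000-0000-4000-8000-000000000001",
    "version": "WzEsMV0=",
    "comments": [],
    "totalComment": 0,
    "connector_id": "00000000-0000-4000-8000-000000000002",
    "title": "Suspicious email reported by user",
    "description": "User reported a phishing email; triage in progress.",
    "tags": ["phishing"],
    "closed_at": None,
    "closed_by": None,
    "created_at": "2020-05-13T09:16:17.416Z",
    "created_by": {"email": "analyst@example.com",
                   "full_name": "Example Analyst",
                   "username": "analyst"},
    "external_service": None,
    "status": "open",
    "updated_at": None,
    "updated_by": None,
})


def build_create_case_body(title: str, description: str, tags: list[str]) -> dict[str, Any]:
    """Validate the documented request fields and return the JSON body.

    title and description are required non-empty strings; tags is a required
    array of strings that may be empty.
    """
    if not isinstance(title, str) or not title.strip():
        raise ValueError("title is required and must be a non-empty string")
    if not isinstance(description, str) or not description.strip():
        raise ValueError("description is required and must be a non-empty string")
    if not isinstance(tags, list) or not all(isinstance(t, str) for t in tags):
        raise ValueError("tags is required and must be an array of strings (may be empty)")
    return {"title": title, "description": description, "tags": tags}


def parse_create_case_response(raw: str) -> dict[str, Any]:
    """Pull out the fields worth keeping after creation.

    The id is the case's saved object ID, needed later when pushing the case
    to an external system; external_service stays null until that happens.
    """
    data = json.loads(raw)
    for key in ("id", "version", "status", "created_at", "created_by"):
        if key not in data:
            raise ValueError(f"response is missing required field {key!r}")
    return {
        "saved_object_id": data["id"],
        "version": data["version"],
        "status": data["status"],
        "created_at": data["created_at"],
        "created_by": data["created_by"].get("username"),
        "pushed": data.get("external_service") is not None,
    }


def create_case(kibana_url: str, api_key: str, title: str, description: str,
                tags: list[str], timeout: float = 10.0) -> dict[str, Any]:
    """POST /api/cases and return the parsed response.

    Assumptions of this example: the caller authenticates with a Kibana API
    key, and the kbn-xsrf header is sent because Kibana rejects write
    requests without it.
    """
    body = json.dumps(build_create_case_body(title, description, tags)).encode("utf-8")
    req = urllib.request.Request(
        f"{kibana_url.rstrip('/')}/api/cases",
        data=body,
        method="POST",
        headers={
            "Content-Type": "application/json",
            "kbn-xsrf": "true",  # required by Kibana on non-GET requests
            "Authorization": f"ApiKey {api_key}",
        },
    )
    # urlopen raises HTTPError for non-2xx statuses, so reaching the body means 200.
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_create_case_response(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Offline demonstration: validate a body and parse the constructed sample.
    print(build_create_case_body("This case will self-destruct in 5 seconds",
                                 "Example description", []))
    print(parse_create_case_response(SAMPLE_RESPONSE))
```

Validating the body client-side mirrors the Required column of the table above, so a missing title or a non-string tag fails before any request leaves the host; the parsed result keeps only the identifiers and status, which is what a ticketing or SOAR integration normally needs to store.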