Add comment

edit

Adds a comment to an existing case.

Console supports only Elasticsearch APIs. Console doesn’t allow interactions with Kibana APIs. You must use curl or another HTTP tool instead. For more information, refer to Run Elasticsearch API requests.

Request URL

edit

POST <kibana host>:<port>/api/cases/<case ID>/comments

URL parts

edit

The URL must include the case ID of the case to which you are adding a comment. Use Find cases to retrieve case IDs.

Request body

edit

A JSON object with a comment field:

Name Type Description Required

alertId

String

The alert identifier.

Yes, only when the type is alert.

comment

String

The new comment.

Yes, only when the type is user.

index

String

The alert index.

Yes, only when the type is alert.

owner

String

The application that owns the case. Valid values are:

  • cases
  • observability
  • securitySolution

Yes, whether the type is user or alert.

rule

String

The rule associated with the alert. Required properties are:

  • id (string): The rule identifier.
  • name (string): The rule name.

Yes, only when the type is alert.

type

String

The comment type. Must be user or alert.

Yes.

Only Elastic Security alerts (signals) are supported.

Example request

edit

Adds a comment to case ID 293f1bc0-74f6-11ea-b83a-553aecdb28b6:

POST api/cases/293f1bc0-74f6-11ea-b83a-553aecdb28b6/comments
{
  "type": "user",
  "comment": "That is nothing - Ethan Hunt answered a targeted social
  media campaign promoting phishy pension schemes to IMF operatives.",
  "owner": "securitySolution"
}

Response code

edit
200
Indicates a successful call.

Response payload

edit

The response contains an updated JSON case object with the newly added comment, the user who created it, and the comment’s ID, version, and creation time.

Example response

edit
{
  "comments":[
    {
      "id": "8af6ac20-74f6-11ea-b83a-553aecdb28b6",
      "version": "WzIwNDMxLDFd",
      "type":"user",
      "owner":"cases",
      "comment":"That is nothing - Ethan Hunt answered a targeted social media campaign promoting phishy pension schemes to IMF operatives.",
      "created_at":"2022-03-24T00:49:47.716Z",
      "created_by": {
        "email": "moneypenny@hms.gov.uk",
        "full_name": "Ms Moneypenny",
        "username": "moneypenny"
      },
      "pushed_at":null,
      "pushed_by":null,
      "updated_at":null,
      "updated_by":null
    }
  ],
  "totalAlerts":0,
  "id":"293f1bc0-74f6-11ea-b83a-553aecdb28b6",
  "version":"WzIzMzgsMV0=",
  "totalComment":1,
  "title": "This case will self-destruct in 5 seconds",
  "tags": ["phishing","social engineering"],
  "description": "James Bond clicked on a highly suspicious email banner advertising cheap holidays for underpaid civil servants.",
  "settings": {
    "syncAlerts":false
  },
  "owner": "cases",
  "closed_at": null,
  "closed_by": null,
  "created_at": "2022-03-24T00:37:03.906Z",
  "created_by": {
    "email": "ahunley@imf.usa.gov",
    "full_name": "Alan Hunley",
    "username": "ahunley"
  },
  "status": "open",
  "updated_at": "2022-03-24T00:49:47.716Z",
  "updated_by": {
    "email": "moneypenny@hms.gov.uk",
    "full_name": "Ms Moneypenny",
    "username": "moneypenny"
  },
  "connector": {
    "id": "none",
    "name": "none",
    "type": ".none",
    "fields": null
  },
  "external_service": null
}