Add comment
editAdd comment
editAdds a comment to an existing case.
Console supports only Elasticsearch APIs. Console doesn’t allow interactions with Kibana APIs. You must use curl
or another HTTP tool instead. For more information, refer to Run Elasticsearch API requests.
Request URL
editPOST <kibana host>:<port>/api/cases/<case ID>/comments
URL parts
editThe URL must include the case ID
of the case to which you are adding a comment. Use Find cases to retrieve case IDs.
Request body
editA JSON object with a comment
field:
Name | Type | Description | Required |
---|---|---|---|
|
String |
The alert identifier. |
Yes, only when the |
|
String |
The new comment. |
Yes, only when the |
|
String |
The alert index. |
Yes, only when the |
|
String |
The application that owns the case. Valid values are:
|
Yes, whether the type is |
|
String |
The rule associated with the alert. Required properties are:
|
Yes, only when the |
|
String |
The comment type. Must be |
Yes. |
Only Elastic Security alerts (signals) are supported.
Example request
editAdds a comment to case ID 293f1bc0-74f6-11ea-b83a-553aecdb28b6
:
POST api/cases/293f1bc0-74f6-11ea-b83a-553aecdb28b6/comments { "type": "user", "comment": "That is nothing - Ethan Hunt answered a targeted social media campaign promoting phishy pension schemes to IMF operatives.", "owner": "securitySolution" }
Response code
edit-
200
- Indicates a successful call.
Response payload
editThe response contains an updated JSON case object with the newly added comment, the user who created it, and the comment’s ID, version, and creation time.
Example response
edit{ "comments":[ { "id": "8af6ac20-74f6-11ea-b83a-553aecdb28b6", "version": "WzIwNDMxLDFd", "type":"user", "owner":"cases", "comment":"That is nothing - Ethan Hunt answered a targeted social media campaign promoting phishy pension schemes to IMF operatives.", "created_at":"2022-03-24T00:49:47.716Z", "created_by": { "email": "moneypenny@hms.gov.uk", "full_name": "Ms Moneypenny", "username": "moneypenny" }, "pushed_at":null, "pushed_by":null, "updated_at":null, "updated_by":null } ], "totalAlerts":0, "id":"293f1bc0-74f6-11ea-b83a-553aecdb28b6", "version":"WzIzMzgsMV0=", "totalComment":1, "title": "This case will self-destruct in 5 seconds", "tags": ["phishing","social engineering"], "description": "James Bond clicked on a highly suspicious email banner advertising cheap holidays for underpaid civil servants.", "settings": { "syncAlerts":false }, "owner": "cases", "closed_at": null, "closed_by": null, "created_at": "2022-03-24T00:37:03.906Z", "created_by": { "email": "ahunley@imf.usa.gov", "full_name": "Alan Hunley", "username": "ahunley" }, "status": "open", "updated_at": "2022-03-24T00:49:47.716Z", "updated_by": { "email": "moneypenny@hms.gov.uk", "full_name": "Ms Moneypenny", "username": "moneypenny" }, "connector": { "id": "none", "name": "none", "type": ".none", "fields": null }, "external_service": null }