Create case
editCreate case
editCreates a new case.
Console supports only Elasticsearch APIs. Console doesn’t allow interactions with Kibana APIs. You must use curl
or another HTTP tool instead. For more information, refer to Run Elasticsearch API requests.
Request URL
editPOST <kibana host>:<port>/api/cases
Request body
editA JSON object with these fields:
Name | Type | Description | Required |
---|---|---|---|
|
String |
The case’s title. |
Yes |
|
String |
The case’s description. |
Yes |
|
String[] |
String array containing words and phrases that help categorize cases. |
Yes, can be an empty array. |
|
Object containing the connector’s configuration. |
Yes |
|
|
Object containing the case’s settings. |
Yes |
|
|
String |
The application that owns the case. |
Yes Must be a valid application owner that is registered within the Cases role-based access control system ( |
Name | Type | Description | Required |
---|---|---|---|
|
String |
ID of the connector used for pushing case updates to external systems (returned when calling Find connectors). |
Yes |
|
String |
The connector name. |
Yes |
|
String |
The type of the connector. Must be one of these:
|
Yes |
|
Object |
Object containing the connector’s fields. For ServiceNow ITSM connectors:
For ServiceNow SecOps connectors:
For Jira connectors:
For IBM Resilient connectors:
For Swimlane connectors:
|
Yes |
Name | Type | Description | Required |
---|---|---|---|
|
Boolean |
Turns alert syncing on or off. |
Yes |
Example request
editPOST api/cases { "description": "James Bond clicked on a highly suspicious email banner advertising cheap holidays for underpaid civil servants.", "title": "This case will self-destruct in 5 seconds", "tags": [ "phishing", "social engineering" ], "connector": { "id": "131d4448-abe0-4789-939d-8ef60680b498", "name": "My connector", "type": ".jira", "fields": { "issueType": "10006", "priority": "High", } }, "settings": { "syncAlerts": true }, "owner": "securitySolution" }
Creates a case with no connector:
POST api/cases { "description": "James Bond clicked on a highly suspicious email banner advertising cheap holidays for underpaid civil servants.", "title": "This case will self-destruct in 5 seconds", "tags": [ "phishing", "social engineering" ], "connector": { "id": "none", "name": "none", "type": ".none", "fields": null }, "settings": { "syncAlerts": true }, "owner": "securitySolution" }
Response code
edit-
200
- Indicates a successful call.
Response payload
editA JSON object that includes the user who created the case and the case’s ID,
version, and creation time. The case’s ID is also its saved object ID
(savedObjectId
), used when pushing cases to
external systems.
Example response
edit{ "id": "66b9aa00-94fa-11ea-9f74-e7e108796192", "version": "WzUzMiwxXQ==", "comments": [], "totalComment": 0, "title": "This case will self-destruct in 5 seconds", "description": "James Bond clicked on a highly suspicious email banner advertising cheap holidays for underpaid civil servants. Operation bubblegum is active. Repeat - operation bubblegum is now active", "tags": [ "phishing", "social engineering", "bubblegum" ], "closed_at": null, "closed_by": null, "created_at": "2020-05-13T09:16:17.416Z", "created_by": { "email": "ahunley@imf.usa.gov", "full_name": "Alan Hunley", "username": "ahunley" }, "external_service": null, "status": "open", "updated_at": null, "updated_by": null, "connector": { "id": "131d4448-abe0-4789-939d-8ef60680b498", "name": "My connector", "type": ".jira", "fields": { "issueType": "10006", "priority": "High", } }, "settings": { "syncAlerts": true }, "owner": "securitySolution", }
The |
|
The default connector ID used to push cases to external services (see Set default Elastic Security UI connector). |