Create case

edit

Creates a new case.

Console supports only Elasticsearch APIs. Console doesn’t allow interactions with Kibana APIs. You must use curl or another HTTP tool instead. For more information, refer to Run Elasticsearch API requests.

Request URL

edit

POST <kibana host>:<port>/api/cases

Request body

edit

A JSON object with these fields:

Name Type Description Required

title

String

The case’s title.

Yes

description

String

The case’s description.

Yes

tags

String[]

String array containing words and phrases that help categorize cases.

Yes, can be an empty array.

connector

connector

Object containing the connector’s configuration.

Yes

settings

settings

Object containing the case’s settings.

Yes

owner

String

The application that owns the case.

Yes

Must be a valid application owner that is registered within the Cases role-based access control system (securitySolution).

connector schema

Name Type Description Required

id

String

ID of the connector used for pushing case updates to external systems (returned when calling Find connectors).

Yes

name

String

The connector name.

Yes

type

String

The type of the connector.

Must be one of these:

  • .servicenow
  • .servicenow-sir
  • .jira
  • .resilient
  • .swimlane
  • .none

Yes

fields

Object

Object containing the connector’s fields.

For ServiceNow ITSM connectors:

  • urgency (string | null): The urgency of the incident.
  • severity (string | null): The severity of the incident.
  • impact (string | null): The impact of the incident.
  • category (string | null): The category of the incident.
  • subcategory (string | null): The subcategory of the incident.

For ServiceNow SecOps connectors:

  • destIp (string | null): A comma separated list of destination IPs.
  • malwareHash (string | null): A comma separated list of malware hashes.
  • malwareUrl (string | null): A comma separated list of malware URLs.
  • sourceIp (string | null): A comma separated list of source IPs.
  • priority (string | null): The priority of the incident.
  • category (string | null): The category of the incident.
  • subcategory (string | null): The subcategory of the incident.

For Jira connectors:

  • issueType (string): The issue type of the issue.
  • priority (string | null): The priority of the issue.
  • parent (string | null): The key of the parent issue (Valid when the issue type is Sub-task).

For IBM Resilient connectors:

  • issueTypes (number[]): The issue types of the issue.
  • severityCode (number): The severity code of the issue.

For Swimlane connectors:

  • caseId (string | null): The case ID.

Yes

settings schema

Name Type Description Required

syncAlerts

Boolean

Turns alert syncing on or off.

Yes

Example request

edit
POST api/cases
{
  "description": "James Bond clicked on a highly suspicious email
  banner advertising cheap holidays for underpaid civil servants.",
  "title": "This case will self-destruct in 5 seconds",
  "tags": [
    "phishing",
    "social engineering"
  ],
  "connector": {
    "id": "131d4448-abe0-4789-939d-8ef60680b498",
    "name": "My connector",
    "type": ".jira",
    "fields": {
      "issueType": "10006",
      "priority": "High",
    }
  },
  "settings": {
    "syncAlerts": true
  },
  "owner": "securitySolution"
}

Creates a case with no connector:

POST api/cases
{
  "description": "James Bond clicked on a highly suspicious email
  banner advertising cheap holidays for underpaid civil servants.",
  "title": "This case will self-destruct in 5 seconds",
  "tags": [
    "phishing",
    "social engineering"
  ],
  "connector": {
    "id": "none",
    "name": "none",
    "type": ".none",
    "fields": null
  },
  "settings": {
    "syncAlerts": true
  },
  "owner": "securitySolution"
}

Response code

edit
200
Indicates a successful call.

Response payload

edit

A JSON object that includes the user who created the case and the case’s ID, version, and creation time. The case’s ID is also its saved object ID (savedObjectId), used when pushing cases to external systems.

Example response

edit
{
  "id": "66b9aa00-94fa-11ea-9f74-e7e108796192",
  "version": "WzUzMiwxXQ==",
  "comments": [],
  "totalComment": 0,
  "title": "This case will self-destruct in 5 seconds",
  "description": "James Bond clicked on a highly suspicious email banner advertising cheap holidays for underpaid civil servants. Operation bubblegum is active. Repeat - operation bubblegum is now active",
  "tags": [
    "phishing",
    "social engineering",
    "bubblegum"
  ],
  "closed_at": null,
  "closed_by": null,
  "created_at": "2020-05-13T09:16:17.416Z",
  "created_by": {
    "email": "ahunley@imf.usa.gov",
    "full_name": "Alan Hunley",
    "username": "ahunley"
  },
  "external_service": null, 
  "status": "open",
  "updated_at": null,
  "updated_by": null,
  "connector": {
    "id": "131d4448-abe0-4789-939d-8ef60680b498", 
    "name": "My connector",
    "type": ".jira",
    "fields": {
      "issueType": "10006",
      "priority": "High",
    }
  },
  "settings": {
    "syncAlerts": true
  },
  "owner": "securitySolution",
}

The external_service object stores information when the case is pushed to external systems. For more information, see Actions API (for pushing cases to external systems).

The default connector ID used to push cases to external services (see Set default Elastic Security UI connector).