Get case activity
Deprecated
Returns all user activity for a case. Deprecated in 8.1.0. This API is deprecated and will be removed in a future release; use the find user actions API instead. You must have read
privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're seeking.
Path parameters
-
caseId
string Required The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.
Responses
-
200 application/json
Indicates a successful call.
Hide response attributes Show response attributes object
-
action
string Required Values are
add
,create
,delete
,push_to_service
, orupdate
. -
action_id
string Required -
case_id
string Required -
comment_id
string | null Required -
created_at
string(date-time) Required -
created_by
object Required Hide created_by attributes Show created_by attributes object
-
email
string | null Required -
full_name
string | null Required -
profile_uid
string -
username
string | null Required
-
-
owner
string Required The application that owns the cases: Stack Management, Observability, or Elastic Security.
Values are
cases
,observability
, orsecuritySolution
. payload
object | null Required One of: Cases_payload_alert_commentobject Cases_payload_assigneesobject Cases_payload_connectorobject Cases_payload_create_caseobject Cases_payload_deleteobject | null Cases_payload_descriptionobject Cases_payload_pushedobject Cases_payload_settingsobject Cases_payload_severityobject Cases_payload_statusobject Cases_payload_tagsobject Cases_payload_titleobject Cases_payload_user_commentobject Hide attribute Show attribute
-
comment
object Hide comment attributes Show comment attributes object
Hide attribute Show attribute
-
assignees
array[object] | null An array containing users that are assigned to the case.
Not more than
10
elements.Hide assignees attribute Show assignees attribute object
-
uid
string Required A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.
-
Hide attribute Show attribute
-
connector
object Hide connector attributes Show connector attributes object
-
fields
object | null An object containing the connector fields. To create a case without a connector, specify null. If you want to omit any individual field, specify null as its value.
Hide fields attributes Show fields attributes object | null
-
caseId
string The case identifier for Swimlane connectors.
-
category
string The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors.
-
destIp
boolean | null Indicates whether cases will send a comma-separated list of destination IPs for ServiceNow SecOps connectors.
-
impact
string The effect an incident had on business for ServiceNow ITSM connectors.
-
issueType
string The type of issue for Jira connectors.
-
issueTypes
array[string] The type of incident for IBM Resilient connectors.
-
malwareHash
boolean | null Indicates whether cases will send a comma-separated list of malware hashes for ServiceNow SecOps connectors.
-
malwareUrl
boolean | null Indicates whether cases will send a comma-separated list of malware URLs for ServiceNow SecOps connectors.
-
parent
string The key of the parent issue, when the issue type is sub-task for Jira connectors.
-
priority
string The priority of the issue for Jira and ServiceNow SecOps connectors.
-
severity
string The severity of the incident for ServiceNow ITSM connectors.
-
severityCode
string The severity code of the incident for IBM Resilient connectors.
-
sourceIp
boolean | null Indicates whether cases will send a comma-separated list of source IPs for ServiceNow SecOps connectors.
-
subcategory
string The subcategory of the incident for ServiceNow ITSM connectors.
-
urgency
string The extent to which the incident resolution can be delayed for ServiceNow ITSM connectors.
-
-
id
string The identifier for the connector. To create a case without a connector, use
none
. -
name
string The name of the connector. To create a case without a connector, use
none
. -
type
string The type of connector.
Values are
.cases-webhook
,.jira
,.none
,.resilient
,.servicenow
,.servicenow-sir
, or.swimlane
.
-
Hide attributes Show attributes
-
assignees
array[object] | null An array containing users that are assigned to the case.
Not more than
10
elements.Hide assignees attribute Show assignees attribute object
-
uid
string Required A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.
-
-
connector
object Hide connector attributes Show connector attributes object
-
fields
object | null An object containing the connector fields. To create a case without a connector, specify null. If you want to omit any individual field, specify null as its value.
Hide fields attributes Show fields attributes object | null
-
caseId
string The case identifier for Swimlane connectors.
-
category
string The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors.
-
destIp
boolean | null Indicates whether cases will send a comma-separated list of destination IPs for ServiceNow SecOps connectors.
-
impact
string The effect an incident had on business for ServiceNow ITSM connectors.
-
issueType
string The type of issue for Jira connectors.
-
issueTypes
array[string] The type of incident for IBM Resilient connectors.
-
malwareHash
boolean | null Indicates whether cases will send a comma-separated list of malware hashes for ServiceNow SecOps connectors.
-
malwareUrl
boolean | null Indicates whether cases will send a comma-separated list of malware URLs for ServiceNow SecOps connectors.
-
parent
string The key of the parent issue, when the issue type is sub-task for Jira connectors.
-
priority
string The priority of the issue for Jira and ServiceNow SecOps connectors.
-
severity
string The severity of the incident for ServiceNow ITSM connectors.
-
severityCode
string The severity code of the incident for IBM Resilient connectors.
-
sourceIp
boolean | null Indicates whether cases will send a comma-separated list of source IPs for ServiceNow SecOps connectors.
-
subcategory
string The subcategory of the incident for ServiceNow ITSM connectors.
-
urgency
string The extent to which the incident resolution can be delayed for ServiceNow ITSM connectors.
-
-
id
string The identifier for the connector. To create a case without a connector, use
none
. -
name
string The name of the connector. To create a case without a connector, use
none
. -
type
string The type of connector.
Values are
.cases-webhook
,.jira
,.none
,.resilient
,.servicenow
,.servicenow-sir
, or.swimlane
.
-
-
description
string -
owner
string The application that owns the cases: Stack Management, Observability, or Elastic Security.
Values are
cases
,observability
, orsecuritySolution
. -
settings
object An object that contains the case settings.
Hide settings attribute Show settings attribute object
-
syncAlerts
boolean Required Turns alert syncing on or off.
-
-
severity
string The severity of the case.
Values are
critical
,high
,low
, ormedium
. Default value islow
. -
status
string The status of the case.
Values are
closed
,in-progress
, oropen
. -
tags
array[string] -
title
string
If the
action
isdelete
and thetype
isdelete_case
, the payload is nullable.Hide attribute Show attribute
-
description
string
Hide attribute Show attribute
-
externalService
object | null Hide externalService attributes Show externalService attributes object | null
-
connector_id
string -
connector_name
string -
external_id
string -
external_title
string -
external_url
string -
pushed_at
string(date-time) -
pushed_by
object | null Hide pushed_by attributes Show pushed_by attributes object | null
-
email
string | null -
full_name
string | null -
profile_uid
string -
username
string | null
-
-
Hide attribute Show attribute
-
settings
object An object that contains the case settings.
Hide settings attribute Show settings attribute object
-
syncAlerts
boolean Required Turns alert syncing on or off.
-
Hide attribute Show attribute
-
severity
string The severity of the case.
Values are
critical
,high
,low
, ormedium
. Default value islow
.
Hide attribute Show attribute
-
status
string The status of the case.
Values are
closed
,in-progress
, oropen
.
Hide attribute Show attribute
-
tags
array[string]
Hide attribute Show attribute
-
title
string
-
-
type
string Required The type of action.
Values are
assignees
,create_case
,comment
,connector
,delete_case
,description
,pushed
,tags
,title
,status
,settings
, orseverity
.
-
-
401 application/json
Authorization information is missing or invalid.
Hide response attributes Show response attributes object
-
error
string -
message
string -
statusCode
integer
-
curl \
--request GET 'https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/user_actions' \
--header "Authorization: $API_KEY"