The SIEM app is now a part of the Elastic Security solution. Click here to view the current documentation.
IMPORTANT: No additional bug fixes or documentation updates will be released for this version.
« Cases API Add comment »
Elastic Docs SIEM Guide [7.8] SIEM APIs Cases API

Create case

edit
IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Create case

edit

Creates a new case.

Request URL

edit

POST <kibana host>:<port>/api/cases

Request body

edit

A JSON object with these fields:

Name Type Description Required

title

String

The case’s title.

Yes

description

String

The case’s description.

Yes

tags

String[]

String array containing words and phrases that help categorize cases.

Yes, can be an empty array.

Example request

edit
POST api/cases
{
  "description": "James Bond clicked on a highly suspicious email
  banner advertising cheap holidays for underpaid civil servants.",
  "title": "This case will self-destruct in 5 seconds",
  "tags": [
    "phishing",
    "social engineering"
  ]
}

Response code

edit
200
Indicates a successful call.

Response payload

edit

A JSON object that includes the user who created the case and the case’s ID, version, and creation time.

Example response

edit
{
  "id": "66b9aa00-94fa-11ea-9f74-e7e108796192",
  "version": "WzUzMiwxXQ==",
  "comments": [],
  "totalComment": 0,
  "connector_id": "05da469f-1fde-4058-99a3-91e4807e2de8", 
  "title": "This case will self-destruct in 5 seconds",
  "description": "James Bond clicked on a highly suspicious email banner advertising cheap holidays for underpaid civil servants. Operation bubblegum is active. Repeat - operation bubblegum is now active",
  "tags": [
    "phishing",
    "social engineering",
    "bubblegum"
  ],
  "closed_at": null,
  "closed_by": null,
  "created_at": "2020-05-13T09:16:17.416Z",
  "created_by": {
    "email": "ahunley@imf.usa.gov",
    "full_name": "Alan Hunley",
    "username": "ahunley"
  },
  "external_service": null, 
  "status": "open",
  "updated_at": null,
  "updated_by": null
}

The default connector ID used to push cases to external services (see Set default SIEM UI connector).

The external_service object stores information when the case is pushed to external systems. For more information, see Actions API (for pushing cases to external systems).
« Cases API Add comment »