Add comment to case APIedit

Adds a comment or alert to a case.

Requestedit

POST <kibana host>:<port>/api/cases/<case_id>/comments

POST <kibana host>:<port>/s/<space_id>/api/cases/<case_id>/comments

Prerequisitesedit

You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you’re updating.

Path parametersedit

<case_id>
(Required,string) The identifier for the case. To retrieve case IDs, use Find cases.
<space_id>
(Optional, string) An identifier for the space. If it is not specified, the default space is used.

Request bodyedit

alertId
(Required*, string or array of strings) The alert identifier. It is required only when type is alert. If it is an array, index must also be an array. [preview] This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
comment
(Required*, string) The new comment. It is required only when type is user.
index
(Required*, string or array of strings) The alert index. It is required only when type is alert. If it is an array, alertId must also be an array. [preview] This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
owner
(Required, string) The application that owns the case. Valid values are: cases, observability, or securitySolution.
rule

(Required*, object) The rule that is associated with the alert. It is required only when type is alert. [preview] This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

Properties of rule
id
(Required, string) The rule identifier. [preview] This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
name
(Required, string) The rule name. [preview] This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
type
(Required, string) The comment type, which must be user or alert.

Response codesedit

200
Indicates a successful call.

Examplesedit

Add a comment to case ID 293f1bc0-74f6-11ea-b83a-553aecdb28b6:

POST api/cases/293f1bc0-74f6-11ea-b83a-553aecdb28b6/comments
{
  "type": "user",
  "comment": "A new comment.",
  "owner": "cases"
}

The API returns details about the case and its comments. For example:

{
  "comments":[
    {
      "id": "8af6ac20-74f6-11ea-b83a-553aecdb28b6",
      "version": "WzIwNDMxLDFd",
      "type": "user",
      "owner": "cases",
      "comment": "A new comment.",
      "created_at": "2022-03-24T00:49:47.716Z",
      "created_by": {
        "email": null,
        "full_name": null,
        "username": "elastic"
      },
      "pushed_at": null,
      "pushed_by": null,
      "updated_at": null,
      "updated_by": null
    }
  ],
  "totalAlerts": 0,
  "id": "293f1bc0-74f6-11ea-b83a-553aecdb28b6",
  "version": "WzIzMzgsMV0=",
  "totalComment": 1,
  "title": "Case title 1",
  "tags": ["tag 1"],
  "description": "A case description.",
  "settings": {
    "syncAlerts": false
  },
  "owner": "cases",
  "duration": null,
  "severity": "low",
  "closed_at": null,
  "closed_by": null,
  "created_at": "2022-03-24T00:37:03.906Z",
  "created_by": {
    "email": null,
    "full_name": null,
    "username": "elastic"
  },
  "status": "open",
  "updated_at": "2022-03-24T00:49:47.716Z",
  "updated_by": {
    "email": null,
    "full_name": null,
    "username": "elastic"
  },
  "connector": {
    "id": "none",
    "name": "none",
    "type": ".none",
    "fields": null
  },
  "external_service": null
}

Add an alert to the case:

POST api/cases/293f1bc0-74f6-11ea-b83a-553aecdb28b6/comments
{
  "alertId": "6b24c4dc44bc720cfc92797f3d61fff952f2b2627db1fb4f8cc49f4530c4ff42",
  "index": ".internal.alerts-security.alerts-default-000001",
  "type": "alert",
  "owner": "cases",
  "rule": {
    "id":"94d80550-aaf4-11ec-985f-97e55adae8b9",
    "name":"security_rule"
  }
}