IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
Elastic Docs Elastic Security Solution [7.12] Elastic Security APIs Cases API
« Push case Actions API (for pushing cases to external systems) »

Add external details to caseedit

Adds the data returned from an external system to the specified case.

The Kibana Console supports only Elasticsearch APIs. You cannot interact with the Kibana APIs with the Console and must use curl or another HTTP tool instead. For more information, refer to Console.

After sending a new or updated case to an external system using the Actions API, you must associate the external system’s returned object with the case in Elastic Security.

Request URLedit

POST <kibana host>:<port>/api/cases/<case ID>/_push

URL partsedit

The URL must include the case ID of the case you are updating. Call Find cases to retrieve case IDs.

Request bodyedit

A JSON object with the data returned from the external system:

Name Type Description Required

connector_id

String

The ID of the connector used to send the case to the external system.

Yes

connector_name

String

The name of the connector used to send the case to the external system..

Yes

external_id

String

The id returned when calling Create or update an external incident.

Yes

external_title

String

The title returned when calling Create or update an external incident.

Yes

external_url

String

The url returned when calling Create or update an external incident.

Yes

Example requestedit

POST api/cases/718265d0-733a-11ea-a0b2-c51ea50a58e2/_push

  "connector_id": "61787f53-4eee-4741-8df6-8fe84fa616f7",
  "connector_name": "ServiceNow",
  "external_id": "74c15d07dbb300106ba884da0b9619a0",
  "external_title": "INC0010016",
  "external_url": "https://dev78437.service-now.com/nav_to.do?uri=incident.do?sys_id=74c15d07dbb300106ba884da0b9619a0"
}

Response codeedit

200
Indicates a successful call.

Response payloadedit

The updated JSON case object.

Example responseedit

{
  "id": "718265d0-733a-11ea-a0b2-c51ea50a58e2",
  "version": "WzMyNywxXQ==",
  "comments": [],
  "totalComment": 0,
  "closed_at": null,
  "closed_by": null,
  "created_at": "2020-03-31T10:29:03.781Z",
  "created_by": {
    "email": "ahunley@imf.usa.gov",
    "full_name": "Alan Hunley",
    "username": "ahunley"
  },
  "external_service": {
    "pushed_at": "2020-03-31T10:56:10.959Z",
    "pushed_by": {
      "username": "ahunley",
      "full_name": "Alan Hunley",
      "email": "ahunley@imf.usa.gov"
    },
    "connector_id": "61787f53-4eee-4741-8df6-8fe84fa616f7",
    "connector_name": "ServiceNow",
    "external_id": "74c15d07dbb300106ba884da0b9619a0",
    "external_title": "INC0010016",
    "external_url": "https://dev78437.service-now.com/nav_to.do?uri=incident.do?sys_id=74c15d07dbb300106ba884da0b9619a0"
  },
  "updated_at": "2020-03-31T10:56:10.959Z",
  "updated_by": {
    "username": "ahunley",
    "full_name": "Alan Hunley",
    "email": "ahunley@imf.usa.gov"
  },
  "title": "This case will self-destruct in 5 seconds",
  "tags": [],
  "description": "James Bond clicked on a highly suspicious email banner advertising cheap holidays for underpaid civil servants.",
  "status": "open",
  "connector": {
    "id": "61787f53-4eee-4741-8df6-8fe84fa616f7",
    "name": "ServiceNow",
    "type": ".servicenow",
    "fields": null
  },
  "settings": {
    "syncAlerts": true
  },
}
« Push case Actions API (for pushing cases to external systems) »