Find casesedit

Retrieves a paginated subset of cases. By default, the first page is returned with 20 results per page.

Console supports only Elasticsearch APIs. Console doesn’t allow interactions with Kibana APIs. You must use curl or another HTTP tool instead. For more information, refer to Run Elasticsearch API requests.

Cases are saved objects. See Find objects API for more query parameters.

Request URLedit

GET <kibana host>:<port>/api/cases/_find

URL query parametersedit

All parameters are optional:

Name Type Description

owner

String or String[]

A filter to limit the retrieved cases to a specific set of applications. If this parameter is omitted, the response will contain all cases that the user has access to read.

page

Integer

The page number to return.

perPage

Integer

The number of rules to return per page.

sortField

String

Determines which field is used to sort the results, createdAt or updatedAt.

sortOrder

String

Determines the sort order, which can be desc or asc.

status

String

Filters the returned cases by state, which can be open, in-progress, or closed.

tags

String

Filters the returned cases by tags.

reporters

String

Filters the returned cases by the reporter’s username.

Even though the JSON case object uses created_at and updated_at fields, you must use createdAt and updatedAt fields in the URL query.

Example requestedit

Retrieves the first five cases with the phishing tag, in ascending order by last update time.

GET api/cases/_find?page=1&perPage=5&sortField=updatedAt&sortOrder=asc&tags=phishing

Response codeedit

200
Indicates a successful call.

Response payloadedit

A JSON object listing the retrieved cases.

Response exampleedit

{
  "page": 1,
  "per_page": 5,
  "total": 2,
  "cases": [
    {
      "id": "abed3a70-71bd-11ea-a0b2-c51ea50a58e2",
      "version": "WzExMCwxXQ==",
      "comments": [],
      "totalComment": 0,
      "closed_at": null,
      "closed_by": null,
      "created_at": "2020-03-29T13:03:23.533Z",
      "created_by": {
        "email": "rhustler@aol.com",
        "full_name": "Rat Hustler",
        "username": "rhustler"
      },
      "external_service": null,
      "updated_at": null,
      "updated_by": null,
      "title": "The Long Game",
      "tags": [
        "windows",
        "phishing"
      ],
      "description": "Windows 95",
      "status": "open",
      "connector": {
        "id": "131d4448-abe0-4789-939d-8ef60680b498",
        "name": "My connector",
        "type": ".jira",
        "fields": {
          "issueType": "10006",
          "priority": null,
        }
      },
      "settings": {
        "syncAlerts": true
      },
      "owner": "securitySolution",
    },
    {
      "id": "a18b38a0-71b0-11ea-a0b2-c51ea50a58e2",
      "version": "Wzk4LDFd",
      "comments": [],
      "totalComment": 0,
      "closed_at": null,
      "closed_by": null,
      "created_at": "2020-03-29T11:30:02.658Z",
      "created_by": {
        "email": "ahunley@imf.usa.gov",
        "full_name": "Alan Hunley",
        "username": "ahunley"
      },
      "external_service": null,
      "updated_at": "2020-03-29T12:01:50.244Z",
      "updated_by": {
        "full_name": "Classified",
        "email": "classified@hms.oo.gov.uk",
        "username": "M"
      },
      "description": "James Bond clicked on a highly suspicious email banner advertising cheap holidays for underpaid civil servants. Operation bubblegum is active. Repeat - operation bubblegum is now active!",
      "title": "This case will self-destruct in 5 seconds",
      "status": "open",
      "connector": {
        "id": "131d4448-abe0-4789-939d-8ef60680b498",
        "name": "My connector",
        "type": ".resilient",
        "fields": {
          "issueTypes": [13],
          "severityCode": 6,
        }
      },
      "settings": {
        "syncAlerts": false
      },
      "owner": "securitySolution",
      "tags": [
        "phishing",
        "social engineering",
        "bubblegum"
      ]
    }
  ],
  "count_open_cases": 2,
  "count_closed_cases": 0
}