Add commentedit
Adds a comment to an existing case.
Console supports only Elasticsearch APIs. Console doesn’t allow interactions with Kibana APIs. You must use curl
or another HTTP tool instead. For more information, refer to Run Elasticsearch API requests.
Request URLedit
POST <kibana host>:<port>/api/cases/<case ID>/comments
URL partsedit
The URL must include the case ID
of the case to which you are adding a comment. Use Find cases to retrieve case IDs.
Request bodyedit
A JSON object with a comment
field:
Name | Type | Description | Required |
---|---|---|---|
|
String |
The alert identifier. |
Yes, only when the |
|
String |
The new comment. |
Yes, only when the |
|
String |
The alert index. |
Yes, only when the |
|
String |
The application that owns the case. Valid values are:
|
Yes, whether the type is |
|
String |
The rule associated with the alert. Required properties are:
|
Yes, only when the |
|
String |
The comment type. Must be |
Yes. |
Only Elastic Security alerts (signals) are supported.
Example requestedit
Adds a comment to case ID 293f1bc0-74f6-11ea-b83a-553aecdb28b6
:
POST api/cases/293f1bc0-74f6-11ea-b83a-553aecdb28b6/comments { "type": "user", "comment": "That is nothing - Ethan Hunt answered a targeted social media campaign promoting phishy pension schemes to IMF operatives.", "owner": "securitySolution" }
Response codeedit
-
200
- Indicates a successful call.
Response payloadedit
The response contains an updated JSON case object with the newly added comment, the user who created it, and the comment’s ID, version, and creation time.
Example responseedit
{ "comments":[ { "id": "8af6ac20-74f6-11ea-b83a-553aecdb28b6", "version": "WzIwNDMxLDFd", "type":"user", "owner":"cases", "comment":"That is nothing - Ethan Hunt answered a targeted social media campaign promoting phishy pension schemes to IMF operatives.", "created_at":"2022-03-24T00:49:47.716Z", "created_by": { "email": "moneypenny@hms.gov.uk", "full_name": "Ms Moneypenny", "username": "moneypenny" }, "pushed_at":null, "pushed_by":null, "updated_at":null, "updated_by":null } ], "totalAlerts":0, "id":"293f1bc0-74f6-11ea-b83a-553aecdb28b6", "version":"WzIzMzgsMV0=", "totalComment":1, "title": "This case will self-destruct in 5 seconds", "tags": ["phishing","social engineering"], "description": "James Bond clicked on a highly suspicious email banner advertising cheap holidays for underpaid civil servants.", "settings": { "syncAlerts":false }, "owner": "cases", "closed_at": null, "closed_by": null, "created_at": "2022-03-24T00:37:03.906Z", "created_by": { "email": "ahunley@imf.usa.gov", "full_name": "Alan Hunley", "username": "ahunley" }, "status": "open", "updated_at": "2022-03-24T00:49:47.716Z", "updated_by": { "email": "moneypenny@hms.gov.uk", "full_name": "Ms Moneypenny", "username": "moneypenny" }, "connector": { "id": "none", "name": "none", "type": ".none", "fields": null }, "external_service": null }