IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Find cases API
editFind cases API
editRetrieves a paginated subset of cases.
Request
editGET <kibana host>:<port>/api/cases/_find
GET <kibana host>:<port>/s/<space_id>/api/cases/_find
Prerequisites
editYou must have read
privileges for the Cases feature in the Management,
Observability, or Security section of the
Kibana feature privileges, depending on the
owner
of the cases you’re seeking.
Path parameters
edit-
<space_id>
- (Optional, string) An identifier for the space. If it is not specified, the default space is used.
Query parameters
edit-
defaultSearchOperator
-
(Optional, string) The default operator to use for the
simple_query_string
. Defaults toOR
. -
fields
- (Optional, array of strings) The fields in the entity to return in the response.
-
owner
-
(Optional, string or array of strings) A filter to limit the retrieved cases to
a specific set of applications. Valid values are:
cases
,observability
, andsecuritySolution
. If this parameter is omitted, the response contains all cases that the user has access to read. -
page
-
(Optional, integer) The page number to return. Defaults to
1
. -
perPage
-
(Optional, integer) The number of rules to return per page. Defaults to
20
. -
reporters
-
(Optional, string or array of strings) Filters the returned cases by the
reporter’s
username
. -
search
- (Optional, string) An Elasticsearch simple_query_string query that filters the objects in the response.
-
searchFields
-
(Optional, string or array of strings) The fields to perform the
simple_query_string
parsed query against. -
sortField
-
(Optional, string) Determines which field is used to sort the results,
createdAt
orupdatedAt
. Defaults tocreatedAt
.Even though the JSON case object uses
created_at
andupdated_at
fields, you must usecreatedAt
andupdatedAt
fields in the URL query. -
sortOrder
-
(Optional, string) Determines the sort order, which can be
desc
orasc
. Defaults todesc
. -
status
-
(Optional, string) Filters the returned cases by state, which can be
open
,in-progress
, orclosed
. -
tags
- (Optional, string or array of strings) Filters the returned cases by tags.
Response codes
edit-
200
- Indicates a successful call.
Examples
editRetrieve the first five cases with the phishing
tag, in ascending order by
last update time:
GET api/cases/_find?page=1&perPage=5&sortField=updatedAt&sortOrder=asc&tags=phishing
The API returns a JSON object listing the retrieved cases. For example:
{ "page": 1, "per_page": 5, "total": 2, "cases": [ { "id": "abed3a70-71bd-11ea-a0b2-c51ea50a58e2", "version": "WzExMCwxXQ==", "comments": [], "totalComment": 0, "totalAlerts": 0, "title": "The Long Game", "tags": [ "windows", "phishing" ], "description": "Windows 95", "settings": { "syncAlerts": true }, "owner": "securitySolution", "closed_at": null, "closed_by": null, "created_at": "2022-03-29T13:03:23.533Z", "created_by": { "email": "[email protected]", "full_name": "Rat Hustler", "username": "rhustler" }, "status": "open", "updated_at": null, "updated_by": null, "connector": { "id": "131d4448-abe0-4789-939d-8ef60680b498", "name": "My connector", "type": ".jira", "fields": { "issueType": "10006", "priority": null, } } "external_service": null, }, { "id": "a18b38a0-71b0-11ea-a0b2-c51ea50a58e2", "version": "Wzk4LDFd", "comments": [], "totalComment": 0, "totalAlerts": 0, "title": "This case will self-destruct in 5 seconds", "tags": [ "phishing", "social engineering", "bubblegum" ], "description": "James Bond clicked on a highly suspicious email banner advertising cheap holidays for underpaid civil servants. Operation bubblegum is active. Repeat - operation bubblegum is now active!", "settings": { "syncAlerts": false }, "owner": "cases", "closed_at": null, "closed_by": null, "created_at": "2022-03-29T11:30:02.658Z", "created_by": { "email": "[email protected]", "full_name": "Alan Hunley", "username": "ahunley" }, "status": "open", "updated_at": "2022-03-29T12:01:50.244Z", "updated_by": { "full_name": "Classified", "email": "[email protected]", "username": "M" }, "connector": { "id": "131d4448-abe0-4789-939d-8ef60680b498", "name": "My connector", "type": ".resilient", "fields": { "issueTypes": [13], "severityCode": 6, } }, "external_service": null, } ], "count_open_cases": 2, "count_in_progress_cases":0, "count_closed_cases": 0 }