IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
« Get case activity API Get case status API »
Elastic Docs Kibana Guide [8.2] REST API Cases APIs

Get case API

edit

Get case API

edit

Returns a specified case.

Request

edit

GET <kibana host>:<port>/api/cases/<case ID>

GET <kibana host>:<port>/s/<space_id>/api/cases/<case ID>

Prerequisites

edit

You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you’re seeking.

Path parameters

edit
<case_id>
(Required, string) An identifier for the case to retrieve. Use Find cases to retrieve case IDs.
<space_id>
(Optional, string) An identifier for the space. If it is not specified, the default space is used.

Query parameters

edit
includeComments
(Optional, boolean) Determines whether case comments are returned. Defaults to true. [8.1.0] Deprecated in 8.1.0. The includeComments query parameter is deprecated and will be removed in a future release.

Response codes

edit
200
Indicates a successful call.

Examples

edit

Returns case ID a18b38a0-71b0-11ea-a0b2-c51ea50a58e2 without comments:

GET api/cases/a18b38a0-71b0-11ea-a0b2-c51ea50a58e2

The API returns a JSON object with the retrieved case. For example:

{
  "id": "a18b38a0-71b0-11ea-a0b2-c51ea50a58e2",
  "version": "Wzk4LDFd",
  "comments": [],
  "totalComment": 0,
  "closed_at": null,
  "closed_by": null,
  "created_at": "2020-03-29T11:30:02.658Z",
  "created_by": {
    "email": "[email protected]",
    "full_name": "Alan Hunley",
    "username": "ahunley"
  },
  "external_service": null,
  "updated_at": "2020-03-29T12:01:50.244Z",
  "updated_by": {
    "full_name": "Classified",
    "email": "[email protected]",
    "username": "M"
  },
  "description": "James Bond clicked on a highly suspicious email banner advertising cheap holidays for underpaid civil servants. Operation bubblegum is active. Repeat - operation bubblegum is now active!",
  "title": "This case will self-destruct in 5 seconds",
  "status": "open",
  "connector": {
    "id": "131d4448-abe0-4789-939d-8ef60680b498",
    "name": "My connector",
    "type": ".jira",
    "fields": {
      "issueType": "10006",
      "priority": "High",
    }
  },
  "settings": {
    "syncAlerts": true
  },
  "owner": "securitySolution",
  "tags": [
    "phishing",
    "social engineering",
    "bubblegum"
  ]
}
« Get case activity API Get case status API »