IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
« Get comment Get tags »
Elastic Docs Elastic Security Solution [7.16] Elastic Security APIs Cases API

Get all case activity

edit

Get all case activity

edit

Returns all user activity for the specified case.

Console supports only Elasticsearch APIs. Console doesn’t allow interactions with Kibana APIs. You must use curl or another HTTP tool instead. For more information, refer to Run Elasticsearch API requests.

Request URL

edit

GET <kibana host>:<port>/api/cases/<case ID>/user_actions

URL parts

edit

The URL must include the case ID of the case for which you are retrieving activity. Call Find cases to retrieve case IDs.

Example request

edit

Gets all comments for case ID a18b38a0-71b0-11ea-a0b2-c51ea50a58e2:

GET api/cases/a18b38a0-71b0-11ea-a0b2-c51ea50a58e2/user_actions

Response code

edit
200
Indicates a successful call.

Response payload

edit

A JSON array containing all user activity for the specified case.

Response example

edit
[
  {
    "action_field": [
      "description",
      "status",
      "tags",
      "title",
      "connector",
      "settings"
    ],
    "action": "create",
    "action_at": "2020-04-02T15:25:19.088Z",
    "action_by": {
      "email": "[email protected]",
      "full_name": "Alan Hunley",
      "username": "ahunley"
    },
    "new_value": "{\"title\":\"This case will self-destruct in 5 seconds\",\"tags\":[\"phishing\",\"social engineering\"],\"description\":\"James Bond clicked on a highly suspicious email banner advertising cheap holidays for underpaid civil servants.\"},\"connector\":{\"id\":\"none\",\"name\":\"none\",\"type\":\".none\",\"fields\":null},\"settings\":{\"syncAlerts\":true}",
    "old_value": null,
    "action_id": "29ce6370-74f6-11ea-b83a-553aecdb28b6",
    "case_id": "293f1bc0-74f6-11ea-b83a-553aecdb28b6",
    "comment_id": null,
    "owner": "securitySolution",
  },
  {
    "action_field": [
      "comment"
    ],
    "action": "create",
    "action_at": "2020-04-02T15:28:03.034Z",
    "action_by": {
      "email": "[email protected]",
      "full_name": "Ms Moneypenny",
      "username": "moneypenny"
    },
    "new_value": "That is nothing - Ethan Hunt answered a targeted social media campaign promoting phishy pension schemes to IMF operatives.",
    "old_value": null,
    "action_id": "8b0d6870-74f6-11ea-b83a-553aecdb28b6",
    "case_id": "293f1bc0-74f6-11ea-b83a-553aecdb28b6",
    "comment_id": "8af6ac20-74f6-11ea-b83a-553aecdb28b6",
    "owner": "securitySolution",
  },
  {
    "action_field": [
      "comment"
    ],
    "action": "update",
    "action_at": "2020-04-02T15:34:01.118Z",
    "action_by": {
      "email": "[email protected]",
      "full_name": "James Bond",
      "username": "_007"
    },
    "new_value": "That is nothing - Ethan Hunt answered a targeted social media campaign promoting phishy pension schemes to IMF operatives. Even worse, he likes baked beans.",
    "old_value": "That is nothing - Ethan Hunt answered a targeted social media campaign promoting phishy pension schemes to IMF operatives.",
    "action_id": "60dafd50-74f7-11ea-b83a-553aecdb28b6",
    "case_id": "293f1bc0-74f6-11ea-b83a-553aecdb28b6",
    "comment_id": "8af6ac20-74f6-11ea-b83a-553aecdb28b6",
    "owner": "securitySolution",
  },
  {
    "action_field": [
      "comment"
    ],
    "action": "create",
    "action_at": "2020-04-02T17:48:16.293Z",
    "action_by": {
      "email": "[email protected]",
      "full_name": "Classified",
      "username": "M"
    },
    "new_value": "I'm on it.",
    "old_value": null,
    "action_id": "223f7bd0-750a-11ea-b83a-553aecdb28b6",
    "case_id": "293f1bc0-74f6-11ea-b83a-553aecdb28b6",
    "comment_id": "21a844e0-750a-11ea-b83a-553aecdb28b6",
    "owner": "securitySolution",
  },
  {
    "action_field":[
        "connector"
    ],
    "action":"update",
    "action_at":"2020-10-12T16:03:34.940Z",
    "action_by":{
        "email":"[email protected]",
        "full_name":"Classified",
        "username":"M"
    },
    "new_value":"{\"id\":\"18bc18cf-bd5d-4c88-bcdd-c7bb52a692cd\",\"name\":\"Resilient\",\"type\":\".resilient\",\"fields\":{\"incidentTypes\":[\"1001\"],\"severityCode\":\"5\"}}",
    "old_value":"{\"id\":\"72b9fa3a-b081-487d-9358-61d5da2968c1\",\"name\":\"Jira\",\"type\":\".jira\",\"fields\":{\"issueType\":\"10006\",\"parent\":null,\"priority\":\"Medium\"}}",
    "action_id":"7c326760-0ca4-11eb-8a58-a3c589db8483",
    "case_id":"7498ae50-0c8c-11eb-aefc-797bf7d42db4",
    "comment_id":null,
    "owner": "securitySolution",
  },
  {
    "action_field":[
        "settings"
    ],
    "action":"update",
    "action_at":"2020-10-12T16:03:34.940Z",
    "action_by":{
        "email":"[email protected]",
        "full_name":"Classified",
        "username":"M"
    },
    "new_value":"{\"syncAlerts\":false}",
    "old_value":"{\"syncAlerts\":true}",
    "action_id":"6c326760-0ca4-21eb-8a58-a3c589db8483",
    "case_id":"4498ae50-0c8c-11eb-eefc-797bf7d42db4",
    "comment_id":null,
    "owner": "securitySolution",
  }
]
« Get comment Get tags »