github-mirrors/kibana
1
0
Fork 0
mirror of https://github.com/elastic/kibana.git synced 2025-04-24 01:38:56 -04:00
Code Issues Projects Releases Packages Wiki Activity

[DOCS] Add find case APIs (#127686)

Browse source
This commit is contained in:
Lisa Cawley 2022-03-22 15:58:57 -07:00 committed by GitHub
parent 88d64dc3bb
commit 130823ac27
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 260 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

9
docs/api/cases.asciidoc
View file

@ -10,9 +10,9 @@ these APIs:
* {security-guide}/cases-api-delete-all-comments.html[Delete all comments]
* {security-guide}/cases-api-delete-comment.html[Delete comment]
* {security-guide}/cases-api-find-alert.html[Find all alerts attached to a case]
* {security-guide}/cases-api-find-cases.html[Find cases]
* <<cases-api-find-cases>>
* {security-guide}/cases-api-find-cases-by-alert.html[Find cases by alert]
* {security-guide}/cases-api-find-connectors.html[Find connectors]
* <<cases-api-find-connectors>>
* {security-guide}/cases-api-get-case-activity.html[Get all case activity]
* {security-guide}/cases-api-get-all-case-comments.html[Get all case comments]
* {security-guide}/cases-api-get-case.html[Get case]
@ -27,5 +27,10 @@ these APIs:
* <<cases-api-update>>
* {security-guide}/cases-api-update-comment.html[Update comment]
//CREATE
include::cases/cases-api-create.asciidoc[leveloffset=+1]
//FIND
include::cases/cases-api-find-cases.asciidoc[leveloffset=+1]
include::cases/cases-api-find-connectors.asciidoc[leveloffset=+1]
//UPDATE
include::cases/cases-api-update.asciidoc[leveloffset=+1]

193
docs/api/cases/cases-api-find-cases.asciidoc Normal file
View file

@ -0,0 +1,193 @@
[[cases-api-find-cases]]
== Find cases API
++++
<titleabbrev>Find cases</titleabbrev>
++++
Retrieves a paginated subset of cases.
=== Request
`GET <kibana host>:<port>/api/cases/_find`
`GET <kibana host>:<port>/s/<space_id>/api/cases/_find`
=== Prerequisite
You must have `read` privileges for the *Cases* feature in the *Management*,
*{observability}*, or *Security* section of the
<<kibana-feature-privileges,{kib} feature privileges>>, depending on the
`owner` of the cases you're seeking.
=== Path parameters
`<space_id>`::
(Optional, string) An identifier for the space. If it is not specified, the
default space is used.
=== Query parameters
`defaultSearchOperator`::
(Optional, string) The default operator to use for the `simple_query_string`.
Defaults to `OR`.
////
`fields`::
(Optional, array of strings) The fields in the entity to return in the response.
////
`owner`::
(Optional, string or array of strings) A filter to limit the retrieved cases to
a specific set of applications. Valid values are: `cases`, `observability`,
and `securitySolution`. If this parameter is omitted, the response contains all
cases that the user has access to read.
`page`::
(Optional, integer) The page number to return. Defaults to `1`.
`perPage`::
(Optional, integer) The number of rules to return per page. Defaults to `20`.
`reporters`::
(Optional, string or array of strings) Filters the returned cases by the
reporter's `username`.
`search`::
(Optional, string) An {es}
{ref}/query-dsl-simple-query-string-query.html[simple_query_string] query that
filters the objects in the response.
`searchFields`::
(Optional, string or array of strings) The fields to perform the
`simple_query_string` parsed query against.
`sortField`::
(Optional, string) Determines which field is used to sort the results,
`createdAt` or `updatedAt`. Defaults to `createdAt`.
+
NOTE: Even though the JSON case object uses `created_at` and `updated_at`
fields, you must use `createdAt` and `updatedAt` fields in the URL
query.
`sortOrder`::
(Optional, string) Determines the sort order, which can be `desc` or `asc`.
Defaults to `desc`.
`status`::
(Optional, string) Filters the returned cases by state, which can be `open`,
`in-progress`, or `closed`.
`tags`::
(Optional, string or array of strings) Filters the returned cases by tags.
=== Response code
`200`::
Indicates a successful call.
=== Example
Retrieve the first five cases with the `phishing` tag, in ascending order by
last update time:
[source,sh]
--------------------------------------------------
GET api/cases/_find?page=1&perPage=5&sortField=updatedAt&sortOrder=asc&tags=phishing
--------------------------------------------------
// KIBANA
The API returns a JSON object listing the retrieved cases. For example:
[source,json]
--------------------------------------------------
{
"page": 1,
"per_page": 5,
"total": 2,
"cases": [
{
"id": "abed3a70-71bd-11ea-a0b2-c51ea50a58e2",
"version": "WzExMCwxXQ==",
"comments": [],
"totalComment": 0,
"totalAlerts": 0,
"title": "The Long Game",
"tags": [
"windows",
"phishing"
],
"description": "Windows 95",
"settings": {
"syncAlerts": true
},
"owner": "securitySolution",
"closed_at": null,
"closed_by": null,
"created_at": "2022-03-29T13:03:23.533Z",
"created_by": {
"email": "rhustler@email.com",
"full_name": "Rat Hustler",
"username": "rhustler"
},
"status": "open",
"updated_at": null,
"updated_by": null,
"connector": {
"id": "131d4448-abe0-4789-939d-8ef60680b498",
"name": "My connector",
"type": ".jira",
"fields": {
"issueType": "10006",
"priority": null,
}
}
"external_service": null,
},
{
"id": "a18b38a0-71b0-11ea-a0b2-c51ea50a58e2",
"version": "Wzk4LDFd",
"comments": [],
"totalComment": 0,
"totalAlerts": 0,
"title": "This case will self-destruct in 5 seconds",
"tags": [
"phishing",
"social engineering",
"bubblegum"
],
"description": "James Bond clicked on a highly suspicious email banner advertising cheap holidays for underpaid civil servants. Operation bubblegum is active. Repeat - operation bubblegum is now active!",
"settings": {
"syncAlerts": false
},
"owner": "cases",
"closed_at": null,
"closed_by": null,
"created_at": "2022-03-29T11:30:02.658Z",
"created_by": {
"email": "ahunley@imf.usa.gov",
"full_name": "Alan Hunley",
"username": "ahunley"
},
"status": "open",
"updated_at": "2022-03-29T12:01:50.244Z",
"updated_by": {
"full_name": "Classified",
"email": "classified@hms.oo.gov.uk",
"username": "M"
},
"connector": {
"id": "131d4448-abe0-4789-939d-8ef60680b498",
"name": "My connector",
"type": ".resilient",
"fields": {
"issueTypes": [13],
"severityCode": 6,
}
},
"external_service": null,
}
],
"count_open_cases": 2,
"count_in_progress_cases":0,
"count_closed_cases": 0
}
--------------------------------------------------

60
docs/api/cases/cases-api-find-connectors.asciidoc Normal file
View file

@ -0,0 +1,60 @@
[[cases-api-find-connectors]]
== Find connectors API
++++
<titleabbrev>Find connectors</titleabbrev>
++++
Retrieves information about <<action-types,connectors>>.
In particular, only the connectors that are supported for use in cases are
returned. Refer to the list of supported external incident management systems in
<<add-case-connectors>>.
=== Request
`GET <kibana host>:<port>/api/cases/configure/connectors/_find`
`GET <kibana host>:<port>/s/<space_id>/api/cases/configure/connectors/_find`
=== Prerequisite
You must have `read` privileges for the *Actions and Connectors* feature in the
*Management* section of the
<<kibana-feature-privileges,{kib} feature privileges>>.
=== Path parameters
`<space_id>`::
(Optional, string) An identifier for the space. If it is not specified, the
default space is used.
=== Response code
`200`::
Indicates a successful call.
=== Example
[source,sh]
--------------------------------------------------
GET api/cases/configure/connectors/_find
--------------------------------------------------
// KIBANA
The API returns a JSON object describing the connectors and their settings:
[source,json]
--------------------------------------------------
[{
"id":"61787f53-4eee-4741-8df6-8fe84fa616f7",
"actionTypeId": ".jira",
"name":"my-Jira",
"isMissingSecrets":false,
"config": {
"apiUrl":"https://elastic.atlassian.net/",
"projectKey":"ES"
},
"isPreconfigured":false,
"referencedByCount":0
}]
--------------------------------------------------