

Model definition

Required attributes:

- title (text) : title of the case
- description (text) : description of the case
- severity (number) : severity of the case (1: low; 2: medium; 3: high) default=2
- startDate (date) : date and time of the start of the case default=now
- owner (string) : user to whom the case has been assigned default=user who creates the case
- flag (boolean) : flag of the case default=false
- tlp (number) : TLP (0: white; 1: green; 2: amber; 3: red) default=2
- tags (multi-string) : case tags default=empty

Optional attributes:

- resolutionStatus (caseResolutionStatus) : resolution status of the case (Indeterminate, FalsePositive, TruePositive, Other or Duplicated)
- impactStatus (caseImpactStatus) : impact status of the case (NoImpact, WithImpact or NotApplicable)
- summary (text) : summary of the case, to be provided when closing a case
- endDate (date) : resolution date
- metrics (metrics) : list of metrics

Attributes generated by the backend:

- status (caseStatus) : status of the case (Open, Resolved or Deleted) default=Open
- caseId (number) : Id of the case (auto-generated)
- mergeInto (string) : ID of the case created by the merge
- mergeFrom (multi-string) : IDs of the cases that were merged

Case Manipulation

Case methods

| HTTP Method | URI | Action |
|-------------|-----|--------|
| GET | /api/case | List cases |
| POST | /api/case/_search | Find cases |
| PATCH | /api/case/_bulk | Update cases in bulk |
| POST | /api/case/_stats | Compute stats on cases |
| POST | /api/case | Create a case |
| GET | /api/case/:caseId | Get a case |
| PATCH | /api/case/:caseId | Update a case |
| DELETE | /api/case/:caseId | Remove a case |
| GET | /api/case/:caseId/links | Get list of cases linked to this case |
| POST | /api/case/:caseId1/_merge/:caseId2 | Merge two cases |

Create a Case

A case can be created using the following URL:

```
POST     /api/case
```

Required case attributes (cf. models) must be provided.

This call returns attributes of the created case.

Creation of a simple case:

```
# THEHIVE_URL is a placeholder for the base URL of your TheHive instance
curl -XPOST -H 'Authorization: Bearer ***API*KEY***' -H 'Content-Type: application/json' "$THEHIVE_URL/api/case" -d '{
  "title": "My first case",
  "description": "This case has been created by my custom script"
}'
```

It returns:

```
{
  "severity": 3,
  "createdBy": "myuser",
  "createdAt": 1488918582777,
  "caseId": 1,
  "title": "My first case",
  "startDate": 1488918582836,
  "owner": "myuser",
  "status": "Open",
  "description": "This case has been created by my custom script",
  "user": "myuser",
  "tlp": 2,
  "flag": false,
  "id": "AVqqdpY2yQ6w1DNC8aDh",
  "_id": "AVqqdpY2yQ6w1DNC8aDh"
}
```

Creation of another case:

```
# THEHIVE_URL is a placeholder for the base URL of your TheHive instance
curl -XPOST -H 'Authorization: Bearer ***API*KEY***' -H 'Content-Type: application/json' "$THEHIVE_URL/api/case" -d '{
  "title": "My second case",
  "description": "This case has been created by my custom script, its severity is high, tlp is red and it contains tags",
  "severity": 3,
  "tlp": 3,
  "tags": ["automatic", "creation"]
}'
```

Creating a case with Tasks & Customfields:

```
# THEHIVE_URL is a placeholder for the base URL of your TheHive instance
curl -XPOST -H 'Authorization: Bearer ***API*KEY***' -H 'Content-Type: application/json' "$THEHIVE_URL/api/case" -d '{
    "title": "My first case",
    "description": "This case has been created by my custom script",
    "tasks": [{
        "title": "mytask",
        "description": "description of my task"
    }],
    "customFields": {
        "cvss": {
            "number": 9
        },
        "businessImpact": {
            "string": "HIGH"
        }
    }
}'
```

For the customFields object, the attribute names should correspond to the ExternalReference (cvss and businessImpact in the example above), not to the name of the custom fields.
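
An added example, not part of the original documentation: a Python helper that checks a case against the ranges in the model definition before building the `POST /api/case` request, so a script cannot file a case with an out-of-range severity or TLP, and that takes the API key from the environment rather than the command line. The function names and the `THEHIVE_URL` / `THEHIVE_API_KEY` variables are assumptions; only the `number` and `string` custom field types shown above are handled.

```python
import json
import os
import urllib.request

SEVERITY = {1, 2, 3}   # 1: low, 2: medium, 3: high
TLP = {0, 1, 2, 3}     # 0: white, 1: green, 2: amber, 3: red

def _check(name, value, allowed):
    # type() test rejects True/False, which would otherwise compare equal to 1/0
    if type(value) is not int or value not in allowed:
        raise ValueError(f"{name} must be one of {sorted(allowed)}, got {value!r}")

def build_case(title, description, severity=2, tlp=2, tags=(), tasks=(), custom_fields=None):
    """Return the JSON body for POST /api/case; raise ValueError on bad input."""
    if not title or not description:
        raise ValueError("title and description are required")
    _check("severity", severity, SEVERITY)
    _check("tlp", tlp, TLP)
    body = {"title": title, "description": description,
            "severity": severity, "tlp": tlp, "tags": list(tags)}
    if tasks:
        body["tasks"] = [{"title": t, "description": d} for t, d in tasks]
    if custom_fields:
        body["customFields"] = {}
        for ref, value in custom_fields.items():  # ref = ExternalReference
            if isinstance(value, bool) or not isinstance(value, (int, float, str)):
                raise ValueError(f"unsupported value for custom field {ref!r}")
            kind = "string" if isinstance(value, str) else "number"
            body["customFields"][ref] = {kind: value}
    return body

def case_request(base_url, api_key, body):
    """Build, without sending, the authenticated request for the case body."""
    return urllib.request.Request(
        base_url.rstrip("/") + "/api/case",
        data=json.dumps(body).encode("utf-8"),
        headers={"Authorization": f"Bearer {api_key}",
                 "Content-Type": "application/json"},
        method="POST")

if __name__ == "__main__":
    # THEHIVE_URL and THEHIVE_API_KEY are assumed environment variable names.
    body = build_case("My second case", "Created by my custom script",
                      severity=3, tlp=3, tags=["automatic", "creation"])
    req = case_request(os.environ["THEHIVE_URL"], os.environ["THEHIVE_API_KEY"], body)
    with urllib.request.urlopen(req) as resp:
        print(json.load(resp)["caseId"])
```
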

Last update: March 2, 2021 11:39:03