Retrieve Cases based on filters

Cortex XSIAM Platform APIs

post /public_api/v1/case/search

This endpoint retrieves a list of cases that match the specified filter criteria. It supports filtering by case_id, case_domain, status_progress, severity, and creation_time, along with sorting and pagination.

Request Body:

  • request_data: Object containing filter criteria
    • filters: Array of filter objects
      • field: String (enum: 'case_id', 'case_domain', 'severity', 'creation_time', 'status_progress')
      • operator: String (enum: 'in', 'gte', 'lte')
      • value: Array of integers/strings or single integer
    • search_from: Integer (default: 0) - Starting index for pagination
    • search_to: Integer (default: 100) - Ending index for pagination
    • sort: Object for sorting results
      • field: String (enum: 'creation_time', 'severity', 'case_id')
      • keyword: String (enum: 'asc', 'desc') - Sort order
CLIENT REQUEST
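# Placeholders: replace api-yourfqdn and the two API-key values with your tenant's.
# The shipped sample had no line continuations and sent an empty body (-d ''),
# so the request as written could not reach the filter logic at all.
curl -X 'POST' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -H 'x-xdr-auth-id: <API_KEY_ID>' \
  -H 'Authorization: <API_KEY>' \
  'https://api-yourfqdn/public_api/v1/case/search' \
  -d '{"request_data":{"filters":[{"field":"case_id","operator":"in","value":[0]}],"search_from":0,"search_to":100,"sort":{"field":"case_id","keyword":"asc"}}}'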
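import http.client
import json

# Placeholders: replace with your tenant's API FQDN and API-key values.
# The shipped sample connected to the truncated host "api-" and used a path
# starting with the URL-encoded template "%7B%7Bfqdn%7D%7D", which is not a
# valid request path.
API_HOST = "api-yourfqdn"  # placeholder: tenant API FQDN
API_KEY_ID = "<API_KEY_ID>"  # placeholder
API_KEY = "<API_KEY>"  # placeholder

# Search body: one "in" filter on case_id, first page of 100, sorted by case_id.
body = {
    "request_data": {
        "filters": [{"field": "case_id", "operator": "in", "value": [0]}],
        "search_from": 0,
        "search_to": 100,
        "sort": {"field": "case_id", "keyword": "asc"},
    }
}
headers = {
    "content-type": "application/json",
    # API-key headers; without them the service answers with the 401
    # "Unauthorized request" body documented further down this page.
    "x-xdr-auth-id": API_KEY_ID,
    "Authorization": API_KEY,
}

# HTTPSConnection verifies the server certificate with the default SSL context;
# do not pass an unverified context when sending an API key.
conn = http.client.HTTPSConnection(API_HOST)
try:
    conn.request("POST", "/public_api/v1/case/search", json.dumps(body), headers)
    res = conn.getresponse()
    # Non-2xx responses (400/401/500) carry an {"error": ...} body.
    print(res.status)
    data = res.read()
finally:
    conn.close()
print(data.decode("utf-8"))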
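require 'uri'
require 'net/http'
require 'openssl'
require 'json'

# Placeholders: replace api-yourfqdn and the API-key values with your tenant's.
# The shipped sample embedded the URL-encoded template "%7B%7Bfqdn%7D%7D" in the path.
url = URI("https://api-yourfqdn/public_api/v1/case/search")

http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
# The shipped sample set VERIFY_NONE, which disables certificate validation and
# lets any on-path host impersonate the API and capture the API key. Verify the peer.
http.verify_mode = OpenSSL::SSL::VERIFY_PEER

request = Net::HTTP::Post.new(url)
request["content-type"] = 'application/json'
# API-key headers; without them the service returns the 401 "Unauthorized request" body.
request["x-xdr-auth-id"] = '<API_KEY_ID>'
request["Authorization"] = '<API_KEY>'
# Search body: one "in" filter on case_id, first page of 100, sorted by case_id.
request.body = JSON.generate(
  "request_data" => {
    "filters" => [{ "field" => "case_id", "operator" => "in", "value" => [0] }],
    "search_from" => 0,
    "search_to" => 100,
    "sort" => { "field" => "case_id", "keyword" => "asc" }
  }
)

response = http.request(request)
# Non-2xx responses (400/401/500) carry an {"error": ...} body; print the code with it.
puts response.code
puts response.read_body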
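// Placeholders: replace api-yourfqdn and the API-key values with your tenant's.
// The shipped sample embedded the URL-encoded template "%7B%7Bfqdn%7D%7D" in the path.
// NOTE: a browser-side XMLHttpRequest exposes the API key to anyone who can read
// the page's scripts; in practice this call belongs in a server-side component.
const API_URL = "https://api-yourfqdn/public_api/v1/case/search";

// Search body: one "in" filter on case_id, first page of 100, sorted by case_id.
const data = JSON.stringify({
  "request_data": {
    "filters": [
      { "field": "case_id", "operator": "in", "value": [0] }
    ],
    "search_from": 0,
    "search_to": 100,
    "sort": { "field": "case_id", "keyword": "asc" }
  }
});

const xhr = new XMLHttpRequest();
xhr.withCredentials = true;
xhr.addEventListener("readystatechange", function () {
  if (this.readyState === this.DONE) {
    // Non-2xx responses (400/401/500) carry an {"error": ...} body; log the status with it.
    console.log(this.status, this.responseText);
  }
});
xhr.open("POST", API_URL);
xhr.setRequestHeader("content-type", "application/json");
// API-key headers; without them the service returns the 401 "Unauthorized request" body.
xhr.setRequestHeader("x-xdr-auth-id", "<API_KEY_ID>");
xhr.setRequestHeader("Authorization", "<API_KEY>");
xhr.send(data);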
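// Placeholders: replace api-yourfqdn and the API-key values with your tenant's.
// The shipped sample embedded the URL-encoded template "%7B%7Bfqdn%7D%7D" in the path
// and sent no API-key headers, which yields the 401 "Unauthorized request" body.
// Search body: one "in" filter on case_id, first page of 100, sorted by case_id.
HttpResponse<String> response = Unirest.post("https://api-yourfqdn/public_api/v1/case/search")
    .header("content-type", "application/json")
    .header("x-xdr-auth-id", "<API_KEY_ID>")
    .header("Authorization", "<API_KEY>")
    .body("{\"request_data\":{\"filters\":[{\"field\":\"case_id\",\"operator\":\"in\",\"value\":[0]}],\"search_from\":0,\"search_to\":100,\"sort\":{\"field\":\"case_id\",\"keyword\":\"asc\"}}}")
    .asString();
// Non-2xx responses (400/401/500) carry an {"error": ...} body; check response.getStatus() before parsing.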
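import Foundation

// Placeholders: replace api-yourfqdn and the API-key values with your tenant's.
// The shipped sample embedded the URL-encoded template "%7B%7Bfqdn%7D%7D" in the path.
let apiURL = URL(string: "https://api-yourfqdn/public_api/v1/case/search")!

let headers = [
    "content-type": "application/json",
    // API-key headers; without them the service returns the 401 "Unauthorized request" body.
    "x-xdr-auth-id": "<API_KEY_ID>",
    "Authorization": "<API_KEY>"
]

// Search body: one "in" filter on case_id, first page of 100, sorted by case_id.
let parameters: [String: Any] = [
    "request_data": [
        "filters": [
            ["field": "case_id", "operator": "in", "value": [0]]
        ],
        "search_from": 0,
        "search_to": 100,
        "sort": ["field": "case_id", "keyword": "asc"]
    ]
]

// JSONSerialization.data(withJSONObject:options:) throws; the shipped sample omitted `try`.
let postData = try JSONSerialization.data(withJSONObject: parameters, options: [])

var request = URLRequest(url: apiURL, cachePolicy: .useProtocolCachePolicy, timeoutInterval: 10.0)
request.httpMethod = "POST"
request.allHTTPHeaderFields = headers
request.httpBody = postData

let dataTask = URLSession.shared.dataTask(with: request) { data, response, error in
    if let error = error {
        print(error)
        return
    }
    // Non-2xx responses (400/401/500) carry an {"error": ...} body; print status and body.
    if let httpResponse = response as? HTTPURLResponse {
        print(httpResponse.statusCode)
    }
    if let data = data, let body = String(data: data, encoding: .utf8) {
        print(body)
    }
}
dataTask.resume()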
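<?php
// Placeholders: replace api-yourfqdn and the API-key values with your tenant's.
// The shipped sample embedded the URL-encoded template "%7B%7Bfqdn%7D%7D" in the path.

// Search body: one "in" filter on case_id, first page of 100, sorted by case_id.
$payload = json_encode([
    "request_data" => [
        "filters" => [["field" => "case_id", "operator" => "in", "value" => [0]]],
        "search_from" => 0,
        "search_to" => 100,
        "sort" => ["field" => "case_id", "keyword" => "asc"],
    ],
]);

$curl = curl_init();
curl_setopt_array($curl, [
    CURLOPT_URL => "https://api-yourfqdn/public_api/v1/case/search",
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_ENCODING => "",
    CURLOPT_MAXREDIRS => 10,
    CURLOPT_TIMEOUT => 30,
    CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
    // CURLOPT_POST selects POST directly; CURLOPT_CUSTOMREQUEST is for non-standard verbs.
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => $payload,
    CURLOPT_HTTPHEADER => [
        "content-type: application/json",
        // API-key headers; without them the service returns the 401 "Unauthorized request" body.
        "x-xdr-auth-id: <API_KEY_ID>",
        "Authorization: <API_KEY>",
    ],
]);

$response = curl_exec($curl);
$err = curl_error($curl);
$status = curl_getinfo($curl, CURLINFO_HTTP_CODE);
curl_close($curl);

if ($err) {
    echo "cURL Error #:" . $err;
} else {
    // Non-2xx responses (400/401/500) carry an {"error": ...} body; show the status with it.
    echo $status . " " . $response;
}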
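/* Placeholders: replace api-yourfqdn and the API-key values with your tenant's.
 * The shipped sample embedded the URL-encoded template "%7B%7Bfqdn%7D%7D" in the
 * path, never checked curl_easy_init() for NULL, and freed neither the header
 * list nor the easy handle. */
CURL *hnd = curl_easy_init();
struct curl_slist *headers = NULL;
CURLcode ret = CURLE_FAILED_INIT;

if (hnd != NULL) {
    headers = curl_slist_append(headers, "content-type: application/json");
    /* API-key headers; without them the service returns the 401 "Unauthorized request" body. */
    headers = curl_slist_append(headers, "x-xdr-auth-id: <API_KEY_ID>");
    headers = curl_slist_append(headers, "Authorization: <API_KEY>");

    curl_easy_setopt(hnd, CURLOPT_URL, "https://api-yourfqdn/public_api/v1/case/search");
    curl_easy_setopt(hnd, CURLOPT_HTTPHEADER, headers);
    /* CURLOPT_POSTFIELDS already selects POST; CURLOPT_CUSTOMREQUEST is not needed.
     * Search body: one "in" filter on case_id, first page of 100, sorted by case_id. */
    curl_easy_setopt(hnd, CURLOPT_POSTFIELDS, "{\"request_data\":{\"filters\":[{\"field\":\"case_id\",\"operator\":\"in\",\"value\":[0]}],\"search_from\":0,\"search_to\":100,\"sort\":{\"field\":\"case_id\",\"keyword\":\"asc\"}}}");

    /* ret != CURLE_OK means the transfer itself failed (DNS, TLS, timeout). An HTTP
     * 400/401/500 still yields CURLE_OK and carries the documented {"error": ...} body. */
    ret = curl_easy_perform(hnd);

    curl_slist_free_all(headers);
    curl_easy_cleanup(hnd);
}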
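// Placeholders: replace api-yourfqdn and the API-key values with your tenant's.
// The shipped sample embedded the URL-encoded template "%7B%7Bfqdn%7D%7D" in the path.
var client = new RestClient("https://api-yourfqdn/public_api/v1/case/search");
var request = new RestRequest(Method.POST);
request.AddHeader("content-type", "application/json");
// API-key headers; without them the service returns the 401 "Unauthorized request" body.
request.AddHeader("x-xdr-auth-id", "<API_KEY_ID>");
request.AddHeader("Authorization", "<API_KEY>");
// Search body: one "in" filter on case_id, first page of 100, sorted by case_id.
request.AddParameter("application/json", "{\"request_data\":{\"filters\":[{\"field\":\"case_id\",\"operator\":\"in\",\"value\":[0]}],\"search_from\":0,\"search_to\":100,\"sort\":{\"field\":\"case_id\",\"keyword\":\"asc\"}}}", ParameterType.RequestBody);
IRestResponse response = client.Execute(request);
// Non-2xx responses (400/401/500) carry an {"error": ...} body; check response.StatusCode before parsing.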
Body parameters
required
application/json
request_data — object
filters — array
[
field — string (Enum)

Specifies the field to filter cases by.

Allowed values: "case_id", "case_domain", "severity", "creation_time", "status_progress"
operator — string (Enum)

Comparison operator to use with the filter.

Allowed values: "in", "gte", "lte"
value — object

Value(s) for filtering the cases.

One of: array of integers/strings, or a single integer

Value(s) for filtering the cases.

]
search_from — integer

Starting index for pagination.

search_to — integer

Ending index for pagination.

Default: 100
sort — object
field — string (Enum)
Allowed values: "case_id", "severity", "creation_time"
keyword — string (Enum)

Sort order (ascending or descending).

Allowed values: "asc", "desc"
REQUEST
{ "request_data": { "filters": [ { "field": "case_id", "operator": "in", "value": [ 0 ] } ], "search_from": 0, "search_to": 0, "sort": { "field": "case_id", "keyword": "asc" } } }
Responses

Successful response with cases

Body
application/json
reply — object
TOTAL_COUNT — integer
FILTER_COUNT — integer
DATA — array
[
case_id — string

Unique identifier for the case

Example:"123"
creation_time — string (date-time)

Timestamp of case creation

Example:"2024-02-26T12:34:56Z"
ownerstring

Owner of the case

Example:"CWP"
case_domainstring

Domain associated with the case

Example:"SECURITY"
auto_resolve_caseboolean

Indicates if the case is auto-resolved

custom_fieldsobject

Custom fields for additional metadata

status_progress — string (Enum)
Example: "UNDER_INVESTIGATION"
Allowed values: "NEW", "UNDER_INVESTIGATION", "RESOLVED"
resolve_reason — string (Enum)
Example: "RESOLVED_OTHER"
Allowed values: "RESOLVED_KNOWN_ISSUE", "RESOLVED_DUPLICATE", "RESOLVED_FALSE_POSITIVE", "RESOLVED_OTHER", "RESOLVED_TRUE_POSITIVE", "RESOLVED_SECURITY_TESTING", "RESOLVED_FIXED", "RESOLVED_DISMISSED"
resolve_commentstring
Example:"Case has been marked as a false positive."
last_modified — integer (int64)

Timestamp of last modification

Example:1708950896000
score — integer (int32)

Score assigned to the case

Example:85
severity — string (Enum)
Example: "HIGH"
Allowed values: "INFO", "LOW", "MEDIUM", "HIGH", "CRITICAL"
descriptionstring

Detailed description of the case

Example:"Unauthorized access detected"
scoring_typestring

Scoring type applied to the case

Example:"Risk-Based"
assigned_tostring

ID of the assigned user

Example:"U56789"
assigned_to_namestring

Name of the assigned user

Example:"JaneSmith"
is_cloudboolean

Indicates if the case is cloud-based

Example:true
is_automatedboolean

Indicates if the case is automated

issues — array[string]
assets — array[string]
artifacts — array[string]
]
RESPONSE
{ "reply": { "TOTAL_COUNT": 0, "FILTER_COUNT": 0, "DATA": [ { "case_id": "123", "creation_time": "2024-02-26T12:34:56Z", "owner": "CWP", "case_domain": "SECURITY", "auto_resolve_case": false, "custom_fields": { "priority": "High", "incident_id": "INC98765" }, "status_progress": "UNDER_INVESTIGATION", "resolve_reason": "RESOLVED_OTHER", "resolve_comment": "Case has been marked as a false positive.", "last_modified": 1708950896000, "score": 85, "severity": "HIGH", "description": "Unauthorized access detected", "scoring_type": "Risk-Based", "assigned_to": "U56789", "assigned_to_name": "JaneSmith", "is_cloud": true, "is_automated": false, "issues": [ "123" ], "assets": [ "6f1d9b9361f8a6964bf3e79e6667e5fe" ], "artifacts": [ "12345" ] } ] } }

Bad request

Body
application/json
error — string
Example: "Invalid request data"
RESPONSE
{ "error": "Invalid request data" }

Unauthorized access

Body
application/json
error — string
Example: "Unauthorized request"
RESPONSE
{ "error": "Unauthorized request" }

Internal server error

Body
application/json
error — string
Example: "Internal server error"
RESPONSE
{ "error": "Internal server error" }