Sharing Case ID value using Elastic Case Management webhook

Greetings!

I'm on the way to implementing the automation solution for our Elastic Security Cases. While working on some automation scripts, I got a problem with the response to Cases.

For example, when the Case is created, Elastic sends the data about it to our SOAR. SOAR does some stuff, then I'd like to create a script that will respond to the Case that triggered the script with some data.

I found good REST API documentation and discovered that I can use the comments section and store some data I want there.

But to create a comment in a Case I need to provide a particular case ID. And the problem is - I cannot provide the Case ID in the webhook configuration as a variable, because it is not available there (only the title, description, tags, and the incident id of the third-party system).

And my question is: how can I share a Case ID using the Case Management webhook? If it is not possible at this time, maybe it is an awesome feature request for further Kibana updates.


Currently, I'm using this logic:

  1. I make a GET request to /api/cases/_find and then find there a Case with the same title;
  2. I retrieve the case id from the response.

But this way is not convenient, because if there are two cases with the same title - the process may fail.

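The `_find` workaround described in the post above, written so that it fails closed when the title is ambiguous instead of commenting on the wrong case. This is an added example, not code from the original posts or from Elastic. The `search`, `searchFields` and `perPage` parameters and the `cases`/`id`/`title`/`description`/`tags` response fields are assumed from the Kibana Cases API, and the function names and sample response are constructed for illustration.

```python
import json
import urllib.parse
import urllib.request


class CaseLookupError(Exception):
    """Raised when the webhook fields do not identify exactly one case."""


def fetch_cases(kibana_url, api_key, title):
    """GET /api/cases/_find, narrowed server-side to a title search."""
    # Assumed query parameters; only the first page of results is read.
    query = urllib.parse.urlencode(
        {"search": title, "searchFields": "title", "perPage": 100})
    req = urllib.request.Request(
        f"{kibana_url}/api/cases/_find?{query}",
        headers={"Authorization": f"ApiKey {api_key}"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def resolve_case_id(find_response, title, description=None, tags=None):
    """Return the id of the single case matching the webhook fields."""
    # The server-side search is full-text, so re-check the title exactly.
    matches = [c for c in find_response.get("cases", []) if c.get("title") == title]
    # Description and tags are also sent by the webhook; use them as tie-breakers.
    if len(matches) > 1 and description is not None:
        matches = [c for c in matches if c.get("description") == description]
    if len(matches) > 1 and tags is not None:
        matches = [c for c in matches if set(c.get("tags", [])) == set(tags)]
    if len(matches) != 1:
        # Fail closed: never write SOAR output to a guessed case.
        raise CaseLookupError(f"{len(matches)} cases match title {title!r}")
    return matches[0]["id"]


# Constructed sample response (not real data): two cases share a title.
SAMPLE = {"cases": [
    {"id": "case-aaa", "title": "Suspicious login", "description": "host-1", "tags": ["auth"]},
    {"id": "case-bbb", "title": "Suspicious login", "description": "host-2", "tags": ["auth"]},
    {"id": "case-ccc", "title": "Suspicious login attempt", "description": "host-3", "tags": []},
]}

if __name__ == "__main__":
    print(resolve_case_id(SAMPLE, "Suspicious login", description="host-2"))
```

If two cases still share title, description and tags, the lookup raises instead of picking one, so the SOAR playbook can route that event to manual handling.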

Hi @yzaritskyi, glad to see you're using the Cases webhook connector. There is definitely not a built-in way to do this currently, but I remember making a POC a while back with this functionality. I just wrote up an enhancement request and will try to get it prioritized for the upcoming release cycle.

That's a clever workaround using the _find API. We will get you a clean way to do this soon!
