POST /forensics/case_management/cases
Creates a new case.
MIME Type |
---|
application/json |
Parameter | Type | Optionality | Data Type | MIME Type | Description |
---|---|---|---|---|---|
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |
Parameter | Data Type | MIME Type | Description | Sample |
---|---|---|---|---|
case | Object | application/json | null | { "assigned_to": [ "String" ], "name": "String" } |
HTTP Response Code | Unique Code | Description |
---|---|---|
201 | | The case was created. |
403 | 1009 | The user or targeted user does not have the capability to perform this request. |
422 | 1005 | A request parameter is not valid. |
500 | 1020 | An error occurred during the creation of the case. |
Response Description
The case create status contains the following fields:
- assigned_to - String Array - Usernames of users to give access to the case once it is created. Users must have the FORENSICS role. Authorized services are not allowed. If the case is not assigned to anyone, it is assigned to the creator if they are a user (not an authorized service). Otherwise, it is only accessible by an administrator. NOTE: During creation the assigned_to list can contain at most one username.
- case_id - Long - ID for the created case.
- case_name - String - Name to give the created case. The case name must include alphanumeric characters only, and be 1-15 characters long with no spaces. Case names are unique.
- id - Long - ID for the case create task.
- status - String - Possible values are:
  - COMPLETE - The case has been created across all managed hosts.
  - PARTIALLY_COMPLETE - The case has been created on at least one managed host, but not all of them. The case is considered to be usable, but functionality might be limited. This usually means one or more managed hosts are down and the case is not created yet. The task completes after all offending managed hosts either complete the task or are removed from the deployment.
  - PROCESSING - The task was picked up by QRadar and is actively being processed. Cases are being created on the managed hosts.
  - WAITING - The task is waiting for its time to be processed. Nothing is being done at this time.
Response Sample
```json
{
  "assigned_to": [
    "String"
  ],
  "case_id": 42,
  "id": 42,
  "name": "String",
  "state": "String <one of: COMPLETE, PARTIALLY_COMPLETE, PROCESSING, WAITING>"
}
```
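The following client-side sketch is an added example, not code from the QRadar documentation. It enforces the documented case name and assigned_to constraints before the request is built, then maps the documented response codes and task states to an outcome. The `/api` prefix, the `SEC` token header, the ASCII reading of "alphanumeric", and the function names are assumptions.

```python
import json
import re
import urllib.request

# Documented rule: alphanumeric only, 1-15 characters, no spaces (ASCII assumed).
CASE_NAME_RE = re.compile(r"[A-Za-z0-9]{1,15}")
USABLE = {"COMPLETE", "PARTIALLY_COMPLETE"}   # case exists on at least one host
PENDING = {"PROCESSING", "WAITING"}           # task not finished; check again later
ERRORS = {403: "user or targeted user lacks the capability (code 1009)",
          422: "a request parameter is not valid (code 1005)",
          500: "error during creation of the case (code 1020)"}

def build_case_body(name, assigned_to=None):
    """Validate against the documented constraints and return the JSON body."""
    if not CASE_NAME_RE.fullmatch(name):
        raise ValueError("case name must be 1-15 alphanumeric characters, no spaces")
    users = list(assigned_to or [])
    if len(users) > 1:
        raise ValueError("assigned_to can contain at most one username at creation")
    body = {"name": name}
    if users:
        body["assigned_to"] = users
    return body

def build_request(console, token, body):
    """Prepare (but do not send) the POST. console and token are caller-supplied."""
    return urllib.request.Request(
        f"https://{console}/api/forensics/case_management/cases",  # /api prefix assumed
        data=json.dumps(body).encode(),
        method="POST",
        headers={"SEC": token,                     # assumed token header
                 "Content-Type": "application/json",
                 "Accept": "application/json"})

def interpret(http_code, payload):
    """Return 'usable' or 'pending' for a 201; raise on documented errors."""
    if http_code != 201:
        raise RuntimeError(ERRORS.get(http_code, f"unexpected HTTP {http_code}"))
    # The response sample names the field "state"; the field list says "status".
    status = payload.get("state", payload.get("status"))
    if status in USABLE:
        return "usable"
    if status in PENDING:
        return "pending"
    raise RuntimeError(f"unknown task status: {status!r}")
```

A `pending` result means the create task has been accepted but the case may not exist on any managed host yet, so evidence should not be attached to it until a later check returns `usable`.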