
core.cases.create_case

Create a new case.

Inputs

description
string
required
The description of the case.
summary
string
required
The summary of the case.
dropdown_values
array[CaseDropdownValueInput] | null
Dropdown selections to set on the case. Each item must include either definition_id or definition_ref, and either option_id or option_ref (or null to clear). Default: null.
fields
object | null
Custom fields for the case. Default: null.
payload
object | null
Payload for the case. Default: null.
priority
string
The priority of the case. Default: "unknown". Allowed values: unknown, low, medium, high, critical, other.
severity
string
The severity of the case. Default: "unknown". Allowed values: unknown, informational, low, medium, high, critical, fatal, other.
status
string
The status of the case. Default: "unknown". Allowed values: unknown, new, in_progress, on_hold, resolved, closed, other.
tags
array[string] | null
List of tag identifiers (IDs or refs) to add to the case. Default: null.

Examples

Create and fetch a case
- ref: create_case
  action: core.cases.create_case
  args:
    summary: "Investigate alert ${{ TRIGGER.alert_id }}"
    description: "Created from workflow trigger."
    priority: high
    severity: high
    tags:
      - phishing
- ref: get_case
  action: core.cases.get_case
  depends_on:
    - create_case
  args:
    case_id: ${{ ACTIONS.create_case.result.id }}
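
The input constraints listed for core.cases.create_case can be checked before a workflow is deployed. The following is an added example, not code from the original page or from the project it documents; the function name, the sample args and the reading of the dropdown_values rule (definition must be non-null, option key must be present but may be null) are assumptions.

```python
# Added example: pre-deployment check of core.cases.create_case args.
# Allowed values are copied from the Inputs list; the function name is hypothetical.
ALLOWED = {
    "priority": {"unknown", "low", "medium", "high", "critical", "other"},
    "severity": {"unknown", "informational", "low", "medium", "high",
                 "critical", "fatal", "other"},
    "status": {"unknown", "new", "in_progress", "on_hold", "resolved",
               "closed", "other"},
}
REQUIRED = ("summary", "description")


def validate_create_case_args(args):
    """Return a list of problems found in a create_case args mapping."""
    problems = []
    for name in REQUIRED:
        if not isinstance(args.get(name), str):
            problems.append(f"{name}: required string is missing")
    for name, allowed in ALLOWED.items():
        value = args.get(name)
        if name in args and (not isinstance(value, str) or value not in allowed):
            problems.append(f"{name}: {value!r} is not an allowed value")
    tags = args.get("tags")
    if tags is not None and not (
        isinstance(tags, list) and all(isinstance(t, str) for t in tags)
    ):
        problems.append("tags: expected a list of strings or null")
    for i, item in enumerate(args.get("dropdown_values") or []):
        where = f"dropdown_values[{i}]"
        if not isinstance(item, dict):
            problems.append(f"{where}: expected an object")
            continue
        # Assumed reading of the rule: the definition needs a non-null value;
        # the option key must be present, and null means "clear".
        if item.get("definition_id") is None and item.get("definition_ref") is None:
            problems.append(f"{where}: needs definition_id or definition_ref")
        if "option_id" not in item and "option_ref" not in item:
            problems.append(f"{where}: needs option_id or option_ref (null clears)")
    return problems


# Constructed sample args; "environment" and "prod" are made-up refs.
GOOD = {"summary": "Investigate alert ${{ TRIGGER.alert_id }}",
        "description": "Created from workflow trigger.", "priority": "high",
        "dropdown_values": [{"definition_ref": "environment", "option_ref": None}]}
BAD = {"summary": "Triage", "priority": "urgent", "status": "open",
       "dropdown_values": [{"option_ref": "prod"}, {"definition_ref": "environment"}]}
```

A priority, severity or status supplied through a `${{ ... }}` expression is only known at run time, so this check applies to the resolved value rather than to the expression text.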

core.cases.get_case

Get details of a specific case by ID.

Inputs

case_id
string
required
The ID of the case to retrieve.

Examples

Create and fetch a case
- ref: create_case
  action: core.cases.create_case
  args:
    summary: "Investigate alert ${{ TRIGGER.alert_id }}"
    description: "Created from workflow trigger."
    priority: high
    severity: high
    tags:
      - phishing
- ref: get_case
  action: core.cases.get_case
  depends_on:
    - create_case
  args:
    case_id: ${{ ACTIONS.create_case.result.id }}

core.cases.update_case

Update an existing case.

Inputs

case_id
string
required
The ID of the case to update.
append
boolean
If true, append the provided description to the existing description when it is not empty. Default: false.
description
string | null
The updated description of the case. Default: null.
dropdown_values
array[CaseDropdownValueInput] | null
Dropdown selections to set or clear. Each item must include either definition_id or definition_ref, and either option_id or option_ref (or null to clear). Default: null.
fields
object | null
Updated custom fields for the case. Default: null.
payload
object | null
Updated payload for the case. Default: null.
priority
string | null
The updated priority of the case. Default: null.
severity
string | null
The updated severity of the case. Default: null.
status
string | null
The updated status of the case. Default: null.
summary
string | null
The updated summary of the case. Default: null.
tags
array[string] | null
List of tag identifiers (IDs or refs) to set on the case. This will replace all existing tags. Default: null.

Examples

Update case fields
- ref: update_case
  action: core.cases.update_case
  args:
    case_id: ${{ TRIGGER.case_id }}
    status: in_progress
    priority: critical
    append: true
    description: |
      Analyst note:
      - Escalated after credential theft indicators were confirmed.

core.cases.list_cases

List all cases.

Inputs

cursor
string | null
Pagination cursor used to fetch a specific page when paginate=true. Default: null.
limit
integer
Maximum number of cases to return. Default: 100.
order_by
string | null
The field to order the cases by. Default: null.
paginate
boolean
If true, return cursor pagination metadata along with items. Default: false.
reverse
boolean
Reverse pagination direction when paginate=true. Default: false.
sort
string | null
The direction to order the cases by. Default: null.

Examples

List, search, and inspect case activity
- ref: list_cases
  action: core.cases.list_cases
  args:
    limit: 25
    order_by: updated_at
    sort: desc
- ref: search_cases
  action: core.cases.search_cases
  args:
    search_term: phishing
    status:
      - new
      - in_progress
    limit: 25
- ref: case_events
  action: core.cases.list_case_events
  args:
    case_id: ${{ TRIGGER.case_id }}

core.cases.search_cases

Search cases based on various criteria.

Inputs

assignee_id
string | array[string] | null
Filter by assignee ID or 'unassigned'. Default: null.
cursor
string | null
Pagination cursor used to fetch a specific page when paginate=true. Default: null.
dropdown
array[string] | null
Filter by dropdown values in definition_ref:option_ref format. Default: null.
end_time
string | null
Filter cases created before this time. Default: null.
limit
integer
Maximum number of cases to return. Default: 100.
order_by
string | null
The field to order the cases by. Default: null.
paginate
boolean
If true, return cursor pagination metadata along with items. Default: false.
priority
string | array[string] | null
Filter by case priority. Default: null.
reverse
boolean
Reverse pagination direction when paginate=true. Default: false.
search_term
string | null
Text to search for in case summary and description. Default: null.
severity
string | array[string] | null
Filter by case severity. Default: null.
sort
string | null
The direction to order the cases by. Default: null.
start_time
string | null
Filter cases created after this time. Default: null.
status
string | array[string] | null
Filter by case status. Default: null.
tags
array[string] | null
Filter by tag IDs or refs (AND logic). Default: null.
updated_after
string | null
Filter cases updated after this time. Default: null.
updated_before
string | null
Filter cases updated before this time. Default: null.

Examples

List, search, and inspect case activity
- ref: list_cases
  action: core.cases.list_cases
  args:
    limit: 25
    order_by: updated_at
    sort: desc
- ref: search_cases
  action: core.cases.search_cases
  args:
    search_term: phishing
    status:
      - new
      - in_progress
    limit: 25
- ref: case_events
  action: core.cases.list_case_events
  args:
    case_id: ${{ TRIGGER.case_id }}

core.cases.list_case_events

List all events for a case in chronological order.

Inputs

case_id
string
required
The ID of the case to get events for.

Examples

List, search, and inspect case activity
- ref: list_cases
  action: core.cases.list_cases
  args:
    limit: 25
    order_by: updated_at
    sort: desc
- ref: search_cases
  action: core.cases.search_cases
  args:
    search_term: phishing
    status:
      - new
      - in_progress
    limit: 25
- ref: case_events
  action: core.cases.list_case_events
  args:
    case_id: ${{ TRIGGER.case_id }}

core.cases.assign_user

Assign a user to an existing case.

Inputs

assignee_id
string
required
The ID of the user to assign to the case.
case_id
string
required
The ID of the case to assign a user to.

Examples

Assign a case
- ref: assign_by_id
  action: core.cases.assign_user
  args:
    case_id: ${{ TRIGGER.case_id }}
    assignee_id: ${{ TRIGGER.assignee_id }}
- ref: assign_by_email
  action: core.cases.assign_user_by_email
  args:
    case_id: ${{ TRIGGER.case_id }}
    assignee_email: analyst@example.com

core.cases.assign_user_by_email

Assign a user to an existing case by email.

Inputs

assignee_email
string
required
The email of the user to assign to the case.
case_id
string
required
The ID of the case to assign a user to.

Examples

Assign a case
- ref: assign_by_id
  action: core.cases.assign_user
  args:
    case_id: ${{ TRIGGER.case_id }}
    assignee_id: ${{ TRIGGER.assignee_id }}
- ref: assign_by_email
  action: core.cases.assign_user_by_email
  args:
    case_id: ${{ TRIGGER.case_id }}
    assignee_email: analyst@example.com

core.cases.add_case_tag

Add a tag to a case by tag ID or ref.

Inputs

case_id
string
required
The ID of the case to add a tag to.
tag
string
required
The tag identifier (ID or ref) to add to the case.
create_if_missing
boolean
If true, create the tag if it does not exist. Default: false.

Examples

Add and remove tags
- ref: add_tag
  action: core.cases.add_case_tag
  args:
    case_id: ${{ TRIGGER.case_id }}
    tag: credential-theft
    create_if_missing: true
- ref: remove_tag
  action: core.cases.remove_case_tag
  args:
    case_id: ${{ TRIGGER.case_id }}
    tag: needs-triage

core.cases.remove_case_tag

Remove a tag from a case by tag ID or ref.

Inputs

case_id
string
required
The ID of the case to remove a tag from.
tag
string
required
The tag identifier (ID or ref) to remove from the case.

Examples

Add and remove tags
- ref: add_tag
  action: core.cases.add_case_tag
  args:
    case_id: ${{ TRIGGER.case_id }}
    tag: credential-theft
    create_if_missing: true
- ref: remove_tag
  action: core.cases.remove_case_tag
  args:
    case_id: ${{ TRIGGER.case_id }}
    tag: needs-triage

core.cases.delete_case

Delete a case.

Inputs

case_id
string
required
The ID of the case to delete.

Examples

Delete a case
- ref: close_case
  action: core.cases.update_case
  args:
    case_id: ${{ TRIGGER.case_id }}
    status: closed
- ref: delete_case
  action: core.cases.delete_case
  depends_on:
    - close_case
  args:
    case_id: ${{ TRIGGER.case_id }}