About the Case and Incident APIs 
Stellar Cyber introduced the Case Management interface in the 4.3.7 release, replacing the Incident feature available in previous releases.
As part of this transition, Stellar Cyber is working to ensure that the Case API provides equivalent support to what was available in the Incident API. Because the Case Management feature is implemented differently from Incidents, there is not always a strict one-to-one mapping between tasks. This topic helps you understand the current state of the Case API, as well as the specific differences from the Incident API.
Refer to the interactive API Reference for details on all available APIs.
Performing Different Tasks in the Incident and Case APIs
The table below summarizes the differences in how some common tasks are performed in the Incident and Case APIs:
Task | Incident API Method | Incident API Path | Releases | Case API Method | Case API Path | Release Introduced |
---|---|---|---|---|---|---|
Get a list of incidents/cases with common fields | GET | /incidents | 4.3.6, 4.3.7 | GET | /cases | 4.3.7 |
Update an incident/case | POST | /incidents | 4.3.6, 4.3.7 | PUT | /cases/{id} | 4.3.7 |
Get the observables for an incident/case | GET | /incidents/{id}/observables | 4.3.6, 4.3.7 | GET | /cases/{id}/observables | 4.3.7 |
Get all alerts for an incident/case | GET | /incidents | 4.3.6, 4.3.7 | GET | /cases/{id}/alerts | 4.3.7 |
Get the history of an incident/case (all activities) | GET | /incidents | 4.3.6 | GET | /cases/{id}/activities | 4.3.7.002, 5.1.1 |
Get the score history of an incident/case | GET | /incidents | 4.3.6 | GET | /cases/{id}/activity/score | 4.3.7.002, 5.1.1 |
Update the resolution of an incident | POST | /incidents | 4.3.6 | | Not available. Use the comment features, below, instead. | |
Get all case comments | Does not apply to incidents | | | GET | /cases/{id}/comments | 4.3.7 |
Get a case summary | Does not apply to incidents | | | GET | /cases/{id}/summary | 4.3.7 |
Add a comment to a case | Does not apply to incidents | | | POST | /cases/{id}/comments | 4.3.7 |
Update a case comment | Does not apply to incidents | | | PUT | /cases/{id}/comments/{commentId} | 4.3.7 |
Delete a comment from a case | Does not apply to incidents | | | DELETE | /cases/{id}/comments/{commentId} | 4.3.7 |
Specific Differences
This section lists specific differences between common activities in the Incident and Case APIs.
Updating the Name of an Incident/Case
As shown below, both the Incident and Case APIs use the name field:
Updating the Status of an Incident/Case
As shown below, both the Incident and Case APIs use the status field:
Changing the Assignee of an Incident/Case
As shown below, both the Incident and Case APIs use the assignee field:
Changing the Priority/Severity of an Incident/Case
As shown below, Incidents use the priority field while Cases use the severity field.
Adding Alerts to an Incident/Case
As shown in the highlighted sections below, Incidents use the event_ids field while Cases use the alerts field. In addition, the syntax is different.
Deleting Alerts from an Incident/Case
As shown in the highlighted sections below, Incidents use the event_ids field while Cases use the alerts field. In addition, the syntax is different.
Creating an Incident/Case
You can create incidents via the API but not cases. Stellar Cyber may add this feature in a future release.
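The mapping table and field differences above, turned into a small migration helper as an added example (this is not Stellar Cyber's code): a script that still speaks in Incident API terms can ask for the equivalent Case API request. The paths and field names come from this page; the placement of the incident id as "_id" in the POST /incidents body and the "comment" key for a case comment are assumptions to confirm against the interactive API Reference.

```python
# Migration shim: describe one task either as an Incident API call (4.3.6-era
# scripts) or as the equivalent Case API call (4.3.7+).  Paths and field names
# follow the mapping on this page.  ASSUMPTIONS: POST /incidents carries the
# incident id as "_id"; a case comment body uses the key "comment".  No network I/O.

# Incident API field name -> Case API field name, as documented above.
FIELD_RENAMES = {"priority": "severity", "event_ids": "alerts"}


class UnsupportedTask(ValueError):
    """The chosen API has no endpoint for the requested task."""


def _to_case_fields(fields: dict) -> dict:
    """Rename Incident-style keys (priority, event_ids) to their Case API names."""
    return {FIELD_RENAMES.get(key, key): value for key, value in fields.items()}


def build_request(api: str, task: str, item_id: str = "", **fields):
    """Return (method, path, body) for `task` against "incident" or "case".

    `fields` use Incident API names (name, status, assignee, priority,
    event_ids) so an existing integration can switch APIs unchanged.
    """
    if api not in ("incident", "case"):
        raise ValueError(f"unknown api: {api!r}")
    to_case = api == "case"

    if task == "create":
        if to_case:  # documented limitation: cases cannot be created via the API
            raise UnsupportedTask("cases cannot be created through the API")
        return "POST", "/incidents", dict(fields)

    if not item_id:
        raise ValueError("item_id is required for every task except create")

    if task == "update":
        if to_case:
            return "PUT", f"/cases/{item_id}", _to_case_fields(fields)
        return "POST", "/incidents", {"_id": item_id, **fields}  # "_id": assumption

    if task == "resolution":
        if to_case:
            # No resolution endpoint for cases; the page says to use comments instead.
            note = str(fields.get("resolution", ""))
            return "POST", f"/cases/{item_id}/comments", {"comment": note}  # key: assumption
        return "POST", "/incidents", {"_id": item_id, **fields}  # "_id": assumption

    raise UnsupportedTask(f"no mapping for task {task!r} in the {api} API")
```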