Case Attributes

A Case Attribute is a key/value data set that users can add to a Workflow Case. These Attributes enrich a Case’s data and aid security teams as they investigate a threat and determine the appropriate escalation path for a Case.

Endpoint: /api/v3/caseAttributes

Available Fields

You can retrieve a list of available fields for the /v3/caseAttributes endpoint, including the field’s name, description, and accepted data type, by using the following query:

OPTIONS /v3/caseAttributes

Note

To view all fields, including read-only fields, include the ?show=readonly query parameter.

Create Case Attributes

The basic format for creating a Case Attribute and adding it to a Case is:

POST /v3/caseAttributes/
{
  "caseId": 1,
  "type": "Case Attribute Type",
  "value": "Case Attribute Value"
}

Additional fields can be included when adding a Case Attribute to a Case. Refer to the following table for a list of available fields for the caseAttributes object:

| Field | Description | Required | Type | Example Value(s) |
|---|---|---|---|---|
| caseId | The ID of the Case associated to the Attribute | TRUE | Integer | 1, 2, 3 |
| source | The Attribute’s source | FALSE | String | “Hybrid analysis” |
| type | The Attribute’s type | TRUE | String | “Detection percentage” |
| value | The Attribute’s value | TRUE | String | “50” |

Note

Attribute Types for Cases must first be created in the System or Organization in which a Case resides before they can be added to the Case. See the Creating Custom Attribute Types knowledge base article for more information.

Warning

Trying to add an Attribute to a Case when the Case Attribute Type’s Max Allowed limit has been reached will result in an error.

For example, the following query will add a Case Attribute to the Case with ID 1.

POST /v3/caseAttributes/
{
  "caseId": 1,
  "type": "Detection Percentage",
  "value": "50",
  "source": "Hybrid analysis"
}

JSON Response:

{
  "data": {
      "id": 13,
      "type": "Detection Percentage",
      "value": "50",
      "source": "Hybrid analysis"
  },
  "message": "Created",
  "status": "Success"
}

Retrieve Case Attributes

Retrieve All Case Attributes

To retrieve all Case Attributes, use the following query:

GET /v3/caseAttributes/

JSON Response:

{
  "data": [{
    "id": 1,
    "type": "Detection Percentage",
    "value": "50",
    "source": "Hybrid analysis"
  }, {
    "id": 2,
    "type": "Phishing Open Rate",
    "value": "20"
  }],
  "status": "Success"
}

Retrieve a Single Case Attribute

To retrieve a specific Case Attribute, use a query in the following format:

GET /v3/caseAttributes/{caseAttributeId}

For example, the following query will return information about the Case Attribute with ID 1:

GET /v3/caseAttributes/1

JSON Response:

{
  "data": {
    "id": 1,
    "type": "Detection Percentage",
    "value": "50",
    "source": "Hybrid analysis"
  },
  "status": "Success"
}

Request Additional Fields

To request additional fields not automatically provided with each returned object, refer to Include Additional Fields for Returned Objects.

Filter Results

To filter returned objects using ThreatConnect Query Language (TQL), refer to Filter Results with TQL.

Update Case Attributes

The basic format for updating a Case Attribute is:

PUT /v3/caseAttributes/{caseAttributeId}
{
  "value": "Case Attribute Value"
}

Additional fields can be included when updating a Case Attribute. Refer to the following table for a list of available fields for the caseAttributes object:

| Field | Description | Type | Example Value(s) |
|---|---|---|---|
| source | The Attribute’s source | String | “Hybrid analysis” |
| value | The Attribute’s value | String | “50” |

For example, the following query will update the value of a Case Attribute with ID 1.

PUT /v3/caseAttributes/1
{
  "value": "75"
}

JSON Response:

{
  "data": {
      "id": 1,
      "type": "Detection Percentage",
      "value": "75",
      "source": "Hybrid analysis"
  },
  "message": "Updated",
  "status": "Success"
}
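
The following is an added example, not part of the original documentation or ThreatConnect's own code. It builds the create and update requests described above and checks each body against the field tables before it is sent. The function names are hypothetical, authentication and transport are left to the caller, and treating any status other than "Success" as a failure is an assumption.

```python
import json

# Writable fields and their types, taken from the tables on this page.
CREATE_FIELDS = {"caseId": int, "type": str, "value": str, "source": str}
CREATE_REQUIRED = ("caseId", "type", "value")
UPDATE_FIELDS = {"source": str, "value": str}


def _check(body, allowed, required=()):
    """Reject unknown fields, missing required fields and wrong types."""
    unknown = sorted(set(body) - set(allowed))
    if unknown:
        raise ValueError(f"fields not accepted here: {unknown}")
    missing = [f for f in required if f not in body]
    if missing:
        raise ValueError(f"missing required fields: {missing}")
    for name, val in body.items():
        # bool is a subclass of int in Python, so exclude it explicitly.
        if isinstance(val, bool) or not isinstance(val, allowed[name]):
            raise TypeError(f"{name} must be {allowed[name].__name__}")
    return body


def create_request(case_id, attr_type, value, source=None):
    """Build (method, path, json_body) for POST /v3/caseAttributes/."""
    body = {"caseId": case_id, "type": attr_type, "value": value}
    if source is not None:
        body["source"] = source
    checked = _check(body, CREATE_FIELDS, CREATE_REQUIRED)
    return "POST", "/v3/caseAttributes/", json.dumps(checked)


def update_request(attribute_id, **changes):
    """Build (method, path, json_body) for PUT /v3/caseAttributes/{id}."""
    # An integer-only ID keeps the path segment numeric.
    if isinstance(attribute_id, bool) or not isinstance(attribute_id, int):
        raise TypeError("attribute_id must be an integer")
    if not changes:
        raise ValueError("nothing to update")
    checked = _check(changes, UPDATE_FIELDS)
    return "PUT", f"/v3/caseAttributes/{attribute_id}", json.dumps(checked)


def unwrap(response_text):
    """Return the "data" object of a response, or raise if status is not Success."""
    doc = json.loads(response_text)
    if doc.get("status") != "Success":
        # Assumption: failures carry a status other than "Success" and a message.
        raise RuntimeError(doc.get("message", "request failed"))
    return doc.get("data")
```

Passing a number such as 50 for value raises TypeError, because the table defines value as a String; convert it with str() before building the request.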

Delete Case Attributes

The basic format to delete a Case Attribute and remove it from a Case is:

DELETE /v3/caseAttributes/{caseAttributeId}

For example, the following query will delete the Case Attribute with ID 1:

DELETE /v3/caseAttributes/1

JSON Response:

{
  "message": "Deleted",
  "status": "Success"
}

Delete Case Attributes in Bulk

To delete Case Attributes in bulk, refer to Delete Case Objects in Bulk.