updates

docs/en/siem/cases-api-add-comment.asciidoc

@@ -44,8 +44,8 @@ POST api/cases/c2ffcea0-57d0-11ea-95da-cb9f4a010e31/comment
 
 ==== Response payload
 
-A JSON object that includes the time the comment ID, the time it was created,
-the user who created it, and its version.
+A JSON object that includes the user who created the comment and the comment's
+ID, version, and creation time.
 
 ===== Example response
 
@@ -58,7 +58,7 @@ the user who created it, and its version.
   "created_at": "2020-02-25T15:17:31.057Z",
   "created_by": {
     "full_name": "Ms Moneypenny",
-    "username": "Moneypenny"
+    "username": "moneypenny"
   },
   "updated_at": "2020-02-25T15:17:31.057Z"
 }

docs/en/siem/cases-api-create.asciidoc

@@ -52,8 +52,8 @@ POST api/cases
 
 ==== Response payload
 
-A JSON object that includes the time the case ID, the time it was created, the
-user who created it, and its version.
+A JSON object that includes the user who created the case and the case's ID,
+version, and creation time.
 
 ===== Example response
 

docs/en/siem/cases-api-get-all-cases.asciidoc

@@ -28,7 +28,6 @@ All parameters are optional:
 |`filter` |String a|Filters the returned results according to the value of the 
 specified field, using the `case-workflow.attributes.<field name>:<field value>` syntax, where `<field name>` can be:
 
-* `title`
 * `state`
 * `tags`
 
@@ -40,8 +39,8 @@ query.
 
 ===== Example request
 
-Retrieves the first five cases with the `phishing` tag, sorted in ascending
-order by their last update time.
+Retrieves the first five cases with the `phishing` tag, in ascending order by 
+last update time.
 
 [source,sh]
 --------------------------------------------------
@@ -56,7 +55,9 @@ GET api/cases?page=1&perPage=5&sortField=updatedAt&sortOrder=asc&filter=case-wor
 
 ==== Response payload
 
-A JSON object listing all cases:
+A JSON object listing all cases.
+
+===== Response example
 
 [source,json]
 --------------------------------------------------

docs/en/siem/cases-api-get-case-comments.asciidoc

@@ -1,7 +1,7 @@
 [[cases-api-get-all-case-comments]]
 === Get all case comments
 
-Returns all comments for the specified case.
+Returns a paginated subset of comments for the specified case.
 
 ==== Request URL
 
@@ -14,11 +14,11 @@ comments.
 
 ===== Example request
 
-Gets all comments for case ID `7125e150-2fb7-11ea-a3be-f96a1b9531f4`:
+Gets all comments for case ID `c2ffcea0-57d0-11ea-95da-cb9f4a010e31`:
 
 [source,sh]
 --------------------------------------------------
-GET api/cases/7125e150-2fb7-11ea-a3be-f96a1b9531f4/comments
+GET api/cases/c2ffcea0-57d0-11ea-95da-cb9f4a010e31/comments
 --------------------------------------------------
 // KIBANA
 
@@ -29,56 +29,38 @@ GET api/cases/7125e150-2fb7-11ea-a3be-f96a1b9531f4/comments
 
 ==== Response payload
 
-A JSON object listing all comments for the specified case:
+A JSON object listing comments for the specified case.
+
+===== Response example
 
 [source,json]
 --------------------------------------------------
 {
   "page": 1,
   "per_page": 20,
   "total": 2,
-  "saved_objects": [
+  "comments": [
     {
-      "type": "case-workflow-comment",
-      "id": "0aa70f70-2fb8-11ea-a3be-f96a1b9531f4",
-      "attributes": {
-        "comment": "Start operation bubblegum immediately! And chew fast!",
-        "created_at": 1578227808536,
-        "created_by": {
-          "full_name": "Classified",
-          "username": "M"
-        }
+      "comment_id": "0a846810-5940-11ea-bad4-61e6383623ca",
+      "version": "WzE1LDFd",
+      "comment": "Start operation bubblegum immediately! And chew fast!",
+      "created_at": "2020-02-27T09:03:37.554Z",
+      "created_by": {
+        "full_name": "Classified",
+        "username": "M"
       },
-      "references": [
-        {
-          "type": "case-workflow",
-          "name": "associated-case-workflow",
-          "id": "7125e150-2fb7-11ea-a3be-f96a1b9531f4"
-        }
-      ],
-      "updated_at": "2020-01-05T12:58:54.109Z",
-      "version": "WzQ0LDFd"
+      "updated_at": "2020-02-27T09:03:37.554Z"
     },
     {
-      "type": "case-workflow-comment",
-      "id": "0b5174b0-2fc2-11ea-a3be-f96a1b9531f4",
-      "attributes": {
-        "comment": "Started chewing.",
-        "created_at": 1578232104629,
-        "created_by": {
-          "full_name": "Ms Moneypenny",
-          "username": "Moneypenny"
-        }
+      "comment_id": "f118e4a0-57e1-11ea-95da-cb9f4a010e31",
+      "version": "WzE3LDFd",
+      "comment": "That is nothing - Ethan Hunt answered a targeted social media campaign promoting phishy pension schemes to IMF operatives. Even worse, he likes baked beans.",
+      "created_at": "2020-02-25T15:17:31.057Z",
+      "created_by": {
+        "full_name": "Ms Moneypenny",
+        "username": "moneypenny"
       },
-      "references": [
-        {
-          "type": "case-workflow",
-          "name": "associated-case-workflow",
-          "id": "7125e150-2fb7-11ea-a3be-f96a1b9531f4"
-        }
-      ],
-      "updated_at": "2020-01-05T13:48:24.827Z",
-      "version": "WzQ2LDFd"
+      "updated_at": "2020-02-27T09:35:21.019Z"
     }
   ]
 }

docs/en/siem/cases-api-get-case.asciidoc

@@ -23,11 +23,11 @@ returned. |No, defaults to `true`.
 
 ===== Example request
 
-Returns case ID `7125e150-2fb7-11ea-a3be-f96a1b9531f4` without comments:
+Returns case ID `c2ffcea0-57d0-11ea-95da-cb9f4a010e31` without comments:
 
 [source,sh]
 --------------------------------------------------
-GET api/cases/7125e150-2fb7-11ea-a3be-f96a1b9531f4?includeComments=false
+GET api/cases/c2ffcea0-57d0-11ea-95da-cb9f4a010e31?includeComments=false
 --------------------------------------------------
 // KIBANA
 
@@ -38,41 +38,29 @@ GET api/cases/7125e150-2fb7-11ea-a3be-f96a1b9531f4?includeComments=false
 
 ==== Response payload
 
-A JSON object listing the case:
+The requested case JSON object.
+
+===== Response example
 
 [source,json]
 --------------------------------------------------
 {
-  "id": "7125e150-2fb7-11ea-a3be-f96a1b9531f4",
-  "type": "case-workflow",
-  "updated_at": "2020-01-05T13:13:58.167Z",
-  "version": "WzQ1LDFd",
-  "attributes": {
-    "created_at": 1578227551012,
-    "created_by": {
-      "full_name": "Ms Moneypenny",
-      "username": "Moneypenny"
-    },
-    "description": "James Bond clicked on a highly suspicious email banner advertising cheap holidays for underpaid civil servants. Operation bubblegum is active. Repeat - operation bubblegum is now active!",
-    "title": "Urgent phishing case - signal id #dd4fa2d4bd-804743795894438",
-    "state": "open",
-    "tags": [
-      "phishing",
-      "social engineering",
-      "bubblegum"
-    ],
-    "case_type": "security",
-    "assignees": [
-      {
-        "username": "M",
-        "full_name": "Classified"
-      },
-      {
-        "username": "Q",
-        "full_name": "Quality Gadgets"
-      }
-    ]
+  "case_id": "c2ffcea0-57d0-11ea-95da-cb9f4a010e31",
+  "version": "WzQsMV0=",
+  "comments": [],
+  "created_at": "2020-02-25T13:14:32.264Z",
+  "created_by": {
+    "full_name": "Alan Hunley",
+    "username": "ahunley"
   },
-  "references": []
+  "updated_at": "2020-02-26T15:46:48.716Z",
+  "description": "James Bond clicked on a highly suspicious email banner advertising cheap holidays for underpaid civil servants. Operation bubblegum is active. Repeat - operation bubblegum is now active!",
+  "title": "This case will self-destruct in 5 seconds",
+  "state": "open",
+  "tags": [
+    "phishing",
+    "social engineering",
+    "bubblegum"
+  ]
 }
 --------------------------------------------------

docs/en/siem/cases-api-get-comment.asciidoc

@@ -14,12 +14,11 @@ retrieve all comment IDs, call <<cases-api-get-all-case-comments>>.
 
 ===== Example request
 
-Retrieves comment ID `0b5174b0-2fc2-11ea-a3be-f96a1b9531f4`, which is 
-associated with case ID `7125e150-2fb7-11ea-a3be-f96a1b9531f4`:
+Retrieves comment ID `f118e4a0-57e1-11ea-95da-cb9f4a010e31`:
 
 [source,sh]
 --------------------------------------------------
-GET api/cases/comments/0b5174b0-2fc2-11ea-a3be-f96a1b9531f4
+GET api/cases/comments/f118e4a0-57e1-11ea-95da-cb9f4a010e31
 --------------------------------------------------
 // KIBANA
 
@@ -30,27 +29,21 @@ GET api/cases/comments/0b5174b0-2fc2-11ea-a3be-f96a1b9531f4
 
 ==== Response payload
 
+The requested comment JSON object.
+
+===== Example response
+
 [source,json]
 --------------------------------------------------
 {
-  "id": "0b5174b0-2fc2-11ea-a3be-f96a1b9531f4",
-  "type": "case-workflow-comment",
-  "updated_at": "2020-01-05T13:48:24.827Z",
-  "version": "WzQ2LDFd",
-  "attributes": {
-    "comment": "Started chewing.",
-    "created_at": 1578232104629,
-    "created_by": {
-      "full_name": "Ms Moneypenny",
-      "username": "Moneypenny"
-    }
+  "comment_id": "f118e4a0-57e1-11ea-95da-cb9f4a010e31",
+  "version": "WzMsMV0=",
+  "comment": "That is nothing - Ethan Hunt answered a targeted social media campaign promoting phishy pension schemes to IMF operatives.",
+  "created_at": "2020-02-25T15:17:31.057Z",
+  "created_by": {
+    "full_name": "Ms Moneypenny",
+    "username": "moneypenny"
   },
-  "references": [
-    {
-      "type": "case-workflow",
-      "name": "associated-case-workflow",
-      "id": "7125e150-2fb7-11ea-a3be-f96a1b9531f4"
-    }
-  ]
+  "updated_at": "2020-02-26T14:59:06.749Z"
 }
 --------------------------------------------------

docs/en/siem/cases-api-update-comment.asciidoc

@@ -5,7 +5,7 @@ Updates an existing comment.
 
 ==== Request URL
 
-`POST /api/cases/comment/<comment ID>`
+`PATCH /api/cases/comment/<comment ID>`
 
 ===== URL parts
 
@@ -25,14 +25,15 @@ A JSON object with updated comment:
 
 ===== Example request
 
-Updates comment ID `0aa70f70-2fb8-11ea-a3be-f96a1b9531f4`, which is associated 
-with case ID `7125e150-2fb7-11ea-a3be-f96a1b9531f4`:
+Updates comment ID `f118e4a0-57e1-11ea-95da-cb9f4a010e3`:
 
 [source,sh]
 --------------------------------------------------
-POST api/cases/comment/0aa70f70-2fb8-11ea-a3be-f96a1b9531f4
+PATCH api/cases/comment/f118e4a0-57e1-11ea-95da-cb9f4a010e3
 {
-  "comment": "Start operation bubblegum immediately! And chew fast!"
+  "comment": "That is nothing - Ethan Hunt answered a targeted social media
+  campaign promoting phishy pension schemes to IMF operatives. Even worse, he
+  likes baked beans."
 }
 --------------------------------------------------
 // KIBANA
@@ -44,15 +45,14 @@ POST api/cases/comment/0aa70f70-2fb8-11ea-a3be-f96a1b9531f4
 
 ==== Response payload
 
+The updated comment and its timestamp.
+
+===== Example response
+
 [source,json]
 --------------------------------------------------
 {
-  "id": "0aa70f70-2fb8-11ea-a3be-f96a1b9531f4",
-  "type": "case-workflow-comment",
-  "updated_at": "2020-01-05T12:58:54.109Z",
-  "version": "WzQ0LDFd",
-  "attributes": {
-    "comment": "Start operation bubblegum immediately! And chew fast!"
-  }
+  "comment": "That is nothing - Ethan Hunt answered a targeted social media campaign promoting phishy pension schemes to IMF operatives. Even worse, he likes baked beans.",
+  "updated_at": "2020-02-27T09:33:39.803Z"
 }
 --------------------------------------------------

docs/en/siem/cases-api-update.asciidoc

@@ -19,7 +19,7 @@ A JSON object containing:
 |==============================================
 |Name |Type |Description |Required
 
-|`case` |Object a|Contains the updated field values, which can be:
+|`case` |Object a|Contains the updated case field values, which can be:
 
 * `title`: The case's title (string).
 * `description`: The case's description (string).