Get AI Recommendations via SOAR API!!

After tonnes of searching, researching and reaching out to people who have tried accessing the AI-generated content for case overview and recommendations, I found the answer hidden away in the Swagger doc itself:

/api/external/v1/case-overview/ResolveOverviewWidget

payload:
{
  "caseId": 123,
  "alertIdentifier": null,
  "widgetDefinitionIdentifier": "a1b2-c3d4-e5f6...",
  "forceRefresh": true,
  "isFirstRequest": false
}

A request from swagger yields something like this:

{
  "state": 2,
  "summaryPrediction": {
    "caseSummary": "An account failed to log on four times from the IP address 10.90.1.102.",
    "caseSummaryId": 2365,
    "caseAssistantType": 0,
    "executedPrompts": [
      "*Cyber Case* is an aggregated list of `Cyber Alerts`, which are in turn one or more security events that are interesting from security perspective.\nBelow is a `Cyber Case` represented as a list of Cyber Alert's descriptions and a list of Common Entities that relate those alerts to one another.\nYour task is to write a paragraph that ties all alerts together, based on the common entities. Similar alerts MUST be aggregated.\n\nCyber Alert Descriptions:[\n \"An account failed to log on four times from the IP address 10.90.1.102.\"\n]\n\nSummary:"
    ]
  },
  "reasonsPrediction": {
    "reasons": [
      "The account failed to log on four times from the IP address 10.90.1.102",
      "The IP address 10.90.1.102 is not a known good IP address",
      "The account is not a known good account"
    ],
    "score": 3,
    "caseSummaryId": 2366,
    "caseAssistantType": 1,
    "executedPrompts": [
      "You are an analyst who reviews a cyber case in the system. Your role is to determine the level of maliciousness of the case, explain what evidence you have and what actions need to be taken to resolve and remediate it.\nYour task is to generate the case score, explained reasons for this score and what should be the next steps for the provided cyber case details:\n```Case Details:\nCase Name: High number of failed login attempts from an IP - Strides Pharma\nThe Case summary: An account failed to log on four times from the IP address 10.90.1.102.\n\n```\n\nAnswer the following questions in a JSON format, in the JSON include the following keys in the JSON are: score, reasons, next_steps\nThe answer MUST ONLY contain information contained in the Case Details\n1. How likely is this case to be malicious in a score from 1 to 10?\n 1. The answer will be the value to the key:score\n2. Explain up to five detailed security reasons why the security analyst should investigate this case. Try to include the refered entities identifiers in your reasons and the reasons MUST not repeat the case summary.\n 1. PAY ATTENTION: COMBINE SIMILAR REASONS, IF THERE ARE SAME REASONS FOR DIFFERENT ENTITIES COMBINE THEM INTO ONE REASON.\n 2. The reasons MUST ONLY depend on the provided data and MUST NOT assume the entity or activity is malicious or suspicious unless explicitly stated.\n 3. The answer will be the value to the key:reasons\n3. List up to five security recommended actions I should take and explain why they are important.\n 1. Each action MUST start with action verb on the entities identifiers, IF THE SAME ACTION EXIST FOR DIFFERENT ENTITIES WRITE THEM IN ONE SENTENCE.\n 2. The actions MUST NOT include the 'Block' verb.\n 3. The answer will be the value to the key:next_steps\n\nJSON:"
    ]
  },
  "nextStepsPrediction": {
    "nextSteps": [
      "Investigate the account that failed to log on four times from the IP address 10.90.1.102",
      "Investigate the IP address 10.90.1.102",
      "Investigate the account"
    ],
    "caseSummaryId": 2367,
    "caseAssistantType": 2,
    "executedPrompts": [
      "You are an analyst who reviews a cyber case in the system. Your role is to determine the level of maliciousness of the case, explain what evidence you have and what actions need to be taken to resolve and remediate it.\nYour task is to generate the case score, explained reasons for this score and what should be the next steps for the provided cyber case details:\n```Case Details:\nCase Name: High number of failed login attempts from an IP - Strides Pharma\nThe Case summary: An account failed to log on four times from the IP address 10.90.1.102.\n\n```\n\nAnswer the following questions in a JSON format, in the JSON include the following keys in the JSON are: score, reasons, next_steps\nThe answer MUST ONLY contain information contained in the Case Details\n1. How likely is this case to be malicious in a score from 1 to 10?\n 1. The answer will be the value to the key:score\n2. Explain up to five detailed security reasons why the security analyst should investigate this case. Try to include the refered entities identifiers in your reasons and the reasons MUST not repeat the case summary.\n 1. PAY ATTENTION: COMBINE SIMILAR REASONS, IF THERE ARE SAME REASONS FOR DIFFERENT ENTITIES COMBINE THEM INTO ONE REASON.\n 2. The reasons MUST ONLY depend on the provided data and MUST NOT assume the entity or activity is malicious or suspicious unless explicitly stated.\n 3. The answer will be the value to the key:reasons\n3. List up to five security recommended actions I should take and explain why they are important.\n 1. Each action MUST start with action verb on the entities identifiers, IF THE SAME ACTION EXIST FOR DIFFERENT ENTITIES WRITE THEM IN ONE SENTENCE.\n 2. The actions MUST NOT include the 'Block' verb.\n 3. The answer will be the value to the key:next_steps\n\nJSON:"
    ]
  },
  "alertsCount": 1,
  "eventsCount": 4,
  "entitiesCount": 0,
  "environment": null,
  "type": 16,
  "modificationTimeUnixTimeInMs": 1717583502594,
  "title": "AI Investigation",
  "order": 1,
  "gridColumns": 2,
  "description": "This widget uses AI to provide a threat summary and suggestions for your next steps.",
  "identifier": "e0af5c10-c634-4051-8a26-6d570cce9344",
  "jsonData": "{\"State\":2,\"SummaryPrediction\":{\"CaseSummary\":\"An account failed to log on four times from the IP address 10.90.1.102.\",\"CaseSummaryId\":2365,\"CaseAssistantType\":0,\"ExecutedPrompts\":[\"*Cyber Case* is an aggregated list of `Cyber Alerts`, which are in turn one or more security events that are interesting from security perspective.\\nBelow is a `Cyber Case` represented as a list of Cyber Alert's descriptions and a list of Common Entities that relate those alerts to one another.\\nYour task is to write a paragraph that ties all alerts together, based on the common entities. Similar alerts MUST be aggregated.\\n\\nCyber Alert Descriptions:[\\n \\\"An account failed to log on four times from the IP address 10.90.1.102.\\\"\\n]\\n\\nSummary:\"]},\"ReasonsPrediction\":{\"Reasons\":[\"The account failed to log on four times from the IP address 10.90.1.102\",\"The IP address 10.90.1.102 is not a known good IP address\",\"The account is not a known good account\"],\"Score\":3.0,\"CaseSummaryId\":2366,\"CaseAssistantType\":1,\"ExecutedPrompts\":[\"You are an analyst who reviews a cyber case in the system. Your role is to determine the level of maliciousness of the case, explain what evidence you have and what actions need to be taken to resolve and remediate it.\\nYour task is to generate the case score, explained reasons for this score and what should be the next steps for the provided cyber case details:\\n```Case Details:\\nCase Name: High number of failed login attempts from an IP - Strides Pharma\\nThe Case summary: An account failed to log on four times from the IP address 10.90.1.102.\\n\\n```\\n\\nAnswer the following questions in a JSON format, in the JSON include the following keys in the JSON are: score, reasons, next_steps\\nThe answer MUST ONLY contain information contained in the Case Details\\n1. How likely is this case to be malicious in a score from 1 to 10?\\n 1. The answer will be the value to the key:score\\n2. Explain up to five detailed security reasons why the security analyst should investigate this case. Try to include the refered entities identifiers in your reasons and the reasons MUST not repeat the case summary.\\n 1. PAY ATTENTION: COMBINE SIMILAR REASONS, IF THERE ARE SAME REASONS FOR DIFFERENT ENTITIES COMBINE THEM INTO ONE REASON.\\n 2. The reasons MUST ONLY depend on the provided data and MUST NOT assume the entity or activity is malicious or suspicious unless explicitly stated.\\n 3. The answer will be the value to the key:reasons\\n3. List up to five security recommended actions I should take and explain why they are important.\\n 1. Each action MUST start with action verb on the entities identifiers, IF THE SAME ACTION EXIST FOR DIFFERENT ENTITIES WRITE THEM IN ONE SENTENCE.\\n 2. The actions MUST NOT include the 'Block' verb.\\n 3. The answer will be the value to the key:next_steps\\n\\nJSON:\"]},\"NextStepsPrediction\":{\"NextSteps\":[\"Investigate the account that failed to log on four times from the IP address 10.90.1.102\",\"Investigate the IP address 10.90.1.102\",\"Investigate the account\"],\"CaseSummaryId\":2367,\"CaseAssistantType\":2,\"ExecutedPrompts\":[\"You are an analyst who reviews a cyber case in the system. Your role is to determine the level of maliciousness of the case, explain what evidence you have and what actions need to be taken to resolve and remediate it.\\nYour task is to generate the case score, explained reasons for this score and what should be the next steps for the provided cyber case details:\\n```Case Details:\\nCase Name: High number of failed login attempts from an IP - Strides Pharma\\nThe Case summary: An account failed to log on four times from the IP address 10.90.1.102.\\n\\n```\\n\\nAnswer the following questions in a JSON format, in the JSON include the following keys in the JSON are: score, reasons, next_steps\\nThe answer MUST ONLY contain information contained in the Case Details\\n1. How likely is this case to be malicious in a score from 1 to 10?\\n 1. The answer will be the value to the key:score\\n2. Explain up to five detailed security reasons why the security analyst should investigate this case. Try to include the refered entities identifiers in your reasons and the reasons MUST not repeat the case summary.\\n 1. PAY ATTENTION: COMBINE SIMILAR REASONS, IF THERE ARE SAME REASONS FOR DIFFERENT ENTITIES COMBINE THEM INTO ONE REASON.\\n 2. The reasons MUST ONLY depend on the provided data and MUST NOT assume the entity or activity is malicious or suspicious unless explicitly stated.\\n 3. The answer will be the value to the key:reasons\\n3. List up to five security recommended actions I should take and explain why they are important.\\n 1. Each action MUST start with action verb on the entities identifiers, IF THE SAME ACTION EXIST FOR DIFFERENT ENTITIES WRITE THEM IN ONE SENTENCE.\\n 2. The actions MUST NOT include the 'Block' verb.\\n 3. The answer will be the value to the key:next_steps\\n\\nJSON:\"]},\"AlertsCount\":1,\"EventsCount\":4,\"EntitiesCount\":0,\"Environment\":null,\"Type\":16,\"ModificationTimeUnixTimeInMs\":1717583502594,\"Title\":\"AI Investigation\",\"Order\":1,\"GridColumns\":2,\"Description\":\"This widget uses AI to provide a threat summary and suggestions for your next steps.\",\"Identifier\":\"e0af5c10-c634-4051-8a26-6d570cce9344\",\"JsonData\":null,\"ErrorJsonData\":null,\"ResultStatus\":0}",
  "errorJsonData": null,
  "resultStatus": 0
}

To identify your widgetDefinitionIdentifier, inspect your SOAR tab, head to "Network" and try to find "/api/external/v1/case-overview/ResolveOverviewWidget".

There will be tonnes. But only one of those will have a "Response" similar to the output I've attached above.


That's it!! Wish I knew this sooner.

If this is documented somewhere can someone please link it here?

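A small client for this endpoint, added here as an example (it is not the poster's code and not part of the SOAR API docs): it builds the payload shown above, flattens the response into summary, score, reasons and next steps, and flags any IP address the model cites in its reasons or next steps that does not appear in the case summary, since the embedded prompt requires the answer to contain only information from the Case Details. The `AppKey` authentication header and the sample response (a trimmed, constructed copy of the one in the post) are assumptions.

```python
import json
import re
import urllib.request

ENDPOINT = "/api/external/v1/case-overview/ResolveOverviewWidget"
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample: the fields of the post's response that the parser reads.
SAMPLE_RESPONSE = {
    "state": 2,
    "summaryPrediction": {"caseSummary": "An account failed to log on four times from the IP address 10.90.1.102."},
    "reasonsPrediction": {"score": 3, "reasons": [
        "The account failed to log on four times from the IP address 10.90.1.102",
        "The IP address 10.90.1.102 is not a known good IP address",
        "The account is not a known good account"]},
    "nextStepsPrediction": {"nextSteps": [
        "Investigate the account that failed to log on four times from the IP address 10.90.1.102",
        "Investigate the IP address 10.90.1.102",
        "Investigate the account"]},
}

def build_payload(case_id, widget_id, force_refresh=True, first_request=False):
    """Request body with the field names shown in the post."""
    return {"caseId": case_id, "alertIdentifier": None,
            "widgetDefinitionIdentifier": widget_id,
            "forceRefresh": force_refresh, "isFirstRequest": first_request}

def parse_overview(resp):
    """Flatten the three prediction blocks; tolerate any that are absent."""
    summary = resp.get("summaryPrediction") or {}
    reasons = resp.get("reasonsPrediction") or {}
    steps = resp.get("nextStepsPrediction") or {}
    return {"state": resp.get("state"), "summary": summary.get("caseSummary", ""),
            "score": reasons.get("score"), "reasons": list(reasons.get("reasons") or []),
            "next_steps": list(steps.get("nextSteps") or [])}

def ungrounded_ips(overview):
    """IPs named in reasons/next steps that never appear in the case summary;
    the prompt in the response says the model must only use the Case Details."""
    known = set(IPV4.findall(overview["summary"]))
    cited = {ip for t in overview["reasons"] + overview["next_steps"] for ip in IPV4.findall(t)}
    return sorted(cited - known)

def fetch_overview(base_url, api_key, case_id, widget_id):
    """Live call, not run here. The 'AppKey' header is an assumption; check your Swagger doc."""
    req = urllib.request.Request(base_url.rstrip("/") + ENDPOINT, method="POST",
                                 data=json.dumps(build_payload(case_id, widget_id)).encode(),
                                 headers={"Content-Type": "application/json", "AppKey": api_key})
    with urllib.request.urlopen(req, timeout=30) as r:
        return parse_overview(json.load(r))
```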

Hi yobhro_

Thank you for taking the time to share this with the community! Hopefully others will benefit from what you found.

This is awesome, great job.

Can you share some ideas on what can be done with that?

Wow, been looking for that for quite some time. Thanks for sharing! @yobhro_