Add War Room entries

Cortex XSIAM Platform APIs

post /public_api/v1/entries/insert

Add an entry, including data, to a case or alert War Room. Note: This endpoint only adds entries to existing War Rooms; it does not create them. Ensure that the War Room already exists before making this request.

Required license: Cortex XSIAM Premium or Cortex XSIAM Enterprise or Cortex XSIAM NG SIEM or Cortex XSIAM Enterprise Plus.

Request headers
Authorization String required

{api_key}

Example: authorization_example
x-xdr-auth-id String required

{api_key_id}

Example: xXdrAuthId_example
CLIENT REQUEST
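# Adds one entry to an existing War Room.
# Each option line ends with a backslash so the shell runs a single curl
# command. Without the continuations, every -H line runs as its own command.
# Replace the placeholder header values with your API key and API key ID.
# Keep real keys out of shared scripts and shell history.
# The body carries the two documented fields: "id" and "data".
curl -X 'POST' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -H 'Authorization: authorization_example' \
  -H 'x-xdr-auth-id: xXdrAuthId_example' \
  'https://api-yourfqdn/public_api/v1/entries/insert' \
  -d '{"id":"string","data":"string"}'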
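import http.client
import json

# Placeholder credentials: replace with your API key and API key ID.
# Load real values from a secret store or the environment rather than
# hard-coding them in source.
headers = {
    'Authorization': "SOME_STRING_VALUE",
    'x-xdr-auth-id': "SOME_STRING_VALUE",
    'content-type': "application/json",
}

# Build the body with json.dumps so quoting and escaping are always valid JSON.
payload = json.dumps({"id": "string", "data": "string"})

# HTTPSConnection uses the default SSL context, which verifies the server
# certificate. The timeout keeps the script from hanging on a stalled connection.
conn = http.client.HTTPSConnection("api-yourfqdn", timeout=30)
try:
    conn.request("POST", "/public_api/v1/entries/insert", payload, headers)
    res = conn.getresponse()
    data = res.read()
    # Print the status first so an error body is not mistaken for a created entry.
    print(res.status, res.reason)
    print(data.decode("utf-8"))
finally:
    # Always release the socket, including when the request raises.
    conn.close()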
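require 'uri'
require 'net/http'
require 'openssl'

# POST a single War Room entry to the entries/insert endpoint.
url = URI("https://api-yourfqdn/public_api/v1/entries/insert")

http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
# Verify the server certificate. With VERIFY_NONE the API key headers below
# would be sent to any host able to intercept the connection.
http.verify_mode = OpenSSL::SSL::VERIFY_PEER

request = Net::HTTP::Post.new(url)
# Placeholder credentials: replace with your API key and API key ID.
request["Authorization"] = 'SOME_STRING_VALUE'
request["x-xdr-auth-id"] = 'SOME_STRING_VALUE'
request["content-type"] = 'application/json'
request.body = "{\"id\":\"string\",\"data\":\"string\"}"

response = http.request(request)
puts response.read_body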
// Send one War Room entry to the entries/insert endpoint with XMLHttpRequest.
// NOTE(review): running this in a browser exposes the API key to anyone who can
// read the page's scripts or network traffic; confirm that is intended.
const payload = JSON.stringify({ "id": "string", "data": "string" });
const endpoint = "https://api-yourfqdn/public_api/v1/entries/insert";

// Placeholder credentials: replace with your API key and API key ID.
const requestHeaders = [
  ["Authorization", "SOME_STRING_VALUE"],
  ["x-xdr-auth-id", "SOME_STRING_VALUE"],
  ["content-type", "application/json"]
];

const xhr = new XMLHttpRequest();
// NOTE(review): withCredentials also sends cookies on cross-origin requests.
// Authentication here is via the two headers above, so confirm it is needed.
xhr.withCredentials = true;

xhr.addEventListener("readystatechange", function () {
  // Wait until the response has been fully received.
  if (this.readyState !== this.DONE) {
    return;
  }
  console.log(this.responseText);
});

xhr.open("POST", endpoint);
for (const [name, value] of requestHeaders) {
  xhr.setRequestHeader(name, value);
}
xhr.send(payload);
// Send one War Room entry to the entries/insert endpoint using Unirest.
String endpoint = "https://api-yourfqdn/public_api/v1/entries/insert";
// JSON body with the two documented fields: "id" and "data".
String jsonBody = "{\"id\":\"string\",\"data\":\"string\"}";

// Placeholder credentials: replace with your API key and API key ID,
// loaded from a secret store rather than hard-coded.
HttpResponse<String> response = Unirest.post(endpoint)
  .header("Authorization", "SOME_STRING_VALUE")
  .header("x-xdr-auth-id", "SOME_STRING_VALUE")
  .header("content-type", "application/json")
  .body(jsonBody)
  .asString();
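import Foundation

// Placeholder credentials: replace with your API key and API key ID,
// loaded from the keychain or another secret store rather than hard-coded.
let headers = [
  "Authorization": "SOME_STRING_VALUE",
  "x-xdr-auth-id": "SOME_STRING_VALUE",
  "content-type": "application/json"
]

// JSON body with the two documented fields: "id" and "data".
let parameters: [String: Any] = [
  "id": "string",
  "data": "string"
]

// JSONSerialization.data(withJSONObject:options:) is a throwing call, so it needs `try`.
let postData = try JSONSerialization.data(withJSONObject: parameters, options: [])

var request = URLRequest(url: URL(string: "https://api-yourfqdn/public_api/v1/entries/insert")!,
                         cachePolicy: .useProtocolCachePolicy,
                         timeoutInterval: 10.0)
request.httpMethod = "POST"
request.allHTTPHeaderFields = headers
request.httpBody = postData

let session = URLSession.shared
let dataTask = session.dataTask(with: request) { data, response, error in
  // Unwrap the optionals so the output shows the value, not "Optional(...)".
  if let error = error {
    print(error)
  } else if let httpResponse = response as? HTTPURLResponse {
    print(httpResponse)
  }
}

dataTask.resume()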
<?php

// Send one War Room entry to the entries/insert endpoint using the cURL extension.

// Placeholder credentials: replace with your API key and API key ID,
// loaded from configuration or a secret store rather than hard-coded.
$requestHeaders = [
  "Authorization: SOME_STRING_VALUE",
  "content-type: application/json",
  "x-xdr-auth-id: SOME_STRING_VALUE"
];

$options = [
  CURLOPT_URL => "https://api-yourfqdn/public_api/v1/entries/insert",
  CURLOPT_RETURNTRANSFER => true,
  CURLOPT_ENCODING => "",
  CURLOPT_MAXREDIRS => 10,
  CURLOPT_TIMEOUT => 30,
  CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
  CURLOPT_CUSTOMREQUEST => "POST",
  CURLOPT_POSTFIELDS => "{\"id\":\"string\",\"data\":\"string\"}",
  CURLOPT_HTTPHEADER => $requestHeaders,
];

$curl = curl_init();
curl_setopt_array($curl, $options);

// Read the error text before closing the handle.
$response = curl_exec($curl);
$err = curl_error($curl);
curl_close($curl);

if (!$err) {
  echo $response;
} else {
  echo "cURL Error #:" . $err;
}
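/* Send one War Room entry to the entries/insert endpoint using libcurl. */
CURL *hnd = curl_easy_init();

curl_easy_setopt(hnd, CURLOPT_CUSTOMREQUEST, "POST");
curl_easy_setopt(hnd, CURLOPT_URL, "https://api-yourfqdn/public_api/v1/entries/insert");

/* Placeholder credentials: replace with your API key and API key ID,
 * loaded from a secret store rather than compiled into the binary. */
struct curl_slist *headers = NULL;
headers = curl_slist_append(headers, "Authorization: SOME_STRING_VALUE");
headers = curl_slist_append(headers, "x-xdr-auth-id: SOME_STRING_VALUE");
headers = curl_slist_append(headers, "content-type: application/json");
curl_easy_setopt(hnd, CURLOPT_HTTPHEADER, headers);

curl_easy_setopt(hnd, CURLOPT_POSTFIELDS, "{\"id\":\"string\",\"data\":\"string\"}");

/* ret is CURLE_OK on success; callers should check it before trusting the result. */
CURLcode ret = curl_easy_perform(hnd);

/* Release the header list and the easy handle; the original snippet leaked both. */
curl_slist_free_all(headers);
curl_easy_cleanup(hnd);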
// Send one War Room entry to the entries/insert endpoint using RestSharp.
const string endpoint = "https://api-yourfqdn/public_api/v1/entries/insert";
// JSON body with the two documented fields: "id" and "data".
const string jsonBody = "{\"id\":\"string\",\"data\":\"string\"}";

var client = new RestClient(endpoint);
var request = new RestRequest(Method.POST);

// Placeholder credentials: replace with your API key and API key ID,
// loaded from a secret store rather than hard-coded.
request.AddHeader("Authorization", "SOME_STRING_VALUE");
request.AddHeader("x-xdr-auth-id", "SOME_STRING_VALUE");
request.AddHeader("content-type", "application/json");

request.AddParameter("application/json", jsonBody, ParameterType.RequestBody);

IRestResponse response = client.Execute(request);
Body parameters
application/json
id string

The unique identifier of the case/issue or alert for which the War Room entry is created.

  • Case or issue IDs must be prefixed with INCIDENT- (for example, INCIDENT-3).
  • Alert IDs should be provided without any prefix (for example, 3).
data string

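The data you want to add or the command you want to run in the War Room. Because this value can be run as a War Room command (as in the `!Print` request examples), validate or restrict any text taken from untrusted sources before submitting it.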

REQUEST
{ "id": "1", "data": "!Print value=1000" }
{ "id": "CASE-1", "data": "!Print value=1" }
Responses

OK

Body
application/json
id string
version integer
cacheVersn integer
modified string
sizeInBytes integer
type integer
created string
incidentCreationTime string
investigationCreationTime string
retryTime string
user string
errorSource string
contents string
format string
investigationId string
file string
fileID string
parentId string
pinned boolean
fileMetadata object
parentContent object
parentEntryTruncated boolean
system string
reputations object
category string
note boolean
isTodo boolean
tags string
tagsRaw string
startDate string
times integer
recurrent boolean
endingDate string
timezoneOffset integer
cronView boolean
scheduled boolean
scheduledEntryGuid string
entryTask object
taskId string
playbookId string
reputationSize integer
contentsSize integer
brand string
InstanceID string
IndicatorTimeline integer
Relationships string
mirrored boolean
RESPONSE
{ "id": "b30fadee-53e3-4859-8c79-fa328ba7b4fd@1", "version": 1, "cacheVersn": 0, "modified": "2025-01-29T13:48:41.591466357Z", "sizeInBytes": 0, "type": 1, "created": "2025-01-29T13:48:41.591444333Z", "incidentCreationTime": "2025-01-29T13:48:41.591444333Z", "investigationCreationTime": "2024-12-25T14:43:07.697Z", "retryTime": "0001-01-01T00:00:00Z", "user": "", "errorSource": "", "contents": "!Print value=1", "format": "text", "investigationId": "1", "file": "", "fileID": "", "parentId": "", "pinned": false, "fileMetadata": null, "parentContent": null, "parentEntryTruncated": false, "system": "", "reputations": null, "category": "chat", "note": false, "isTodo": false, "tags": null, "tagsRaw": null, "startDate": "0001-01-01T00:00:00Z", "times": 0, "recurrent": false, "endingDate": "0001-01-01T00:00:00Z", "timezoneOffset": 0, "cronView": false, "scheduled": false, "scheduledEntryGuid": "", "entryTask": null, "taskId": "", "playbookId": "", "reputationSize": 0, "contentsSize": 14, "brand": "none", "InstanceID": "", "IndicatorTimeline": null, "Relationships": null, "mirrored": false }

Bad Request

Body
application/json

The query result upon error.

err_codestring

HTTP response code.

err_msgstring

Error message.

Example:"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extrastring

Additional information describing the error.

RESPONSE
{ "err_code": "example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "example" }

Unauthorized

Body
application/json

The query result upon error.

err_codestring

HTTP response code.

err_msgstring

Error message.

Example:"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extrastring

Additional information describing the error.

RESPONSE
{ "err_code": "example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "example" }

Payment Required

Body
application/json

The query result upon error.

err_codestring

HTTP response code.

err_msgstring

Error message.

Example:"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extrastring

Additional information describing the error.

RESPONSE
{ "err_code": "example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "example" }

Forbidden

Body
application/json

The query result upon error.

err_codestring

HTTP response code.

err_msgstring

Error message.

Example:"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extrastring

Additional information describing the error.

RESPONSE
{ "err_code": "example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "example" }

Internal Server Error

Body
application/json

The query result upon error.

err_codestring

HTTP response code.

err_msgstring

Error message.

Example:"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extrastring

Additional information describing the error.

RESPONSE
{ "err_code": "example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "example" }