Get the War Room entries for a specific case or alert. You can filter by timestamp, ID, and tags. You can also choose which type of entries you want to retrieve (notes, chat, attachments...). The response depends on what type of entry you choose to retrieve.
Required license: Cortex XSIAM Premium or Cortex XSIAM Enterprise or Cortex XSIAM NG SIEM or Cortex XSIAM Enterprise Plus.
Authorization
String
required
{api_key}
{api_key}
authorization_example
x-xdr-auth-id
String
required
{api_key_id}
{api_key_id}
xXdrAuthId_example
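# Get the War Room entries for one case or alert (POST /public_api/v1/entries/get).
# Replace authorization_example / xXdrAuthId_example with your API key and key ID,
# and api-yourfqdn with your tenant's API host. A key typed on the command line
# ends up in shell history and process listings; `-H @headers.txt` (curl 7.55+)
# reads the header lines from a file instead.
# The body carries the case/alert "id" and the optional "filter" block; the other
# samples on this page send the same document.
curl -X 'POST' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -H 'Authorization: authorization_example' \
  -H 'x-xdr-auth-id: xXdrAuthId_example' \
  'https://api-yourfqdn/public_api/v1/entries/get' \
  -d '{"id":"string","filter":{"firstID":"string","lastID":"string","pagesize":0,"fromTime":"string","categories":["tags"],"tags":["string"]}}'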
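import http.client
import json

# Get the War Room entries for one case or alert (POST /public_api/v1/entries/get).
# Replace api-yourfqdn with your tenant's API host. Load the API key and key ID at
# run time (environment variable or secret store) instead of committing them with
# the script.
# Without an explicit context, HTTPSConnection uses ssl.create_default_context(),
# which verifies the server certificate and host name (Python 3.4.3+).
conn = http.client.HTTPSConnection("api-yourfqdn")

# "id" is the case (INCIDENT-<n>) or alert id; "filter" narrows the entries
# returned. Built as a dict so json.dumps handles quoting and escaping.
payload = json.dumps({
    "id": "string",
    "filter": {
        "firstID": "string",
        "lastID": "string",
        "pagesize": 0,
        "fromTime": "string",
        "categories": ["tags"],
        "tags": ["string"],
    },
})
headers = {
    'Authorization': "SOME_STRING_VALUE",   # API key
    'x-xdr-auth-id': "SOME_STRING_VALUE",   # API key ID
    'content-type': "application/json",
}
try:
    conn.request("POST", "/public_api/v1/entries/get", payload, headers)
    res = conn.getresponse()
    data = res.read()
finally:
    conn.close()  # release the socket whether or not the request succeeded

if not 200 <= res.status < 300:
    # A non-2xx body is the API's error message, not a list of entries.
    print(f"HTTP {res.status} {res.reason}")
print(data.decode("utf-8"))
require 'uri'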
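require 'net/http'
require 'openssl'
require 'json'

# Get the War Room entries for one case or alert (POST /public_api/v1/entries/get).
# Replace api-yourfqdn with your tenant's API host. Load the API key and key ID at
# run time instead of committing them with the script.
url = URI("https://api-yourfqdn/public_api/v1/entries/get")
http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
# Verify the server certificate. The original sample used VERIFY_NONE, which
# accepts any certificate and lets an on-path host read the API key sent in the
# headers below.
http.verify_mode = OpenSSL::SSL::VERIFY_PEER

request = Net::HTTP::Post.new(url)
request["Authorization"] = 'SOME_STRING_VALUE'  # API key
request["x-xdr-auth-id"] = 'SOME_STRING_VALUE'  # API key ID
request["content-type"] = 'application/json'
# "id" is the case (INCIDENT-<n>) or alert id; "filter" narrows the entries
# returned. JSON.generate handles quoting and escaping.
request.body = JSON.generate({
  id: "string",
  filter: {
    firstID: "string",
    lastID: "string",
    pagesize: 0,
    fromTime: "string",
    categories: ["tags"],
    tags: ["string"]
  }
})

response = http.request(request)
# A non-2xx body is the API's error message, not a list of entries; say so
# before printing it.
warn "HTTP #{response.code}" unless response.is_a?(Net::HTTPSuccess)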
puts response.read_body
const data = JSON.stringify({
  "id": "string",
  "filter": {
    "firstID": "string",
    "lastID": "string",
    "pagesize": 0,
    "fromTime": "string",
    "categories": ["tags"],
    "tags": ["string"]
  }
});

// Get the War Room entries for one case or alert (POST /public_api/v1/entries/get).
// NOTE(review): an API key embedded in browser-side code is readable by every
// user of the page; this call is normally made from a server-side component.
const xhr = new XMLHttpRequest();
// withCredentials sends cookies/HTTP auth on a cross-origin request. The API
// authenticates via the two headers set below, so this is presumably not
// needed — confirm against the API's CORS requirements before relying on it.
xhr.withCredentials = true;
xhr.onreadystatechange = function () {
  if (this.readyState !== this.DONE) {
    return;
  }
  console.log(this.responseText);
};
xhr.open("POST", "https://api-yourfqdn/public_api/v1/entries/get");
xhr.setRequestHeader("Authorization", "SOME_STRING_VALUE");   // API key
xhr.setRequestHeader("x-xdr-auth-id", "SOME_STRING_VALUE");   // API key ID
xhr.setRequestHeader("content-type", "application/json");
xhr.send(data);
HttpResponse<String> response = Unirest.post("https://api-yourfqdn/public_api/v1/entries/get")
// Get the War Room entries for one case or alert; this continues the
// Unirest.post(...) chain begun on the line above. Load the API key and key ID
// at run time instead of committing them with the source.
.header("x-xdr-auth-id", "SOME_STRING_VALUE")
.header("Authorization", "SOME_STRING_VALUE")
.header("content-type", "application/json")
// "id" is the case (INCIDENT-<n>) or alert id; "filter" narrows the entries returned.
.body("{\"id\":\"string\",\"filter\":{\"firstID\":\"string\",\"lastID\":\"string\",\"pagesize\":0,\"fromTime\":\"string\",\"categories\":[\"tags\"],\"tags\":[\"string\"]}}")
.asString();
import Foundation
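// Get the War Room entries for one case or alert (POST /public_api/v1/entries/get).
// Replace api-yourfqdn with your tenant's API host. Load the API key and key ID at
// run time (Keychain, environment) instead of committing them with the source.
let headers = [
    "Authorization": "SOME_STRING_VALUE",   // API key
    "x-xdr-auth-id": "SOME_STRING_VALUE",   // API key ID
    "content-type": "application/json"
]
// "id" is the case (INCIDENT-<n>) or alert id; "filter" narrows the entries returned.
let parameters: [String: Any] = [
    "id": "string",
    "filter": [
        "firstID": "string",
        "lastID": "string",
        "pagesize": 0,
        "fromTime": "string",
        "categories": ["tags"],
        "tags": ["string"]
    ]
]

// JSONSerialization.data(withJSONObject:) throws, and the endpoint URL is a
// literal: the original sample dropped `try` on the first and force-unwrapped
// the second. Fail early with a message instead.
guard let url = URL(string: "https://api-yourfqdn/public_api/v1/entries/get") else {
    fatalError("malformed endpoint URL")
}
let postData: Data
do {
    postData = try JSONSerialization.data(withJSONObject: parameters, options: [])
} catch {
    fatalError("could not encode request body: \(error)")
}

var request = URLRequest(url: url,
                         cachePolicy: .useProtocolCachePolicy,
                         timeoutInterval: 10.0)
request.httpMethod = "POST"
request.allHTTPHeaderFields = headers
request.httpBody = postData

// URLSession.shared validates the server certificate against the system trust
// store; do not add a delegate that overrides that for this endpoint.
let dataTask = URLSession.shared.dataTask(with: request) { data, response, error in
    if let error = error {
        print("request failed: \(error)")
        return
    }
    guard let httpResponse = response as? HTTPURLResponse else {
        print("unexpected response: \(String(describing: response))")
        return
    }
    // A non-2xx body is the API's error message, not a list of entries;
    // print the status so the two are not confused.
    print("HTTP \(httpResponse.statusCode)")
    if let data = data, let body = String(data: data, encoding: .utf8) {
        print(body)
    }
}
// NOTE(review): in a command-line script (as opposed to an app or playground)
// the process may exit before this completion handler runs; block on a
// DispatchSemaphore or RunLoop in that case.
dataTask.resume()
<?php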
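$curl = curl_init();
// Get the War Room entries for one case or alert (POST /public_api/v1/entries/get).
// Replace api-yourfqdn with your tenant's API host. Load the API key and key ID at
// run time instead of committing them with the script.
// "id" is the case (INCIDENT-<n>) or alert id; "filter" narrows the entries
// returned. Built as an array so json_encode handles quoting and escaping.
$body = json_encode([
    "id" => "string",
    "filter" => [
        "firstID" => "string",
        "lastID" => "string",
        "pagesize" => 0,
        "fromTime" => "string",
        "categories" => ["tags"],
        "tags" => ["string"],
    ],
]);
curl_setopt_array($curl, [
    CURLOPT_URL => "https://api-yourfqdn/public_api/v1/entries/get",
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_ENCODING => "",
    // MAXREDIRS only takes effect with CURLOPT_FOLLOWLOCATION, which is left
    // unset on purpose: following a redirect may resend the custom
    // Authorization / x-xdr-auth-id headers to whatever host the redirect names.
    CURLOPT_MAXREDIRS => 10,
    CURLOPT_TIMEOUT => 30,
    CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
    CURLOPT_CUSTOMREQUEST => "POST",
    CURLOPT_POSTFIELDS => $body,
    CURLOPT_HTTPHEADER => [
        "Authorization: SOME_STRING_VALUE",   // API key
        "content-type: application/json",
        "x-xdr-auth-id: SOME_STRING_VALUE",   // API key ID
    ],
    // These are libcurl's defaults; stating them keeps a later edit from
    // silently turning certificate validation off.
    CURLOPT_SSL_VERIFYPEER => true,
    CURLOPT_SSL_VERIFYHOST => 2,
]);
$response = curl_exec($curl);
$err = curl_error($curl);
$status = curl_getinfo($curl, CURLINFO_HTTP_CODE);
curl_close($curl);
if ($err) {
    echo "cURL Error #:" . $err;
} elseif ($status < 200 || $status >= 300) {
    // A non-2xx body is the API's error message, not a list of entries.
    echo "HTTP " . $status . ": " . $response;
} else {
    echo $response;
}
CURL *hnd = curl_easy_init();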
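/* Get the War Room entries for one case or alert (POST /public_api/v1/entries/get).
 * `hnd` is the easy handle from curl_easy_init() on the line above; it may be
 * NULL. Load the API key and key ID at run time instead of committing them
 * with the source. The original sample checked neither the handle nor the
 * result and freed neither the header list nor the handle. */
struct curl_slist *headers = NULL;
CURLcode ret = CURLE_FAILED_INIT;
if (hnd != NULL) {
    curl_easy_setopt(hnd, CURLOPT_CUSTOMREQUEST, "POST");
    curl_easy_setopt(hnd, CURLOPT_URL, "https://api-yourfqdn/public_api/v1/entries/get");
    headers = curl_slist_append(headers, "Authorization: SOME_STRING_VALUE");   /* API key */
    headers = curl_slist_append(headers, "x-xdr-auth-id: SOME_STRING_VALUE");   /* API key ID */
    headers = curl_slist_append(headers, "content-type: application/json");
    curl_easy_setopt(hnd, CURLOPT_HTTPHEADER, headers);
    /* libcurl verifies the peer certificate and host name by default; leave
     * CURLOPT_SSL_VERIFYPEER / CURLOPT_SSL_VERIFYHOST at their defaults. */
    /* "id" is the case (INCIDENT-<n>) or alert id; "filter" narrows the entries returned. */
    curl_easy_setopt(hnd, CURLOPT_POSTFIELDS, "{\"id\":\"string\",\"filter\":{\"firstID\":\"string\",\"lastID\":\"string\",\"pagesize\":0,\"fromTime\":\"string\",\"categories\":[\"tags\"],\"tags\":[\"string\"]}}");
    ret = curl_easy_perform(hnd);
    if (ret != CURLE_OK)
        fprintf(stderr, "curl_easy_perform failed: %s\n", curl_easy_strerror(ret));
}
/* The header list must stay alive until the transfer finishes; release it and
 * the handle afterwards (both calls accept NULL). */
curl_slist_free_all(headers);
curl_easy_cleanup(hnd);
var client = new RestClient("https://api-yourfqdn/public_api/v1/entries/get");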
// Get the War Room entries for one case or alert (POST /public_api/v1/entries/get).
// `client` is the RestClient created on the line above. Load the API key and key
// ID at run time instead of committing them with the source.
var postRequest = new RestRequest(Method.POST);
postRequest.AddHeader("x-xdr-auth-id", "SOME_STRING_VALUE");   // API key ID
postRequest.AddHeader("Authorization", "SOME_STRING_VALUE");   // API key
postRequest.AddHeader("content-type", "application/json");
// "id" is the case (INCIDENT-<n>) or alert id; "filter" narrows the entries returned.
var requestBody = "{\"id\":\"string\",\"filter\":{\"firstID\":\"string\",\"lastID\":\"string\",\"pagesize\":0,\"fromTime\":\"string\",\"categories\":[\"tags\"],\"tags\":[\"string\"]}}";
postRequest.AddParameter("application/json", requestBody, ParameterType.RequestBody);
IRestResponse response = client.Execute(postRequest);
idstringThe unique identifier of the case or alert for which the War Room entry is created.
- Case IDs must be prefixed with INCIDENT- (for example, INCIDENT-3).
- Alert IDs should be provided without any prefix (for example, 3).
The unique identifier of the case or alert for which the War Room entry is created.
- Case IDs must be prefixed with INCIDENT- (for example, INCIDENT-3).
- Alert IDs should be provided without any prefix (for example, 3).
filter (object)
firstID (string): Return results starting from the investigation ID in firstID until the last investigation ID.
Return results starting from the investigation ID in firstID until the last investigation ID.
lastID (string): Return results starting from the first investigation ID until the investigation ID in lastID.
Return results starting from the first investigation ID until the investigation ID in lastID.
pagesize (integer): Filter the results by the number of entries you want returned. "pagesize": 0 returns all the results.
Filter the results by the number of entries you want returned. "pagesize": 0 returns all the results.
fromTime (string): RFC3339 timestamp. Filter results from the time the entry is created until the latest entry.
RFC3339 timestamp. Filter results from the time the entry is created until the latest entry.
categories (array[string]): The categories you want to filter and the results you want to receive:
tags: Tags added to the investigation.
chats: Communication between team members in the form of chat messages.
notes: Any entries marked as notes.
attachments: Any files uploaded to the War Room in a playbook, script, or by the analyst.
incidentInfo: The case history.
commandAndResults: Commands and the results they returned.
playbookTaskResult: Return the task result.
playbookTaskStartAndDone: Tasks and the results they returned.
playbookErrors: When there are no playbook errors, the response returned is 0.
The categories you want to filter and the results you want to receive:
tags: Tags added to the investigation.
chats: Communication between team members in the form of chat messages.
notes: Any entries marked as notes.
attachments: Any files uploaded to the War Room in a playbook, script, or by the analyst.
incidentInfo: The case history.
commandAndResults: Commands and the results they returned.
playbookTaskResult: Return the task result.
playbookTaskStartAndDone: Tasks and the results they returned.
playbookErrors: When there are no playbook errors, the response returned is 0.
tags (array[string]): If using the filter category of tags, include the tags you want to filter by.
If using the filter category of tags, include the tags you want to filter by.
{
"id": "example",
"filter": {
"firstID": "example",
"lastID": "example",
"pagesize": 0,
"fromTime": "example",
"categories": [
"tags"
],
"tags": [
"example"
]
}
}