Get comments for MTH/MDR reports

Cortex XSIAM Platform APIs
post /public_api/v1/mth/child/get_comments

Retrieves comments for a specific report or for all comments within a specified time range.

Validation Rules:

  • The request requires either the xsoar_source_id parameter or the combination of start_time and end_time parameters.
  • At least one search criteria must be provided.

Note

  • Users with Instance Administrator privileges only can access this API.
Authentication: Authorization Api Key "Authorization"
Authentication: x-xdr-auth-id Api Key "x-xdr-auth-id"
Request headers
Authorization String required

{api_key}
Example: YOUR_API_KEY_HERE
x-xdr-auth-id String required

{api_key_id}
Example: 241
CLIENT REQUEST
curl -X 'POST'
-H "Authorization: [[apiKey]]" \
-H "x-xdr-auth-id: [[apiKey]]" \
-H 'Accept: application/json'
-H 'Content-Type: application/json'
-H 'Authorization: YOUR_API_KEY_HERE' -H 'x-xdr-auth-id: 241'
'https://api-yourfqdn/public_api/v1/mth/child/get_comments'
-d '{ "start_time" : 0, "xsoar_source_id" : "xsoar_source_id", "end_time" : 6 }'
import http.client conn = http.client.HTTPSConnection("api-yourfqdn") payload = "{\"xsoar_source_id\":\"string\",\"start_time\":0,\"end_time\":0}" headers = { 'Authorization': "REPLACE_KEY_VALUE", 'x-xdr-auth-id': "241", 'content-type': "application/json" } conn.request("POST", "/public_api/v1/mth/child/get_comments", payload, headers) res = conn.getresponse() data = res.read() print(data.decode("utf-8"))
require 'uri' require 'net/http' require 'openssl' url = URI("https://api-yourfqdn/public_api/v1/mth/child/get_comments") http = Net::HTTP.new(url.host, url.port) http.use_ssl = true http.verify_mode = OpenSSL::SSL::VERIFY_NONE request = Net::HTTP::Post.new(url) request["Authorization"] = 'REPLACE_KEY_VALUE' request["x-xdr-auth-id"] = '241' request["content-type"] = 'application/json' request.body = "{\"xsoar_source_id\":\"string\",\"start_time\":0,\"end_time\":0}" response = http.request(request) puts response.read_body
const data = JSON.stringify({ "xsoar_source_id": "string", "start_time": 0, "end_time": 0 }); const xhr = new XMLHttpRequest(); xhr.withCredentials = true; xhr.addEventListener("readystatechange", function () { if (this.readyState === this.DONE) { console.log(this.responseText); } }); xhr.open("POST", "https://api-yourfqdn/public_api/v1/mth/child/get_comments"); xhr.setRequestHeader("Authorization", "REPLACE_KEY_VALUE"); xhr.setRequestHeader("x-xdr-auth-id", "241"); xhr.setRequestHeader("content-type", "application/json"); xhr.send(data);
HttpResponse<String> response = Unirest.post("https://api-yourfqdn/public_api/v1/mth/child/get_comments") .header("Authorization", "REPLACE_KEY_VALUE") .header("x-xdr-auth-id", "241") .header("content-type", "application/json") .body("{\"xsoar_source_id\":\"string\",\"start_time\":0,\"end_time\":0}") .asString();
import Foundation let headers = [ "Authorization": "REPLACE_KEY_VALUE", "x-xdr-auth-id": "241", "content-type": "application/json" ] let parameters = [ "xsoar_source_id": "string", "start_time": 0, "end_time": 0 ] as [String : Any] let postData = JSONSerialization.data(withJSONObject: parameters, options: []) let request = NSMutableURLRequest(url: NSURL(string: "https://api-yourfqdn/public_api/v1/mth/child/get_comments")! as URL, cachePolicy: .useProtocolCachePolicy, timeoutInterval: 10.0) request.httpMethod = "POST" request.allHTTPHeaderFields = headers request.httpBody = postData as Data let session = URLSession.shared let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in if (error != nil) { print(error) } else { let httpResponse = response as? HTTPURLResponse print(httpResponse) } }) dataTask.resume()
<?php $curl = curl_init(); curl_setopt_array($curl, [ CURLOPT_URL => "https://api-yourfqdn/public_api/v1/mth/child/get_comments", CURLOPT_RETURNTRANSFER => true, CURLOPT_ENCODING => "", CURLOPT_MAXREDIRS => 10, CURLOPT_TIMEOUT => 30, CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1, CURLOPT_CUSTOMREQUEST => "POST", CURLOPT_POSTFIELDS => "{\"xsoar_source_id\":\"string\",\"start_time\":0,\"end_time\":0}", CURLOPT_HTTPHEADER => [ "Authorization: REPLACE_KEY_VALUE", "content-type: application/json", "x-xdr-auth-id: 241" ], ]); $response = curl_exec($curl); $err = curl_error($curl); curl_close($curl); if ($err) { echo "cURL Error #:" . $err; } else { echo $response; }
CURL *hnd = curl_easy_init(); curl_easy_setopt(hnd, CURLOPT_CUSTOMREQUEST, "POST"); curl_easy_setopt(hnd, CURLOPT_URL, "https://api-yourfqdn/public_api/v1/mth/child/get_comments"); struct curl_slist *headers = NULL; headers = curl_slist_append(headers, "Authorization: REPLACE_KEY_VALUE"); headers = curl_slist_append(headers, "x-xdr-auth-id: 241"); headers = curl_slist_append(headers, "content-type: application/json"); curl_easy_setopt(hnd, CURLOPT_HTTPHEADER, headers); curl_easy_setopt(hnd, CURLOPT_POSTFIELDS, "{\"xsoar_source_id\":\"string\",\"start_time\":0,\"end_time\":0}"); CURLcode ret = curl_easy_perform(hnd);
var client = new RestClient("https://api-yourfqdn/public_api/v1/mth/child/get_comments"); var request = new RestRequest(Method.POST); request.AddHeader("Authorization", "REPLACE_KEY_VALUE"); request.AddHeader("x-xdr-auth-id", "241"); request.AddHeader("content-type", "application/json"); request.AddParameter("application/json", "{\"xsoar_source_id\":\"string\",\"start_time\":0,\"end_time\":0}", ParameterType.RequestBody); IRestResponse response = client.Execute(request);
Body parameters
required
application/json

Include either xsoar_source_id or the combination of start_time and end_time in the request.

xsoar_source_idstring

The unique identifier of the report

start_timeintegerint64

Start timestamp in milliseconds (epoch)

end_timeintegerint64

End timestamp in milliseconds (epoch)

REQUEST
{ "xsoar_source_id": "777772" }
{ "start_time": 1764512583000, "end_time": 1764517583000 }
Responses

Successful Response

Body
application/json
replyobject
Additional propertiesobject
statusboolean
dataarray
[
comment_idinteger

Unique identifier of the comment

comment_created_bystring

Email or identifier of the comment author

comment_author_typeinteger

Type of the comment author

comment_insert_timeintegerint64

Creation timestamp in milliseconds (epoch)

comment_update_timeintegerint64

Last update timestamp in milliseconds (epoch)

comment_textstring

Text content of the comment

comment_attachmentsarray[string]

Array of attachment URLs

xsoar_source_idstring

Source ID of the associated report

comment_usernamestring

Display name of the comment author

]
RESPONSE
{ "reply": { "9998546484426": { "status": true, "data": [ { "comment_id": 7, "comment_created_by": "stam_updated_user", "comment_author_type": 0, "comment_insert_time": 1763468552000, "comment_update_time": 1763468849000, "comment_text": "Update comment stam2025-11-18 14:27:28.123680", "comment_attachments": [], "xsoar_source_id": "777771", "comment_username": "Managed Threat Hunting" }, { "comment_id": 8, "comment_created_by": "stam_user", "comment_author_type": 0, "comment_insert_time": 1763468560000, "comment_update_time": null, "comment_text": "stam comment_2025-11-18 14:22:39.114626", "comment_attachments": [], "xsoar_source_id": "777771", "comment_username": "Managed Threat Hunting" }, { "comment_id": 21, "comment_created_by": "random_user", "comment_author_type": 0, "comment_insert_time": 1763468843000, "comment_update_time": null, "comment_text": "stam comment_2025-11-18 14:27:22.608768", "comment_attachments": [], "xsoar_source_id": "777771", "comment_username": "analyst@company.com" }, { "comment_id": 34, "comment_created_by": "iavron iavron", "comment_author_type": 1, "comment_insert_time": 1764235743000, "comment_update_time": null, "comment_text": "Attachment test", "comment_attachments": [ "https://test-<tentant-id>-papi.storage.example.com/comment/Screenshot%202025-11-27%20at%2010.34.50.png-1764235743000?Expires=1765122615&GoogleAccessId=api-pod%40test-<tenant-id>.iam.exmaple.com&Signature=ku3dHGq8exMve3Hs25iKjDG64ZKqrNPfkCc4G8Njk2hv9aWKnhFqBDC5viMxcZRVMR8EtI7%2BZ7fciRrC7Dsq6n3j0o1TFOsT0VvHgHhb0g1mfm%2B%2FdLYXEe50y2BjmAI2OQiSFFUSuZ5vZomY8QYFpf8i5GMQL5eP%2BJuo4%2Fo7IRfd%2F93vt6FyNuUxkWydAy%2B2tWRCSWHrxC9Drz8BL6tnJubx2n%2BrlEO1YewNMvm6PQ4xDy88GaQvJ4TNmTa44S8HEtOT%2B4ra95yBT3nxvg7Wz5d4El0fUx%2F7nTD3Cfl4FmUPQr5ujTSMDnpN0tN3l9o8HZAOh4abjURdY9UHK6898w%3D%3D" ], "xsoar_source_id": "484485", "comment_username": "iavron@example.com" } ] } } }

Bad Request - Invalid parameters or missing required fields

Body
application/json
replyobject
err_codestring

Error code

err_msgstring

Error message

err_extrastring

Extra information about the error

RESPONSE
{ "reply": { "err_code": "example", "err_msg": "example", "err_extra": "example" } }

Unauthorized - Invalid or missing API key

Body
application/json
replyobject
err_codestring

Error code

err_msgstring

Error message

err_extrastring

Extra information about the error

RESPONSE
{ "reply": { "err_code": "example", "err_msg": "example", "err_extra": "example" } }

Forbidden - Tenant not authorized for this endpoint

Body
application/json
replyobject
err_codestring

Error code

err_msgstring

Error message

err_extrastring

Extra information about the error

RESPONSE
{ "reply": { "err_code": "example", "err_msg": "example", "err_extra": "example" } }

Internal Server Error

Body
application/json
replyobject
err_codestring

Error code

err_msgstring

Error message

err_extrastring

Extra information about the error

RESPONSE
{ "reply": { "err_code": "example", "err_msg": "example", "err_extra": "example" } }