Mark entry as note

Cortex XSOAR 6 API

post /entry/note

API to mark an entry as a note. It can also be used to remove the note.

Body example: {"id":"1@1234","version":"-1","investigationId":"1234","data":"true/false"}

CURL

curl -X POST \
  -H "Authorization: [[apiKey]]" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  "https://hostname:443/entry/note" \
  -d '{
    "args": {
      "key": {
        "keyValue": [ { "key": "key" }, { "key": "key" } ],
        "complex": {
          "transformers": [
            { "args": { "key": { "isContext": true } }, "operator": "operator" },
            { "args": { "key": { "isContext": true } }, "operator": "operator" }
          ],
          "root": "root",
          "accessor": "accessor",
          "filters": [ null, null ]
        },
        "simple": "simple"
      }
    },
    "sequenceNumber": 6,
    "investigationId": "investigationId",
    "data": "data",
    "primaryTerm": 0,
    "markdown": true,
    "id": "id",
    "version": 1
  }'
Authentication: api_key (API key sent in the "Authorization" header)
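The generated curl sample above carries placeholder values only, so the following added example (not part of the original reference and not vendor code) builds the request from the page's body example instead. It assumes entry IDs have the form `<n>@<investigationId>` as in "1@1234", that `data` is sent as the string "true" or "false", and that the returned Entry's `note` field reflects the new state; `build_note_request` and `set_note` are hypothetical helper names.

```python
import json
import re
import urllib.request

# Assumption: entry IDs look like "<n>@<investigationId>" (page example: "1@1234").
ENTRY_ID_RE = re.compile(r"^(\d+)@(.+)$")


def build_note_request(base_url, api_key, entry_id, investigation_id, is_note):
    """Return a urllib Request for POST /entry/note; raise ValueError on bad input."""
    if not base_url.startswith("https://"):
        raise ValueError("refusing to send the API key over a non-HTTPS URL")
    m = ENTRY_ID_RE.match(entry_id)
    if not m or m.group(2) != investigation_id:
        raise ValueError("entry id does not belong to investigation %r" % investigation_id)
    if not isinstance(is_note, bool):
        raise ValueError("is_note must be a bool")
    body = {
        "id": entry_id,
        "version": "-1",  # as in the page's body example (the schema lists a Number)
        "investigationId": investigation_id,
        "data": "true" if is_note else "false",
    }
    return urllib.request.Request(
        base_url.rstrip("/") + "/entry/note",
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={
            "Authorization": api_key,
            "Accept": "application/json",
            "Content-Type": "application/json",
        },
    )


def set_note(base_url, api_key, entry_id, investigation_id, is_note, timeout=10):
    """Send the request and confirm the returned Entry reflects the change."""
    req = build_note_request(base_url, api_key, entry_id, investigation_id, is_note)
    # urllib verifies the server certificate by default; keep it that way.
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        entry = json.load(resp)
    # Assumption: the response Entry's "note" Boolean shows the new state.
    if bool(entry.get("note", False)) != is_note:
        raise RuntimeError("server returned note=%r" % entry.get("note"))
    return entry
```

Checking the entry ID against the investigation ID before sending keeps an automation mistake from tagging an entry in the wrong investigation.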
Request

Body (optional)

args (optional): Map
data (optional): String
id (optional): String
investigationId (optional): String
markdown (optional): Boolean
primaryTerm (optional): Number (Long), format: int64
sequenceNumber (optional): Number (Long), format: int64
version (optional): Number (Long), format: int64

Responses

Entry

Body

Entry holds a single entry in an investigation. Entries entered within a short amount of time by the same user are combined.

IndicatorTimeline (optional): Array
  Category (optional): String
  Message (optional): String
  Source (optional): String
  Time (optional): Object, format: date-time
  User (optional): String
  Value (optional): Array of strings
InstanceID (optional): String
Relationships (optional): Array
  brand (optional): String
  entityA (optional): String
  entityAFamily (optional): String
  entityAType (optional): String
  entityB (optional): String
  entityBFamily (optional): String
  entityBType (optional): String
  fields (optional): Map of objects. The keys should be the field's display name, all lowercase and without spaces. For example: Scan IP -> scanip. To get the actual key name, you can also go to the Cortex XSOAR CLI, run /incident_add, and look for the key that you would like to update.
  id (optional): String
  instance (optional): String
  name (optional): String
  reliability (optional): String
  reverseName (optional): String
  startTime (optional): Object, format: date-time
  type (optional): String
ShardID (optional): Number (Long), format: int64
allRead (optional): Boolean
allReadWrite (optional): Boolean
apiExecutionMetrics (optional): Array. APIExecutionMetric is used by an entry to indicate the api details of an execution
  apiCallsCount (optional): Number (Long), format: int64
  type (optional): String
brand (optional): String
cacheVersn (optional): Number (Long), format: int64
category (optional): String
contents (optional): Object. The contents of the entry that is actually indexed - should not be used
contentsSize (optional): Number (Long), format: int64. ContentsSize the total size of the contents
created (optional): Object, format: date-time
cron (optional): String
cronView (optional): Boolean
dbotCreatedBy (optional): String. Who has created this event - relevant only for manual incidents
deleted (optional): Boolean
deletedBy (optional): String
deletedFromFS (optional): Boolean
endingDate (optional): Object, format: date-time
endingType (optional): String. EndingType holds the type of schedule Ending
entryTask (optional). EntryTask holds information regarding the related task
  playbookName (optional): String
  quiet (optional): Boolean
  taskId (optional): String
  taskName (optional): String
  taskStatus (optional): String
errorSource (optional): String. Source of the error
file (optional): String. Filename of associated content
fileID (optional): String. FileID is the file name when saved in the server
fileMetadata (optional)
  info (optional): String
  isMediaFile (optional): Boolean
  md5 (optional): String
  sha1 (optional): String
  sha256 (optional): String
  sha512 (optional): String
  size (optional): Number (Long), format: int64
  ssdeep (optional): String
  type (optional): String
format (optional): String. Holds information on how content is formatted
hasRole (optional): Boolean. Internal field to make queries on role faster
highlight (optional): Map
history (optional): Array. Edit history
  contentDate (optional): Object, format: date-time
  contents (optional): String
  contentsFormat (optional): String
  user (optional): String
humanCron (optional)
  atTimeHour (optional): String
  atTimeMinute (optional): String
  days (optional): Array of strings
  schedulingType (optional): String
  The following fields are deprecated. Do not use them.
  timePeriod (optional): Number (Long), format: int64
  timePeriodType (optional): String
id (optional): String
incidentCreationTime (optional): Object, format: date-time. Store the entry based on IncidentCreationTime
indexName (optional): String
instance (optional): String
investigationId (optional): String. The id of the investigation it belongs to
isTodo (optional): Boolean. IsTodo
mirrored (optional): Boolean. Only used for outbound mirroring to mark that it is already mirrored to remote system
modified (optional): Object, format: date-time
note (optional): Boolean. Note
numericId (optional): Number (Long), format: int64
parentContent (optional): Object. ParentEntry content - for reference
parentEntryTruncated (optional): Boolean. ParentEntryTruncated - indicates whether entry content was truncated
parentId (optional): String. ParentId is the ID of the parent entry
pinned (optional): Boolean. Mark entry as pinned = evidence
playbookId (optional): String. PlaybookID - if the entry is assigned as note to a playbook task, it will hold the playbook
polling (optional): Boolean. Only used for polling entries
pollingArgs (optional): Map of objects. ModuleArgs represents module args
pollingCommand (optional): String
pollingItemsRemaining (optional): Number (Long), format: int64
previousAllRead (optional): Boolean
previousAllReadWrite (optional): Boolean
previousRoles (optional): Array of strings. Do not change this field manually
primaryTerm (optional): Number (Long), format: int64
readOnly (optional): Boolean. ReadOnly
recurrent (optional): Boolean
reputationSize (optional): Number (Long), format: int64. ReputationSize the total size of the reputation
reputations (optional): Array. EntryReputations the reputations calculated by regex match. EntryReputation holds the entry reputations and the highlights
  highlights (optional): Map
  reputationsData (optional): Array. ReputationData holds the reputation data (reputation, regex, highlights result)
    rawTerm (optional): String
    reputation (optional): Number (Long), format: int64
    reputationId (optional): String
    term (optional): String
retryTime (optional): Object, format: date-time. When retry took place
roles (optional): Array of strings. The role assigned to this investigation
scheduled (optional): Boolean. is it scheduled
sequenceNumber (optional): Number (Long), format: int64
sizeInBytes (optional): Number (Long), format: int64
sortValues (optional): Array of strings
startDate (optional): Object, format: date-time
syncHash (optional): String
system (optional): String. The name of the system associated with this entry
tags (optional): Array of strings. Tags
tagsRaw (optional): Array of strings. TagsRaw
taskId (optional): String. TaskID - used if the entry is assigned as note to a playbook task
times (optional): Number (Long), format: int64
timesRan (optional): Number (Long), format: int64
timezone (optional): String
timezoneOffset (optional): Number (Long), format: int64
type (optional): Number (Double), format: double. EntryType specifies the type of the entry
user (optional): String. The user who created the entry
version (optional): Number (Long), format: int64
xsoarHasReadOnlyRole (optional): Boolean
xsoarPreviousReadOnlyRoles (optional): Array of strings
xsoarReadOnlyRoles (optional): Array of strings