Save evidence

Cortex XSOAR 6 API

POST /evidence

Save an evidence entity. To update evidence custom fields, lowercase the field names and remove all spaces. For example: Scan IP -> scanip

CURL
    curl -X POST \
      -H "Authorization: [[apiKey]]" \
      -H "Accept: application/json" \
      -H "Content-Type: application/json" \
      "https://hostname:443/evidence" \
      -d '{
        "dbotCreatedBy": "dbotCreatedBy",
        "sizeInBytes": 2,
        "primaryTerm": 5,
        "roles": ["roles", "roles"],
        "description": "description",
        "syncHash": "syncHash",
        "entryId": "entryId",
        "highlight": {"key": ["highlight", "highlight"]},
        "markedDate": "2000-01-23T04:56:07.000+00:00",
        "modified": "2000-01-23T04:56:07.000+00:00",
        "xsoarReadOnlyRoles": ["xsoarReadOnlyRoles", "xsoarReadOnlyRoles"],
        "id": "id",
        "markedBy": "markedBy",
        "allReadWrite": true,
        "numericId": 1,
        "sequenceNumber": 5,
        "previousAllRead": true,
        "previousRoles": ["previousRoles", "previousRoles"],
        "occurred": "2000-01-23T04:56:07.000+00:00",
        "created": "2000-01-23T04:56:07.000+00:00",
        "indexName": "indexName",
        "xsoarHasReadOnlyRole": true,
        "xsoarPreviousReadOnlyRoles": ["xsoarPreviousReadOnlyRoles", "xsoarPreviousReadOnlyRoles"],
        "cacheVersn": 6,
        "sortValues": ["sortValues", "sortValues"],
        "version": 7,
        "tags": ["tags", "tags"],
        "ShardID": 0,
        "previousAllReadWrite": true,
        "tagsRaw": ["tagsRaw", "tagsRaw"],
        "allRead": true,
        "hasRole": true,
        "incidentId": "incidentId",
        "taskId": "taskId",
        "fetched": "2000-01-23T04:56:07.000+00:00"
      }'
Authentication: API key (api_key), sent in the "Authorization" header.
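An added Python example, not part of the Cortex XSOAR reference, that applies the custom-field rule above (lowercase, no spaces) when assembling a POST /evidence body and sends it with the API key in the Authorization header. The collision check against built-in field names is an assumption added here, and the base_url, api_key and sample custom field values are placeholders or constructed.

```python
import json
import urllib.request
from datetime import datetime, timezone

# Built-in Evidence field names from this reference, lowercased so a normalised
# custom key can be checked against them (conservative, case-insensitive check).
EVIDENCE_FIELDS = set("""ShardID allRead allReadWrite cacheVersn created dbotCreatedBy
description entryId fetched hasRole highlight id incidentId indexName markedBy
markedDate modified numericId occurred previousAllRead previousAllReadWrite
previousRoles primaryTerm roles sequenceNumber sizeInBytes sortValues syncHash tags
tagsRaw taskId version xsoarHasReadOnlyRole xsoarPreviousReadOnlyRoles
xsoarReadOnlyRoles""".lower().split())


def normalize_custom_field(name: str) -> str:
    """Documented rule for custom field keys: lowercase and remove all spaces."""
    return name.replace(" ", "").lower()


def build_evidence_payload(incident_id, entry_id, description,
                           custom_fields=None, tags=None, occurred=None):
    """Assemble a POST /evidence body with normalised custom field keys.
    A custom key that matches a built-in field after normalisation (for example
    "Description" -> "description", or previousRoles, which the reference says not
    to change manually) raises instead of silently overwriting that field."""
    occurred = occurred or datetime.now(timezone.utc)
    body = {
        "incidentId": incident_id,
        "entryId": entry_id,
        "description": description,
        "tags": list(tags or []),
        "occurred": occurred.strftime("%Y-%m-%dT%H:%M:%S.000Z"),  # API date-time
    }
    for raw_name, value in (custom_fields or {}).items():
        key = normalize_custom_field(raw_name)
        if key in EVIDENCE_FIELDS:
            raise ValueError(f"custom field {raw_name!r} collides with built-in {key!r}")
        body[key] = value
    return body


def save_evidence(base_url, api_key, payload, timeout=30):
    """POST the body to /evidence with the API key in the Authorization header."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/evidence", data=json.dumps(payload).encode(),
        headers={"Authorization": api_key, "Accept": "application/json",
                 "Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:  # TLS verified by default
        return json.load(resp)
```

Call `save_evidence("https://hostname:443", "<API_KEY>", build_evidence_payload(...))` against a real instance; the builder itself runs offline.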
Request
Body (all fields optional)

Field                        Type                         Description
ShardID                      Number (Long), int64
allRead                      Boolean
allReadWrite                 Boolean
cacheVersn                   Number (Long), int64
created                      Object, date-time
dbotCreatedBy                String                       Who created this event; relevant only for manual incidents
description                  String                       The description for the resolve
entryId                      String                       The entry ID
fetched                      Object, date-time            When the evidence entry was fetched
hasRole                      Boolean                      Internal field to make queries on role faster
highlight                    Map
id                           String
incidentId                   String                       The incident ID
indexName                    String
markedBy                     String                       The user that marked this evidence
markedDate                   Object, date-time            When this evidence was marked
modified                     Object, date-time
numericId                    Number (Long), int64
occurred                     Object, date-time            When this evidence occurred
previousAllRead              Boolean
previousAllReadWrite         Boolean
previousRoles                Array of strings             Do not change this field manually
primaryTerm                  Number (Long), int64
roles                        Array of strings             The role assigned to this investigation
sequenceNumber               Number (Long), int64
sizeInBytes                  Number (Long), int64
sortValues                   Array of strings
syncHash                     String
tags                         Array of strings             Tags
tagsRaw                      Array of strings             TagsRaw
taskId                       String                       When the evidence entry was fetched
version                      Number (Long), int64
xsoarHasReadOnlyRole         Boolean
xsoarPreviousReadOnlyRoles   Array of strings
xsoarReadOnlyRoles           Array of strings
Responses

The new / updated Evidence

Body: the Evidence object, with the same fields as listed under Request above.