Skip to main content
GET
/
cases
List hydrated cases with threat events
curl --request GET \
  --url https://eris.devops.truu.ai/api/v1/external/cases \
  --header 'X-API-Key: <api-key>'
{
  "next_cursor": "<string>",
  "data": [
    {
      "case_id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
      "tuid": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
      "user_email": "<string>",
      "user_name": "<string>",
      "threat_type": "<string>",
      "threat_brief": "<string>",
      "created_at": "2023-11-07T05:31:56Z",
      "updated_at": "2023-11-07T05:31:56Z",
      "closed_at": "2023-11-07T05:31:56Z",
      "events": [
        {
          "event_id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
          "kind": "<string>",
          "tuid": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
          "category": [
            "<string>"
          ],
          "subcategory": [
            "<string>"
          ],
          "title": "<string>",
          "summary": "<string>",
          "source": "<string>",
          "source_table": "<string>",
          "source_event_ids": [
            "<string>"
          ],
          "user_name": "<string>",
          "user_email": "<string>",
          "created_at": "2023-11-07T05:31:56Z"
        }
      ]
    }
  ]
}

Authorizations

X-API-Key
string
header
required

Domain-scoped API key. Generate and manage keys from the API Keys page in Settings.

Accepted in two forms:

  • X-API-Key: <key> header (preferred)
  • Authorization: Bearer <key> header (also accepted)

Query Parameters

email
string

Filter by user email or UPN.

tuid
string<uuid>

Filter by TOTAL user identifier. If combined with email, both must refer to the same user.

case_id
string<uuid>
state
string

Lifecycle state of a case:

  • discover — Vetted by the AI judge, ready for triage
  • pending_investigation — Swiped; investigation pending
  • investigating — Investigation underway
  • enforced — An enforcement action has been taken
  • closed — Case closed
threat_type
string

Case classification from the AI judge (Predict / inference pipeline). Known values: threat, insider_threat, identity_vulnerability. Older or demo rows may still carry legacy strings until backfilled.

created_after
string<date-time>

Return cases whose created_at is greater than or equal to this timestamp.

created_before
string<date-time>

Return cases whose created_at is less than or equal to this timestamp.

page_size
integer
default:50
Required range: x <= 200
next_cursor
string<uuid>

Case id from the last item of the previous page.

Response

Cursor-paginated list of hydrated cases with full threat events

next_cursor
string | null
data
object[]