> ## Documentation Index
> Fetch the complete documentation index at: https://docs.truu.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Submit a verdict for a case

> Feed back a verdict from an external workflow or SOC analyst.

Supply a single **outcome** describing what happened to the case. An optional **comment**
and list of supporting **event_ids** (threat event UUIDs, up to 200) may be included.

**outcome** must be one of: `SAFE`, `TRUE_POSITIVE`, `FALSE_POSITIVE`, `DUPLICATE`, `ESCALATED`.




## OpenAPI

````yaml https://eris.devops.truu.ai/api/v1/external/docs post /cases/{case_id}/verdict
openapi: 3.0.3
info:
  title: TOTAL Public API
  version: 2.3.10
  description: >
    The TOTAL API gives you programmatic access to your organization's

    security data. Use it to query cases and threat events, and to feed

    verdicts back into the platform.


    ## Authentication


    All routes in this specification are served under `/api/v1/external` and

    require a domain-scoped API key via the `X-API-Key` header. Generate and

    manage keys from the API Keys page in Settings.


    The admin console (Atlas) uses separate JWT-authenticated routes under

    `/api/v1/eris/...` (for example `GET /api/v1/eris/integrations`); those are

    not part of this public API surface.


    ## Pagination

    List routes use cursor pagination: `page_size` (default 50, max 200) and

    optional `next_cursor` (pass the `case_id` or `event_id` UUID from the last

    item of the previous page). Responses include `next_cursor` when more

    results are available.


    ## Rate Limits

    Read endpoints in this API are limited to 1,000 requests/minute.

    Write endpoints in this API are limited to 200 requests/minute.


    ## Availability

    Some routes may return `423 Locked` when the requested data is not yet

    available for your domain.


    ---


    ## Appendix A — Azure Log Analytics: source_event_ids → KQL lookup


    Threat events include a `source_event_ids` array. Each value is the

    `_ItemId` of the originating row in your Azure Log Analytics workspace

    — the per-row GUID stamped by Log Analytics at ingest. It is row-unique

    on every supported table, so the same lookup pattern works regardless

    of source:

        <SourceTable> | where _ItemId == "<id>"

    Run the lookup against your Log Analytics workspace (the same workspace

    that backs Azure Log Analytics / Defender XDR Advanced Hunting). Use the

    `source` field on the event to pick the table.


    | Source table | KQL field | Example KQL |

    |---|---|---|

    | SigninLogs | _ItemId | `SigninLogs | where _ItemId == "<id>"` |

    | AuditLogs | _ItemId | `AuditLogs | where _ItemId == "<id>"` |

    | AADUserRiskEvents | _ItemId | `AADUserRiskEvents | where _ItemId ==
    "<id>"` |

    | CloudAppEvents | _ItemId | `CloudAppEvents | where _ItemId == "<id>"` |

    | OfficeActivity | _ItemId | `OfficeActivity | where _ItemId == "<id>"` |

    | EmailEvents | _ItemId | `EmailEvents | where _ItemId == "<id>"` |

    | EmailPostDeliveryEvents | _ItemId | `EmailPostDeliveryEvents | where
    _ItemId == "<id>"` |

    | EmailUrlInfo | _ItemId | `EmailUrlInfo | where _ItemId == "<id>"` |

    | EmailAttachmentInfo | _ItemId | `EmailAttachmentInfo | where _ItemId ==
    "<id>"` |

    | UrlClickEvents | _ItemId | `UrlClickEvents | where _ItemId == "<id>"` |

    | SecurityEvent | _ItemId | `SecurityEvent | where _ItemId == "<id>"` |

    | IdentityLogonEvents | _ItemId | `IdentityLogonEvents | where _ItemId ==
    "<id>"` |

    | IdentityQueryEvents | _ItemId | `IdentityQueryEvents | where _ItemId ==
    "<id>"` |

    | IdentityDirectoryEvents | _ItemId | `IdentityDirectoryEvents | where
    _ItemId == "<id>"` |

    | BehaviorAnalytics | _ItemId | `BehaviorAnalytics | where _ItemId ==
    "<id>"` |

    | Anomalies | _ItemId | `Anomalies | where _ItemId == "<id>"` |

    | AzureActivity | _ItemId | `AzureActivity | where _ItemId == "<id>"` |

    | MicrosoftPurviewInformationProtection | _ItemId |
    `MicrosoftPurviewInformationProtection | where _ItemId == "<id>"` |

    | CommonSecurityLog | _ItemId | `CommonSecurityLog | where _ItemId ==
    "<id>"` |

    | Syslog | _ItemId | `Syslog | where _ItemId == "<id>"` |

    | AADProvisioningLogs | _ItemId | `AADProvisioningLogs | where _ItemId ==
    "<id>"` |
servers:
  - url: https://eris.devops.truu.ai/api/v1/external
    description: TOTAL Public API
security:
  - ApiKeyAuth: []
tags:
  - name: Cases
    description: Threat investigation cases and verdicts
  - name: Users
    description: Provisioned users and monitoring
  - name: Personas
    description: Persona overviews
  - name: Threats
    description: Raw threat events
paths:
  /cases/{case_id}/verdict:
    post:
      tags:
        - Cases
      summary: Submit a verdict for a case
      description: >
        Feed back a verdict from an external workflow or SOC analyst.


        Supply a single **outcome** describing what happened to the case. An
        optional **comment**

        and list of supporting **event_ids** (threat event UUIDs, up to 200) may
        be included.


        **outcome** must be one of: `SAFE`, `TRUE_POSITIVE`, `FALSE_POSITIVE`,
        `DUPLICATE`, `ESCALATED`.
      operationId: submitCaseVerdict
      parameters:
        - name: case_id
          in: path
          required: true
          schema:
            type: string
            format: uuid
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CaseVerdictRequest'
      responses:
        '200':
          description: Verdict accepted and applied
          headers:
            X-Request-Id:
              schema:
                type: string
              description: Correlation identifier for this request
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/CaseVerdictResponse'
        '400':
          description: Invalid request
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Error'
        '401':
          description: Invalid or missing API key
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Error'
        '403':
          description: Insufficient scope — cases:write required
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Error'
        '404':
          description: Case not found
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Error'
        '409':
          description: Verdict already submitted for this case
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Error'
        '422':
          description: Request body validation failed
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Error'
        '423':
          description: Resource not ready yet for this domain
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ResourceNotReady'
        '429':
          description: Rate limit exceeded
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Error'
components:
  schemas:
    CaseVerdictRequest:
      type: object
      required:
        - outcome
      properties:
        outcome:
          $ref: '#/components/schemas/VerdictOutcome'
        comment:
          type: string
          maxLength: 2000
        event_ids:
          type: array
          maxItems: 200
          description: Optional event IDs supporting this verdict
          items:
            type: string
            format: uuid
    CaseVerdictResponse:
      type: object
      required:
        - success
        - case_id
        - outcome
        - resolved
        - processed_at
      properties:
        success:
          type: boolean
        case_id:
          type: string
          format: uuid
        outcome:
          $ref: '#/components/schemas/VerdictOutcome'
        resolved:
          type: boolean
        processed_at:
          type: string
          format: date-time
    Error:
      type: object
      properties:
        error:
          type: string
    ResourceNotReady:
      type: object
      properties:
        error:
          type: string
          description: Always `resource_not_ready`
        resource:
          type: string
          description: One of `cases`, `threats`, `personas`
        message:
          type: string
          description: Human-readable readiness status message
        details:
          type: string
          description: Resource-specific not-ready detail
        days_until_ready:
          type: number
          format: float
          description: Days remaining until the resource is available
        external_api_enabled_at_utc:
          type: string
          format: date-time
        now_utc:
          type: string
          format: date-time
    VerdictOutcome:
      type: string
      description: >
        What happened to the case. One label, no ambiguity:

        - `SAFE` — Benign, no threat (enforcement Mark Safe; not triage swipe)

        - `TRUE_POSITIVE` — Confirmed threat, actioned

        - `FALSE_POSITIVE` — Incorrectly classified (same enforcement Mark Safe
        as SAFE)

        - `DUPLICATE` — Already handled under another case

        - `ESCALATED` — Passed to investigation or SOC tier
  securitySchemes:
    ApiKeyAuth:
      type: apiKey
      in: header
      name: X-API-Key
      description: |
        Domain-scoped API key. Generate and manage keys from the API Keys
        page in Settings.

        Accepted in two forms:
        - `X-API-Key: <key>` header (preferred)
        - `Authorization: Bearer <key>` header (also accepted)

````