Endpoint Options

Some API endpoints have options that define how objects should be merged and how digital data should be updated.

Options for the Endpoint

curl -X POST \
  https://<API_ENDPOINT>/v1/entities/create \
  -H 'Content-Type: application/json' \
  -H 'u21-key: <YOUR_API_KEY>' \
  -d '{
    "options": {
      "resolve_geoip": true,
      "upsert_on_conflict": true,
      "merge_custom_data": true,
      "list_merge_strategy": "union"
    }
  }'

curl -X POST \
  https://<API_ENDPOINT>/v1/alerts/create \
  -H 'Content-Type: application/json' \
  -H 'u21-key: <YOUR_API_KEY>' \
  -d '{
    "options": {
      "merge_custom_data": true,
      "list_merge_strategy": "union"
    }
  }'

The following fields are options for the endpoint:

Field	Type	Description
`resolve_geoip`	Boolean	Whether or not to resolve the geographic location from the provided IP address (in the digital data section). Defaults to `true` if at least one value of an `ip_address` is provided in `digital_data.ip_addresses`. If `resolve_geoip` is set to `true` but no values are provided in `digital_data.ip_addresses`, an exception will be thrown. If `resolve_geo_ip` is set to `true` but the IP address provided is invalid or cannot be resolved, no exception will be thrown.
`merge_custom_data`	Boolean	Only relevant for updates/upserts, ignored otherwise. Default is `false`.
`list_merge_strategy`	String	Only relevant for updates/upserts, ignored otherwise. Possible values are `union`, `replace`, `difference`. Default is `union`.
`upsert_on_conflict`	Boolean	If you wish for the API to perform strict validation and not perform an upsert on conflict, specifying `options.upsert_on_conflict: false` will result in the API responding with a 409 error code indicating that this instrument cannot be overwritten.
`include_associations`	Boolean	If `true`, the response will include associated rule, case and SAR IDs (see endpoint for details).
`include_actions`	Boolean	If `true`, the response will include `actions` in the response which is a list of all actions taken on the alert/case including disposition changes, status changes, reassignments and the authors email.
`include_checklist`	Boolean	If `true`, the response will include `checklists` in the response which is a list of all checklist items an agent must complete for the alert/case investigation.