Risk Notes

Risk Notes allow you to provide additional information about Risks.

List Risk Notes

Find Risk Notes matching the provided filters.

🔒 Requires Risk Management: Get Risk Note permission.

Securitybearer
Request
path Parameters
riskRegisterId
required
number

The Risk Register ID

Example: 1
required
number or string

An integer Risk ID or string risk identifier (e.g., "RISK-001")

query Parameters
cursor
string

This parameter is used to paginate through results. No value is needed for the first request. If there are additional results, the response will contain a pagination.cursor value that can be used in the subsequent request to retrieve the next page of results

size
number [ 1 .. 500 ]
Default: 50

Number of results to return

sort
string (SortTypeLimitedEnum)

Which field to sort by

Enum: "createdAt" "updatedAt" "name"
sortDir
string (SortDirectionEnum)

The direction to sort the data

Enum: "ASC" "DESC"
includeTotalCount
boolean
Default: false

Include total count of all matching records in response. Only honored on first page (when cursor is null).

Example: includeTotalCount=false
expand[]
Array of strings (RiskNotesExpandEnum)

List of subcollections and sub-objects to expand

Items Value: "owner"
Responses
200
400

Malformed data and/or validation errors

401

Invalid Authorization

403

You are not allowed to perform this action

404

Not Found

412

You must accept the Drata terms and conditions to use the API

500

Internal server error

get/risk-registers/{riskRegisterId}/risks/{riskId}/notes
Request samples 
Response samples 
application/json
{
  • "data": [
    • {
      • "id": 123,
      • "comment": "string",
      • "createdAt": "2025-07-01T16:45:55.246Z",
      • "updatedAt": "2025-07-01T16:45:55.246Z",
      • "owner": {
        • "id": 1,
        • "email": "[email protected]",
        • "firstName": "Sally",
        • "lastName": "Smith",
        • "createdAt": "2025-07-01T16:45:55.246Z",
        • "updatedAt": "2025-07-01T16:45:55.246Z"
        }
      }
    ],
  • "pagination": {
    • "cursor": "string",
    • "totalCount": 0
    }
}
Create Risk Note
Create a new Note for a specific Risk.


🔒 Requires Risk Management: Create Risk Note permission.


Securitybearer 
Request 
path Parameters
riskRegisterId
required
number
The Risk Register ID.


 
 Example:  1
required
number or string
An integer Risk ID or string risk identifier (e.g., "RISK-001")


 
Request Body schema: application/json
required
comment
required
string  <= 768 characters 
The comment content for the note


 
Responses 
201
Created


400
Malformed data and/or validation errors


401
Invalid Authorization


403
You are not allowed to perform this action


404
Not Found


412
You must accept the Drata terms and conditions to use the API


500
Internal server error


post/risk-registers/{riskRegisterId}/risks/{riskId}/notes
Request samples 
application/json
{
  • "comment": "This is a note about the risk assessment findings."
}
Response samples 
application/json
{
  • "id": 123,
  • "comment": "string",
  • "createdAt": "2025-07-01T16:45:55.246Z",
  • "updatedAt": "2025-07-01T16:45:55.246Z",
  • "owner": {
    • "id": 1,
    • "email": "[email protected]",
    • "firstName": "Sally",
    • "lastName": "Smith",
    • "createdAt": "2025-07-01T16:45:55.246Z",
    • "updatedAt": "2025-07-01T16:45:55.246Z"
    }
}
Get Risk Note
Get a Note associated with a given Risk.


🔒 Requires Risk Management: Get Risk Note permission.


Securitybearer 
Request 
path Parameters
riskRegisterId
required
number
The Risk Register ID.


 
 Example:  1
required
number or string
An integer Risk ID or string risk identifier (e.g., "RISK-001")


 
noteId
required
number
 
query Parameters
expand[]
Array of strings (RiskNotesExpandEnum) 
List of subcollections and sub-objects to expand


Items Value: "owner"  
Responses 
200
400
Malformed data and/or validation errors


401
Invalid Authorization


403
You are not allowed to perform this action


404
Not Found


412
You must accept the Drata terms and conditions to use the API


500
Internal server error


get/risk-registers/{riskRegisterId}/risks/{riskId}/notes/{noteId}
Request samples 
Response samples 
application/json
{
  • "id": 123,
  • "comment": "string",
  • "createdAt": "2025-07-01T16:45:55.246Z",
  • "updatedAt": "2025-07-01T16:45:55.246Z",
  • "owner": {
    • "id": 1,
    • "email": "[email protected]",
    • "firstName": "Sally",
    • "lastName": "Smith",
    • "createdAt": "2025-07-01T16:45:55.246Z",
    • "updatedAt": "2025-07-01T16:45:55.246Z"
    }
}
Update Risk Note
Update a specific Risk Note using the provided Note ID.


🔒 Requires Risk Management: Update Risk Note permission.


Securitybearer 
Request 
path Parameters
riskRegisterId
required
number
The Risk Register ID


 
 Example:  1
required
number or string
An integer Risk ID or string risk identifier (e.g., "RISK-001")


 
noteId
required
number
The Note ID


 
 Example:  123
Request Body schema: application/json
required
comment
required
string  <= 768 characters 
The comment content for the note


 
Responses 
200
Successful


400
Malformed data and/or validation errors


401
Invalid Authorization


403
You are not allowed to perform this action


404
Not Found


412
You must accept the Drata terms and conditions to use the API


500
Internal server error


put/risk-registers/{riskRegisterId}/risks/{riskId}/notes/{noteId}
Request samples 
application/json
{
  • "comment": "This is a note about the risk assessment findings."
}
Response samples 
application/json
{
  • "id": 123,
  • "comment": "string",
  • "createdAt": "2025-07-01T16:45:55.246Z",
  • "updatedAt": "2025-07-01T16:45:55.246Z",
  • "owner": {
    • "id": 1,
    • "email": "[email protected]",
    • "firstName": "Sally",
    • "lastName": "Smith",
    • "createdAt": "2025-07-01T16:45:55.246Z",
    • "updatedAt": "2025-07-01T16:45:55.246Z"
    }
}
Delete Risk Note
Delete a specific Risk Note using the provided Note ID.


🔒 Requires Risk Management: Delete Risk Note permission.


Securitybearer 
Request 
path Parameters
riskRegisterId
required
number
The Risk Register ID


 
 Example:  1
required
number or string
An integer Risk ID or string risk identifier (e.g., "RISK-001")


 
noteId
required
number
The Note ID


 
 Example:  123
Responses 
200
204
No Content


400
Malformed data and/or validation errors


401
Invalid Authorization


403
You are not allowed to perform this action


404
Not Found


412
You must accept the Drata terms and conditions to use the API


500
Internal server error


delete/risk-registers/{riskRegisterId}/risks/{riskId}/notes/{noteId}
Request samples 
Response samples 
application/json
{
  • "name": "string",
  • "statusCode": 0,
  • "message": "string",
  • "code": 0,
  • "debugInfo": {
    • "name": "string",
    • "message": "string",
    • "stack": "string"
    }
}