post
/public_api/v1/alerts/insert_cef_alerts
Upload alerts in CEF format from external alert sources. After you map CEF alert fields to Cortex XDR fields, Cortex XDR displays the alerts in related incidents and views. You can send 600 alerts per minute.
Required license: Cortex XDR Pro per GB
Request headers
Authorization
String
required
{api_key}
{api_key}
Example:
authorization_example
x-xdr-auth-id
String
required
{api_key_id}
{api_key_id}
Example:
xXdrAuthId_example
Accept-Encoding
String
For retrieving a compressed gzipped response
For retrieving a compressed gzipped response
Example:
acceptEncoding_example
Default:
gzip
CLIENT REQUEST
curl -X 'POST'
-H
'Accept: application/json'
-H
'Content-Type: application/json'
-H
'Authorization: authorization_example'
-H
'x-xdr-auth-id: xXdrAuthId_example'
-H
'Accept-Encoding: acceptEncoding_example'
'https://api-yourfqdn/public_api/v1/alerts/insert_cef_alerts'
-d
''
import http.client
conn = http.client.HTTPSConnection("api-yourfqdn")
payload = "{\"request_data\":{\"alerts\":[\"CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|microsoft-ds|Unknown|act=AcceptdeviceDirection=0 rt=1569---000 spt=5---57 dpt=4---5cs2Label=Rule Name cs2=ADPrimerylayer_name=FW_Device_blackenedSecuritylayer_uuid=07-----fc7-1a5c-71b8c match_id=1---6parent_rule=0rule_action=Accept rule_uid=8----be5cifname=bond2logid=0loguid={0x5d8c5388,0x61,0x29321fac,0xc0000022}origin=1.1.1.1originsicname=CN=DWdeviceBlackend,O=Blackend sequencenum=363version=5dst=1.1.1.1 inzone=External outzone=Internal product=VPN-1 & FireWall-1proto=6service_id=microsoft-ds src=1.1.1.1\",\"CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|Log|Unknown|act=AcceptdeviceDirection=0 rt=1569477501000 spt=63088 dpt=5985cs2Label=RuleNamelayer_name=FW_Device_blackenedSecuritylayer_uuid=07693f---e96c71b8c match_id=8----9parent_rule=0rule_action=Acceptrule_uid=ae9---70f-ab1c-1ad552c82369conn_direction=Internal ifname=bond1.12logid=0loguid={0x5d8c537d,0xbb,0x29321fac,0xc0000014}origin=1.1.1.1originsicname=CN=DWdeviceBlackend,O=Blackend sequencenum=899version=5dst=1.1.1.1 product=VPN-1 & FireWall-1 proto=6 src=1.1.1.1\"]}}"
headers = {
'Authorization': "SOME_STRING_VALUE",
'x-xdr-auth-id': "SOME_STRING_VALUE",
'Accept-Encoding': "SOME_STRING_VALUE",
'content-type': "application/json"
}
conn.request("POST", "/public_api/v1/alerts/insert_cef_alerts", payload, headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))require 'uri'
require 'net/http'
require 'openssl'
url = URI("https://api-yourfqdn/public_api/v1/alerts/insert_cef_alerts")
http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
request = Net::HTTP::Post.new(url)
request["Authorization"] = 'SOME_STRING_VALUE'
request["x-xdr-auth-id"] = 'SOME_STRING_VALUE'
request["Accept-Encoding"] = 'SOME_STRING_VALUE'
request["content-type"] = 'application/json'
request.body = "{\"request_data\":{\"alerts\":[\"CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|microsoft-ds|Unknown|act=AcceptdeviceDirection=0 rt=1569---000 spt=5---57 dpt=4---5cs2Label=Rule Name cs2=ADPrimerylayer_name=FW_Device_blackenedSecuritylayer_uuid=07-----fc7-1a5c-71b8c match_id=1---6parent_rule=0rule_action=Accept rule_uid=8----be5cifname=bond2logid=0loguid={0x5d8c5388,0x61,0x29321fac,0xc0000022}origin=1.1.1.1originsicname=CN=DWdeviceBlackend,O=Blackend sequencenum=363version=5dst=1.1.1.1 inzone=External outzone=Internal product=VPN-1 & FireWall-1proto=6service_id=microsoft-ds src=1.1.1.1\",\"CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|Log|Unknown|act=AcceptdeviceDirection=0 rt=1569477501000 spt=63088 dpt=5985cs2Label=RuleNamelayer_name=FW_Device_blackenedSecuritylayer_uuid=07693f---e96c71b8c match_id=8----9parent_rule=0rule_action=Acceptrule_uid=ae9---70f-ab1c-1ad552c82369conn_direction=Internal ifname=bond1.12logid=0loguid={0x5d8c537d,0xbb,0x29321fac,0xc0000014}origin=1.1.1.1originsicname=CN=DWdeviceBlackend,O=Blackend sequencenum=899version=5dst=1.1.1.1 product=VPN-1 & FireWall-1 proto=6 src=1.1.1.1\"]}}"
response = http.request(request)
puts response.read_bodyconst data = JSON.stringify({
"request_data": {
"alerts": [
"CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|microsoft-ds|Unknown|act=AcceptdeviceDirection=0 rt=1569---000 spt=5---57 dpt=4---5cs2Label=Rule Name cs2=ADPrimerylayer_name=FW_Device_blackenedSecuritylayer_uuid=07-----fc7-1a5c-71b8c match_id=1---6parent_rule=0rule_action=Accept rule_uid=8----be5cifname=bond2logid=0loguid={0x5d8c5388,0x61,0x29321fac,0xc0000022}origin=1.1.1.1originsicname=CN=DWdeviceBlackend,O=Blackend sequencenum=363version=5dst=1.1.1.1 inzone=External outzone=Internal product=VPN-1 & FireWall-1proto=6service_id=microsoft-ds src=1.1.1.1",
"CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|Log|Unknown|act=AcceptdeviceDirection=0 rt=1569477501000 spt=63088 dpt=5985cs2Label=RuleNamelayer_name=FW_Device_blackenedSecuritylayer_uuid=07693f---e96c71b8c match_id=8----9parent_rule=0rule_action=Acceptrule_uid=ae9---70f-ab1c-1ad552c82369conn_direction=Internal ifname=bond1.12logid=0loguid={0x5d8c537d,0xbb,0x29321fac,0xc0000014}origin=1.1.1.1originsicname=CN=DWdeviceBlackend,O=Blackend sequencenum=899version=5dst=1.1.1.1 product=VPN-1 & FireWall-1 proto=6 src=1.1.1.1"
]
}
});
const xhr = new XMLHttpRequest();
xhr.withCredentials = true;
xhr.addEventListener("readystatechange", function () {
if (this.readyState === this.DONE) {
console.log(this.responseText);
}
});
xhr.open("POST", "https://api-yourfqdn/public_api/v1/alerts/insert_cef_alerts");
xhr.setRequestHeader("Authorization", "SOME_STRING_VALUE");
xhr.setRequestHeader("x-xdr-auth-id", "SOME_STRING_VALUE");
xhr.setRequestHeader("Accept-Encoding", "SOME_STRING_VALUE");
xhr.setRequestHeader("content-type", "application/json");
xhr.send(data);HttpResponse<String> response = Unirest.post("https://api-yourfqdn/public_api/v1/alerts/insert_cef_alerts")
.header("Authorization", "SOME_STRING_VALUE")
.header("x-xdr-auth-id", "SOME_STRING_VALUE")
.header("Accept-Encoding", "SOME_STRING_VALUE")
.header("content-type", "application/json")
.body("{\"request_data\":{\"alerts\":[\"CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|microsoft-ds|Unknown|act=AcceptdeviceDirection=0 rt=1569---000 spt=5---57 dpt=4---5cs2Label=Rule Name cs2=ADPrimerylayer_name=FW_Device_blackenedSecuritylayer_uuid=07-----fc7-1a5c-71b8c match_id=1---6parent_rule=0rule_action=Accept rule_uid=8----be5cifname=bond2logid=0loguid={0x5d8c5388,0x61,0x29321fac,0xc0000022}origin=1.1.1.1originsicname=CN=DWdeviceBlackend,O=Blackend sequencenum=363version=5dst=1.1.1.1 inzone=External outzone=Internal product=VPN-1 & FireWall-1proto=6service_id=microsoft-ds src=1.1.1.1\",\"CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|Log|Unknown|act=AcceptdeviceDirection=0 rt=1569477501000 spt=63088 dpt=5985cs2Label=RuleNamelayer_name=FW_Device_blackenedSecuritylayer_uuid=07693f---e96c71b8c match_id=8----9parent_rule=0rule_action=Acceptrule_uid=ae9---70f-ab1c-1ad552c82369conn_direction=Internal ifname=bond1.12logid=0loguid={0x5d8c537d,0xbb,0x29321fac,0xc0000014}origin=1.1.1.1originsicname=CN=DWdeviceBlackend,O=Blackend sequencenum=899version=5dst=1.1.1.1 product=VPN-1 & FireWall-1 proto=6 src=1.1.1.1\"]}}")
.asString();import Foundation
let headers = [
"Authorization": "SOME_STRING_VALUE",
"x-xdr-auth-id": "SOME_STRING_VALUE",
"Accept-Encoding": "SOME_STRING_VALUE",
"content-type": "application/json"
]
let parameters = ["request_data": ["alerts": ["CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|microsoft-ds|Unknown|act=AcceptdeviceDirection=0 rt=1569---000 spt=5---57 dpt=4---5cs2Label=Rule Name cs2=ADPrimerylayer_name=FW_Device_blackenedSecuritylayer_uuid=07-----fc7-1a5c-71b8c match_id=1---6parent_rule=0rule_action=Accept rule_uid=8----be5cifname=bond2logid=0loguid={0x5d8c5388,0x61,0x29321fac,0xc0000022}origin=1.1.1.1originsicname=CN=DWdeviceBlackend,O=Blackend sequencenum=363version=5dst=1.1.1.1 inzone=External outzone=Internal product=VPN-1 & FireWall-1proto=6service_id=microsoft-ds src=1.1.1.1", "CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|Log|Unknown|act=AcceptdeviceDirection=0 rt=1569477501000 spt=63088 dpt=5985cs2Label=RuleNamelayer_name=FW_Device_blackenedSecuritylayer_uuid=07693f---e96c71b8c match_id=8----9parent_rule=0rule_action=Acceptrule_uid=ae9---70f-ab1c-1ad552c82369conn_direction=Internal ifname=bond1.12logid=0loguid={0x5d8c537d,0xbb,0x29321fac,0xc0000014}origin=1.1.1.1originsicname=CN=DWdeviceBlackend,O=Blackend sequencenum=899version=5dst=1.1.1.1 product=VPN-1 & FireWall-1 proto=6 src=1.1.1.1"]]] as [String : Any]
let postData = JSONSerialization.data(withJSONObject: parameters, options: [])
let request = NSMutableURLRequest(url: NSURL(string: "https://api-yourfqdn/public_api/v1/alerts/insert_cef_alerts")! as URL,
cachePolicy: .useProtocolCachePolicy,
timeoutInterval: 10.0)
request.httpMethod = "POST"
request.allHTTPHeaderFields = headers
request.httpBody = postData as Data
let session = URLSession.shared
let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in
if (error != nil) {
print(error)
} else {
let httpResponse = response as? HTTPURLResponse
print(httpResponse)
}
})
dataTask.resume()<?php
$curl = curl_init();
curl_setopt_array($curl, [
CURLOPT_URL => "https://api-yourfqdn/public_api/v1/alerts/insert_cef_alerts",
CURLOPT_RETURNTRANSFER => true,
CURLOPT_ENCODING => "",
CURLOPT_MAXREDIRS => 10,
CURLOPT_TIMEOUT => 30,
CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
CURLOPT_CUSTOMREQUEST => "POST",
CURLOPT_POSTFIELDS => "{\"request_data\":{\"alerts\":[\"CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|microsoft-ds|Unknown|act=AcceptdeviceDirection=0 rt=1569---000 spt=5---57 dpt=4---5cs2Label=Rule Name cs2=ADPrimerylayer_name=FW_Device_blackenedSecuritylayer_uuid=07-----fc7-1a5c-71b8c match_id=1---6parent_rule=0rule_action=Accept rule_uid=8----be5cifname=bond2logid=0loguid={0x5d8c5388,0x61,0x29321fac,0xc0000022}origin=1.1.1.1originsicname=CN=DWdeviceBlackend,O=Blackend sequencenum=363version=5dst=1.1.1.1 inzone=External outzone=Internal product=VPN-1 & FireWall-1proto=6service_id=microsoft-ds src=1.1.1.1\",\"CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|Log|Unknown|act=AcceptdeviceDirection=0 rt=1569477501000 spt=63088 dpt=5985cs2Label=RuleNamelayer_name=FW_Device_blackenedSecuritylayer_uuid=07693f---e96c71b8c match_id=8----9parent_rule=0rule_action=Acceptrule_uid=ae9---70f-ab1c-1ad552c82369conn_direction=Internal ifname=bond1.12logid=0loguid={0x5d8c537d,0xbb,0x29321fac,0xc0000014}origin=1.1.1.1originsicname=CN=DWdeviceBlackend,O=Blackend sequencenum=899version=5dst=1.1.1.1 product=VPN-1 & FireWall-1 proto=6 src=1.1.1.1\"]}}",
CURLOPT_HTTPHEADER => [
"Accept-Encoding: SOME_STRING_VALUE",
"Authorization: SOME_STRING_VALUE",
"content-type: application/json",
"x-xdr-auth-id: SOME_STRING_VALUE"
],
]);
$response = curl_exec($curl);
$err = curl_error($curl);
curl_close($curl);
if ($err) {
echo "cURL Error #:" . $err;
} else {
echo $response;
}CURL *hnd = curl_easy_init();
curl_easy_setopt(hnd, CURLOPT_CUSTOMREQUEST, "POST");
curl_easy_setopt(hnd, CURLOPT_URL, "https://api-yourfqdn/public_api/v1/alerts/insert_cef_alerts");
struct curl_slist *headers = NULL;
headers = curl_slist_append(headers, "Authorization: SOME_STRING_VALUE");
headers = curl_slist_append(headers, "x-xdr-auth-id: SOME_STRING_VALUE");
headers = curl_slist_append(headers, "Accept-Encoding: SOME_STRING_VALUE");
headers = curl_slist_append(headers, "content-type: application/json");
curl_easy_setopt(hnd, CURLOPT_HTTPHEADER, headers);
curl_easy_setopt(hnd, CURLOPT_POSTFIELDS, "{\"request_data\":{\"alerts\":[\"CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|microsoft-ds|Unknown|act=AcceptdeviceDirection=0 rt=1569---000 spt=5---57 dpt=4---5cs2Label=Rule Name cs2=ADPrimerylayer_name=FW_Device_blackenedSecuritylayer_uuid=07-----fc7-1a5c-71b8c match_id=1---6parent_rule=0rule_action=Accept rule_uid=8----be5cifname=bond2logid=0loguid={0x5d8c5388,0x61,0x29321fac,0xc0000022}origin=1.1.1.1originsicname=CN=DWdeviceBlackend,O=Blackend sequencenum=363version=5dst=1.1.1.1 inzone=External outzone=Internal product=VPN-1 & FireWall-1proto=6service_id=microsoft-ds src=1.1.1.1\",\"CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|Log|Unknown|act=AcceptdeviceDirection=0 rt=1569477501000 spt=63088 dpt=5985cs2Label=RuleNamelayer_name=FW_Device_blackenedSecuritylayer_uuid=07693f---e96c71b8c match_id=8----9parent_rule=0rule_action=Acceptrule_uid=ae9---70f-ab1c-1ad552c82369conn_direction=Internal ifname=bond1.12logid=0loguid={0x5d8c537d,0xbb,0x29321fac,0xc0000014}origin=1.1.1.1originsicname=CN=DWdeviceBlackend,O=Blackend sequencenum=899version=5dst=1.1.1.1 product=VPN-1 & FireWall-1 proto=6 src=1.1.1.1\"]}}");
CURLcode ret = curl_easy_perform(hnd);var client = new RestClient("https://api-yourfqdn/public_api/v1/alerts/insert_cef_alerts");
var request = new RestRequest(Method.POST);
request.AddHeader("Authorization", "SOME_STRING_VALUE");
request.AddHeader("x-xdr-auth-id", "SOME_STRING_VALUE");
request.AddHeader("Accept-Encoding", "SOME_STRING_VALUE");
request.AddHeader("content-type", "application/json");
request.AddParameter("application/json", "{\"request_data\":{\"alerts\":[\"CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|microsoft-ds|Unknown|act=AcceptdeviceDirection=0 rt=1569---000 spt=5---57 dpt=4---5cs2Label=Rule Name cs2=ADPrimerylayer_name=FW_Device_blackenedSecuritylayer_uuid=07-----fc7-1a5c-71b8c match_id=1---6parent_rule=0rule_action=Accept rule_uid=8----be5cifname=bond2logid=0loguid={0x5d8c5388,0x61,0x29321fac,0xc0000022}origin=1.1.1.1originsicname=CN=DWdeviceBlackend,O=Blackend sequencenum=363version=5dst=1.1.1.1 inzone=External outzone=Internal product=VPN-1 & FireWall-1proto=6service_id=microsoft-ds src=1.1.1.1\",\"CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|Log|Unknown|act=AcceptdeviceDirection=0 rt=1569477501000 spt=63088 dpt=5985cs2Label=RuleNamelayer_name=FW_Device_blackenedSecuritylayer_uuid=07693f---e96c71b8c match_id=8----9parent_rule=0rule_action=Acceptrule_uid=ae9---70f-ab1c-1ad552c82369conn_direction=Internal ifname=bond1.12logid=0loguid={0x5d8c537d,0xbb,0x29321fac,0xc0000014}origin=1.1.1.1originsicname=CN=DWdeviceBlackend,O=Blackend sequencenum=899version=5dst=1.1.1.1 product=VPN-1 & FireWall-1 proto=6 src=1.1.1.1\"]}}", ParameterType.RequestBody);
IRestResponse response = client.Execute(request);Body parameters
application/json
request_dataobject
alertsarray[string]A list of alerts in CEF format.
A list of alerts in CEF format.
REQUEST
{
"request_data": {
"alerts": [
"CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|microsoft-ds|Unknown|act=AcceptdeviceDirection=0 rt=1569---000 spt=5---57 dpt=4---5cs2Label=Rule Name cs2=ADPrimery layer_name=FW_Device_blackenedSecuritylayer_uuid=07-----fc7-1a5c-71b8c match_id=1---6parent_rule=0rule_action=Accept rule_uid=8----be5cifname=bond2logid=0 loguid={0x5d8c5388,0x61,0x29321fac,0xc0000022}origin=1.1.1.1originsicname=CN=DWdeviceBlackend,O=Blackend sequencenum=363version=5dst=1.1.1.1 inzone=External outzone=Internal product=VPN-1 & FireWall-1 proto=6service_id=microsoft-ds src=1.1.1.1",
"CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|Log|Unknown|act=AcceptdeviceDirection=0 rt=1569477501000 spt=63088 dpt=5985cs2Label=Rule Namelayer_name=FW_Device_blackenedSecuritylayer_uuid=07693f---e96c71b8c match_id=8----9parent_rule=0rule_action=Acceptrule_uid=ae9---70f-ab1c-1ad552c82369conn_direction=Internal ifname=bond1.12logid=0loguid=0x5d8c537d,0xbb,0x29321fac,0xc0000014}origin=1.1.1.1originsicname=CN=DWdeviceBlackend,O=Blackend sequencenum=899version=5dst=1.1.1.1 product=VPN-1 & FireWall-1 proto=6 src=1.1.1.1"
]
}
}Responses
Successful response
Body
application/json
true=upload successful
booleantrue=upload successful
true=upload successful
RESPONSE
falseBad Request. Got an invalid JSON.
Body
application/json
The query result upon error.
err_codestringHTTP response code.
HTTP response code.
err_msgstringError message.
Error message.
Example:
"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"err_extrastringAdditional information describing the error.
Additional information describing the error.
RESPONSE
{
"err_code": "example",
"err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}",
"err_extra": "example"
}Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, id, or other invalid authentication parameters.
Body
application/json
The query result upon error.
err_codestringHTTP response code.
HTTP response code.
err_msgstringError message.
Error message.
Example:
"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"err_extrastringAdditional information describing the error.
Additional information describing the error.
RESPONSE
{
"err_code": "example",
"err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}",
"err_extra": "example"
}Unauthorized access. User does not have the required license type to run this API.
Body
application/json
The query result upon error.
err_codestringHTTP response code.
HTTP response code.
err_msgstringError message.
Error message.
Example:
"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"err_extrastringAdditional information describing the error.
Additional information describing the error.
RESPONSE
{
"err_code": "example",
"err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}",
"err_extra": "example"
}Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.
Body
application/json
The query result upon error.
err_codestringHTTP response code.
HTTP response code.
err_msgstringError message.
Error message.
Example:
"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"err_extrastringAdditional information describing the error.
Additional information describing the error.
RESPONSE
{
"err_code": "example",
"err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}",
"err_extra": "example"
}Internal server error. A unified status for API communication type errors.
Body
application/json
The query result upon error.
err_codestringHTTP response code.
HTTP response code.
err_msgstringError message.
Error message.
Example:
"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"err_extrastringAdditional information describing the error.
Additional information describing the error.
RESPONSE
{
"err_code": "example",
"err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}",
"err_extra": "example"
}