Insert CEF Alerts

Cortex XDR REST API

post /public_api/v1/alerts/insert_cef_alerts

Upload alerts in CEF format from external alert sources. After you map CEF alert fields to Cortex XDR fields, Cortex XDR displays the alerts in related incidents and views. You can send 600 alerts per minute.

Required license: Cortex XDR Pro per GB

Body parameters
request_dataObject
alertsArray[string]

A list of alerts in CEF format.

REQUEST BODY
{ "request_data": { "alerts": [ "CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|microsoft-ds|Unknown|act=AcceptdeviceDirection=0 rt=1569---000 spt=5---57 dpt=4---5cs2Label=Rule Name cs2=ADPrimery layer_name=FW_Device_blackenedSecuritylayer_uuid=07-----fc7-1a5c-71b8c match_id=1---6parent_rule=0rule_action=Accept rule_uid=8----be5cifname=bond2logid=0 loguid={0x5d8c5388,0x61,0x29321fac,0xc0000022}origin=1.1.1.1originsicname=CN=DWdeviceBlackend,O=Blackend sequencenum=363version=5dst=1.1.1.1 inzone=External outzone=Internal product=VPN-1 & FireWall-1 proto=6service_id=microsoft-ds src=1.1.1.1", "CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|Log|Unknown|act=AcceptdeviceDirection=0 rt=1569477501000 spt=63088 dpt=5985cs2Label=Rule Namelayer_name=FW_Device_blackenedSecuritylayer_uuid=07693f---e96c71b8c match_id=8----9parent_rule=0rule_action=Acceptrule_uid=ae9---70f-ab1c-1ad552c82369conn_direction=Internal ifname=bond1.12logid=0loguid=0x5d8c537d,0xbb,0x29321fac,0xc0000014}origin=1.1.1.1originsicname=CN=DWdeviceBlackend,O=Blackend sequencenum=899version=5dst=1.1.1.1 product=VPN-1 & FireWall-1 proto=6 src=1.1.1.1" ] } }
CURL
curl -X 'POST'
-H 'Accept: application/json'
-H 'Content-Type: application/json'
'https://api-yourfqdn/public_api/v1/alerts/insert_cef_alerts'
-d ''
Responses

Successful response

Body

Bad Request. Got an invalid JSON.

Body
err_codeString

HTTP response code.

err_msgString

Error message.

Example:"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extraString

Additional information describing the error.

RESPONSE
{ "err_code": "err_code_example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "err_extra_example" }

Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, id, or other invalid authentication parameters.

Body
err_codeString

HTTP response code.

err_msgString

Error message.

Example:"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extraString

Additional information describing the error.

RESPONSE
{ "err_code": "err_code_example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "err_extra_example" }

Unauthorized access. User does not have the required license type to run this API.

Body
err_codeString

HTTP response code.

err_msgString

Error message.

Example:"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extraString

Additional information describing the error.

RESPONSE
{ "err_code": "err_code_example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "err_extra_example" }

Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.

Body
err_codeString

HTTP response code.

err_msgString

Error message.

Example:"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extraString

Additional information describing the error.

RESPONSE
{ "err_code": "err_code_example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "err_extra_example" }

Internal server error. A unified status for API communication type errors.

Body
err_codeString

HTTP response code.

err_msgString

Error message.

Example:"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extraString

Additional information describing the error.

RESPONSE
{ "err_code": "err_code_example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "err_extra_example" }