post
/public_api/v1/alerts/insert_cef_alerts
Upload alerts in CEF format from external alert sources. After you map CEF alert fields to Cortex XDR fields, Cortex XDR displays the alerts in related incidents and views. You can send 600 alerts per minute.
Required license: Cortex XDR Pro per GB
CURL
curl -X POST \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
"https://api-yourfqdn/public_api/v1/alerts/insert_cef_alerts" \
-d '{
"request_data" : {
"alerts" : [ "CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|microsoft-ds|Unknown|act=AcceptdeviceDirection=0 rt=1569---000 spt=5---57 dpt=4---5cs2Label=Rule Name cs2=ADPrimerylayer_name=FW_Device_blackenedSecuritylayer_uuid=07-----fc7-1a5c-71b8c match_id=1---6parent_rule=0rule_action=Accept rule_uid=8----be5cifname=bond2logid=0loguid={0x5d8c5388,0x61,0x29321fac,0xc0000022}origin=1.1.1.1originsicname=CN=DWdeviceBlackend,O=Blackend sequencenum=363version=5dst=1.1.1.1 inzone=External outzone=Internal product=VPN-1 & FireWall-1proto=6service_id=microsoft-ds src=1.1.1.1", "CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|Log|Unknown|act=AcceptdeviceDirection=0 rt=1569477501000 spt=63088 dpt=5985cs2Label=RuleNamelayer_name=FW_Device_blackenedSecuritylayer_uuid=07693f---e96c71b8c match_id=8----9parent_rule=0rule_action=Acceptrule_uid=ae9---70f-ab1c-1ad552c82369conn_direction=Internal ifname=bond1.12logid=0loguid={0x5d8c537d,0xbb,0x29321fac,0xc0000014}origin=1.1.1.1originsicname=CN=DWdeviceBlackend,O=Blackend sequencenum=899version=5dst=1.1.1.1 product=VPN-1 & FireWall-1 proto=6 src=1.1.1.1" ]
}
}'
Request
Body
optional
Example:
{"request_data":{"alerts":["CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|microsoft-ds|Unknown|act=AcceptdeviceDirection=0 rt=1569---000 spt=5---57 dpt=4---5cs2Label=Rule Name cs2=ADPrimery layer_name=FW_Device_blackenedSecuritylayer_uuid=07-----fc7-1a5c-71b8c match_id=1---6parent_rule=0rule_action=Accept rule_uid=8----be5cifname=bond2logid=0 loguid={0x5d8c5388,0x61,0x29321fac,0xc0000022}origin=1.1.1.1originsicname=CN=DWdeviceBlackend,O=Blackend sequencenum=363version=5dst=1.1.1.1 inzone=External outzone=Internal product=VPN-1 & FireWall-1 proto=6service_id=microsoft-ds src=1.1.1.1","CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|Log|Unknown|act=AcceptdeviceDirection=0 rt=1569477501000 spt=63088 dpt=5985cs2Label=Rule Namelayer_name=FW_Device_blackenedSecuritylayer_uuid=07693f---e96c71b8c match_id=8----9parent_rule=0rule_action=Acceptrule_uid=ae9---70f-ab1c-1ad552c82369conn_direction=Internal ifname=bond1.12logid=0loguid=0x5d8c537d,0xbb,0x29321fac,0xc0000014}origin=1.1.1.1originsicname=CN=DWdeviceBlackend,O=Blackend sequencenum=899version=5dst=1.1.1.1 product=VPN-1 & FireWall-1 proto=6 src=1.1.1.1"]}}
request_data
optional
alerts
optional
Array
of strings
A list of alerts in CEF format.
Responses
Successful response
Body
Bad Request. Got an invalid JSON.
Body
The query result upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
Example:
{"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}
err_extra
optional
String
Additional information describing the error.
Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, id, or other invalid authentication parameters.
Body
The query result upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
Example:
{"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}
err_extra
optional
String
Additional information describing the error.
Unauthorized access. User does not have the required license type to run this API.
Body
The query result upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
Example:
{"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}
err_extra
optional
String
Additional information describing the error.
Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.
Body
The query result upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
Example:
{"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}
err_extra
optional
String
Additional information describing the error.
Internal server error. A unified status for API communication type errors.
Body
The query result upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
Example:
{"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}
err_extra
optional
String
Additional information describing the error.