Insert Parsed Alerts

Cortex XDR REST API

post /public_api/v1/alerts/insert_parsed_alerts

Upload alerts from external alert sources in Cortex XDR format. Cortex XDR displays alerts that are parsed successfully in related incidents and views. You can send 600 alerts per minute. Each request can contain a maximum of 60 alerts.

Required license: Cortex XDR Pro per Endpoint or Cortex XDR Pro per GB

Request headers
Authorization
String
required

{api_key}

Example: authorization_example
x-xdr-auth-id
String
required

{api_key_id}

Example: xXdrAuthId_example
Accept-Encoding
String

For retrieving a compressed gzipped response

Example: acceptEncoding_example
Default: gzip
CLIENT REQUEST
# Insert Parsed Alerts: POST /public_api/v1/alerts/insert_parsed_alerts
# Authorization / x-xdr-auth-id carry the API key and key id; the *_example
# values are placeholders. The body here is empty, as in the generated sample.
curl --request POST \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/json' \
  --header 'Authorization: authorization_example' \
  --header 'x-xdr-auth-id: xXdrAuthId_example' \
  --header 'Accept-Encoding: acceptEncoding_example' \
  --url 'https://api-yourfqdn/public_api/v1/alerts/insert_parsed_alerts' \
  --data ''
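import http.client
import json

# Insert Parsed Alerts: POST /public_api/v1/alerts/insert_parsed_alerts
# Authentication is carried in the Authorization / x-xdr-auth-id headers; the
# SOME_STRING_VALUE placeholders stand for the API key and the API key id.
host = "api-yourfqdn"
path = "/public_api/v1/alerts/insert_parsed_alerts"

# One alert per list entry; the endpoint accepts at most 60 alerts per request.
payload = json.dumps({
    "request_data": {
        "alerts": [
            {
                "product": "string",
                "vendor": "string",
                "local_ip": "string",
                "local_port": "string",
                "remote_ip": "string",
                "remote_port": "string",
                "event_timestamp": 0,
                "severity": "string",
                "alert_name": "string",
                "alert_description": "string",
                "action_status": "string",
                "local_ip_v6": "string",
                "remote_ip_v6": "string",
            }
        ]
    }
})

headers = {
    'Authorization': "SOME_STRING_VALUE",
    'x-xdr-auth-id': "SOME_STRING_VALUE",
    # http.client does not decompress response bodies itself; if a gzip
    # encoding is requested here, `data` must be decoded by the caller.
    'Accept-Encoding': "SOME_STRING_VALUE",
    'content-type': "application/json",
}

conn = http.client.HTTPSConnection(host)
try:
    conn.request("POST", path, payload, headers)
    res = conn.getresponse()
    data = res.read()
finally:
    # The original sample never closed the connection.
    conn.close()

body = data.decode("utf-8")
# A successful upload answers with the JSON boolean true; any non-2xx status
# carries an err_code/err_msg/err_extra object instead, so do not print an
# error body as if the upload had succeeded.
if not 200 <= res.status < 300:
    raise SystemExit("insert_parsed_alerts failed: HTTP %d %s" % (res.status, body))
print(body)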
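require 'uri'
require 'net/http'
require 'openssl'
require 'json'

# Insert Parsed Alerts: POST /public_api/v1/alerts/insert_parsed_alerts
# Authentication is carried in the Authorization / x-xdr-auth-id headers; the
# SOME_STRING_VALUE placeholders stand for the API key and the API key id.
url = URI("https://api-yourfqdn/public_api/v1/alerts/insert_parsed_alerts")

http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
# The generated sample set VERIFY_NONE, which disables certificate validation
# and lets any on-path party read the API key in the headers. Verify the peer.
http.verify_mode = OpenSSL::SSL::VERIFY_PEER

request = Net::HTTP::Post.new(url)
request["Authorization"] = 'SOME_STRING_VALUE'
request["x-xdr-auth-id"] = 'SOME_STRING_VALUE'
request["Accept-Encoding"] = 'SOME_STRING_VALUE'
request["content-type"] = 'application/json'

# One alert per array entry; the endpoint accepts at most 60 alerts per request.
request.body = JSON.generate(
  "request_data" => {
    "alerts" => [
      {
        "product" => "string",
        "vendor" => "string",
        "local_ip" => "string",
        "local_port" => "string",
        "remote_ip" => "string",
        "remote_port" => "string",
        "event_timestamp" => 0,
        "severity" => "string",
        "alert_name" => "string",
        "alert_description" => "string",
        "action_status" => "string",
        "local_ip_v6" => "string",
        "remote_ip_v6" => "string"
      }
    ]
  }
)

response = http.request(request)
# A successful upload answers with the JSON boolean true; any non-2xx status
# carries an err_code/err_msg/err_extra object instead.
unless response.is_a?(Net::HTTPSuccess)
  abort "insert_parsed_alerts failed: HTTP #{response.code} #{response.body}"
end
puts response.body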
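// Insert Parsed Alerts: POST /public_api/v1/alerts/insert_parsed_alerts
// Authentication is carried in the Authorization / x-xdr-auth-id headers; the
// SOME_STRING_VALUE placeholders stand for the API key and the API key id.
// Anything shipped to a browser is readable by its user, so a real key belongs
// in a server-side caller rather than in page script.

// One alert per array entry; the endpoint accepts at most 60 alerts per request.
const data = JSON.stringify({
  "request_data": {
    "alerts": [
      {
        "product": "string",
        "vendor": "string",
        "local_ip": "string",
        "local_port": "string",
        "remote_ip": "string",
        "remote_port": "string",
        "event_timestamp": 0,
        "severity": "string",
        "alert_name": "string",
        "alert_description": "string",
        "action_status": "string",
        "local_ip_v6": "string",
        "remote_ip_v6": "string"
      }
    ]
  }
});

const xhr = new XMLHttpRequest();
// The generated sample set `withCredentials = true`; authentication here is
// header-based, so cookies are not needed and are no longer attached.

xhr.addEventListener("readystatechange", function () {
  if (this.readyState !== this.DONE) {
    return;
  }
  // A successful upload answers with the JSON boolean true; any non-2xx status
  // carries an err_code/err_msg/err_extra object instead.
  if (this.status < 200 || this.status >= 300) {
    console.error("insert_parsed_alerts failed: HTTP " + this.status, this.responseText);
    return;
  }
  console.log(this.responseText);
});

xhr.open("POST", "https://api-yourfqdn/public_api/v1/alerts/insert_parsed_alerts");
xhr.setRequestHeader("Authorization", "SOME_STRING_VALUE");
xhr.setRequestHeader("x-xdr-auth-id", "SOME_STRING_VALUE");
// Browsers treat Accept-Encoding as a forbidden request header and ignore
// this call, negotiating compression themselves; kept for parity with the
// other samples.
xhr.setRequestHeader("Accept-Encoding", "SOME_STRING_VALUE");
xhr.setRequestHeader("content-type", "application/json");
xhr.send(data);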
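// Insert Parsed Alerts: POST /public_api/v1/alerts/insert_parsed_alerts (Unirest)
// Authentication is carried in the Authorization / x-xdr-auth-id headers; the
// SOME_STRING_VALUE placeholders stand for the API key and the API key id.

// One alert per array entry; the endpoint accepts at most 60 alerts per request.
String body = "{\"request_data\":{\"alerts\":[{"
    + "\"product\":\"string\",\"vendor\":\"string\","
    + "\"local_ip\":\"string\",\"local_port\":\"string\","
    + "\"remote_ip\":\"string\",\"remote_port\":\"string\","
    + "\"event_timestamp\":0,\"severity\":\"string\","
    + "\"alert_name\":\"string\",\"alert_description\":\"string\","
    + "\"action_status\":\"string\","
    + "\"local_ip_v6\":\"string\",\"remote_ip_v6\":\"string\"}]}}";

HttpResponse<String> response = Unirest.post("https://api-yourfqdn/public_api/v1/alerts/insert_parsed_alerts")
    .header("Authorization", "SOME_STRING_VALUE")
    .header("x-xdr-auth-id", "SOME_STRING_VALUE")
    .header("Accept-Encoding", "SOME_STRING_VALUE")
    .header("content-type", "application/json")
    .body(body)
    .asString();

// A successful upload answers with the JSON boolean true; any non-2xx status
// carries an err_code/err_msg/err_extra object instead. The generated sample
// never looked at the status.
int status = response.getStatus();
if (status < 200 || status >= 300) {
    System.err.println("insert_parsed_alerts failed: HTTP " + status + " " + response.getBody());
}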
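import Foundation

// Insert Parsed Alerts: POST /public_api/v1/alerts/insert_parsed_alerts
// Authentication is carried in the Authorization / x-xdr-auth-id headers; the
// SOME_STRING_VALUE placeholders stand for the API key and the API key id.
let headers = [
    "Authorization": "SOME_STRING_VALUE",
    "x-xdr-auth-id": "SOME_STRING_VALUE",
    "Accept-Encoding": "SOME_STRING_VALUE",
    "content-type": "application/json",
]

// One alert per array entry; the endpoint accepts at most 60 alerts per request.
let alert: [String: Any] = [
    "product": "string",
    "vendor": "string",
    "local_ip": "string",
    "local_port": "string",
    "remote_ip": "string",
    "remote_port": "string",
    "event_timestamp": 0,
    "severity": "string",
    "alert_name": "string",
    "alert_description": "string",
    "action_status": "string",
    "local_ip_v6": "string",
    "remote_ip_v6": "string",
]
let parameters: [String: Any] = ["request_data": ["alerts": [alert]]]

// JSONSerialization.data(withJSONObject:options:) throws; the generated sample
// omitted `try` and did not compile.
let postData = try JSONSerialization.data(withJSONObject: parameters, options: [])

guard let url = URL(string: "https://api-yourfqdn/public_api/v1/alerts/insert_parsed_alerts") else {
    fatalError("invalid endpoint URL")
}
var request = URLRequest(url: url, cachePolicy: .useProtocolCachePolicy, timeoutInterval: 10.0)
request.httpMethod = "POST"
request.allHTTPHeaderFields = headers
request.httpBody = postData

// When run as a command-line script, top-level code would exit before the
// completion handler fires; block until the task has finished.
let done = DispatchSemaphore(value: 0)
let dataTask = URLSession.shared.dataTask(with: request) { data, response, error in
    defer { done.signal() }
    if let error = error {
        print("insert_parsed_alerts failed: \(error)")
        return
    }
    guard let httpResponse = response as? HTTPURLResponse else {
        print("insert_parsed_alerts: no HTTP response received")
        return
    }
    let body = data.flatMap { String(data: $0, encoding: .utf8) } ?? ""
    // A successful upload answers with the JSON boolean true; any non-2xx
    // status carries an err_code/err_msg/err_extra object instead.
    if (200..<300).contains(httpResponse.statusCode) {
        print(body)
    } else {
        print("insert_parsed_alerts failed: HTTP \(httpResponse.statusCode) \(body)")
    }
}
dataTask.resume()
done.wait()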
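<?php
// Insert Parsed Alerts: POST /public_api/v1/alerts/insert_parsed_alerts
// Authentication is carried in the Authorization / x-xdr-auth-id headers; the
// SOME_STRING_VALUE placeholders stand for the API key and the API key id.

// One alert per array entry; the endpoint accepts at most 60 alerts per request.
$body = json_encode([
    "request_data" => [
        "alerts" => [
            [
                "product" => "string",
                "vendor" => "string",
                "local_ip" => "string",
                "local_port" => "string",
                "remote_ip" => "string",
                "remote_port" => "string",
                "event_timestamp" => 0,
                "severity" => "string",
                "alert_name" => "string",
                "alert_description" => "string",
                "action_status" => "string",
                "local_ip_v6" => "string",
                "remote_ip_v6" => "string",
            ],
        ],
    ],
]);

$curl = curl_init();
curl_setopt_array($curl, [
    CURLOPT_URL => "https://api-yourfqdn/public_api/v1/alerts/insert_parsed_alerts",
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_ENCODING => "",
    CURLOPT_MAXREDIRS => 10,
    CURLOPT_TIMEOUT => 30,
    CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
    CURLOPT_CUSTOMREQUEST => "POST",
    CURLOPT_POSTFIELDS => $body,
    CURLOPT_HTTPHEADER => [
        "Accept-Encoding: SOME_STRING_VALUE",
        "Authorization: SOME_STRING_VALUE",
        "content-type: application/json",
        "x-xdr-auth-id: SOME_STRING_VALUE",
    ],
]);

$response = curl_exec($curl);
$err = curl_error($curl);
// curl_getinfo() needs a live handle, so read the status before closing.
$status = curl_getinfo($curl, CURLINFO_RESPONSE_CODE);
curl_close($curl);

// A successful upload answers with the JSON boolean true; any non-2xx status
// carries an err_code/err_msg/err_extra object instead. The generated sample
// echoed error bodies exactly like successes.
if ($err) {
    echo "cURL Error #:" . $err;
} elseif ($status < 200 || $status >= 300) {
    echo "insert_parsed_alerts failed: HTTP " . $status . " " . $response;
} else {
    echo $response;
}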
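#include <stdio.h>
#include <curl/curl.h>

/*
 * Insert Parsed Alerts: POST /public_api/v1/alerts/insert_parsed_alerts (libcurl)
 * Authentication is carried in the Authorization / x-xdr-auth-id headers; the
 * SOME_STRING_VALUE placeholders stand for the API key and the API key id.
 * The response body goes to stdout through libcurl's default write behaviour.
 * Returns 0 on a 2xx response, 1 otherwise.
 */
int main(void)
{
    /* One alert per array entry; the endpoint accepts at most 60 per request. */
    const char *body =
        "{\"request_data\":{\"alerts\":[{"
        "\"product\":\"string\",\"vendor\":\"string\","
        "\"local_ip\":\"string\",\"local_port\":\"string\","
        "\"remote_ip\":\"string\",\"remote_port\":\"string\","
        "\"event_timestamp\":0,\"severity\":\"string\","
        "\"alert_name\":\"string\",\"alert_description\":\"string\","
        "\"action_status\":\"string\","
        "\"local_ip_v6\":\"string\",\"remote_ip_v6\":\"string\"}]}}";
    struct curl_slist *headers = NULL;
    CURL *hnd;
    CURLcode ret;
    long status = 0;

    curl_global_init(CURL_GLOBAL_DEFAULT);
    hnd = curl_easy_init();
    if (hnd == NULL) {
        fprintf(stderr, "curl_easy_init failed\n");
        curl_global_cleanup();
        return 1;
    }

    curl_easy_setopt(hnd, CURLOPT_CUSTOMREQUEST, "POST");
    curl_easy_setopt(hnd, CURLOPT_URL,
                     "https://api-yourfqdn/public_api/v1/alerts/insert_parsed_alerts");

    headers = curl_slist_append(headers, "Authorization: SOME_STRING_VALUE");
    headers = curl_slist_append(headers, "x-xdr-auth-id: SOME_STRING_VALUE");
    headers = curl_slist_append(headers, "Accept-Encoding: SOME_STRING_VALUE");
    headers = curl_slist_append(headers, "content-type: application/json");
    curl_easy_setopt(hnd, CURLOPT_HTTPHEADER, headers);
    curl_easy_setopt(hnd, CURLOPT_POSTFIELDS, body);

    ret = curl_easy_perform(hnd);
    if (ret != CURLE_OK) {
        fprintf(stderr, "curl_easy_perform failed: %s\n", curl_easy_strerror(ret));
    } else {
        /* A successful upload answers with the JSON boolean true; a non-2xx
         * status carries an err_code/err_msg/err_extra object instead. */
        curl_easy_getinfo(hnd, CURLINFO_RESPONSE_CODE, &status);
        if (status < 200 || status >= 300)
            fprintf(stderr, "insert_parsed_alerts failed: HTTP %ld\n", status);
    }

    /* The generated sample leaked both the header list and the easy handle
     * and never looked at the CURLcode. */
    curl_slist_free_all(headers);
    curl_easy_cleanup(hnd);
    curl_global_cleanup();
    return (ret == CURLE_OK && status >= 200 && status < 300) ? 0 : 1;
}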
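// Insert Parsed Alerts: POST /public_api/v1/alerts/insert_parsed_alerts (RestSharp)
// Authentication is carried in the Authorization / x-xdr-auth-id headers; the
// SOME_STRING_VALUE placeholders stand for the API key and the API key id.

// One alert per array entry; the endpoint accepts at most 60 alerts per request.
const string body = "{\"request_data\":{\"alerts\":[{"
    + "\"product\":\"string\",\"vendor\":\"string\","
    + "\"local_ip\":\"string\",\"local_port\":\"string\","
    + "\"remote_ip\":\"string\",\"remote_port\":\"string\","
    + "\"event_timestamp\":0,\"severity\":\"string\","
    + "\"alert_name\":\"string\",\"alert_description\":\"string\","
    + "\"action_status\":\"string\","
    + "\"local_ip_v6\":\"string\",\"remote_ip_v6\":\"string\"}]}}";

var client = new RestClient("https://api-yourfqdn/public_api/v1/alerts/insert_parsed_alerts");
var request = new RestRequest(Method.POST);
request.AddHeader("Authorization", "SOME_STRING_VALUE");
request.AddHeader("x-xdr-auth-id", "SOME_STRING_VALUE");
request.AddHeader("Accept-Encoding", "SOME_STRING_VALUE");
request.AddHeader("content-type", "application/json");
request.AddParameter("application/json", body, ParameterType.RequestBody);

IRestResponse response = client.Execute(request);

// A successful upload answers with the JSON boolean true; any non-2xx status
// carries an err_code/err_msg/err_extra object instead. The generated sample
// never inspected the outcome; a transport failure leaves StatusCode at 0 and
// sets ErrorMessage.
int status = (int)response.StatusCode;
if (response.ErrorMessage != null)
{
    Console.Error.WriteLine("insert_parsed_alerts transport error: " + response.ErrorMessage);
}
else if (status < 200 || status >= 300)
{
    Console.Error.WriteLine("insert_parsed_alerts failed: HTTP " + status + " " + response.Content);
}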
Body parameters
application/json
request_data (object)
alerts (array)

The external alerts you want to upload to Cortex XDR.

[
product (string)
vendor (string)
local_ip (string)
local_port (string)
remote_ip (string)
remote_port (string)
event_timestamp (integer)
severity (string)
alert_name (string)
alert_description (string)
action_status (string)
local_ip_v6 (string)
remote_ip_v6 (string)
]
REQUEST
{ "request_data": { "alerts": [ { "product": "VPN & Firewall-1", "vendor": "<vendor name>", "local_ip": "<IP address>", "local_port": "<port>", "remote_ip": "<IP address>", "remote_port": "<port>", "event_timestamp": 1543270652000, "severity": "Low", "alert_name": "Alert Name Example", "alert_description": "Alert Description", "action_status": "Reported", "local_ip_v6": "<IPv6 address>", "remote_ip_v6": "<IPv6 address>" } ] } }
Responses

Successful response

Body
application/json

`true` = upload successful

RESPONSE
false

Bad Request. The request body is not valid JSON.

Body
application/json

The query result upon error.

err_code (string)

HTTP response code.

err_msg (string)

Error message.

Example: "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extra (string)

Additional information describing the error.

RESPONSE
{ "err_code": "example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "example" }

Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, id, or other invalid authentication parameters.

Body
application/json

The query result upon error.

err_code (string)

HTTP response code.

err_msg (string)

Error message.

Example: "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extra (string)

Additional information describing the error.

RESPONSE
{ "err_code": "example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "example" }

Unauthorized access. User does not have the required license type to run this API.

Body
application/json

The query result upon error.

err_code (string)

HTTP response code.

err_msg (string)

Error message.

Example: "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extra (string)

Additional information describing the error.

RESPONSE
{ "err_code": "example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "example" }

Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.

Body
application/json

The query result upon error.

err_code (string)

HTTP response code.

err_msg (string)

Error message.

Example: "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extra (string)

Additional information describing the error.

RESPONSE
{ "err_code": "example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "example" }

Internal server error. A unified status for API communication-type errors.

Body
application/json

The query result upon error.

err_code (string)

HTTP response code.

err_msg (string)

Error message.

Example: "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extra (string)

Additional information describing the error.

RESPONSE
{ "err_code": "example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "example" }