post
/public_api/v1/indicators/insert_csv
Upload IOCs in CSV format that you retrieved from external threat intelligence sources.
Note: Cortex XDR does not scan historic data, but rather only new incoming data.
Required license: Cortex XDR Pro per Endpoint or Cortex XDR Pro per GB
CURL
curl -X POST \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
"https://api-yourfqdn/public_api/v1/indicators/insert_csv" \
-d '{
"request_data" : "request_data",
"validate" : true
}'
Response
{
"reply": {
"success": false,
"validation_errors": [
{
"indicator": "testtest.com",
"error": "Got type: HASH, Indicator: testtest.com mismatch"
}
]
}
}
Request
Body
optional
Example:
{"request_data":"indicator,type,severity,expiration_date,comment,reputation,reliability,class,vendor.name,vendor.reputation,vendor.reliability\nB2c74bf609159f27dd89a829501ec34d6596d8b39a2cce7add73a8207088817a,HASH,HIGH,1587054895000,This is an example IOC,BAD,D,Malware,IBM,GOOD,B\nA2c74bf609159f27dd89a829501ec34d6596d8b39a2cce7add73a8207088817a,HASH,LOW,1587054895000,This is an example IOC,GOOD,D,Malware,PANW,BAD,A\n"}
request_data
required
String
The body of this request contains a JSON object with a single required field, `request_data`. Its value is a string containing two or more newline-separated lines of comma-separated values (CSV). The first line must be the CSV header; every subsequent line represents one IOC. Each IOC line must include at a minimum the required CSV fields identified below. To help you validate the upload, you can also send the separate `validate` field to receive an array of errors when the call is unsuccessful.
| Field | Description |
| ----------- | ----------- |
| indicator | (Required) String that identifies the indicator you want to insert into Cortex XDR. |
| type | (Required) Keyword identifying the type of indicator. Valid values are: `HASH`, `IP`, `PATH`, `DOMAIN_NAME`, or `FILENAME` |
| severity | (Required) Keyword identifying the indicator's severity. Valid values are: `INFO`, `LOW`, `MEDIUM`, `HIGH`, or `CRITICAL` |
| expiration_date | Integer representing the indicator's expiration timestamp, as a Unix epoch value in milliseconds. If the indicator never expires, use `Never`. If this field is empty (NULL), the indicator receives the default expiration configured for its indicator type; that default is one of 7 days, 30 days, 90 days, or 180 days. |
| comment | Comment string. |
| reputation | Keyword representing the indicator's reputation. Valid values are: `GOOD`, `BAD`, `SUSPICIOUS`, or `UNKNOWN` |
| reliability | Character representing the indicator's reliability rating. Valid values are A-F. A is the most reliable, F is the least. |
| class | String representing the indicator class (for example, "Malware") |
| vendor.name | String representing the name of the vendor who reported this indicator. |
| vendor.reputation | Keyword representing the vendor's reputation. Valid values are: `GOOD`, `BAD`, `SUSPICIOUS`, or `UNKNOWN` |
| vendor.reliability | Character representing the vendor's reliability rating. Valid values are A-F. A is the most reliable, F is the least. |
validate
optional
Boolean
Indicates whether to return an array of errors in the case of an unsuccessful update indicator API request.
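The following Python script is an added example, not code from Palo Alto Networks or from this documentation. It builds the `request_data` string from a list of IOC dictionaries in the column order the page's example uses, checks the keyword columns against the allowed values in the table above before anything is uploaded, and parses the `validation_errors` array that the `validate` option returns. The hash-shape and IP-shape checks, the vendor name `ExampleVendor`, and the IP `198.51.100.7` are constructed for the example and are not stated by the page; the sample reply is the one shown above. Sending the body (with the API credentials the page does not show) is left to the curl call in this reference.

```python
import csv
import io
import json
import re

# Allowed keyword values, taken from the field table on this page.
TYPES = {"HASH", "IP", "PATH", "DOMAIN_NAME", "FILENAME"}
SEVERITIES = {"INFO", "LOW", "MEDIUM", "HIGH", "CRITICAL"}
REPUTATIONS = {"GOOD", "BAD", "SUSPICIOUS", "UNKNOWN"}
RELIABILITIES = set("ABCDEF")

# CSV header in the order the page's example uses.
HEADER = [
    "indicator", "type", "severity", "expiration_date", "comment",
    "reputation", "reliability", "class", "vendor.name",
    "vendor.reputation", "vendor.reliability",
]

# Local shape checks (an assumption of this example, not a rule the page states):
# MD5/SHA-1/SHA-256 hex for HASH and a dotted quad for IP. They catch the kind of
# type/indicator mismatch the sample response reports before any upload happens.
SHAPE = {
    "HASH": re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$"),
    "IP": re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$"),
}


def check_row(row):
    """Return a list of problems for one IOC dict; an empty list means it passes."""
    problems = []
    for field in ("indicator", "type", "severity"):
        if not row.get(field):
            problems.append(f"{field} is required")
    ioc_type = row.get("type")
    if ioc_type and ioc_type not in TYPES:
        problems.append(f"unknown type {ioc_type!r}")
    if row.get("severity") and row["severity"] not in SEVERITIES:
        problems.append(f"unknown severity {row['severity']!r}")
    for field in ("reputation", "vendor.reputation"):
        if row.get(field) and row[field] not in REPUTATIONS:
            problems.append(f"unknown {field} {row[field]!r}")
    for field in ("reliability", "vendor.reliability"):
        if row.get(field) and row[field] not in RELIABILITIES:
            problems.append(f"{field} must be a single letter A-F")
    exp = row.get("expiration_date", "")
    if exp and exp != "Never" and not exp.isdigit():
        problems.append("expiration_date must be epoch milliseconds or 'Never'")
    pattern = SHAPE.get(ioc_type)
    if pattern and row.get("indicator") and not pattern.match(row["indicator"]):
        problems.append(f"indicator {row['indicator']!r} does not look like a {ioc_type}")
    return problems


def build_body(rows, validate=True):
    """Return the JSON-serialisable request body for insert_csv, or raise on local errors.

    Missing optional columns are written as empty fields. The csv module quotes any
    field containing a comma; the page does not say whether the service accepts
    quoted fields, so keep comments free of commas to stay on the documented path.
    """
    errors = {}
    for row in rows:
        problems = check_row(row)
        if problems:
            errors[row.get("indicator", "<missing>")] = problems
    if errors:
        raise ValueError(errors)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=HEADER, lineterminator="\n",
                            extrasaction="ignore")
    writer.writeheader()
    writer.writerows(rows)
    return {"request_data": buf.getvalue(), "validate": validate}


def parse_reply(reply_text):
    """Return (success, {indicator: error}) from the endpoint's JSON reply."""
    reply = json.loads(reply_text)["reply"]
    errors = {e["indicator"]: e["error"] for e in reply.get("validation_errors", [])}
    return bool(reply.get("success")), errors


# Constructed sample rows: the hash and timestamp come from the page's example,
# the vendor name and the IP (a documentation-range address) are made up.
SAMPLE_ROWS = [
    {"indicator": "B2c74bf609159f27dd89a829501ec34d6596d8b39a2cce7add73a8207088817a",
     "type": "HASH", "severity": "HIGH", "expiration_date": "1587054895000",
     "comment": "Constructed sample IOC", "reputation": "BAD", "reliability": "D",
     "class": "Malware", "vendor.name": "ExampleVendor",
     "vendor.reputation": "GOOD", "vendor.reliability": "B"},
    {"indicator": "198.51.100.7", "type": "IP", "severity": "MEDIUM",
     "expiration_date": "Never", "reputation": "SUSPICIOUS", "reliability": "C"},
]

# The response shown on this page, kept inline so parse_reply runs offline.
SAMPLE_REPLY = ('{"reply": {"success": false, "validation_errors": [{"indicator": '
                '"testtest.com", "error": "Got type: HASH, Indicator: testtest.com mismatch"}]}}')

if __name__ == "__main__":
    print(json.dumps(build_body(SAMPLE_ROWS)))   # body to pass to curl -d
    print(parse_reply(SAMPLE_REPLY))
```

`json.dumps(build_body(rows))` produces exactly the `-d` payload shown in the curl example. Running `check_row` locally is cheaper than a round trip, but it is not a substitute for `validate`: the service applies its own rules, so treat a non-empty `validation_errors` list as the authoritative result and log every rejected indicator rather than silently retrying.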
Responses