Insert Simple Indicators, CSV

Cortex XDR REST API

post /public_api/v1/indicators/insert_csv

Upload IOCs in CSV format that you retrieved from external threat intelligence sources.

Note: Cortex XDR does not scan historic data, but rather only new incoming data.

Required license: Cortex XDR Pro per Endpoint or Cortex XDR Pro per GB

Body parameters

request_data (String, required)

The body of this request contains a JSON object whose required field is request_data. Its value is a string containing two or more lines of comma-separated values, separated by newline characters. The first line must contain the CSV header. Every subsequent line must represent one IOC and must include at least the required CSV fields identified below. To help you validate the upload, you can send a separate validate field so that an unsuccessful call returns an array of errors.

Field Description
indicator (Required) String that identifies the indicator you want to insert into Cortex XDR.
type (Required) Keyword identifying the type of indicator. Valid values are: HASH, IP, PATH, DOMAIN_NAME, or FILENAME
severity (Required) Keyword identifying the indicator's severity. Valid values are: INFO, LOW, MEDIUM, HIGH, or CRITICAL
expiration_date Integer representing the indicator's expiration timestamp, as a Unix epoch value in milliseconds. If the indicator never expires, use Never. If this value is NULL, the indicator receives the default expiration date configured for its type; the default is one of 7 days, 30 days, 90 days, or 180 days.
comment Comment string.
reputation Keyword representing the indicator's reputation. Valid values are: GOOD, BAD, SUSPICIOUS, or UNKNOWN
reliability Character representing the indicator's reliability rating. Valid values are A-F. A is the most reliable, F is the least.
class String representing the indicator class (for example, "Malware")
vendor.name String representing the name of the vendor who reported this indicator.
vendor.reputation Keyword representing the vendor's reputation. Valid values are: GOOD, BAD, SUSPICIOUS, or UNKNOWN
vendor.reliability Character representing the vendor's reliability rating. Valid values are A-F. A is the most reliable, F is the least.
validate (Boolean)

Indicates whether to return an array of validation errors when the insert indicators request is unsuccessful.

REQUEST BODY
{
  "request_data": "indicator,type,severity,expiration_date,comment,reputation,reliability,class,vendor.name,vendor.reputation,vendor.reliability\nB2c74bf609159f27dd89a829501ec34d6596d8b39a2cce7add73a8207088817a,HASH,HIGH,1587054895000,This is an example IOC,BAD,D,Malware,IBM,GOOD,B\nA2c74bf609159f27dd89a829501ec34d6596d8b39a2cce7add73a8207088817a,HASH,LOW,1587054895000,This is an example IOC,GOOD,D,Malware,PANW,BAD,A\n"
}
CURL
curl -X 'POST' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  'https://api-yourfqdn/public_api/v1/indicators/insert_csv' \
  -d '{"request_data": "indicator,type,severity,expiration_date,comment,reputation,reliability,class,vendor.name,vendor.reputation,vendor.reliability\nB2c74bf609159f27dd89a829501ec34d6596d8b39a2cce7add73a8207088817a,HASH,HIGH,1587054895000,This is an example IOC,BAD,D,Malware,IBM,GOOD,B\nA2c74bf609159f27dd89a829501ec34d6596d8b39a2cce7add73a8207088817a,HASH,LOW,1587054895000,This is an example IOC,GOOD,D,Malware,PANW,BAD,A\n"}'
Responses

SUCCESS

Body
reply (Object)
success (Boolean)

true = upload successful

validation_errors (Array)

Array of objects with the following fields:
- indicator (String): Name of the indicator that failed to upload.
- error (String): Description of the error that caused the indicator to fail to upload.
RESPONSE
{
  "reply": {
    "success": false,
    "validation_errors": [
      {
        "indicator": "testtest.com",
        "error": "Got type: HASH, Indicator: testtest.com mismatch"
      }
    ]
  }
}
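The following Python is an added example, not Palo Alto Networks code and not from this page. It builds the request_data string with the documented header and column order, pre-checks each row against the value constraints listed above so that obvious problems (an unknown type, a domain labelled HASH, a bad expiration value) are caught before an API call is spent, and parses the reply body into the success flag and the validation_errors list. The sample rows, the vendor name ExampleVendor, the hex-digest length heuristic for HASH, the use of RFC 4180 quoting for commas inside a comment, and the x-xdr-auth-id / Authorization header names in send_indicators are all assumptions; send_indicators is the only function that touches the network, everything else runs offline.

```python
"""Helpers for the Cortex XDR insert_csv call (added example, not vendor code)."""
import csv
import io
import ipaddress
import json
import urllib.request

# Header from the documented request body, in the documented column order.
CSV_HEADER = [
    "indicator", "type", "severity", "expiration_date", "comment",
    "reputation", "reliability", "class", "vendor.name",
    "vendor.reputation", "vendor.reliability",
]
VALID_TYPES = {"HASH", "IP", "PATH", "DOMAIN_NAME", "FILENAME"}
VALID_SEVERITIES = {"INFO", "LOW", "MEDIUM", "HIGH", "CRITICAL"}
VALID_REPUTATIONS = {"GOOD", "BAD", "SUSPICIOUS", "UNKNOWN"}
VALID_RELIABILITIES = set("ABCDEF")
HEX_DIGEST_LENGTHS = {32, 40, 64}   # MD5/SHA-1/SHA-256 hex digests (assumed heuristic)


def local_errors(ioc: dict) -> list:
    """Problems with one row, found locally before spending an API call on it."""
    errs = []
    ind, typ = ioc.get("indicator", ""), ioc.get("type", "")
    if not ind:
        errs.append("indicator is required")
    if typ not in VALID_TYPES:
        errs.append(f"type {typ!r} is not one of {sorted(VALID_TYPES)}")
    if ioc.get("severity") not in VALID_SEVERITIES:
        errs.append(f"severity {ioc.get('severity')!r} is invalid")
    # Shape checks that mirror the server's "Got type: X, Indicator: Y mismatch" error.
    is_hex = len(ind) in HEX_DIGEST_LENGTHS and all(c in "0123456789abcdefABCDEF" for c in ind)
    if typ == "HASH" and not is_hex:
        errs.append(f"Got type: HASH, Indicator: {ind} mismatch")
    if typ == "IP":
        try:
            ipaddress.ip_address(ind)
        except ValueError:
            errs.append(f"Got type: IP, Indicator: {ind} mismatch")
    exp = ioc.get("expiration_date")
    if exp not in (None, "", "Never") and not (isinstance(exp, int) and exp > 0):
        errs.append("expiration_date must be epoch milliseconds or 'Never'")
    for key in ("reputation", "vendor.reputation"):
        if ioc.get(key) and ioc[key] not in VALID_REPUTATIONS:
            errs.append(f"{key} {ioc[key]!r} is invalid")
    for key in ("reliability", "vendor.reliability"):
        if ioc.get(key) and ioc[key] not in VALID_RELIABILITIES:
            errs.append(f"{key} {ioc[key]!r} must be a single letter A-F")
    return errs


def build_request_body(iocs: list, validate: bool = True) -> dict:
    """Serialise IOC dicts into the {"request_data": "<csv>", "validate": bool} body."""
    rejected = {ioc.get("indicator"): e for ioc in iocs if (e := local_errors(ioc))}
    if rejected:
        raise ValueError(f"rows rejected before upload: {rejected}")
    buf = io.StringIO()
    # "\n" line ends match the documented body; a comma inside a comment is quoted
    # per RFC 4180 (assumption: the server accepts quoted CSV fields).
    writer = csv.DictWriter(buf, fieldnames=CSV_HEADER, lineterminator="\n")
    writer.writeheader()
    for ioc in iocs:
        writer.writerow({k: ioc.get(k, "") for k in CSV_HEADER})
    return {"request_data": buf.getvalue(), "validate": validate}


def parse_reply(reply_json: str) -> tuple:
    """Return (success, [(indicator, error), ...]) from the documented SUCCESS body."""
    reply = json.loads(reply_json)["reply"]
    errors = [(e["indicator"], e["error"]) for e in reply.get("validation_errors") or []]
    return bool(reply.get("success")), errors


def send_indicators(body: dict, fqdn: str, api_key_id: str, api_key: str) -> dict:
    """POST the body to the documented path. The auth header names are an assumption
    about the Cortex XDR API-key scheme; this page does not state them."""
    req = urllib.request.Request(
        f"https://api-{fqdn}/public_api/v1/indicators/insert_csv",
        data=json.dumps(body).encode(),
        headers={"Accept": "application/json", "Content-Type": "application/json",
                 "x-xdr-auth-id": api_key_id, "Authorization": api_key},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:   # non-2xx raises urllib.error.HTTPError
        return json.loads(resp.read())


# Constructed sample rows; the hash is the example value from this page.
SAMPLE_IOCS = [
    {"indicator": "B2c74bf609159f27dd89a829501ec34d6596d8b39a2cce7add73a8207088817a",
     "type": "HASH", "severity": "HIGH", "expiration_date": 1587054895000,
     "comment": "Constructed example IOC", "reputation": "BAD", "reliability": "D",
     "class": "Malware", "vendor.name": "ExampleVendor",
     "vendor.reputation": "GOOD", "vendor.reliability": "B"},
    {"indicator": "testtest.com", "type": "DOMAIN_NAME", "severity": "LOW",
     "expiration_date": "Never"},
]
# The validation-error reply shown on this page, used to exercise parse_reply.
PAGE_REPLY = json.dumps({"reply": {"success": False, "validation_errors": [
    {"indicator": "testtest.com",
     "error": "Got type: HASH, Indicator: testtest.com mismatch"}]}})

if __name__ == "__main__":
    print(build_request_body(SAMPLE_IOCS)["request_data"])
    print(parse_reply(PAGE_REPLY))
```

Running the module prints the CSV body it would send and the parsed reply; to upload for real, pass the body from build_request_body to send_indicators with your tenant FQDN and API key, and treat a reply with success false as a partial rejection whose validation_errors list names each row to fix.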

Bad Request. Got an invalid JSON.

Body
err_code (String)

HTTP response code.

err_msg (String)

Error message.

Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}

err_extra (String)

Additional information describing the error.

RESPONSE
{
  "err_code": "err_code_example",
  "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}",
  "err_extra": "err_extra_example"
}

Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, id, or other invalid authentication parameters.

Body
err_code (String)

HTTP response code.

err_msg (String)

Error message.

Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}

err_extra (String)

Additional information describing the error.

RESPONSE
{
  "err_code": "err_code_example",
  "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}",
  "err_extra": "err_extra_example"
}

Unauthorized access. User does not have the required license type to run this API.

Body
err_code (String)

HTTP response code.

err_msg (String)

Error message.

Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}

err_extra (String)

Additional information describing the error.

RESPONSE
{
  "err_code": "err_code_example",
  "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}",
  "err_extra": "err_extra_example"
}

Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.

Body
err_code (String)

HTTP response code.

err_msg (String)

Error message.

Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}

err_extra (String)

Additional information describing the error.

RESPONSE
{
  "err_code": "err_code_example",
  "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}",
  "err_extra": "err_extra_example"
}

Internal server error. A unified status for API communication type errors.

Body
err_code (String)

HTTP response code.

err_msg (String)

Error message.

Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}

err_extra (String)

Additional information describing the error.

RESPONSE
{
  "err_code": "err_code_example",
  "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}",
  "err_extra": "err_extra_example"
}