Insert Simple Indicators, CSV

Cortex XDR REST API

post /public_api/v1/indicators/insert_csv

Upload IOCs in CSV format that you retrieved from external threat intelligence sources.

Note: Cortex XDR matches inserted indicators only against new incoming data; it does not rescan historic data.

Required license: Cortex XDR Pro per Endpoint or Cortex XDR Pro per GB

CURL
curl -X POST \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  "https://api-yourfqdn/public_api/v1/indicators/insert_csv" \
  -d '{ "request_data" : "request_data", "validate" : true }'
Response
{
  "reply": {
    "success": false,
    "validation_errors": [
      {
        "indicator": "testtest.com",
        "error": "Got type: HASH, Indicator: testtest.com mismatch"
      }
    ]
  }
}
Request
Body
optional
Example: {"request_data":"indicator,type,severity,expiration_date,comment,reputation,reliability,class,vendor.name,vendor.reputation,vendor.reliability\nB2c74bf609159f27dd89a829501ec34d6596d8b39a2cce7add73a8207088817a,HASH,HIGH,1587054895000,This is an example IOC,BAD,D,Malware,IBM,GOOD,B\nA2c74bf609159f27dd89a829501ec34d6596d8b39a2cce7add73a8207088817a,HASH,LOW,1587054895000,This is an example IOC,GOOD,D,Malware,PANW,BAD,A\n"}
request_data
required
String
The body of this request contains a JSON object with a single required field, `request_data`. Its value is a string containing two or more comma-separated lines: the first line is the CSV header, and every subsequent line is one IOC whose columns follow the order of that header. Each line must include at least the required CSV fields listed below. To see why an upload was rejected, send the separate `validate` field; an unsuccessful call then returns an array of validation errors.

| Field | Description |
| ----------- | ----------- |
| indicator | (Required) String that identifies the indicator you want to insert into Cortex XDR. |
| type | (Required) Keyword identifying the type of indicator. Valid values are: `HASH`, `IP`, `PATH`, `DOMAIN_NAME`, or `FILENAME` |
| severity | (Required) Keyword identifying the indicator's severity. Valid values are: `INFO`, `LOW`, `MEDIUM`, `HIGH`, or `CRITICAL` |
| expiration_date | Integer representing the indicator's expiration timestamp, as a Unix epoch value in milliseconds. If the indicator never expires, use `Never`. If the value is empty, the indicator receives the default expiration for its type: 7 days, 30 days, 90 days, or 180 days. |
| comment | Comment string. |
| reputation | Keyword representing the indicator's reputation. Valid values are: `GOOD`, `BAD`, `SUSPICIOUS`, or `UNKNOWN` |
| reliability | Character representing the indicator's reliability rating. Valid values are A-F. A is the most reliable, F is the least. |
| class | String representing the indicator class (for example, "Malware"). |
| vendor.name | String representing the name of the vendor who reported this indicator. |
| vendor.reputation | Keyword representing the vendor's reputation. Valid values are: `GOOD`, `BAD`, `SUSPICIOUS`, or `UNKNOWN` |
| vendor.reliability | Character representing the vendor's reliability rating. Valid values are A-F. A is the most reliable, F is the least. |
validate
optional
Boolean
Indicates whether to return an array of validation errors when the insert indicator request is unsuccessful.
Responses

SUCCESS

Body
reply
optional
success
optional
Boolean
true if the upload succeeded, false otherwise.
validation_errors
optional
Array

Array of the following fields:

  • indicator: Name of the indicator that failed to upload.
  • error: Description of the error that caused the indicator to fail to upload.
indicator
optional
String
error
optional
String
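As an added example (not Palo Alto Networks' code, and not shown on this page), the following Python builds the `request_data` string described under Request from a list of IOC records, runs the same kind of checks the server reports in `validation_errors` before anything is sent, posts the body, and reads the reply described above into a success flag plus error list. The `x-xdr-auth-id` and `Authorization` headers, the `api-<fqdn>` host convention and the local shape rules for `HASH`, `IP` and `DOMAIN_NAME` are assumptions; `SAMPLE_ROWS` is constructed from the two rows in the example body and `SAMPLE_REPLY` is the failing reply shown on this page.

```python
import json
import re
import urllib.request
from typing import Dict, List, Tuple

# Column order from the page's example body; rows are always emitted in this order.
CSV_HEADER = ["indicator", "type", "severity", "expiration_date", "comment", "reputation",
              "reliability", "class", "vendor.name", "vendor.reputation", "vendor.reliability"]
REQUIRED = ("indicator", "type", "severity")
REPUTATIONS = {"GOOD", "BAD", "SUSPICIOUS", "UNKNOWN"}
VALID = {"type": {"HASH", "IP", "PATH", "DOMAIN_NAME", "FILENAME"},
         "severity": {"INFO", "LOW", "MEDIUM", "HIGH", "CRITICAL"},
         "reputation": REPUTATIONS, "vendor.reputation": REPUTATIONS,
         "reliability": set("ABCDEF"), "vendor.reliability": set("ABCDEF")}
# Pre-flight shape checks (assumption: MD5/SHA1/SHA256 hex for HASH, dotted quad for IP,
# dotted name for DOMAIN_NAME). They catch the kind of mismatch the page's sample reply
# reports for "testtest.com" submitted with type HASH, before the row leaves the host.
SHAPE = {"HASH": re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$"),
         "IP": re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$"),
         "DOMAIN_NAME": re.compile(r"^[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")}

def validate_rows(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Check rows locally; the result has the shape of the API's validation_errors array."""
    errors: List[Dict[str, str]] = []
    for row in rows:
        ind, typ = str(row.get("indicator", "")), str(row.get("type", ""))

        def err(msg: str) -> None:
            errors.append({"indicator": ind, "error": msg})

        for field in REQUIRED:
            if not row.get(field):
                err(f"missing required field {field}")
        for field, allowed in VALID.items():
            if row.get(field) and row[field] not in allowed:
                err(f"invalid {field}: {row[field]}")
        if typ in SHAPE and ind and not SHAPE[typ].match(ind):
            err(f"Got type: {typ}, Indicator: {ind} mismatch")
        exp = str(row.get("expiration_date", ""))
        if exp and exp != "Never" and not exp.isdigit():
            err(f"expiration_date must be epoch milliseconds or Never, got {exp}")
        # The page defines no quoting rule, so a comma or newline inside a value would
        # silently shift the remaining columns of that row: reject it up front.
        for field, value in row.items():
            if "," in str(value) or "\n" in str(value):
                err(f"field {field} contains a separator character")
    return errors

def build_csv(rows: List[Dict[str, str]]) -> str:
    """Header line plus one LF-terminated line per IOC, columns in CSV_HEADER order."""
    lines = [",".join(CSV_HEADER)]
    lines += [",".join(str(row.get(f, "")) for f in CSV_HEADER) for row in rows]
    return "\n".join(lines) + "\n"

def build_request_body(rows: List[Dict[str, str]], validate: bool = True) -> str:
    """JSON body for insert_csv: the whole CSV travels as the one request_data string."""
    return json.dumps({"request_data": build_csv(rows), "validate": validate})

def parse_reply(body: str) -> Tuple[bool, List[Dict[str, str]]]:
    """Split a reply into (success flag, validation_errors list)."""
    reply = json.loads(body).get("reply", {})
    return bool(reply.get("success")), list(reply.get("validation_errors") or [])

def insert_indicators(fqdn: str, api_key_id: str, api_key: str,
                      rows: List[Dict[str, str]], validate: bool = True):
    """POST rows to the tenant at api-<fqdn>. Local errors short-circuit the call.
    The two auth headers are the standard Cortex XDR API-key headers (assumption: the
    page above does not show them)."""
    local = validate_rows(rows)
    if local:
        return False, local
    req = urllib.request.Request(
        f"https://api-{fqdn}/public_api/v1/indicators/insert_csv",
        data=build_request_body(rows, validate).encode("utf-8"), method="POST",
        headers={"Accept": "application/json", "Content-Type": "application/json",
                 "x-xdr-auth-id": api_key_id, "Authorization": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_reply(resp.read().decode("utf-8"))

# Constructed sample input: the two rows of the page's example body as records.
SAMPLE_ROWS = [
    {"indicator": "B2c74bf609159f27dd89a829501ec34d6596d8b39a2cce7add73a8207088817a",
     "type": "HASH", "severity": "HIGH", "expiration_date": "1587054895000",
     "comment": "This is an example IOC", "reputation": "BAD", "reliability": "D",
     "class": "Malware", "vendor.name": "IBM", "vendor.reputation": "GOOD", "vendor.reliability": "B"},
    {"indicator": "A2c74bf609159f27dd89a829501ec34d6596d8b39a2cce7add73a8207088817a",
     "type": "HASH", "severity": "LOW", "expiration_date": "1587054895000",
     "comment": "This is an example IOC", "reputation": "GOOD", "reliability": "D",
     "class": "Malware", "vendor.name": "PANW", "vendor.reputation": "BAD", "vendor.reliability": "A"},
]
# The failing reply shown on this page, used to exercise parse_reply offline.
SAMPLE_REPLY = ('{"reply": {"success": false, "validation_errors": [{"indicator": "testtest.com", '
                '"error": "Got type: HASH, Indicator: testtest.com mismatch"}]}}')

if __name__ == "__main__":
    print(build_csv(SAMPLE_ROWS), end="")
    print(validate_rows([{"indicator": "testtest.com", "type": "HASH", "severity": "HIGH"}]))
    print(parse_reply(SAMPLE_REPLY))
```

Run the module directly to see the CSV it would send and the parsed sample reply without any network access; call `insert_indicators` with a real tenant FQDN, API key ID and key to upload. The local checks are deliberately stricter than a plain enum lookup: because the page defines no quoting for the CSV, a comma inside a comment would shift every later column of that row and be stored as the wrong vendor or reputation, so the row is rejected before it reaches the server rather than trusting the server to notice.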

Bad Request. Got an invalid JSON.

Body
The query result upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}
err_extra
optional
String
Additional information describing the error.

Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, id, or other invalid authentication parameters.

Body
The query result upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}
err_extra
optional
String
Additional information describing the error.

Unauthorized access. User does not have the required license type to run this API.

Body
The query result upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}
err_extra
optional
String
Additional information describing the error.

Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.

Body
The query result upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}
err_extra
optional
String
Additional information describing the error.

Internal server error. A unified status for API communication type errors.

Body
The query result upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}
err_extra
optional
String
Additional information describing the error.