Upload IOCs in CSV format that you retrieved from external threat intelligence sources.
Note: Cortex XDR does not scan historic data, but rather only new incoming data.
Required license: Cortex XDR Pro per Endpoint or Cortex XDR Pro per GB
request_data (String)
The body of this request contains a JSON object with a single field: request_data. This field is required. Its value is a string containing two or more lines of comma-separated values, separated by newline characters. The first line must contain the CSV header. All subsequent lines must represent IOC data. Each line must include at a minimum the required CSV fields, which are identified below. To help you validate the upload, you can send a separate validate field to receive an array of errors with an unsuccessful call.
| Field | Description |
|---|---|
| indicator | (Required) String that identifies the indicator you want to insert into Cortex XDR. |
| type | (Required) Keyword identifying the type of indicator. Valid values are: HASH, IP, PATH, DOMAIN_NAME, or FILENAME. |
| severity | (Required) Keyword identifying the indicator's severity. Valid values are: INFO, LOW, MEDIUM, HIGH, or CRITICAL. |
| expiration_date | Integer representing the indicator's expiration timestamp. This is a Unix epoch timestamp value, in milliseconds. If this indicator has no expiration, use Never. If this value is NULL, the indicator receives the default expiration date for its type. Valid default values are: 7 days, 30 days, 90 days, or 180 days. |
| comment | Comment string. |
| reputation | Keyword representing the indicator's reputation. Valid values are: GOOD, BAD, SUSPICIOUS, or UNKNOWN. |
| reliability | Character representing the indicator's reliability rating. Valid values are A-F. A is the most reliable, F is the least. |
| class | String representing the indicator class (for example, "Malware"). |
| vendor.name | String representing the name of the vendor who reported this indicator. |
| vendor.reputation | Keyword representing the vendor's reputation. Valid values are: GOOD, BAD, SUSPICIOUS, or UNKNOWN. |
| vendor.reliability | Character representing the vendor's reliability rating. Valid values are A-F. A is the most reliable, F is the least. |
validate (Boolean)
Indicates whether to return an array of errors in the case of an unsuccessful insert indicator API request.
{
"request_data": "indicator,type,severity,expiration_date,comment,reputation,reliability,class,vendor.name,vendor.reputation,vendor.reliability\nB2c74bf609159f27dd89a829501ec34d6596d8b39a2cce7add73a8207088817a,HASH,HIGH,1587054895000,This is an example IOC,BAD,D,Malware,IBM,GOOD,B\nA2c74bf609159f27dd89a829501ec34d6596d8b39a2cce7add73a8207088817a,HASH,LOW,1587054895000,This is an example IOC,GOOD,D,Malware,PANW,BAD,A\n"
}
curl -X 'POST' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  'https://api-yourfqdn/public_api/v1/indicators/insert_csv' \
  -d ''
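Hand-writing the request_data string is error-prone (a stray space in the header or a misspelled keyword makes the whole upload fail), so the following added example, which is not part of this page or of Palo Alto Networks' own tooling, builds the CSV from Python dicts, checks every keyword against the allowed values in the table above before anything is sent, and then posts the body to the insert_csv endpoint. The allowed values, column order and sample rows are taken from this page; the `x-xdr-auth-id` and `Authorization` headers are the standard Cortex XDR API-key headers and are assumed here since the page's curl omits authentication; quoting of commas inside a comment (RFC 4180 style, as the csv module does it) is an assumption about what the server accepts, so keep comments free of commas if you want to stay on the page's exact format.

```python
"""Build, validate and send a Cortex XDR insert_csv request body (added example)."""
import csv
import io
import json
import urllib.request

# Allowed keyword values, taken from the parameter table on this page.
IOC_TYPES = {"HASH", "IP", "PATH", "DOMAIN_NAME", "FILENAME"}
SEVERITIES = {"INFO", "LOW", "MEDIUM", "HIGH", "CRITICAL"}
REPUTATIONS = {"GOOD", "BAD", "SUSPICIOUS", "UNKNOWN"}
RELIABILITIES = set("ABCDEF")

# Column order used by the page's sample request_data.
CSV_HEADER = [
    "indicator", "type", "severity", "expiration_date", "comment",
    "reputation", "reliability", "class", "vendor.name",
    "vendor.reputation", "vendor.reliability",
]
REQUIRED = ("indicator", "type", "severity")


def validate_ioc(ioc):
    """Return a list of client-side validation errors for one IOC dict (empty if OK)."""
    errors = []
    for field in REQUIRED:
        if not ioc.get(field):
            errors.append(f"missing required field '{field}'")
    if "type" in ioc and ioc["type"] not in IOC_TYPES:
        errors.append(f"invalid type '{ioc['type']}'")
    if "severity" in ioc and ioc["severity"] not in SEVERITIES:
        errors.append(f"invalid severity '{ioc['severity']}'")
    for key in ("reputation", "vendor.reputation"):
        if key in ioc and ioc[key] not in REPUTATIONS:
            errors.append(f"invalid {key} '{ioc[key]}'")
    for key in ("reliability", "vendor.reliability"):
        if key in ioc and ioc[key] not in RELIABILITIES:
            errors.append(f"invalid {key} '{ioc[key]}'")
    # expiration_date is Unix epoch milliseconds or the literal Never; leaving it
    # out (NULL) lets the server apply the per-type default described on the page.
    exp = ioc.get("expiration_date")
    if exp is not None and exp != "Never" and not (isinstance(exp, int) and exp > 0):
        errors.append(f"invalid expiration_date '{exp}'")
    return errors


def build_request_data(iocs):
    """Serialise IOC dicts to the CSV string expected in request_data.

    Raises ValueError (with the per-row errors) instead of sending bad rows."""
    problems = {}
    for index, ioc in enumerate(iocs):
        errors = validate_ioc(ioc)
        if errors:
            problems[index] = errors
    if problems:
        raise ValueError(f"invalid IOCs: {problems}")
    buf = io.StringIO()
    # Newline-terminated lines with no padding, matching the page's example.
    writer = csv.DictWriter(buf, fieldnames=CSV_HEADER, extrasaction="ignore",
                            lineterminator="\n")
    writer.writeheader()
    for ioc in iocs:
        writer.writerow({k: ioc.get(k, "") for k in CSV_HEADER})
    return buf.getvalue()


def build_body(iocs, validate=True):
    """Full JSON body: request_data plus the optional validate flag."""
    return {"request_data": build_request_data(iocs), "validate": validate}


def post_indicators(fqdn, api_key_id, api_key, iocs, validate=True):
    """POST the body to insert_csv and return the parsed JSON reply.

    The auth headers are the Cortex XDR API-key headers (assumption, see lead-in)."""
    url = f"https://api-{fqdn}/public_api/v1/indicators/insert_csv"
    req = urllib.request.Request(
        url,
        data=json.dumps(build_body(iocs, validate)).encode(),
        headers={
            "Accept": "application/json",
            "Content-Type": "application/json",
            "x-xdr-auth-id": str(api_key_id),
            "Authorization": api_key,
        },
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample input mirroring the two rows in the page's example body.
SAMPLE_IOCS = [
    {"indicator": "B2c74bf609159f27dd89a829501ec34d6596d8b39a2cce7add73a8207088817a",
     "type": "HASH", "severity": "HIGH", "expiration_date": 1587054895000,
     "comment": "This is an example IOC", "reputation": "BAD", "reliability": "D",
     "class": "Malware", "vendor.name": "IBM", "vendor.reputation": "GOOD",
     "vendor.reliability": "B"},
    {"indicator": "A2c74bf609159f27dd89a829501ec34d6596d8b39a2cce7add73a8207088817a",
     "type": "HASH", "severity": "LOW", "expiration_date": 1587054895000,
     "comment": "This is an example IOC", "reputation": "GOOD", "reliability": "D",
     "class": "Malware", "vendor.name": "PANW", "vendor.reputation": "BAD",
     "vendor.reliability": "A"},
]

if __name__ == "__main__":
    # Print the body the page's curl would send with -d; replace the placeholders
    # and call post_indicators("yourfqdn", "<API_KEY_ID>", "<API_KEY>", SAMPLE_IOCS) to upload.
    print(json.dumps(build_body(SAMPLE_IOCS), indent=2))
```

Because the server only validates when you opt in with `validate`, the local check is what stops a typo such as a lower-case `hash` type or a reliability of `G` from silently failing the whole batch; rows that pass it are emitted exactly in the page's header order, with expiration left empty when you want the per-type default.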