Insert Simple Indicators, JSON

Cortex XDR REST API

post /public_api/v1/indicators/insert_jsons

Upload IOCs as JSON objects that you retrieved from external threat intelligence sources.

Note: Cortex XDR does not scan historic data, but rather only new incoming data.

Required License: Cortex XDR Pro per Endpoint or Cortex XDR Pro per GB

CURL
curl -X POST \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  "https://api-yourfqdn/public_api/v1/indicators/insert_jsons" \
  -d '{
    "request_data": [
      {
        "indicator": "indicator",
        "severity": "INFO",
        "reliability": "A",
        "reputation": "GOOD",
        "comment": "comment",
        "type": "HASH",
        "expiration_date": 0,
        "vendors": [
          { "reliability": "reliability", "vendor_name": "vendor_name", "reputation": "reputation" },
          { "reliability": "reliability", "vendor_name": "vendor_name", "reputation": "reputation" }
        ],
        "class": "class"
      },
      {
        "indicator": "indicator",
        "severity": "INFO",
        "reliability": "A",
        "reputation": "GOOD",
        "comment": "comment",
        "type": "HASH",
        "expiration_date": 0,
        "vendors": [
          { "reliability": "reliability", "vendor_name": "vendor_name", "reputation": "reputation" },
          { "reliability": "reliability", "vendor_name": "vendor_name", "reputation": "reputation" }
        ],
        "class": "class"
      }
    ],
    "validate": true
  }'
Response
{
  "reply": {
    "success": true,
    "validation_errors": [
      {
        "indicator": "testtest.com",
        "error": "Got type: HASH, Indicator: testtest.com mismatch"
      }
    ]
  }
}
Request
Body
optional

The body of this request contains a JSON object with a single field: request_data. This field is required. Its value is an array of JSON objects, each element of which represents IOC data. Each object must include at a minimum the required fields, which are identified below.

Note: Cortex XDR recommends you send the validate field in your request call to view the API validation errors. Without sending the validate field, the API may return a reply of “true” without any information of why the IOC failed to upload.

Example: {"request_data":[{"indicator":"","type":"HASH","comment":"test","reputation":"GOOD","reliability":"D","severity":"high","vendors":[{"vendor_name":"V1","reliability":"A","reputation":"GOOD"},{"vendor_name":"V2","reliability":"A","reputation":"SUSPICIOUS"}],"class":"Malware"}],"validate":true}
request_data
required
Array
indicator
required
String
String that identifies the indicator you want to insert into Cortex XDR.
type
required
String (Enum)
Identifies the type of indicator.
Allowed values:
HASH
IP
DOMAIN_NAME
FILENAME
severity
required
String (Enum)
The indicator's severity.
Allowed values:
INFO
LOW
MEDIUM
HIGH
CRITICAL
unknown
expiration_date
optional
Integer

Integer representing the indicator's expiration timestamp. This is a Unix epoch timestamp value, in milliseconds. If this indicator has no expiration, use Never. If this value is NULL, the indicator receives the default expiration date for its indicator type. Valid values are:

  • 7 days
  • 30 days
  • 90 days
  • 180 days
comment
optional
String
A descriptive comment.
reputation
optional
String (Enum)
Keyword representing the indicator's reputation.
Allowed values:
GOOD
BAD
SUSPICIOUS
UNKNOWN
NO_REPUTATION
reliability
optional
String (Enum)
Character representing the indicator's reliability rating. Valid values are A - F. A is the most reliable, F is the least.
Allowed values:
A
B
C
D
E
F
G
vendors
optional
Array
A list of vendors including vendor name, reliability, and reputation.
vendor_name
optional
String
Vendor name.
reliability
optional
String
Vendor reliability.
reputation
optional
String
Vendor reputation.
class
optional
String
validate
optional
Boolean
Whether to return an array of errors in the case of an unsuccessful update indicator API request.
Responses

OK

Body
reply
optional
JSON object containing a query result.
success
optional
Boolean
Indicates if any of the IOCs were uploaded successfully.
validation_errors
optional
Array
Array of the IOCs that did not upload.
indicator
optional
String
Name of the indicator that failed to upload.
error
optional
String
Description of the error that caused the indicator to fail upload.
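As an added example (not Palo Alto Networks code), a Python helper that builds the insert_jsons body from the request fields above, pre-checks the documented enum values and the type/indicator match that the validation_errors reply reports, computes expiration_date as epoch milliseconds, and parses the reply into the IOCs that failed. The sample IOC and reply are constructed; authentication headers are omitted because this page does not list them.

```python
import ipaddress
import json
import re
import time

# Enumerations as listed in the request field reference above.
INDICATOR_TYPES = {"HASH", "IP", "DOMAIN_NAME", "FILENAME"}
SEVERITIES = {"INFO", "LOW", "MEDIUM", "HIGH", "CRITICAL"}
REPUTATIONS = {"GOOD", "BAD", "SUSPICIOUS", "UNKNOWN", "NO_REPUTATION"}
RELIABILITIES = set("ABCDEF")  # A is most reliable, F least, per the field description
HEX_HASH = re.compile(r"^([0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")  # MD5/SHA-1/SHA-256

def indicator_matches_type(indicator, ioc_type):
    """Local pre-check for the type/indicator mismatch the API reports (e.g. a domain sent as HASH)."""
    if ioc_type == "HASH":
        return HEX_HASH.match(indicator) is not None
    if ioc_type == "IP":
        try:
            ipaddress.ip_address(indicator)
            return True
        except ValueError:
            return False
    return bool(indicator)  # DOMAIN_NAME / FILENAME: only require a non-empty string

def expiration_ms(days, now_ms=None):
    """expiration_date value: Unix epoch milliseconds, `days` from now (now_ms is overridable for tests)."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    return now_ms + days * 24 * 60 * 60 * 1000

def build_insert_request(iocs, validate=True):
    """Return the JSON body for insert_jsons; reject entries that violate the documented enums."""
    for ioc in iocs:
        if ioc["type"] not in INDICATOR_TYPES or ioc["severity"] not in SEVERITIES:
            raise ValueError(f"bad type or severity for {ioc['indicator']!r}")
        if ioc.get("reputation", "UNKNOWN") not in REPUTATIONS or ioc.get("reliability", "A") not in RELIABILITIES:
            raise ValueError(f"bad reputation or reliability for {ioc['indicator']!r}")
        if not indicator_matches_type(ioc["indicator"], ioc["type"]):
            raise ValueError(f"{ioc['indicator']!r} does not look like a {ioc['type']}")
    return json.dumps({"request_data": list(iocs), "validate": validate})

def failed_indicators(reply_text):
    """Parse an insert_jsons reply into {indicator: error} for the IOCs that did not upload."""
    reply = json.loads(reply_text)["reply"]
    return {e["indicator"]: e["error"] for e in reply.get("validation_errors", [])}

# Constructed sample input and a reply shaped like the page's response example (not real API output).
SAMPLE_IOCS = [{"indicator": "203.0.113.5", "type": "IP", "severity": "HIGH", "reputation": "BAD",
                "reliability": "B", "comment": "constructed sample", "expiration_date": expiration_ms(7, 0)}]
SAMPLE_REPLY = ('{"reply": {"success": true, "validation_errors": [{"indicator": "testtest.com", '
                '"error": "Got type: HASH, Indicator: testtest.com mismatch"}]}}')
```

Sending validate as true is what makes the per-IOC errors above appear in the reply; without it a failed IOC can be reported only as a bare success flag.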

Bad Request. The request body was not valid JSON.

Body
The query result upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}
err_extra
optional
String
Additional information describing the error.

Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, id, or other invalid authentication parameters.

Body
The query result upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}
err_extra
optional
String
Additional information describing the error.

Unauthorized access. User does not have the required license type to run this API.

Body
The query result upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}
err_extra
optional
String
Additional information describing the error.

Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.

Body
The query result upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}
err_extra
optional
String
Additional information describing the error.

Internal server error. A unified status for API communication type errors.

Body
The query result upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}
err_extra
optional
String
Additional information describing the error.