Upload IOCs as JSON objects that you retrieved from external threat intelligence sources.
Note: Cortex XDR does not scan historic data, but rather only new incoming data.
Required License: Cortex XDR Pro per Endpoint or Cortex XDR Pro per GB
curl -X POST \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  "https://api-yourfqdn/public_api/v1/indicators/insert_jsons" \
  -d '{
    "request_data" : [ {
      "indicator" : "indicator",
      "severity" : "INFO",
      "reliability" : "A",
      "reputation" : "GOOD",
      "comment" : "comment",
      "type" : "HASH",
      "expiration_date" : 0,
      "vendors" : [ {
        "reliability" : "reliability",
        "vendor_name" : "vendor_name",
        "reputation" : "reputation"
      }, {
        "reliability" : "reliability",
        "vendor_name" : "vendor_name",
        "reputation" : "reputation"
      } ],
      "class" : "class"
    }, {
      "indicator" : "indicator",
      "severity" : "INFO",
      "reliability" : "A",
      "reputation" : "GOOD",
      "comment" : "comment",
      "type" : "HASH",
      "expiration_date" : 0,
      "vendors" : [ {
        "reliability" : "reliability",
        "vendor_name" : "vendor_name",
        "reputation" : "reputation"
      }, {
        "reliability" : "reliability",
        "vendor_name" : "vendor_name",
        "reputation" : "reputation"
      } ],
      "class" : "class"
    } ],
    "validate" : true
  }'
{
  "reply": {
    "success": true,
    "validation_errors": [
      {
        "indicator": "testtest.com",
        "error": "Got type: HASH, Indicator: testtest.com mismatch"
      }
    ]
  }
}
The body of this request contains a JSON object with a single field: request_data. This field is required. Its value is an array of JSON objects, each element of which represents IOC data. Each object must include at a minimum the required fields, which are identified below.
Note: Cortex XDR recommends you send the validate field in your request call to view the API validation errors. Without the validate field, the API may return a reply of "true" without any information about why the IOC failed to upload.
{
  "request_data": [
    {
      "indicator": "",
      "type": "HASH",
      "comment": "test",
      "reputation": "GOOD",
      "reliability": "D",
      "severity": "high",
      "vendors": [
        {"vendor_name": "V1", "reliability": "A", "reputation": "GOOD"},
        {"vendor_name": "V2", "reliability": "A", "reputation": "SUSPICIOUS"}
      ],
      "class": "Malware"
    }
  ],
  "validate": true
}
Integer representing the indicator's expiration timestamp. This is a Unix epoch timestamp value, in milliseconds. If this indicator has no expiration, use Never. If this value is NULL, the indicator receives the default expiration date for its indicator type. Valid values are:
- 7 days
- 30 days
- 90 days
- 180 days
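To tie the request_data description and the expiration_date field together, here is an added Python example (not Palo Alto Networks' code) that builds an insert_jsons body with validate set, computes expiration_date as epoch milliseconds, checks HASH indicators locally so a type mismatch like the one in the reply above is caught before upload, and extracts validation_errors from a reply. The hex-digest length check, the sample IOC and the default field values are assumptions and constructed values, not rules stated on this page.

```python
import json
import re
import time

# Local sanity check (assumption, not an API rule): a HASH indicator should be a
# hex MD5 (32), SHA-1 (40) or SHA-256 (64) digest.
HASH_LENGTHS = {32, 40, 64}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def looks_like_hash(value):
    """Return True if value could be a file hash; used to reject obvious type mismatches."""
    return bool(HEX_RE.match(value)) and len(value) in HASH_LENGTHS


def expiration_ms(days, now_s=None):
    """expiration_date is a Unix epoch timestamp in milliseconds, here 'days' from now_s."""
    now_s = time.time() if now_s is None else now_s
    return int((now_s + days * 86400) * 1000)


def build_request(iocs, days=30, now_s=None):
    """Build the insert_jsons body; validate=true makes the API report per-indicator errors."""
    request_data = []
    for ioc in iocs:
        if ioc["type"] == "HASH" and not looks_like_hash(ioc["indicator"]):
            raise ValueError(f"{ioc['indicator']!r} is not a hex MD5/SHA-1/SHA-256 digest")
        request_data.append({
            "indicator": ioc["indicator"],
            "type": ioc["type"],
            "severity": ioc.get("severity", "INFO"),      # defaults are assumptions
            "reliability": ioc.get("reliability", "A"),
            "reputation": ioc.get("reputation", "GOOD"),
            "comment": ioc.get("comment", ""),
            "expiration_date": expiration_ms(days, now_s),
            "vendors": ioc.get("vendors", []),
            "class": ioc.get("class", "Malware"),
        })
    return {"request_data": request_data, "validate": True}


def failed_indicators(reply_json):
    """Map indicator -> error from reply.validation_errors (empty dict if all were accepted)."""
    reply = json.loads(reply_json)["reply"]
    return {e["indicator"]: e["error"] for e in reply.get("validation_errors", [])}


# Constructed sample IOC (MD5 of an empty file) and the reply shown on this page.
SAMPLE_IOCS = [{"indicator": "d41d8cd98f00b204e9800998ecf8427e", "type": "HASH",
                "comment": "test", "reliability": "D", "severity": "high"}]
SAMPLE_REPLY = json.dumps({"reply": {"success": True, "validation_errors": [
    {"indicator": "testtest.com", "error": "Got type: HASH, Indicator: testtest.com mismatch"}]}})
```

Note that the reply's success field is true even though an indicator was rejected, so always inspect validation_errors rather than success alone.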