post
/public_api/v1/xql/lookups/add_data
Add or update data in a lookup dataset.
When updating data, any field not specified in the data field, but specified on at least one of the rows, will be set to None.
The /public_api/xql/lookups/add_data/ endpoint does not support concurrent edits. Sending concurrent calls to this endpoint can cause data to be unintentionally overwritten or deleted. To allow sufficient time for each API call to complete its operation before initiating another one, assume that 1000 entries can be added per API every 10 seconds.
**Note: **
- The maximum size of a lookup dataset is 50 MB. Attempting to exceed this limit will fail.
- Requests time out after three minutes.
Required license: Cortex XSIAM Premium or Cortex XSIAM Enterprise or Cortex XSIAM NG SIEM
Request headers
Authorization
String
required
{api_key}
{api_key}
Example:
authorization_example
x-xdr-auth-id
String
required
{api_key_id}
{api_key_id}
Example:
xXdrAuthId_example
CLIENT REQUEST
curl -X 'POST'
-H
'Accept: application/json'
-H
'Content-Type: application/json'
-H
'Authorization: authorization_example'
-H
'x-xdr-auth-id: xXdrAuthId_example'
'https://api-yourfqdn/public_api/v1/xql/lookups/add_data'
-d
''
import http.client
conn = http.client.HTTPSConnection("api-yourfqdn")
payload = "{\"request_data\":{\"dataset_name\":\"string\",\"key_fields\":[\"string\"],\"data\":{\"property1\":\"string\",\"property2\":\"string\"}}}"
headers = {
'Authorization': "SOME_STRING_VALUE",
'x-xdr-auth-id': "SOME_STRING_VALUE",
'content-type': "application/json"
}
conn.request("POST", "/public_api/v1/xql/lookups/add_data", payload, headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))require 'uri'
require 'net/http'
require 'openssl'
url = URI("https://api-yourfqdn/public_api/v1/xql/lookups/add_data")
http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
request = Net::HTTP::Post.new(url)
request["Authorization"] = 'SOME_STRING_VALUE'
request["x-xdr-auth-id"] = 'SOME_STRING_VALUE'
request["content-type"] = 'application/json'
request.body = "{\"request_data\":{\"dataset_name\":\"string\",\"key_fields\":[\"string\"],\"data\":{\"property1\":\"string\",\"property2\":\"string\"}}}"
response = http.request(request)
puts response.read_bodyconst data = JSON.stringify({
"request_data": {
"dataset_name": "string",
"key_fields": [
"string"
],
"data": {
"property1": "string",
"property2": "string"
}
}
});
const xhr = new XMLHttpRequest();
xhr.withCredentials = true;
xhr.addEventListener("readystatechange", function () {
if (this.readyState === this.DONE) {
console.log(this.responseText);
}
});
xhr.open("POST", "https://api-yourfqdn/public_api/v1/xql/lookups/add_data");
xhr.setRequestHeader("Authorization", "SOME_STRING_VALUE");
xhr.setRequestHeader("x-xdr-auth-id", "SOME_STRING_VALUE");
xhr.setRequestHeader("content-type", "application/json");
xhr.send(data);HttpResponse<String> response = Unirest.post("https://api-yourfqdn/public_api/v1/xql/lookups/add_data")
.header("Authorization", "SOME_STRING_VALUE")
.header("x-xdr-auth-id", "SOME_STRING_VALUE")
.header("content-type", "application/json")
.body("{\"request_data\":{\"dataset_name\":\"string\",\"key_fields\":[\"string\"],\"data\":{\"property1\":\"string\",\"property2\":\"string\"}}}")
.asString();import Foundation
let headers = [
"Authorization": "SOME_STRING_VALUE",
"x-xdr-auth-id": "SOME_STRING_VALUE",
"content-type": "application/json"
]
let parameters = ["request_data": [
"dataset_name": "string",
"key_fields": ["string"],
"data": [
"property1": "string",
"property2": "string"
]
]] as [String : Any]
let postData = JSONSerialization.data(withJSONObject: parameters, options: [])
let request = NSMutableURLRequest(url: NSURL(string: "https://api-yourfqdn/public_api/v1/xql/lookups/add_data")! as URL,
cachePolicy: .useProtocolCachePolicy,
timeoutInterval: 10.0)
request.httpMethod = "POST"
request.allHTTPHeaderFields = headers
request.httpBody = postData as Data
let session = URLSession.shared
let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in
if (error != nil) {
print(error)
} else {
let httpResponse = response as? HTTPURLResponse
print(httpResponse)
}
})
dataTask.resume()<?php
$curl = curl_init();
curl_setopt_array($curl, [
CURLOPT_URL => "https://api-yourfqdn/public_api/v1/xql/lookups/add_data",
CURLOPT_RETURNTRANSFER => true,
CURLOPT_ENCODING => "",
CURLOPT_MAXREDIRS => 10,
CURLOPT_TIMEOUT => 30,
CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
CURLOPT_CUSTOMREQUEST => "POST",
CURLOPT_POSTFIELDS => "{\"request_data\":{\"dataset_name\":\"string\",\"key_fields\":[\"string\"],\"data\":{\"property1\":\"string\",\"property2\":\"string\"}}}",
CURLOPT_HTTPHEADER => [
"Authorization: SOME_STRING_VALUE",
"content-type: application/json",
"x-xdr-auth-id: SOME_STRING_VALUE"
],
]);
$response = curl_exec($curl);
$err = curl_error($curl);
curl_close($curl);
if ($err) {
echo "cURL Error #:" . $err;
} else {
echo $response;
}CURL *hnd = curl_easy_init();
curl_easy_setopt(hnd, CURLOPT_CUSTOMREQUEST, "POST");
curl_easy_setopt(hnd, CURLOPT_URL, "https://api-yourfqdn/public_api/v1/xql/lookups/add_data");
struct curl_slist *headers = NULL;
headers = curl_slist_append(headers, "Authorization: SOME_STRING_VALUE");
headers = curl_slist_append(headers, "x-xdr-auth-id: SOME_STRING_VALUE");
headers = curl_slist_append(headers, "content-type: application/json");
curl_easy_setopt(hnd, CURLOPT_HTTPHEADER, headers);
curl_easy_setopt(hnd, CURLOPT_POSTFIELDS, "{\"request_data\":{\"dataset_name\":\"string\",\"key_fields\":[\"string\"],\"data\":{\"property1\":\"string\",\"property2\":\"string\"}}}");
CURLcode ret = curl_easy_perform(hnd);var client = new RestClient("https://api-yourfqdn/public_api/v1/xql/lookups/add_data");
var request = new RestRequest(Method.POST);
request.AddHeader("Authorization", "SOME_STRING_VALUE");
request.AddHeader("x-xdr-auth-id", "SOME_STRING_VALUE");
request.AddHeader("content-type", "application/json");
request.AddParameter("application/json", "{\"request_data\":{\"dataset_name\":\"string\",\"key_fields\":[\"string\"],\"data\":{\"property1\":\"string\",\"property2\":\"string\"}}}", ParameterType.RequestBody);
IRestResponse response = client.Execute(request);Body parameters
application/json
request_dataobject
dataset_namestringrequiredUnique dataset name
Unique dataset name
key_fieldsarray[string]The fields used to identify existing records. If there is not an exact match to the key_fields specified, a new row is created.
When you specify key_fields, these fields are mandatory in data entries. When key_fields are not specified, existing data entries are not updated, and new entries are added with the specified data.
The fields used to identify existing records. If there is not an exact match to the key_fields specified, a new row is created.
When you specify key_fields, these fields are mandatory in data entries. When key_fields are not specified, existing data entries are not updated, and new entries are added with the specified data.
dataobjectrequiredKey-value pairs of data entries.
Key-value pairs of data entries.
Additional propertiesstring
REQUEST
{
"request_data": {
"dataset_name": "users",
"key_fields": [
"uid",
"username"
],
"data": [
{
"uid": "123abc",
"username": "john",
"zipcode": 58672,
"salary": 5.1,
"is_admin": false,
"birthday": "31-05-1982T10:22:45Z"
},
{
"uid": "124abc",
"username": "jane",
"zipcode": 58642,
"salary": 5000000,
"is_admin": true,
"birthday": "31-03-1982T10:22:45Z"
}
]
}
}Responses
OK
Body
application/json
addedinteger
updatedinteger
skippedinteger
RESPONSE
{
"added": 0,
"updated": 0,
"skipped": 0
}