Delete Indicators (IOCs)

Cortex XSIAM Platform APIs
post /public_api/v1/indicators/delete

Delete IOCs selected by filter.

You must have Instance Administrator permissions to run this endpoint.

Request headers
Authorization String required

{api_key}
Example: authorization_example
x-xdr-auth-id String required

{api_key_id}
Example: xXdrAuthId_example
CLIENT REQUEST
curl -X 'POST'
-H 'Accept: application/json'
-H 'Content-Type: application/json'
-H 'Authorization: authorization_example' -H 'x-xdr-auth-id: xXdrAuthId_example'
'https://api-yourfqdn/public_api/v1/indicators/delete'
-d ''
import http.client conn = http.client.HTTPSConnection("api-yourfqdn") payload = "{\"request_data\":{\"filters\":[{\"field\":\"indicator\",\"operator\":\"EQ\",\"value\":0}]}}" headers = { 'Authorization': "SOME_STRING_VALUE", 'x-xdr-auth-id': "SOME_STRING_VALUE", 'content-type': "application/json" } conn.request("POST", "/public_api/v1/indicators/delete", payload, headers) res = conn.getresponse() data = res.read() print(data.decode("utf-8"))
require 'uri' require 'net/http' require 'openssl' url = URI("https://api-yourfqdn/public_api/v1/indicators/delete") http = Net::HTTP.new(url.host, url.port) http.use_ssl = true http.verify_mode = OpenSSL::SSL::VERIFY_NONE request = Net::HTTP::Post.new(url) request["Authorization"] = 'SOME_STRING_VALUE' request["x-xdr-auth-id"] = 'SOME_STRING_VALUE' request["content-type"] = 'application/json' request.body = "{\"request_data\":{\"filters\":[{\"field\":\"indicator\",\"operator\":\"EQ\",\"value\":0}]}}" response = http.request(request) puts response.read_body
const data = JSON.stringify({ "request_data": { "filters": [ { "field": "indicator", "operator": "EQ", "value": 0 } ] } }); const xhr = new XMLHttpRequest(); xhr.withCredentials = true; xhr.addEventListener("readystatechange", function () { if (this.readyState === this.DONE) { console.log(this.responseText); } }); xhr.open("POST", "https://api-yourfqdn/public_api/v1/indicators/delete"); xhr.setRequestHeader("Authorization", "SOME_STRING_VALUE"); xhr.setRequestHeader("x-xdr-auth-id", "SOME_STRING_VALUE"); xhr.setRequestHeader("content-type", "application/json"); xhr.send(data);
HttpResponse<String> response = Unirest.post("https://api-yourfqdn/public_api/v1/indicators/delete") .header("Authorization", "SOME_STRING_VALUE") .header("x-xdr-auth-id", "SOME_STRING_VALUE") .header("content-type", "application/json") .body("{\"request_data\":{\"filters\":[{\"field\":\"indicator\",\"operator\":\"EQ\",\"value\":0}]}}") .asString();
import Foundation let headers = [ "Authorization": "SOME_STRING_VALUE", "x-xdr-auth-id": "SOME_STRING_VALUE", "content-type": "application/json" ] let parameters = ["request_data": ["filters": [ [ "field": "indicator", "operator": "EQ", "value": 0 ] ]]] as [String : Any] let postData = JSONSerialization.data(withJSONObject: parameters, options: []) let request = NSMutableURLRequest(url: NSURL(string: "https://api-yourfqdn/public_api/v1/indicators/delete")! as URL, cachePolicy: .useProtocolCachePolicy, timeoutInterval: 10.0) request.httpMethod = "POST" request.allHTTPHeaderFields = headers request.httpBody = postData as Data let session = URLSession.shared let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in if (error != nil) { print(error) } else { let httpResponse = response as? HTTPURLResponse print(httpResponse) } }) dataTask.resume()
<?php $curl = curl_init(); curl_setopt_array($curl, [ CURLOPT_URL => "https://api-yourfqdn/public_api/v1/indicators/delete", CURLOPT_RETURNTRANSFER => true, CURLOPT_ENCODING => "", CURLOPT_MAXREDIRS => 10, CURLOPT_TIMEOUT => 30, CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1, CURLOPT_CUSTOMREQUEST => "POST", CURLOPT_POSTFIELDS => "{\"request_data\":{\"filters\":[{\"field\":\"indicator\",\"operator\":\"EQ\",\"value\":0}]}}", CURLOPT_HTTPHEADER => [ "Authorization: SOME_STRING_VALUE", "content-type: application/json", "x-xdr-auth-id: SOME_STRING_VALUE" ], ]); $response = curl_exec($curl); $err = curl_error($curl); curl_close($curl); if ($err) { echo "cURL Error #:" . $err; } else { echo $response; }
CURL *hnd = curl_easy_init(); curl_easy_setopt(hnd, CURLOPT_CUSTOMREQUEST, "POST"); curl_easy_setopt(hnd, CURLOPT_URL, "https://api-yourfqdn/public_api/v1/indicators/delete"); struct curl_slist *headers = NULL; headers = curl_slist_append(headers, "Authorization: SOME_STRING_VALUE"); headers = curl_slist_append(headers, "x-xdr-auth-id: SOME_STRING_VALUE"); headers = curl_slist_append(headers, "content-type: application/json"); curl_easy_setopt(hnd, CURLOPT_HTTPHEADER, headers); curl_easy_setopt(hnd, CURLOPT_POSTFIELDS, "{\"request_data\":{\"filters\":[{\"field\":\"indicator\",\"operator\":\"EQ\",\"value\":0}]}}"); CURLcode ret = curl_easy_perform(hnd);
var client = new RestClient("https://api-yourfqdn/public_api/v1/indicators/delete"); var request = new RestRequest(Method.POST); request.AddHeader("Authorization", "SOME_STRING_VALUE"); request.AddHeader("x-xdr-auth-id", "SOME_STRING_VALUE"); request.AddHeader("content-type", "application/json"); request.AddParameter("application/json", "{\"request_data\":{\"filters\":[{\"field\":\"indicator\",\"operator\":\"EQ\",\"value\":0}]}}", ParameterType.RequestBody); IRestResponse response = client.Execute(request);
Body parameters
application/json
request_dataobjectrequired
filtersarray

An array of filter fields.

[
fieldobject (Enum)

Identifies the IOC field the filter is matching. Filters are based on the following keywords:

  • indicator: Indicator.
  • type: Indicator type.
  • severity: Indicator severity.
  • expiration_date: Expiration date in epoch milliseconds.
  • default_expiration_enabled: Whether the default expiration is enabled.
  • comment: Comment.
  • reputation: Reputation level.
  • reliability: Reliability level.
Allowed values:"indicator""type""severity""expiration_date""default_expiration_enabled""comment""reputation""reliability"
operatorstring (Enum)

Identifies the comparison operator you want to use for this filter. Valid keywords are: gte / lte

  • expiration_date: Integer in timestamp epoch milliseconds EQ / NEQ
  • indicator: String
  • type: String
  • severity: String
  • default_expiration_enabled: Boolean
  • comment: String
  • reputation: String
  • reliability: String
Allowed values:"EQ""NEQ""IN""GTE""LTE"
valueobject

Value that this filter must match. The contents of this field will differ depending on the IOC field that you specified for this filter:

  • indicator, comment: String.
  • type: String, can be one of the following: hash, ip, path, domain_name, filename, mixed.
  • severity: String, can be one of the following: SEV_010_INFO, SEV_020_LOW, SEV_030_MEDIUM, SEV_040_HIGH
  • expiration_date: Integer representing the number of milliseconds after the Unix epoch, UTC timezone.
  • default_expiration_enabled: Boolean value: true or false.
  • comment: String.
  • reputation: String, can be one of the following: good, bad, suspicious, unknown, no_reputation.
  • reliability: String, can be one of the following: A, B, C, D, E, F, G.
integer

Value that this filter must match. The contents of this field will differ depending on the IOC field that you specified for this filter:

  • indicator, comment: String.
  • type: String, can be one of the following: hash, ip, path, domain_name, filename, mixed.
  • severity: String, can be one of the following: SEV_010_INFO, SEV_020_LOW, SEV_030_MEDIUM, SEV_040_HIGH
  • expiration_date: Integer representing the number of milliseconds after the Unix epoch, UTC timezone.
  • default_expiration_enabled: Boolean value: true or false.
  • comment: String.
  • reputation: String, can be one of the following: good, bad, suspicious, unknown, no_reputation.
  • reliability: String, can be one of the following: A, B, C, D, E, F, G.
boolean

Value that this filter must match. The contents of this field will differ depending on the IOC field that you specified for this filter:

  • indicator, comment: String.
  • type: String, can be one of the following: hash, ip, path, domain_name, filename, mixed.
  • severity: String, can be one of the following: SEV_010_INFO, SEV_020_LOW, SEV_030_MEDIUM, SEV_040_HIGH
  • expiration_date: Integer representing the number of milliseconds after the Unix epoch, UTC timezone.
  • default_expiration_enabled: Boolean value: true or false.
  • comment: String.
  • reputation: String, can be one of the following: good, bad, suspicious, unknown, no_reputation.
  • reliability: String, can be one of the following: A, B, C, D, E, F, G.
string

Value that this filter must match. The contents of this field will differ depending on the IOC field that you specified for this filter:

  • indicator, comment: String.
  • type: String, can be one of the following: hash, ip, path, domain_name, filename, mixed.
  • severity: String, can be one of the following: SEV_010_INFO, SEV_020_LOW, SEV_030_MEDIUM, SEV_040_HIGH
  • expiration_date: Integer representing the number of milliseconds after the Unix epoch, UTC timezone.
  • default_expiration_enabled: Boolean value: true or false.
  • comment: String.
  • reputation: String, can be one of the following: good, bad, suspicious, unknown, no_reputation.
  • reliability: String, can be one of the following: A, B, C, D, E, F, G.
[
]
]
REQUEST
{ "request_data": { "extended_view": false, "filters": [ { "field": "indicator", "operator": "EQ", "value": 57 } ] } }
Responses

OK

Body
application/json
objects_countinteger
objectsarray[integer]
RESPONSE
{ "objects_count": 1, "objects": [ 57 ] }

Bad Request. Got invalid JSON.

Body
application/json

The query result upon error.

err_codestring

HTTP response code.

err_msgstring

Error message.

Example:"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extrastring

Additional information describing the error.

RESPONSE
{ "err_code": "example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "example" }

Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, id, or other invalid authentication parameters.

Body
application/json

The query result upon error.

err_codestring

HTTP response code.

err_msgstring

Error message.

Example:"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extrastring

Additional information describing the error.

RESPONSE
{ "err_code": "example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "example" }

Unauthorized access. User does not have the required license type to run this API.

Body
application/json

The query result upon error.

err_codestring

HTTP response code.

err_msgstring

Error message.

Example:"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extrastring

Additional information describing the error.

RESPONSE
{ "err_code": "example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "example" }

Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.

Body
application/json

The query result upon error.

err_codestring

HTTP response code.

err_msgstring

Error message.

Example:"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extrastring

Additional information describing the error.

RESPONSE
{ "err_code": "example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "example" }

Internal server error. A unified status for API communication type errors.

Body
application/json

The query result upon error.

err_codestring

HTTP response code.

err_msgstring

Error message.

Example:"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extrastring

Additional information describing the error.

RESPONSE
{ "err_code": "example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "example" }