Insert or update BIOCs

Cortex XSIAM Platform APIs
post /public_api/v1/bioc/insert

Insert new BIOCs or update existing BIOCs.

Note: The BIOC rule_id is tenant specific and can't be used across tenants. Inserting BIOCs with the same rule_id as an existing BIOC on that tenant will overwrite the existing BIOC.

You must have Instance Administrator permissions to run this endpoint.

Request headers
Authorization String required

{api_key}
Example: authorization_example
x-xdr-auth-id String required

{api_key_id}
Example: xXdrAuthId_example
CLIENT REQUEST
curl -X 'POST'
-H 'Accept: application/json'
-H 'Content-Type: application/json'
-H 'Authorization: authorization_example' -H 'x-xdr-auth-id: xXdrAuthId_example'
'https://api-yourfqdn/public_api/v1/bioc/insert'
-d ''
import http.client conn = http.client.HTTPSConnection("api-yourfqdn") payload = "{\"request_data\":[{\"rule_id\":0,\"name\":\"string\",\"type\":\"OTHER\",\"severity\":\"SEV_010_INFO\",\"comment\":\"string\",\"status\":\"enabled\",\"is_xql\":true,\"indicator\":{\"property1\":null,\"property2\":null},\"mitre_tactic_id_and_name\":[\"string\"],\"mitre_technique_id_and_name\":[\"string\"]}]}" headers = { 'Authorization': "SOME_STRING_VALUE", 'x-xdr-auth-id': "SOME_STRING_VALUE", 'content-type': "application/json" } conn.request("POST", "/public_api/v1/bioc/insert", payload, headers) res = conn.getresponse() data = res.read() print(data.decode("utf-8"))
require 'uri' require 'net/http' require 'openssl' url = URI("https://api-yourfqdn/public_api/v1/bioc/insert") http = Net::HTTP.new(url.host, url.port) http.use_ssl = true http.verify_mode = OpenSSL::SSL::VERIFY_NONE request = Net::HTTP::Post.new(url) request["Authorization"] = 'SOME_STRING_VALUE' request["x-xdr-auth-id"] = 'SOME_STRING_VALUE' request["content-type"] = 'application/json' request.body = "{\"request_data\":[{\"rule_id\":0,\"name\":\"string\",\"type\":\"OTHER\",\"severity\":\"SEV_010_INFO\",\"comment\":\"string\",\"status\":\"enabled\",\"is_xql\":true,\"indicator\":{\"property1\":null,\"property2\":null},\"mitre_tactic_id_and_name\":[\"string\"],\"mitre_technique_id_and_name\":[\"string\"]}]}" response = http.request(request) puts response.read_body
const data = JSON.stringify({ "request_data": [ { "rule_id": 0, "name": "string", "type": "OTHER", "severity": "SEV_010_INFO", "comment": "string", "status": "enabled", "is_xql": true, "indicator": { "property1": null, "property2": null }, "mitre_tactic_id_and_name": [ "string" ], "mitre_technique_id_and_name": [ "string" ] } ] }); const xhr = new XMLHttpRequest(); xhr.withCredentials = true; xhr.addEventListener("readystatechange", function () { if (this.readyState === this.DONE) { console.log(this.responseText); } }); xhr.open("POST", "https://api-yourfqdn/public_api/v1/bioc/insert"); xhr.setRequestHeader("Authorization", "SOME_STRING_VALUE"); xhr.setRequestHeader("x-xdr-auth-id", "SOME_STRING_VALUE"); xhr.setRequestHeader("content-type", "application/json"); xhr.send(data);
HttpResponse<String> response = Unirest.post("https://api-yourfqdn/public_api/v1/bioc/insert") .header("Authorization", "SOME_STRING_VALUE") .header("x-xdr-auth-id", "SOME_STRING_VALUE") .header("content-type", "application/json") .body("{\"request_data\":[{\"rule_id\":0,\"name\":\"string\",\"type\":\"OTHER\",\"severity\":\"SEV_010_INFO\",\"comment\":\"string\",\"status\":\"enabled\",\"is_xql\":true,\"indicator\":{\"property1\":null,\"property2\":null},\"mitre_tactic_id_and_name\":[\"string\"],\"mitre_technique_id_and_name\":[\"string\"]}]}") .asString();
import Foundation let headers = [ "Authorization": "SOME_STRING_VALUE", "x-xdr-auth-id": "SOME_STRING_VALUE", "content-type": "application/json" ] let parameters = ["request_data": [ [ "rule_id": 0, "name": "string", "type": "OTHER", "severity": "SEV_010_INFO", "comment": "string", "status": "enabled", "is_xql": true, "indicator": [ "property1": , "property2": ], "mitre_tactic_id_and_name": ["string"], "mitre_technique_id_and_name": ["string"] ] ]] as [String : Any] let postData = JSONSerialization.data(withJSONObject: parameters, options: []) let request = NSMutableURLRequest(url: NSURL(string: "https://api-yourfqdn/public_api/v1/bioc/insert")! as URL, cachePolicy: .useProtocolCachePolicy, timeoutInterval: 10.0) request.httpMethod = "POST" request.allHTTPHeaderFields = headers request.httpBody = postData as Data let session = URLSession.shared let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in if (error != nil) { print(error) } else { let httpResponse = response as? HTTPURLResponse print(httpResponse) } }) dataTask.resume()
<?php $curl = curl_init(); curl_setopt_array($curl, [ CURLOPT_URL => "https://api-yourfqdn/public_api/v1/bioc/insert", CURLOPT_RETURNTRANSFER => true, CURLOPT_ENCODING => "", CURLOPT_MAXREDIRS => 10, CURLOPT_TIMEOUT => 30, CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1, CURLOPT_CUSTOMREQUEST => "POST", CURLOPT_POSTFIELDS => "{\"request_data\":[{\"rule_id\":0,\"name\":\"string\",\"type\":\"OTHER\",\"severity\":\"SEV_010_INFO\",\"comment\":\"string\",\"status\":\"enabled\",\"is_xql\":true,\"indicator\":{\"property1\":null,\"property2\":null},\"mitre_tactic_id_and_name\":[\"string\"],\"mitre_technique_id_and_name\":[\"string\"]}]}", CURLOPT_HTTPHEADER => [ "Authorization: SOME_STRING_VALUE", "content-type: application/json", "x-xdr-auth-id: SOME_STRING_VALUE" ], ]); $response = curl_exec($curl); $err = curl_error($curl); curl_close($curl); if ($err) { echo "cURL Error #:" . $err; } else { echo $response; }
CURL *hnd = curl_easy_init(); curl_easy_setopt(hnd, CURLOPT_CUSTOMREQUEST, "POST"); curl_easy_setopt(hnd, CURLOPT_URL, "https://api-yourfqdn/public_api/v1/bioc/insert"); struct curl_slist *headers = NULL; headers = curl_slist_append(headers, "Authorization: SOME_STRING_VALUE"); headers = curl_slist_append(headers, "x-xdr-auth-id: SOME_STRING_VALUE"); headers = curl_slist_append(headers, "content-type: application/json"); curl_easy_setopt(hnd, CURLOPT_HTTPHEADER, headers); curl_easy_setopt(hnd, CURLOPT_POSTFIELDS, "{\"request_data\":[{\"rule_id\":0,\"name\":\"string\",\"type\":\"OTHER\",\"severity\":\"SEV_010_INFO\",\"comment\":\"string\",\"status\":\"enabled\",\"is_xql\":true,\"indicator\":{\"property1\":null,\"property2\":null},\"mitre_tactic_id_and_name\":[\"string\"],\"mitre_technique_id_and_name\":[\"string\"]}]}"); CURLcode ret = curl_easy_perform(hnd);
var client = new RestClient("https://api-yourfqdn/public_api/v1/bioc/insert"); var request = new RestRequest(Method.POST); request.AddHeader("Authorization", "SOME_STRING_VALUE"); request.AddHeader("x-xdr-auth-id", "SOME_STRING_VALUE"); request.AddHeader("content-type", "application/json"); request.AddParameter("application/json", "{\"request_data\":[{\"rule_id\":0,\"name\":\"string\",\"type\":\"OTHER\",\"severity\":\"SEV_010_INFO\",\"comment\":\"string\",\"status\":\"enabled\",\"is_xql\":true,\"indicator\":{\"property1\":null,\"property2\":null},\"mitre_tactic_id_and_name\":[\"string\"],\"mitre_technique_id_and_name\":[\"string\"]}]}", ParameterType.RequestBody); IRestResponse response = client.Execute(request);
Body parameters
application/json
request_dataarrayrequired
[
rule_idinteger
namestring

BIOC name.

typeobject (Enum)

BIOC type.

Allowed values:"OTHER""PERSISTENCE""EVASION""TAMPERING""FILE_TYPE_OBFUSCATION""PRIVILEGE_ESCALATION""CREDENTIAL_ACCESS""LATERAL_MOVEMENT""EXECUTION""COLLECTION""EXFILTRATION""INFILTRATION""DROPPER""FILE_PRIVILEGE_MANIPULATION""RECONNAISSANCE""DISCOVERY"
severityobject (Enum)

BIOC severity.

Allowed values:"SEV_010_INFO""SEV_020_LOW""SEV_030_MEDIUM""SEV_040_HIGH"
commentstring
statusobject (Enum)

BIOC status.

Allowed values:"enabled""disabled"
is_xqlboolean
indicatorobject
Additional propertiesobject
mitre_tactic_id_and_namearray[string]
mitre_technique_id_and_namearray[string]
]
REQUEST
{ "request_data": [ { "name": "TestBIOC", "type": "EXECUTION", "severity": "SEV_020_LOW", "comment": "", "status": "ENABLED", "is_xql": false, "indicator": { "runOnCGO": true, "investigationType": "FILE_EVENT", "investigation": { "FILE_EVENT": { "filter": { "AND": [ { "OR": [ { "SEARCH_FIELD": "event_sub_type", "SEARCH_TYPE": "EQ", "SEARCH_VALUE": "1", "isExtended": false }, { "SEARCH_FIELD": "event_sub_type", "SEARCH_TYPE": "EQ", "SEARCH_VALUE": "2", "isExtended": false }, { "SEARCH_FIELD": "event_sub_type", "SEARCH_TYPE": "EQ", "SEARCH_VALUE": "3", "isExtended": false }, { "SEARCH_FIELD": "event_sub_type", "SEARCH_TYPE": "EQ", "SEARCH_VALUE": "5", "isExtended": false }, { "SEARCH_FIELD": "event_sub_type", "SEARCH_TYPE": "EQ", "SEARCH_VALUE": "6", "isExtended": false } ] }, { "SEARCH_FIELD": "action_file_name", "SEARCH_TYPE": "EQ", "SEARCH_VALUE": "aaaaaa", "EXTRA_FIELDS": [], "isExtended": false } ] } } } }, "mitre_tactic_id_and_name": [ "" ], "mitre_technique_id_and_name": [ "" ] } ] }
Responses

OK

Body
application/json
added_objectsarray

List of BIOC objects added.

[
idinteger
statusstring
]
updated_objectsarray

List of BIOC objects updated.

[
idinteger
statusstring
]
errorsarray[string]

A list of errors.

RESPONSE
{ "added_objects": [ { "id": 34, "status": "Created a new BIOC rule with the ID: 34 successfully" } ], "updated_objects": [], "errors": [] }

Bad Request. Got invalid JSON.

Body
application/json

The query result upon error.

err_codestring

HTTP response code.

err_msgstring

Error message.

Example:"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extrastring

Additional information describing the error.

RESPONSE
{ "err_code": "example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "example" }

Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, id, or other invalid authentication parameters.

Body
application/json

The query result upon error.

err_codestring

HTTP response code.

err_msgstring

Error message.

Example:"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extrastring

Additional information describing the error.

RESPONSE
{ "err_code": "example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "example" }

Unauthorized access. User does not have the required license type to run this API.

Body
application/json

The query result upon error.

err_codestring

HTTP response code.

err_msgstring

Error message.

Example:"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extrastring

Additional information describing the error.

RESPONSE
{ "err_code": "example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "example" }

Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.

Body
application/json

The query result upon error.

err_codestring

HTTP response code.

err_msgstring

Error message.

Example:"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extrastring

Additional information describing the error.

RESPONSE
{ "err_code": "example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "example" }

Internal server error. A unified status for API communication type errors.

Body
application/json

The query result upon error.

err_codestring

HTTP response code.

err_msgstring

Error message.

Example:"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extrastring

Additional information describing the error.

RESPONSE
{ "err_code": "example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "example" }