Edit Indicator

Cortex XSOAR 6 API

post /indicator/edit

Edit an indicator entity. To update indicator custom fields, lowercase their names and remove all spaces. For example: Scan IP -> scanip

CURL
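# Edit an indicator: POST /indicator/edit (Cortex XSOAR 6 API).
#
# [[apiKey]] is a placeholder for the API key sent in the Authorization header.
# Supply it from a protected variable or file rather than typing the literal key,
# because command lines are kept in shell history and are visible in process listings.
#
# The request body is JSON, so exactly one media type is declared in Content-Type
# and the body is passed with a single -d. curl joins repeated -d values with '&',
# which would leave the server with a body that is no longer valid JSON.
#
# The body is the schema-generated sample: every value is a placeholder. The field
# reference on this page carries a "Do not set the fields below this line" note at
# calculatedTime, so treat this as a shape reference and cut it down to the fields
# you actually mean to edit before sending it.
curl -X POST \
  -H "Authorization: [[apiKey]]" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  "https://hostname:443/indicator/edit" \
  -d '{
  "modifiedTime" : "2000-01-23T04:56:07.000+00:00",
  "deletedFeedFetchTime" : "2000-01-23T04:56:07.000+00:00",
  "sizeInBytes" : 5,
  "relatedIncCount" : 7,
  "primaryTerm" : 6,
  "investigationIDs" : [ "investigationIDs", "investigationIDs" ],
  "expirationStatus" : "expirationStatus",
  "indicator_type" : "indicator_type",
  "syncHash" : "syncHash",
  "source" : "source",
  "manualSetTime" : "2000-01-23T04:56:07.000+00:00",
  "manualExpirationTime" : "2000-01-23T04:56:07.000+00:00",
  "calculatedTime" : "2000-01-23T04:56:07.000+00:00",
  "highlight" : { "key" : [ "highlight", "highlight" ] },
  "score" : 1,
  "manuallyEditedFields" : [ "manuallyEditedFields", "manuallyEditedFields" ],
  "lastReputationRun" : "2000-01-23T04:56:07.000+00:00",
  "modified" : "2000-01-23T04:56:07.000+00:00",
  "moduleToFeedMap" : {
    "key" : {
      "modifiedTime" : "2000-01-23T04:56:07.000+00:00",
      "sourceInstance" : "sourceInstance",
      "comments" : [
        { "created" : "2000-01-23T04:56:07.000+00:00", "id" : "id", "user" : "user", "content" : "content" },
        { "created" : "2000-01-23T04:56:07.000+00:00", "id" : "id", "user" : "user", "content" : "content" }
      ],
      "classifierId" : "classifierId",
      "reliability" : "reliability",
      "mapperId" : "mapperId",
      "expirationPolicy" : "expirationPolicy",
      "mapperVersion" : 5,
      "rawJSON" : { "key" : "{}" },
      "type" : "type",
      "isEnrichment" : true,
      "relationships" : [
        { "entityA" : "entityA", "entityB" : "entityB", "instance" : "instance", "reverseName" : "reverseName", "entityBType" : "entityBType", "reliability" : "reliability", "entityAType" : "entityAType", "entityAFamily" : "entityAFamily", "type" : "type", "entityBFamily" : "entityBFamily", "name" : "name", "startTime" : "2000-01-23T04:56:07.000+00:00", "id" : "id", "fields" : { "key" : "{}" }, "brand" : "brand" },
        { "entityA" : "entityA", "entityB" : "entityB", "instance" : "instance", "reverseName" : "reverseName", "entityBType" : "entityBType", "reliability" : "reliability", "entityAType" : "entityAType", "entityAFamily" : "entityAFamily", "type" : "type", "entityBFamily" : "entityBFamily", "name" : "name", "startTime" : "2000-01-23T04:56:07.000+00:00", "id" : "id", "fields" : { "key" : "{}" }, "brand" : "brand" }
      ],
      "score" : 2,
      "bypassExclusionList" : true,
      "sourceBrand" : "sourceBrand",
      "expirationInterval" : 5,
      "fetchTime" : "2000-01-23T04:56:07.000+00:00",
      "ExpirationSource" : { "instance" : "instance", "expirationInterval" : 6, "expirationPolicy" : "expirationPolicy", "source" : "source", "moduleId" : "moduleId", "brand" : "brand", "user" : "user", "setTime" : "2000-01-23T04:56:07.000+00:00" },
      "fields" : { "key" : "{}" },
      "moduleId" : "moduleId",
      "classifierVersion" : 1,
      "value" : "value",
      "timestamp" : "2000-01-23T04:56:07.000+00:00"
    }
  },
  "id" : "id",
  "setBy" : "setBy",
  "value" : "value",
  "aggregatedReliability" : "aggregatedReliability",
  "timestamp" : "2000-01-23T04:56:07.000+00:00",
  "manualScore" : true,
  "numericId" : 1,
  "sequenceNumber" : 4,
  "comments" : [
    { "numericId" : 1, "sequenceNumber" : 5, "sizeInBytes" : 2, "created" : "2000-01-23T04:56:07.000+00:00", "indexName" : "indexName", "primaryTerm" : 5, "cacheVersn" : 6, "syncHash" : "syncHash", "source" : "source", "type" : "type", "sortValues" : [ "sortValues", "sortValues" ], "version" : 7, "content" : "content", "entryId" : "entryId", "highlight" : { "key" : [ "highlight", "highlight" ] }, "modified" : "2000-01-23T04:56:07.000+00:00", "id" : "id", "category" : "category", "user" : "user" },
    { "numericId" : 1, "sequenceNumber" : 5, "sizeInBytes" : 2, "created" : "2000-01-23T04:56:07.000+00:00", "indexName" : "indexName", "primaryTerm" : 5, "cacheVersn" : 6, "syncHash" : "syncHash", "source" : "source", "type" : "type", "sortValues" : [ "sortValues", "sortValues" ], "version" : 7, "content" : "content", "entryId" : "entryId", "highlight" : { "key" : [ "highlight", "highlight" ] }, "modified" : "2000-01-23T04:56:07.000+00:00", "id" : "id", "category" : "category", "user" : "user" }
  ],
  "created" : "2000-01-23T04:56:07.000+00:00",
  "firstSeen" : "2000-01-23T04:56:07.000+00:00",
  "indexName" : "indexName",
  "expirationSource" : { "instance" : "instance", "expirationInterval" : 6, "expirationPolicy" : "expirationPolicy", "source" : "source", "moduleId" : "moduleId", "brand" : "brand", "user" : "user", "setTime" : "2000-01-23T04:56:07.000+00:00" },
  "insightCache" : {
    "numericId" : 3,
    "sequenceNumber" : 7,
    "sizeInBytes" : 1,
    "scores" : {
      "key" : { "score" : 4, "isTypedIndicator" : true, "contentFormat" : "contentFormat", "reliability" : "reliability", "scoreChangeTimestamp" : "2000-01-23T04:56:07.000+00:00", "context" : { "key" : "{}" }, "type" : "type", "content" : "content", "timestamp" : "2000-01-23T04:56:07.000+00:00" }
    },
    "created" : "2000-01-23T04:56:07.000+00:00",
    "indexName" : "indexName",
    "primaryTerm" : 2,
    "cacheVersn" : 9,
    "syncHash" : "syncHash",
    "sortValues" : [ "sortValues", "sortValues" ],
    "version" : 1,
    "highlight" : { "key" : [ "highlight", "highlight" ] },
    "modified" : "2000-01-23T04:56:07.000+00:00",
    "id" : "id"
  },
  "cacheVersn" : 0,
  "lastSeenEntryID" : "lastSeenEntryID",
  "sortValues" : [ "sortValues", "sortValues" ],
  "version" : 9,
  "CustomFields" : { "key" : "{}" },
  "sourceInstances" : [ "sourceInstances", "sourceInstances" ],
  "lastSeen" : "2000-01-23T04:56:07.000+00:00",
  "isPreventable" : true,
  "firstSeenEntryID" : "firstSeenEntryID",
  "sourceBrands" : [ "sourceBrands", "sourceBrands" ],
  "comment" : "comment",
  "expiration" : "2000-01-23T04:56:07.000+00:00",
  "account" : "account",
  "isShared" : true,
  "isDetectable" : true
}'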
Authentication: api_key (API key, sent in the "Authorization" header)
Request
Body
optional
CustomFields
optional
Map of objects
The keys should be the field's display name in all lowercase and without spaces. For example: Scan IP -> scanip. To get the actual key name, you can also go to the Cortex XSOAR CLI, run /incident_add, and look for the key that you would like to update.
account
optional
String
aggregatedReliability
optional
String
cacheVersn
optional
Number (Long)
format: int64
calculatedTime
optional
Object
Do not set the fields below this line. format: date-time
comment
optional
String
comments
optional
Array
cacheVersn
optional
Number (Long)
format: int64
category
optional
String
content
optional
String
created
optional
Object
format: date-time
entryId
optional
String
highlight
optional
Map
id
optional
String
indexName
optional
String
modified
optional
Object
format: date-time
numericId
optional
Number (Long)
format: int64
primaryTerm
optional
Number (Long)
format: int64
sequenceNumber
optional
Number (Long)
format: int64
sizeInBytes
optional
Number (Long)
format: int64
sortValues
optional
Array of strings
source
optional
String
syncHash
optional
String
type
optional
String
user
optional
String
version
optional
Number (Long)
format: int64
created
optional
Object
format: date-time
deletedFeedFetchTime
optional
Object
format: date-time
expiration
optional
Object
format: date-time
expirationSource
optional
brand
optional
String
expirationInterval
optional
Number (Long)
format: int64
expirationPolicy
optional
String
instance
optional
String
moduleId
optional
String
setTime
optional
Object
format: date-time
source
optional
String
user
optional
String
expirationStatus
optional
String
firstSeen
optional
Object
format: date-time
firstSeenEntryID
optional
String
highlight
optional
Map
id
optional
String
indexName
optional
String
indicator_type
optional
String
insightCache
optional
InsightCache - maps each insight name to all of its metadata; the name is case-insensitive
cacheVersn
optional
Number (Long)
format: int64
created
optional
Object
format: date-time
highlight
optional
Map
id
optional
String
indexName
optional
String
modified
optional
Object
format: date-time
numericId
optional
Number (Long)
format: int64
primaryTerm
optional
Number (Long)
format: int64
scores
optional
Map
DBotScore - Contains the score of a specific brand for a specific insight
content
optional
String
contentFormat
optional
String
context
optional
Map of objects
isTypedIndicator
optional
Boolean
reliability
optional
String
score
optional
Number (Long)
format: int64
scoreChangeTimestamp
optional
Object
We need to track when the score changes to know if we need to re-calculate the overall score. format: date-time
timestamp
optional
Object
format: date-time
type
optional
String
sequenceNumber
optional
Number (Long)
format: int64
sizeInBytes
optional
Number (Long)
format: int64
sortValues
optional
Array of strings
syncHash
optional
String
version
optional
Number (Long)
format: int64
investigationIDs
optional
Array of strings
isDetectable
optional
Boolean
isPreventable
optional
Boolean
isShared
optional
Boolean
lastReputationRun
optional
Object
format: date-time
lastSeen
optional
Object
format: date-time
lastSeenEntryID
optional
String
manualExpirationTime
optional
Object
format: date-time
manualScore
optional
Boolean
manualSetTime
optional
Object
format: date-time
manuallyEditedFields
optional
Array of strings
modified
optional
Object
format: date-time
modifiedTime
optional
Object
format: date-time
moduleToFeedMap
optional
Map
ExpirationSource
optional
brand
optional
String
expirationInterval
optional
Number (Long)
format: int64
expirationPolicy
optional
String
instance
optional
String
moduleId
optional
String
setTime
optional
Object
format: date-time
source
optional
String
user
optional
String
bypassExclusionList
optional
Boolean
classifierId
optional
String
classifierVersion
optional
Number (Long)
format: int64
comments
optional
Array
content
optional
String
created
optional
Object
format: date-time
id
optional
String
user
optional
String
expirationInterval
optional
Number (Long)
format: int64
expirationPolicy
optional
String
fetchTime
optional
Object
format: date-time
fields
optional
Map of objects
The keys should be the field's display name in all lowercase and without spaces. For example: Scan IP -> scanip. To get the actual key name, you can also go to the Cortex XSOAR CLI, run /incident_add, and look for the key that you would like to update.
isEnrichment
optional
Boolean
mapperId
optional
String
mapperVersion
optional
Number (Long)
format: int64
modifiedTime
optional
Object
format: date-time
moduleId
optional
String
rawJSON
optional
Map of objects
relationships
optional
Array
brand
optional
String
entityA
optional
String
entityAFamily
optional
String
entityAType
optional
String
entityB
optional
String
entityBFamily
optional
String
entityBType
optional
String
fields
optional
Map of objects
The keys should be the field's display name in all lowercase and without spaces. For example: Scan IP -> scanip. To get the actual key name, you can also go to the Cortex XSOAR CLI, run /incident_add, and look for the key that you would like to update.
id
optional
String
instance
optional
String
name
optional
String
reliability
optional
String
reverseName
optional
String
startTime
optional
Object
format: date-time
type
optional
String
reliability
optional
String
score
optional
Number (Long)
format: int64
sourceBrand
optional
String
sourceInstance
optional
String
timestamp
optional
Object
format: date-time
type
optional
String
value
optional
String
numericId
optional
Number (Long)
format: int64
primaryTerm
optional
Number (Long)
format: int64
relatedIncCount
optional
Number (Long)
format: int64
score
optional
Number (Long)
format: int64
sequenceNumber
optional
Number (Long)
format: int64
setBy
optional
String
sizeInBytes
optional
Number (Long)
format: int64
sortValues
optional
Array of strings
source
optional
String
sourceBrands
optional
Array of strings
sourceInstances
optional
Array of strings
syncHash
optional
String
timestamp
optional
Object
format: date-time
value
optional
String
version
optional
Number (Long)
format: int64
Responses

IocObject

Body
IocObject - represents an Ioc (or simply an indicator) object
CustomFields
optional
Map of objects
The keys should be the field's display name in all lowercase and without spaces. For example: Scan IP -> scanip. To get the actual key name, you can also go to the Cortex XSOAR CLI, run /incident_add, and look for the key that you would like to update.
account
optional
String
aggregatedReliability
optional
String
cacheVersn
optional
Number (Long)
format: int64
calculatedTime
optional
Object
Do not set the fields below this line. format: date-time
comment
optional
String
comments
optional
Array
cacheVersn
optional
Number (Long)
format: int64
category
optional
String
content
optional
String
created
optional
Object
format: date-time
entryId
optional
String
highlight
optional
Map
id
optional
String
indexName
optional
String
modified
optional
Object
format: date-time
numericId
optional
Number (Long)
format: int64
primaryTerm
optional
Number (Long)
format: int64
sequenceNumber
optional
Number (Long)
format: int64
sizeInBytes
optional
Number (Long)
format: int64
sortValues
optional
Array of strings
source
optional
String
syncHash
optional
String
type
optional
String
user
optional
String
version
optional
Number (Long)
format: int64
created
optional
Object
format: date-time
deletedFeedFetchTime
optional
Object
format: date-time
expiration
optional
Object
format: date-time
expirationSource
optional
brand
optional
String
expirationInterval
optional
Number (Long)
format: int64
expirationPolicy
optional
String
instance
optional
String
moduleId
optional
String
setTime
optional
Object
format: date-time
source
optional
String
user
optional
String
expirationStatus
optional
String
firstSeen
optional
Object
format: date-time
firstSeenEntryID
optional
String
highlight
optional
Map
id
optional
String
indexName
optional
String
indicator_type
optional
String
insightCache
optional
InsightCache - maps each insight name to all of its metadata; the name is case-insensitive
cacheVersn
optional
Number (Long)
format: int64
created
optional
Object
format: date-time
highlight
optional
Map
id
optional
String
indexName
optional
String
modified
optional
Object
format: date-time
numericId
optional
Number (Long)
format: int64
primaryTerm
optional
Number (Long)
format: int64
scores
optional
Map
DBotScore - Contains the score of a specific brand for a specific insight
content
optional
String
contentFormat
optional
String
context
optional
Map of objects
isTypedIndicator
optional
Boolean
reliability
optional
String
score
optional
Number (Long)
format: int64
scoreChangeTimestamp
optional
Object
We need to track when the score changes to know if we need to re-calculate the overall score. format: date-time
timestamp
optional
Object
format: date-time
type
optional
String
sequenceNumber
optional
Number (Long)
format: int64
sizeInBytes
optional
Number (Long)
format: int64
sortValues
optional
Array of strings
syncHash
optional
String
version
optional
Number (Long)
format: int64
investigationIDs
optional
Array of strings
isDetectable
optional
Boolean
isPreventable
optional
Boolean
isShared
optional
Boolean
lastReputationRun
optional
Object
format: date-time
lastSeen
optional
Object
format: date-time
lastSeenEntryID
optional
String
manualExpirationTime
optional
Object
format: date-time
manualScore
optional
Boolean
manualSetTime
optional
Object
format: date-time
manuallyEditedFields
optional
Array of strings
modified
optional
Object
format: date-time
modifiedTime
optional
Object
format: date-time
moduleToFeedMap
optional
Map
ExpirationSource
optional
brand
optional
String
expirationInterval
optional
Number (Long)
format: int64
expirationPolicy
optional
String
instance
optional
String
moduleId
optional
String
setTime
optional
Object
format: date-time
source
optional
String
user
optional
String
bypassExclusionList
optional
Boolean
classifierId
optional
String
classifierVersion
optional
Number (Long)
format: int64
comments
optional
Array
content
optional
String
created
optional
Object
format: date-time
id
optional
String
user
optional
String
expirationInterval
optional
Number (Long)
format: int64
expirationPolicy
optional
String
fetchTime
optional
Object
format: date-time
fields
optional
Map of objects
The keys should be the field's display name in all lowercase and without spaces. For example: Scan IP -> scanip. To get the actual key name, you can also go to the Cortex XSOAR CLI, run /incident_add, and look for the key that you would like to update.
isEnrichment
optional
Boolean
mapperId
optional
String
mapperVersion
optional
Number (Long)
format: int64
modifiedTime
optional
Object
format: date-time
moduleId
optional
String
rawJSON
optional
Map of objects
relationships
optional
Array
brand
optional
String
entityA
optional
String
entityAFamily
optional
String
entityAType
optional
String
entityB
optional
String
entityBFamily
optional
String
entityBType
optional
String
fields
optional
Map of objects
The keys should be the field's display name in all lowercase and without spaces. For example: Scan IP -> scanip. To get the actual key name, you can also go to the Cortex XSOAR CLI, run /incident_add, and look for the key that you would like to update.
id
optional
String
instance
optional
String
name
optional
String
reliability
optional
String
reverseName
optional
String
startTime
optional
Object
format: date-time
type
optional
String
reliability
optional
String
score
optional
Number (Long)
format: int64
sourceBrand
optional
String
sourceInstance
optional
String
timestamp
optional
Object
format: date-time
type
optional
String
value
optional
String
numericId
optional
Number (Long)
format: int64
primaryTerm
optional
Number (Long)
format: int64
relatedIncCount
optional
Number (Long)
format: int64
score
optional
Number (Long)
format: int64
sequenceNumber
optional
Number (Long)
format: int64
setBy
optional
String
sizeInBytes
optional
Number (Long)
format: int64
sortValues
optional
Array of strings
source
optional
String
sourceBrands
optional
Array of strings
sourceInstances
optional
Array of strings
syncHash
optional
String
timestamp
optional
Object
format: date-time
value
optional
String
version
optional
Number (Long)
format: int64