Insert CEF Alerts
Upload alerts in CEF Format.
Synopsis
Attribute | Value |
---|---|
URI | /public_api/v1/alerts/insert_cef_alerts/ |
HTTP Method | POST |
Required License | Cortex XDR Pro per TB |
Description
Upload alerts in CEF format from external alert sources. After you map CEF alert fields to Cortex XDR fields, Cortex XDR displays the alerts in related incidents and views.
You can send 600 alerts per minute.
Request Fields
The body of this request contains a JSON object with the following fields:
Field | Description |
---|---|
request_data | (Required) A dictionary containing the API request fields. |
alerts | (Required) Comma-separated list of alerts in CEF format. |
Request Example
```bash
curl -X POST https://api-{fqdn}/public_api/v1/alerts/insert_cef_alerts/ \
  -H "x-xdr-auth-id:{API_KEY_ID}" \
  -H "Authorization:{API_KEY}" \
  -H "Content-Type:application/json" \
  -d '{
    "request_data": {
      "alerts": [
        "CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|microsoft-ds|Unknown| act=Accept deviceDirection=0 rt=1569---000 spt=5---57 dpt=4---5 cs2Label=Rule Name cs2=ADPrimery layer_name=FW_Device_blackened Security layer_uuid=07-----fc7-1a5c-71b8c match_id=1---6 parent_rule=0 rule_action=Accept rule_uid=8----be5c ifname=bond2 logid=0 loguid={0x5d8c5388,0x61,0x29321fac,0xc0000022} origin=1.1.1.1 originsicname=CN=DWdeviceBlackend,O=Blackend sequencenum=363 version=5 dst=1.1.1.1 inzone=External outzone=Internal product=VPN-1 & FireWall-1 proto=6 service_id=microsoft-ds src=1.1.1.1",
        "CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|Log|Unknown| act=Accept deviceDirection=0 rt=1569477501000 spt=63088 dpt=5985 cs2Label=Rule Name layer_name=FW_Device_blackened Security layer_uuid=07693f---e96c71b8c match_id=8----9 parent_rule=0 rule_action=Accept rule_uid=ae9---70f-ab1c-1ad552c82369 conn_direction=Internal ifname=bond1.12 logid=0 loguid={0x5d8c537d,0xbb,0x29321fac,0xc0000014} origin=1.1.1.1 originsicname=CN=DWdeviceBlackend,O=Blackend sequencenum=899 version=5 dst=1.1.1.1 product=VPN-1 & FireWall-1 proto=6 src=1.1.1.1"
      ]
    }
  }'
```
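As an added example (not part of the Cortex XDR documentation or any Palo Alto Networks SDK), the following Python assembles the same request as the curl command above and validates each CEF line before it is sent: the seven pipe-delimited header fields are checked, the key=value extensions are parsed, and the 600-alerts-per-minute limit is enforced on the client side. The FQDN, key id and key are placeholders, and the sample alert is constructed.

```python
import json
import re
import urllib.request
from typing import Dict, List

# Rate limit stated by the documentation: 600 alerts per minute.
MAX_ALERTS_PER_MINUTE = 600
CEF_HEADER_FIELDS = ("version", "device_vendor", "device_product",
                     "device_version", "signature_id", "name", "severity")

def parse_cef(line: str) -> Dict[str, object]:
    """Split one CEF line into its seven header fields and an extension dict.
    Raises ValueError so malformed lines are rejected before the upload."""
    if not line.startswith("CEF:"):
        raise ValueError("missing CEF: prefix")
    # Header fields are pipe-delimited; a literal pipe inside a field is escaped as \|
    parts = re.split(r"(?<!\\)\|", line[4:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("expected 7 pipe-delimited header fields")
    header = dict(zip(CEF_HEADER_FIELDS, parts[:7]))
    # Extension values may contain spaces (cs2Label=Rule Name), so split on the
    # whitespace that precedes the next key= rather than on every space.
    ext = {m.group(1): m.group(2).strip()
           for m in re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|$)", parts[7].strip())}
    return {"header": header, "extension": ext}

def build_insert_cef_request(fqdn: str, api_key_id: str, api_key: str,
                             alerts: List[str]) -> Dict[str, object]:
    """Validate every alert, then assemble the URL, headers and JSON body."""
    if len(alerts) > MAX_ALERTS_PER_MINUTE:
        raise ValueError(f"send at most {MAX_ALERTS_PER_MINUTE} alerts per minute")
    for line in alerts:
        parse_cef(line)
    return {
        "url": f"https://api-{fqdn}/public_api/v1/alerts/insert_cef_alerts/",
        "headers": {"x-xdr-auth-id": api_key_id, "Authorization": api_key,
                    "Content-Type": "application/json"},
        "body": json.dumps({"request_data": {"alerts": alerts}}),
    }

def send(req: Dict[str, object]) -> Dict[str, object]:
    """POST the assembled request and return the decoded JSON reply."""
    http = urllib.request.Request(req["url"], data=req["body"].encode(),
                                  headers=req["headers"], method="POST")
    with urllib.request.urlopen(http, timeout=30) as resp:
        return json.load(resp)

# Constructed sample alert (not from a real device), shaped like the page's example.
SAMPLE_ALERT = ("CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|microsoft-ds|Unknown| "
                "act=Accept deviceDirection=0 rt=1569477501000 spt=63088 dpt=445 "
                "cs2Label=Rule Name cs2=Allow AD src=10.0.0.5 dst=10.0.0.9")
```

Call `send(build_insert_cef_request(...))` with real credentials to perform the upload; a 401 or 403 reply maps to the error table below.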
Success Response
Upon success, the HTTP response code is 200.
Field | Description |
---|---|
reply | JSON object containing a query result. |
Error Response
Upon error, the reply includes an HTTP response code, an error message, and additional information describing the error. The HTTP response code is one of the following:
Code | Description |
---|---|
400 | Bad Request. Got an invalid JSON. |
401 | Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, id, or other invalid authentication parameters. |
402 | Unauthorized access. User does not have the required license type to run this API. |
403 | Forbidden access. The provided API Key does not have the required RBAC permissions to run this API. |
500 | Internal server error. A unified status for API communication type errors. |
Error Response Format
```json
{"reply": {"err_code": STATUS_CODE, "err_msg": GENERAL_MESSAGE, "err_extra": EXTRA_DATA}}
```