Insert CEF Alerts

Upload alerts in CEF Format.

Synopsis

URI
/public_api/v1/alerts/insert_cef_alerts/
HTTP Method
POST
Required License
Cortex XDR Pro per TB

Description

Upload alerts in CEF format from external alert sources. After you map CEF alert fields to Cortex XDR fields, Cortex XDR displays the alerts in related incidents and views.
You can send 600 alerts per minute.

Request Fields

The body of this request contains a JSON object with the following fields:
Field
Description
request_data
(
Required
) A dictionary containing the API request fields.
alerts
(
Required
) Comma-separated list of alerts in CEF format.
Request Example
curl -X POST https://api-{fqdn}/public_api/v1/alerts/insert_cef_alerts/ \ -H "x-xdr-auth-id:{API_KEY_ID}" \ -H "Authorization:{API_KEY}" \ -H "Content-Type:application/json" \ -d '{ "request_data": { "alerts": [ "CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|microsoft-ds|Unknown| act=AcceptdeviceDirection=0 rt=1569---000 spt=5---57 dpt=4---5 cs2Label=Rule Name cs2=ADPrimery layer_name=FW_Device_blackened Securitylayer_uuid=07-----fc7-1a5c-71b8c match_id=1---6 parent_rule=0rule_action=Accept rule_uid=8----be5c ifname=bond2logid=0 loguid={0x5d8c5388,0x61,0x29321fac,0xc0000022} origin=1.1.1.1originsicname=CN=DWdeviceBlackend,O=Blackend sequencenum=363 version=5dst=1.1.1.1 inzone=External outzone=Internal product=VPN-1 & FireWall-1 proto=6service_id=microsoft-ds src=1.1.1.1", "CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|Log|Unknown| act=AcceptdeviceDirection=0 rt=1569477501000 spt=63088 dpt=5985 cs2Label=Rule Namelayer_name=FW_Device_blackened Securitylayer_uuid=07693f---e96c71b8c match_id=8----9 parent_rule=0rule_action=Accept rule_uid=ae9---70f-ab1c-1ad552c82369conn_direction=Internal ifname=bond1.12 logid=0loguid={0x5d8c537d,0xbb,0x29321fac,0xc0000014} origin=1.1.1.1originsicname=CN=DWdeviceBlackend,O=Blackend sequencenum=899 version=5dst=1.1.1.1 product=VPN-1 & FireWall-1 proto=6 src=1.1.1.1" ] } }'

Success Response

Upon success, the HTTP response code is 200.
Field
Description
reply
JSON object containing a query result.
  • true
    —Upload successful.

Error Response

Upon error, the reply includes an HTTP response code, an error message, and additional information describing the error. The HTTP response code is one of the following:
Field
Description
400
Bad Request. Got an invalid JSON.
401
Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, id, or other invalid authentication parameters.
402
Unauthorized access. User does not have the required license type to run this API.
403
Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.
500
Internal server error. A unified status for API communication type errors.
Error Response Format
{"reply": {"err_code": STATUS_CODE, "err_msg": GENERAL_MESSAGE, "err_extra": EXTRA_DATA}}

Recommended For You