1. Home
    2. Cortex
    3. Cortex XDR
    4. Cortex XDR™ API Reference
    5. Cortex XDR APIs
    6. Incident Management APIs
    7. Insert CEF Alerts

    Insert CEF Alerts

    Upload alerts in CEF Format.

    Synopsis

    URI
    /public_api/v1/alerts/insert_cef_alerts/
    HTTP Method
    POST
    Required License
    Cortex XDR Pro per TB

    Description

    Upload alerts in CEF format from external alert sources. After you map CEF alert fields to Cortex XDR fields, Cortex XDR displays the alerts in related incidents and views.
    You can send 600 alerts per minute.

    Request Fields

    The body of this request contains a JSON object with the following fields:
    Field
    Description
    request_data
    (
    Required
    ) A dictionary containing the API request fields.
    alerts
    (
    Required
    ) Comma-separated list of alerts in CEF format.
    Request Example
    curl -X POST https://api-{fqdn}/public_api/v1/alerts/insert_cef_alerts/ \
-H "x-xdr-auth-id:{API_KEY_ID}" \
-H "Authorization:{API_KEY}" \
-H "Content-Type:application/json" \
-d '{
       "request_data": {
            "alerts": [
            "CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|microsoft-ds|Unknown|
            act=AcceptdeviceDirection=0 rt=1569---000 spt=5---57 dpt=4---5
            cs2Label=Rule Name cs2=ADPrimery layer_name=FW_Device_blackened
            Securitylayer_uuid=07-----fc7-1a5c-71b8c match_id=1---6
            parent_rule=0rule_action=Accept rule_uid=8----be5c
            ifname=bond2logid=0 loguid={0x5d8c5388,0x61,0x29321fac,0xc0000022}
            origin=1.1.1.1originsicname=CN=DWdeviceBlackend,O=Blackend sequencenum=363
            version=5dst=1.1.1.1 inzone=External outzone=Internal product=VPN-1 & FireWall-1
            proto=6service_id=microsoft-ds src=1.1.1.1",
            "CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|Log|Unknown|
            act=AcceptdeviceDirection=0 rt=1569477501000 spt=63088 dpt=5985
            cs2Label=Rule Namelayer_name=FW_Device_blackened
            Securitylayer_uuid=07693f---e96c71b8c match_id=8----9
            parent_rule=0rule_action=Accept
            rule_uid=ae9---70f-ab1c-1ad552c82369conn_direction=Internal ifname=bond1.12
            logid=0loguid={0x5d8c537d,0xbb,0x29321fac,0xc0000014}
            origin=1.1.1.1originsicname=CN=DWdeviceBlackend,O=Blackend sequencenum=899
            version=5dst=1.1.1.1 product=VPN-1 & FireWall-1 proto=6 src=1.1.1.1"
            ]
        }
    }'

    Success Response

    Upon success, the HTTP response code is 200.
    Field
    Description
    reply
    JSON object containing a query result.
    • true
      —Upload successful.

    Error Response

    Upon error, the reply includes an HTTP response code, an error message, and additional information describing the error. The HTTP response code is one of the following:
    Field
    Description
    400
    Bad Request. Got an invalid JSON.
    401
    Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, id, or other invalid authentication parameters.
    402
    Unauthorized access. User does not have the required license type to run this API.
    403
    Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.
    500
    Internal server error. A unified status for API communication type errors.
    Error Response Format
    {"reply": {"err_code": STATUS_CODE, "err_msg": GENERAL_MESSAGE, "err_extra": EXTRA_DATA}}

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2021 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo