Insert Parsed Alerts

Upload alerts from external alert sources.

Synopsis

URI: /public_api/v1/alerts/insert_parsed_alerts/
HTTP Method: POST
Required License: Cortex XDR Pro-Endpoint or Cortex XDR Pro per TB

Description

Upload alerts from external alert sources in Cortex XDR format. Cortex XDR displays alerts that are parsed successfully in related incidents and views.
You can send 600 alerts per minute. Each request can contain a maximum of 60 alerts.

Request Fields

The body of this request contains a JSON object with the following fields:

Field           Description
request_data    (Required) A dictionary containing the API request fields.
alerts          List of alerts in Cortex XDR format, each containing the following keywords:
                  • product — String value that defines the product.
                  • vendor — String value that defines the vendor.
                  • local_ip — String value for the source IP address.
                  • local_port — Integer value for the source port.
                  • remote_ip — String value for the destination IP address.
                  • remote_port — Integer value for the destination port.
                  • event_timestamp — Integer value representing the epoch time at which the alert occurred, in milliseconds.
                  • severity — (Optional) String value of the alert severity: Informational, Low, Medium, High, or Unknown.
                  • alert_name — String defining the alert name.
                  • alert_description — (Optional) String defining the alert description.
                  • action_status — (Optional) String defining the alert action status. Valid values are Reported or Blocked.
Request Example

curl -X POST https://api-{fqdn}/public_api/v1/alerts/insert_parsed_alerts/ \
  -H "x-xdr-auth-id:{API_KEY_ID}" \
  -H "Authorization:{API_KEY}" \
  -H "Content-Type:application/json" \
  -d '{
    "request_data": {
      "alerts": [
        {
          "product": "VPN & Firewall-1",
          "vendor": "<vendor name>",
          "local_ip": "<IP address>",
          "local_port": <port>,
          "remote_ip": "<IP address>",
          "remote_port": <port>,
          "event_timestamp": 1543270652000,
          "severity": "Low",
          "alert_name": "Alert Name Example",
          "alert_description": "Alert Description",
          "action_status": "Reported"
        }
      ]
    }
  }'

Success Response

Upon success, the HTTP response code is 200.

Field    Description
reply    JSON object containing the query result:
           • true — Upload successful.

Error Response

Upon error, the reply includes an HTTP response code, an error message, and additional information describing the error. The HTTP response code is one of the following:

HTTP Code   Description
400         Bad Request. Got an invalid JSON.
401         Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, id, or other invalid authentication parameters.
402         Unauthorized access. User does not have the required license type to run this API.
403         Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.
500         Internal server error. A unified status for API communication type errors.

Error Response Format

{"reply": {"err_code": STATUS_CODE, "err_msg": GENERAL_MESSAGE, "err_extra": EXTRA_DATA}}
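The following Python helper is an added example, not code from the Cortex XDR documentation or SDK: it checks alerts against the field rules above (integer ports, millisecond timestamps, the documented severity and action_status values), splits them into request bodies that respect the 60-alerts-per-request cap, and interprets the success and error reply shapes. The sample alert values and the seconds-versus-milliseconds heuristic are constructed assumptions.

```python
import json

SEVERITIES = {"Informational", "Low", "Medium", "High", "Unknown"}
ACTION_STATUSES = {"Reported", "Blocked"}
MAX_ALERTS_PER_REQUEST = 60  # per-request cap stated in the description
REQUIRED = ("product", "vendor", "local_ip", "local_port", "remote_ip",
            "remote_port", "event_timestamp", "alert_name")

# Constructed sample alert; values are placeholders, not real hosts.
SAMPLE_ALERT = {
    "product": "VPN & Firewall-1", "vendor": "ExampleVendor",
    "local_ip": "10.0.0.5", "local_port": 4443,
    "remote_ip": "198.51.100.7", "remote_port": 443,
    "event_timestamp": 1543270652000, "severity": "Low",
    "alert_name": "Alert Name Example", "action_status": "Reported",
}

def validate_alert(alert):
    """Return a list of problems; empty means the alert matches the documented format."""
    problems = [f"missing {k}" for k in REQUIRED if k not in alert]
    for k in ("local_port", "remote_port"):
        if k in alert and not (isinstance(alert[k], int) and 0 <= alert[k] <= 65535):
            problems.append(f"{k} must be an integer port")
    ts = alert.get("event_timestamp")
    # Heuristic (assumption): any epoch value below 10**12 is seconds, not milliseconds.
    if ts is not None and (not isinstance(ts, int) or ts < 10**12):
        problems.append("event_timestamp must be epoch milliseconds, not seconds")
    if alert.get("severity", "Unknown") not in SEVERITIES:
        problems.append("severity not in the documented set")
    if alert.get("action_status", "Reported") not in ACTION_STATUSES:
        problems.append("action_status must be Reported or Blocked")
    return problems

def build_requests(alerts):
    """Validate every alert, then chunk them into request bodies of at most 60 alerts."""
    bad = {i: validate_alert(a) for i, a in enumerate(alerts) if validate_alert(a)}
    if bad:
        raise ValueError(f"rejected alerts: {bad}")
    return [{"request_data": {"alerts": alerts[i:i + MAX_ALERTS_PER_REQUEST]}}
            for i in range(0, len(alerts), MAX_ALERTS_PER_REQUEST)]

def interpret_reply(status, body):
    """Map an HTTP status and JSON body to (ok, message) using the documented reply shapes."""
    reply = json.loads(body).get("reply")
    if status == 200 and reply is True:
        return True, "upload successful"
    if isinstance(reply, dict):  # error format: err_code / err_msg / err_extra
        return False, f"{reply.get('err_code')}: {reply.get('err_msg')} ({reply.get('err_extra')})"
    return False, f"unexpected response with HTTP {status}"
```

Send each body returned by build_requests as a separate POST, pacing requests so no more than 600 alerts leave per minute.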
