1. Home
    2. Security Operations
    3. Cortex XDR
    4. Cortex XDR™ API Reference
    5. Cortex XDR APIs
    6. Rule Management APIs
    7. Insert Simple Indicators, CSV

    Insert Simple Indicators, CSV

    Insert a threat indicator using a comma separated list.

    Synopsis

    URI
    /public_api/v1/indicators/insert_csv
    HTTP Method
    POST
    Required License
    Cortex XDR Pro per Endpoint

    Description

    Upload IOCs in CSV format that you retrieved from external threat intelligence sources.
    Cortex XDR does not scan historic data, but rather only new incoming data.

    Request Fields

    The body of this request contains a JSON object with a single field:
    request_data
    . This field is required. Its value is as string containing two or more comma-separated lines. The first line must contain the CSV header. All subsequent lines must represent IOC data. Each line must include at a minimum the required CSV fields, which are identified below.
    To help you validate the upload, you can send a separate
    validate
     field to view an array of errors with an unsuccessful call.
    Field
    Description
    request_data
    (
    Required
    ) A dictionary containing the API request fields.
    indicator
    (
    Required
    ) String that identifies the indicator you want to insert into Cortex XDR.
    type
    (
    Required
    ) Keyword identifying the type of indicator. Valid values are:
    • HASH
    • IP
    • PATH
    • DOMAIN_NAME
    • FILENAME
    severity
    (
    Required
    ) Keyword identifying the indicator's severity. Valid values are:
    • informational
    • low
    • medium
    • high
    • critical
    • unknown
    expiration_date
    Integer representing the indicator's expiration timestamp. This is a Unix epoch timestamp value, in milliseconds. If this indicator has no expiration, use
    Never
    . If this value is NULL, the indicator receives the indicator's
    type
     value with the default expiration date. Valid values are:
    • 7 days
    • 30 days
    • 90 days
    • 180 days
    comment
    Comment string.
    reputation
    Keyword representing the indicator's reputation. Valid values are:
    • GOOD
    • BAD
    • SUSPICIOUS
    • UNKNOWN
    reliability
    Character representing the indicator's reliability rating. Valid values are A - F. A is the most reliable, F is the least.
    class
    String representing the indicator class (for example, 'Malware').
    vendor.name
    String representing the name of the vendor who reported this indicator.
    vendor.reputation
    Keyword representing the vendor's reputation. Valid values are:
    • GOOD
    • BAD
    • SUSPICIOUS
    • UNKNOWN
    vendor.reliability
    Character representing the vendor's reliability rating. Valid values are A - F. A is the most reliable, F is the least.
    validate
    —Boolean,
    True
     or
    False
     if whether to r return an array of errors in the case of an unsuccessful update indicator API request.
    Request Example (whitespace added for readability)
    curl -X POST https://api-{fqdn}/public_api/v1/indicators/insert_csv/ \
  -H 'x-xdr-auth-id:{API_KEY_ID}' \
  -H 'authorization:{API_KEY}' \
  -H 'content-type: application/json' \
  -d '{"request_data": "indicator,type,severity,expiration_date,
comment,reputation,reliability,class,vendor.name,vendor.reputation,
vendor.reliability\n
B2c74bf609159f27dd89a829501ec34d6596d8b39a2cce7add73a8207088817a,
HASH,HIGH,1587054895000,This is an example IOC,BAD,D,Malware,IBM,
GOOD,B\n
A2c74bf609159f27dd89a829501ec34d6596d8b39a2cce7add73a8207088817a,
HASH,LOW,1587054895000,This is an example IOC,GOOD,D,Malware,PANW,
BAD,A\n"}'

    Success Response

    Upon success, the HTTP response code is 200.
    Field
    Description
    reply
    -— JSON object containing a query result.
    success
    true
    —Upload successful.
    validation_errors
    Empty array.

    Unsuccessful Response

    Upon on unsuccessful request, the response includes the following fields.
    Field
    Description
    reply
    -— JSON object containing a query result.
    success
    false
    —One or more indicators failed to upload.
    validation_errors
    Array of the following fields:
    • indicator
      —Name of the indicator that failed to upload.
    • error
      —Description of the error that caused the indicator to upload.
    Response Example
    {
   "reply":{
      "success":false,
      "validation_errors":[
         {
            "indicator":"testtest.com",
            "error":"Got type: HASH, Indicator: testtest.com mismatch"
         }
      ]
   }
}

    Error Response

    Upon error, the reply includes an HTTP response code, an error message, and additional information describing the error. The HTTP response code is one of the following:
    Field
    Description
    400
    Bad Request.
    401
    Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, id, or other invalid authentication parameters.
    402
    Unauthorized access. User does not have the required license type to run this API.
    403
    Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.
    500
    Internal server error. A unified status for API communication type errors.
    Error Response Format
    {"reply": {"err_code": STATUS_CODE, "err_msg": GENERAL_MESSAGE, "err_extra": EXTRA_DATA}}

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo