Insert Simple Indicators, CSV

Insert a threat indicator using a comma separated list.

Synopsis

URI: /public_api/v1/indicators/insert_csv
HTTP Method: POST
Required License: Cortex XDR Pro per Endpoint

Description

Upload IOCs in CSV format that you retrieved from external threat intelligence sources.

Request Fields

The body of this request contains a JSON object with a single field, request_data. This field is required. Its value is a string containing two or more lines of comma-separated values. The first line must contain the CSV header. All subsequent lines must represent IOC data. Each line must include at a minimum the required CSV fields, which are identified below.
indicator (Required)
    String that identifies the indicator you want to insert into Cortex XDR.
type (Required)
    Keyword identifying the type of indicator. Valid values are:
      • HASH
      • IP
      • PATH
      • DOMAIN_NAME
      • FILENAME
severity (Required)
    Keyword identifying the indicator's severity. Valid values are:
      • INFO
      • LOW
      • MEDIUM
      • HIGH
expiration_date
    Integer representing the indicator's expiration timestamp. This is a Unix epoch timestamp value, in milliseconds. If this indicator has no expiration, use -1. If this value is NULL, the indicator receives the default expiration date for its type.
comment
    Comment string.
reputation
    Keyword representing the indicator's reputation. Valid values are:
      • GOOD
      • BAD
      • SUSPICIOUS
      • UNKNOWN
reliability
    Character representing the indicator's reliability rating. Valid values are A - F. A is the most reliable, F is the least.
class
    String representing the indicator class (for example, 'Malware').
vendor.name
    String representing the name of the vendor who reported this indicator.
vendor.reputation
    Keyword representing the vendor's reputation. Valid values are:
      • GOOD
      • BAD
      • SUSPICIOUS
      • UNKNOWN
vendor.reliability
    Character representing the vendor's reliability rating. Valid values are A - F. A is the most reliable, F is the least.
Request Example (whitespace added for readability)

curl -X POST https://api-{fqdn}/public_api/v1/indicators/insert_csv/ \
  -H 'x-xdr-auth-id:{API_KEY_ID}' \
  -H 'authorization:{API_KEY}' \
  -H 'content-type: application/json' \
  -d '{"request_data": "indicator,type,severity,expiration_date,
  comment,reputation,reliability,class,vendor.name,vendor.reputation,
  vendor.reliability\n
  B2c74bf609159f27dd89a829501ec34d6596d8b39a2cce7add73a8207088817a,
  HASH,HIGH,1587054895000,This is an example IOC,BAD,D,Malware,IBM,
  GOOD,B\n
  A2c74bf609159f27dd89a829501ec34d6596d8b39a2cce7add73a8207088817a,
  HASH,LOW,1587054895000,This is an example IOC,GOOD,D,Malware,PANW,
  BAD,A\n"}'
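The following Python helper is added here and is not part of the Cortex XDR documentation: it validates IOC records against the field table above (required fields, allowed keywords, the -1 / NULL expiration rule) and serialises them into the {"request_data": "<csv>"} body the endpoint expects. The sample hash, domain and vendor name are constructed placeholders.

```python
import csv
import io
import json

# Allowed keyword values, copied from the field table above.
TYPES = {"HASH", "IP", "PATH", "DOMAIN_NAME", "FILENAME"}
SEVERITIES = {"INFO", "LOW", "MEDIUM", "HIGH"}
REPUTATIONS = {"GOOD", "BAD", "SUSPICIOUS", "UNKNOWN"}
RELIABILITIES = set("ABCDEF")
REQUIRED = ("indicator", "type", "severity")
OPTIONAL = ("expiration_date", "comment", "reputation", "reliability",
            "class", "vendor.name", "vendor.reputation", "vendor.reliability")

def validate_ioc(ioc):
    """Raise ValueError if an IOC dict violates the documented constraints."""
    for name in REQUIRED:
        if not ioc.get(name):
            raise ValueError(f"missing required field {name!r}")
    if ioc["type"] not in TYPES or ioc["severity"] not in SEVERITIES:
        raise ValueError(f"bad type/severity for {ioc['indicator']!r}")
    for name in ("reputation", "vendor.reputation"):
        if name in ioc and ioc[name] not in REPUTATIONS:
            raise ValueError(f"invalid {name}: {ioc[name]!r}")
    for name in ("reliability", "vendor.reliability"):
        if name in ioc and ioc[name] not in RELIABILITIES:
            raise ValueError(f"invalid {name}: {ioc[name]!r}")
    exp = ioc.get("expiration_date")  # absent -> type default, -1 -> never expires
    if exp is not None and not (isinstance(exp, int) and (exp == -1 or exp > 0)):
        raise ValueError("expiration_date must be -1 or a positive epoch in ms")

def build_request_body(iocs):
    """Serialise IOC dicts into the {"request_data": "<csv>"} JSON body."""
    buf = io.StringIO()
    # Header line first, then one IOC per line, as the endpoint requires.
    writer = csv.DictWriter(buf, fieldnames=REQUIRED + OPTIONAL, lineterminator="\n")
    writer.writeheader()
    for ioc in iocs:
        validate_ioc(ioc)
        writer.writerow(ioc)  # omitted optional fields are written empty
    return json.dumps({"request_data": buf.getvalue()})

# Constructed sample feed; the hash and domain are placeholders, not real IOCs.
SAMPLE_IOCS = [
    {"indicator": "a" * 64, "type": "HASH", "severity": "HIGH",
     "expiration_date": 1587054895000, "comment": "constructed sample",
     "reputation": "BAD", "reliability": "B", "class": "Malware",
     "vendor.name": "ExampleFeed", "vendor.reputation": "GOOD", "vendor.reliability": "A"},
    {"indicator": "c2.example", "type": "DOMAIN_NAME", "severity": "MEDIUM",
     "expiration_date": -1, "reputation": "SUSPICIOUS", "reliability": "D"},
]
```

The returned string is what goes in the curl -d argument above; the page does not state whether the server honours RFC 4180 quoting, so keep comment strings free of commas.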

Success Response

Upon success, the HTTP response code is 200.
reply
    JSON object containing a query result.
      • true: Upload successful.

Error Response

Upon error, the reply includes an HTTP response code, an error message, and additional information describing the error. The HTTP response code is one of the following:
400: Bad Request.
401: Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, id, or other invalid authentication parameters.
402: Unauthorized access. User does not have the required license type to run this API.
403: Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.
500: Internal server error. A unified status for API communication type errors.
Error Response Format
{"reply": {"err_code": STATUS_CODE, "err_msg": GENERAL_MESSAGE, "err_extra": EXTRA_DATA}}
