Insert Simple Indicators, CSV

Insert a threat indicator using a comma separated list.

Synopsis

URI
/public_api/v1/indicators/insert_csv
HTTP Method
POST
Required License
Cortex XDR Pro per Endpoint

Description

Upload IOCs in CSV format that you retrieved from external threat intelligence sources.

Request Fields

The body of this request contains a JSON object with a single required field: request_data. Its value is a string containing two or more newline-separated lines, each of which is a comma-separated list of values. The first line must be the CSV header. Each subsequent line represents one IOC and must include at least the required CSV fields identified below.
To help you validate the upload, you can also send a separate validate field; when the call is unsuccessful, the response then includes an array describing the errors found.
Field
Description
request_data
(Required) String containing the CSV data described above: a header line followed by one line per indicator. The CSV columns named in the header are the following.
indicator
(Required) String that identifies the indicator you want to insert into Cortex XDR.
type
(Required) Keyword identifying the type of indicator. Valid values are:
  • HASH
  • IP
  • PATH
  • DOMAIN_NAME
  • FILENAME
severity
(Required) Keyword identifying the indicator's severity. Valid values are:
  • INFO
  • LOW
  • MEDIUM
  • HIGH
expiration_date
Integer representing the indicator's expiration timestamp, as a Unix epoch value in milliseconds. If the indicator never expires, use Never. If this value is NULL, the indicator receives the default expiration date configured for its type. Valid default values are:
  • 7 days
  • 30 days
  • 90 days
  • 180 days
comment
Comment string.
reputation
Keyword representing the indicator's reputation. Valid values are:
  • GOOD
  • BAD
  • SUSPICIOUS
  • UNKNOWN
reliability
Character representing the indicator's reliability rating. Valid values are A to F, where A is the most reliable and F the least.
class
String representing the indicator class (for example, 'Malware').
vendor.name
String representing the name of the vendor who reported this indicator.
vendor.reputation
Keyword representing the vendor's reputation. Valid values are:
  • GOOD
  • BAD
  • SUSPICIOUS
  • UNKNOWN
vendor.reliability
Character representing the vendor's reliability rating. Valid values are A to F, where A is the most reliable and F the least.
validate
Boolean, True or False, indicating whether to return an array of errors when the insert request is unsuccessful.
Request Example (line continuations added for readability; the CSV string itself must not contain extra whitespace, because spaces after a comma or newline become part of the field value)
curl -X POST https://api-{fqdn}/public_api/v1/indicators/insert_csv/ \
  -H 'x-xdr-auth-id:{API_KEY_ID}' \
  -H 'authorization:{API_KEY}' \
  -H 'content-type: application/json' \
  -d '{"request_data": "indicator,type,severity,expiration_date,comment,reputation,reliability,class,vendor.name,vendor.reputation,vendor.reliability\nB2c74bf609159f27dd89a829501ec34d6596d8b39a2cce7add73a8207088817a,HASH,HIGH,1587054895000,This is an example IOC,BAD,D,Malware,IBM,GOOD,B\nA2c74bf609159f27dd89a829501ec34d6596d8b39a2cce7add73a8207088817a,HASH,LOW,1587054895000,This is an example IOC,GOOD,D,Malware,PANW,BAD,A\n"}'

Success Response

Upon success, the HTTP response code is 200.
Field
Description
reply
JSON object containing the query result.
success
true. The upload succeeded.
validation_errors
Empty array.

Unsuccessful Response

Upon an unsuccessful request, the response includes the following fields.
Field
Description
reply
JSON object containing the query result.
success
false. One or more indicators failed to upload.
validation_errors
Array of objects, each with the following fields:
  • indicator
    Name of the indicator that failed to upload.
  • error
    Description of the error that caused the indicator to fail to upload.
Response Example
{
  "reply": {
    "success": false,
    "validation_errors": [
      {
        "indicator": "testtest.com",
        "error": "Got type: HASH, Indicator: testtest.com mismatch"
      }
    ]
  }
}
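The request shape described under Request Fields (the request_data CSV string and the validate flag) and the reply shape documented in the Success Response and Unsuccessful Response sections fit together in a small client. The following Python example is added here and is not Palo Alto Networks code: it builds request_data from a list of indicator records, rejects locally the kind of type/indicator mismatch shown in the response example above, and turns a reply into a map of failed indicators. The sample records, the ExampleVendor name, and the hostname and key values passed to send_indicators are constructed placeholders; the local shape checks (hash lengths, dotted-quad IPv4, domain syntax) are this example's own assumptions about what the server accepts, not rules stated on this page.

```python
"""Build and check an insert_csv request for the Cortex XDR indicators API.

Added example, not Palo Alto Networks code. It assumes only the request and
response shapes documented on this page; the sample IOCs, vendor name, host
and key values below are constructed placeholders.
"""
import csv
import io
import json
import re
import urllib.request

# Column order used for the request_data header (same order as the curl example).
CSV_FIELDS = ["indicator", "type", "severity", "expiration_date", "comment",
              "reputation", "reliability", "class", "vendor.name",
              "vendor.reputation", "vendor.reliability"]
REQUIRED = ("indicator", "type", "severity")
TYPES = {"HASH", "IP", "PATH", "DOMAIN_NAME", "FILENAME"}
SEVERITIES = {"INFO", "LOW", "MEDIUM", "HIGH"}
REPUTATIONS = {"GOOD", "BAD", "SUSPICIOUS", "UNKNOWN"}
RELIABILITIES = set("ABCDEF")

# Local shape checks (assumption of this example, not a documented rule) so an
# obvious type/indicator mismatch, the kind the server rejects with
# "Got type: HASH, Indicator: ... mismatch", is caught before the call.
# HASH: MD5/SHA-1/SHA-256 hex; IP: dotted-quad IPv4; DOMAIN_NAME: dotted labels.
_SHAPE = {
    "HASH": re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$"),
    "IP": re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$"),
    "DOMAIN_NAME": re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE),
}

# Constructed sample records (not real threat intelligence).
SAMPLE_IOCS = [
    {"indicator": "b2c74bf609159f27dd89a829501ec34d6596d8b39a2cce7add73a8207088817a",
     "type": "HASH", "severity": "HIGH", "expiration_date": 1587054895000,
     "comment": "Dropper, seen in lab", "reputation": "BAD", "reliability": "D",
     "class": "Malware", "vendor.name": "ExampleVendor",
     "vendor.reputation": "GOOD", "vendor.reliability": "B"},
    {"indicator": "testtest.com", "type": "DOMAIN_NAME", "severity": "LOW",
     "expiration_date": "Never"},
]


def check_ioc(ioc):
    """Return a list of problems with one IOC record (empty list means ok)."""
    problems = [f"missing required field {f}" for f in REQUIRED if not ioc.get(f)]
    if problems:
        return problems
    if ioc["type"] not in TYPES:
        problems.append(f"bad type {ioc['type']!r}")
    if ioc["severity"] not in SEVERITIES:
        problems.append(f"bad severity {ioc['severity']!r}")
    for f in ("reputation", "vendor.reputation"):
        if ioc.get(f) and ioc[f] not in REPUTATIONS:
            problems.append(f"bad {f} {ioc[f]!r}")
    for f in ("reliability", "vendor.reliability"):
        if ioc.get(f) and ioc[f] not in RELIABILITIES:
            problems.append(f"bad {f} {ioc[f]!r}")
    exp = ioc.get("expiration_date")
    if exp not in (None, "", "Never") and not str(exp).isdigit():
        problems.append("expiration_date must be epoch milliseconds or Never")
    pat = _SHAPE.get(ioc["type"])
    if pat and not pat.match(ioc["indicator"]):
        problems.append(f"indicator does not look like a {ioc['type']}")
    return problems


def build_request_data(iocs):
    """Serialize IOC dicts as the CSV string the API expects in request_data.

    csv.DictWriter quotes a field that contains a comma (for example a comment),
    so the column count stays correct; missing optional columns are left empty.
    """
    bad = {}
    for ioc in iocs:
        problems = check_ioc(ioc)
        if problems:
            bad[ioc.get("indicator", "<missing>")] = problems
    if bad:
        raise ValueError(f"invalid IOCs: {bad}")
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=CSV_FIELDS, lineterminator="\n")
    writer.writeheader()
    for ioc in iocs:
        writer.writerow({f: ioc.get(f, "") for f in CSV_FIELDS})
    return buf.getvalue()


def build_body(iocs, validate=True):
    """The JSON body: request_data plus the optional validate flag."""
    return {"request_data": build_request_data(iocs), "validate": validate}


def failed_indicators(reply_json):
    """Map indicator -> error from a reply body; an empty dict means success."""
    reply = json.loads(reply_json)["reply"]
    if reply["success"]:
        return {}
    return {e["indicator"]: e["error"] for e in reply["validation_errors"]}


def send_indicators(fqdn, api_key_id, api_key, iocs, validate=True):
    """POST the body; URL and header names follow the curl example on this page."""
    req = urllib.request.Request(
        f"https://api-{fqdn}/public_api/v1/indicators/insert_csv",
        data=json.dumps(build_body(iocs, validate)).encode(),
        headers={"x-xdr-auth-id": api_key_id, "authorization": api_key,
                 "content-type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req) as resp:  # raises HTTPError on 4xx/5xx
        return failed_indicators(resp.read().decode())
```

Calling build_body(SAMPLE_IOCS) offline shows the exact string that goes into request_data; only send_indicators touches the network. Keeping validate set to True means a rejected batch comes back with a per-indicator reason rather than a bare false.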

Error Response

Upon error, the reply includes an HTTP response code, an error message, and additional information describing the error. The HTTP response code is one of the following:
Code
Description
400
Bad Request.
401
Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, id, or other invalid authentication parameters.
402
Unauthorized access. User does not have the required license type to run this API.
403
Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.
500
Internal server error. A unified status for API communication type errors.
Error Response Format
{"reply": {"err_code": STATUS_CODE, "err_msg": GENERAL_MESSAGE, "err_extra": EXTRA_DATA}}
