URL: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR-6-API/Batch-export-indicators-to-STIX
Submission: On June 27 via api from US — Scanned from FR

Cortex XSOAR 6 API
© 2024 Palo Alto Networks, Inc. All rights reserved.



CREATE NEW INCIDENT TYPE

post /incidenttype

API to create new Incident Type

CURL
curl -X POST \
  -H "Authorization: [[apiKey]]" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  "https://hostname:443/incidenttype" \
  -d '{ "sizeInBytes" : 4, "autorun" : true, "syncHash" : "syncHash", "remote" : true,
        "readonly" : true, "closureScript" : "closureScript",
        "toServerVersion" : { "Digits" : [ 5, 5 ], "Label" : "Label" },
        "modified" : "2000-01-23T04:56:07.000+00:00", "reputationCalc" : 3.616076749251911,
        "id" : "id", "locked" : true, "numericId" : 2, "sequenceNumber" : 2,
        "created" : "2000-01-23T04:56:07.000+00:00", "indexName" : "indexName", "sla" : 7,
        "extractSettings" : { "mode" : "mode",
          "fieldCliNameToExtractSettings" : { "key" : {
            "extractAsIsIndicatorTypeId" : "extractAsIsIndicatorTypeId",
            "extractIndicatorTypesIDs" : [ "extractIndicatorTypesIDs", "extractIndicatorTypesIDs" ],
            "isExtractingAllIndicatorTypes" : true } } },
        "shouldCommit" : true, "slaReminder" : 1, "version" : 1, "detached" : true,
        "system" : true, "onChangeRepAlg" : 7.061401241503109, "playbookId" : "playbookId",
        "preProcessingScript" : "preProcessingScript", "name" : "name",
        "propagationLabels" : [ "propagationLabels", "propagationLabels" ], "weeks" : 1,
        "color" : "color", "commitMessage" : "commitMessage", "primaryTerm" : 9,
        "packID" : "packID", "highlight" : { "key" : [ "highlight", "highlight" ] },
        "default" : true, "vcShouldIgnore" : true, "prevName" : "prevName", "disabled" : true,
        "definitionId" : "definitionId",
        "fromServerVersion" : { "Digits" : [ 5, 5 ], "Label" : "Label" }, "hours" : 5,
        "itemVersion" : { "Digits" : [ 5, 5 ], "Label" : "Label" },
        "packPropagationLabels" : [ "packPropagationLabels", "packPropagationLabels" ],
        "hoursR" : 5, "cacheVersn" : 0, "sortValues" : [ "sortValues", "sortValues" ],
        "vcShouldKeepItemLegacyProdMachine" : true, "layout" : "layout", "daysR" : 1,
        "days" : 6, "packName" : "packName", "weeksR" : 6 }'

Authentication: api_key (API key sent in the "Authorization" header)
Request
Body
optional

autorun
optional
Boolean


cacheVersn
optional
Number (Long)
format: int64

closureScript
optional
String


color
optional
String


commitMessage
optional
String


created
optional
Object
format: date-time

days
optional
Number (Long)
format: int64

daysR
optional
Number (Long)
format: int64

default
optional
Boolean


definitionId
optional
String


detached
optional
Boolean


disabled
optional
Boolean


extractSettings
optional


fieldCliNameToExtractSettings
optional
Map

extractAsIsIndicatorTypeId
optional
String


extractIndicatorTypesIDs
optional
Array of strings


isExtractingAllIndicatorTypes
optional
Boolean


mode
optional
String


fromServerVersion
optional


Digits
optional
Array of numbers (Long)
WARNING: when adding new attributes or changing the names of the existing ones,
remember to add support in UnmarshalJSON for items that were exported by msgpack.
format: int64

Label
optional
String


highlight
optional
Map


hours
optional
Number (Long)
format: int64

hoursR
optional
Number (Long)
format: int64

id
optional
String


indexName
optional
String


itemVersion
optional


Digits
optional
Array of numbers (Long)
WARNING: when adding new attributes or changing the names of the existing ones,
remember to add support in UnmarshalJSON for items that were exported by msgpack.
format: int64

Label
optional
String


layout
optional
String


locked
optional
Boolean


modified
optional
Object
format: date-time

name
optional
String


numericId
optional
Number (Long)
format: int64

onChangeRepAlg
optional
Number (Double)
format: double

packID
optional
String


packName
optional
String


packPropagationLabels
optional
Array of strings


playbookId
optional
String


preProcessingScript
optional
String


prevName
optional
String


primaryTerm
optional
Number (Long)
format: int64

propagationLabels
optional
Array of strings


readonly
optional
Boolean


remote
optional
Boolean


reputationCalc
optional
Number (Double)
format: double

sequenceNumber
optional
Number (Long)
format: int64

shouldCommit
optional
Boolean


sizeInBytes
optional
Number (Long)
format: int64

sla
optional
Number (Long)
format: int64

slaReminder
optional
Number (Long)
format: int64

sortValues
optional
Array of strings


syncHash
optional
String


system
optional
Boolean


toServerVersion
optional


Digits
optional
Array of numbers (Long)
WARNING: when adding new attributes or changing the names of the existing ones,
remember to add support in UnmarshalJSON for items that were exported by msgpack.
format: int64

Label
optional
String


vcShouldIgnore
optional
Boolean


vcShouldKeepItemLegacyProdMachine
optional
Boolean


version
optional
Number (Long)
format: int64

weeks
optional
Number (Long)
format: int64

weeksR
optional
Number (Long)
format: int64

Responses

IncidentType

Body
autorun
optional
Boolean


cacheVersn
optional
Number (Long)
format: int64

closureScript
optional
String


color
optional
String


commitMessage
optional
String


created
optional
Object
format: date-time

days
optional
Number (Long)
format: int64

daysR
optional
Number (Long)
format: int64

default
optional
Boolean


definitionId
optional
String


detached
optional
Boolean


disabled
optional
Boolean


extractSettings
optional


fieldCliNameToExtractSettings
optional
Map

extractAsIsIndicatorTypeId
optional
String


extractIndicatorTypesIDs
optional
Array of strings


isExtractingAllIndicatorTypes
optional
Boolean


mode
optional
String


fromServerVersion
optional


Digits
optional
Array of numbers (Long)
WARNING: when adding new attributes or changing the names of the existing ones,
remember to add support in UnmarshalJSON for items that were exported by msgpack.
format: int64

Label
optional
String


highlight
optional
Map


hours
optional
Number (Long)
format: int64

hoursR
optional
Number (Long)
format: int64

id
optional
String


indexName
optional
String


itemVersion
optional


Digits
optional
Array of numbers (Long)
WARNING: when adding new attributes or changing the names of the existing ones,
remember to add support in UnmarshalJSON for items that were exported by msgpack.
format: int64

Label
optional
String


layout
optional
String


locked
optional
Boolean


modified
optional
Object
format: date-time

name
optional
String


numericId
optional
Number (Long)
format: int64

onChangeRepAlg
optional
Number (Double)
format: double

packID
optional
String


packName
optional
String


packPropagationLabels
optional
Array of strings


playbookId
optional
String


preProcessingScript
optional
String


prevName
optional
String


primaryTerm
optional
Number (Long)
format: int64

propagationLabels
optional
Array of strings


readonly
optional
Boolean


remote
optional
Boolean


reputationCalc
optional
Number (Double)
format: double

sequenceNumber
optional
Number (Long)
format: int64

shouldCommit
optional
Boolean


sizeInBytes
optional
Number (Long)
format: int64

sla
optional
Number (Long)
format: int64

slaReminder
optional
Number (Long)
format: int64

sortValues
optional
Array of strings


syncHash
optional
String


system
optional
Boolean


toServerVersion
optional


Digits
optional
Array of numbers (Long)
WARNING: when adding new attributes or changing the names of the existing ones,
remember to add support in UnmarshalJSON for items that were exported by msgpack.
format: int64

Label
optional
String


vcShouldIgnore
optional
Boolean


vcShouldKeepItemLegacyProdMachine
optional
Boolean


version
optional
Number (Long)
format: int64

weeks
optional
Number (Long)
format: int64

weeksR
optional
Number (Long)
format: int64


--------------------------------------------------------------------------------




IMPORT AN INCIDENT TYPE

post /incidenttypes/import

Import an incident type to Cortex XSOAR.

CURL
curl -X POST \
  -H "Authorization: [[apiKey]]" \
  -H "Accept: application/json" \
  -F "file=@INCIDENT_TYPE_FILE.json" \
  "https://hostname:443/incidenttypes/import"

INCIDENT_TYPE_FILE.json is a placeholder for the exported incident type file. The -F option makes curl send the request as multipart/form-data with the boundary it generates, so the Content-Type header must not be set by hand (an explicit "Content-Type: multipart/form-data" header would replace curl's own and omit the boundary).

Authentication: api_key (API key sent in the "Authorization" header)
Form parameters
file
required
Object
format: binary
Example: BINARY_DATA_HERE
Responses

The saved incident type

Body
error
optional
String


incidentTypes
optional
Array

autorun
optional
Boolean


cacheVersn
optional
Number (Long)
format: int64

closureScript
optional
String


color
optional
String


commitMessage
optional
String


created
optional
Object
format: date-time

days
optional
Number (Long)
format: int64

daysR
optional
Number (Long)
format: int64

default
optional
Boolean


definitionId
optional
String


detached
optional
Boolean


disabled
optional
Boolean


extractSettings
optional


fieldCliNameToExtractSettings
optional
Map

extractAsIsIndicatorTypeId
optional
String


extractIndicatorTypesIDs
optional
Array of strings


isExtractingAllIndicatorTypes
optional
Boolean


mode
optional
String


fromServerVersion
optional


Digits
optional
Array of numbers (Long)
WARNING: when adding new attributes or changing the names of the existing ones,
remember to add support in UnmarshalJSON for items that were exported by msgpack.
format: int64

Label
optional
String


highlight
optional
Map


hours
optional
Number (Long)
format: int64

hoursR
optional
Number (Long)
format: int64

id
optional
String


indexName
optional
String


itemVersion
optional


Digits
optional
Array of numbers (Long)
WARNING: when adding new attributes or changing the names of the existing ones,
remember to add support in UnmarshalJSON for items that were exported by msgpack.
format: int64

Label
optional
String


layout
optional
String


locked
optional
Boolean


modified
optional
Object
format: date-time

name
optional
String


numericId
optional
Number (Long)
format: int64

onChangeRepAlg
optional
Number (Double)
format: double

packID
optional
String


packName
optional
String


packPropagationLabels
optional
Array of strings


playbookId
optional
String


preProcessingScript
optional
String


prevName
optional
String


primaryTerm
optional
Number (Long)
format: int64

propagationLabels
optional
Array of strings


readonly
optional
Boolean


remote
optional
Boolean


reputationCalc
optional
Number (Double)
format: double

sequenceNumber
optional
Number (Long)
format: int64

shouldCommit
optional
Boolean


sizeInBytes
optional
Number (Long)
format: int64

sla
optional
Number (Long)
format: int64

slaReminder
optional
Number (Long)
format: int64

sortValues
optional
Array of strings


syncHash
optional
String


system
optional
Boolean


toServerVersion
optional


Digits
optional
Array of numbers (Long)
WARNING: when adding new attributes or changing the names of the existing ones,
remember to add support in UnmarshalJSON for items that were exported by msgpack.
format: int64

Label
optional
String


vcShouldIgnore
optional
Boolean


vcShouldKeepItemLegacyProdMachine
optional
Boolean


version
optional
Number (Long)
format: int64

weeks
optional
Number (Long)
format: int64

weeksR
optional
Number (Long)
format: int64


--------------------------------------------------------------------------------




CREATE INDICATOR

post /indicator/create

Create an indicator entity. To update indicator custom fields, lowercase the field
names and remove all spaces. For example: Scan IP -> scanip

CURL
curl -X POST \
  -H "Authorization: [[apiKey]]" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  "https://hostname:443/indicator/create" \
  -d '{ "indicator" : {
          "modifiedTime" : "2000-01-23T04:56:07.000+00:00",
          "deletedFeedFetchTime" : "2000-01-23T04:56:07.000+00:00",
          "sizeInBytes" : 5, "relatedIncCount" : 7, "primaryTerm" : 6,
          "investigationIDs" : [ "investigationIDs", "investigationIDs" ],
          "expirationStatus" : "expirationStatus", "indicator_type" : "indicator_type",
          "syncHash" : "syncHash", "source" : "source",
          "manualSetTime" : "2000-01-23T04:56:07.000+00:00",
          "manualExpirationTime" : "2000-01-23T04:56:07.000+00:00",
          "calculatedTime" : "2000-01-23T04:56:07.000+00:00",
          "highlight" : { "key" : [ "highlight", "highlight" ] }, "score" : 1,
          "manuallyEditedFields" : [ "manuallyEditedFields", "manuallyEditedFields" ],
          "lastReputationRun" : "2000-01-23T04:56:07.000+00:00",
          "modified" : "2000-01-23T04:56:07.000+00:00",
          "moduleToFeedMap" : { "key" : {
            "modifiedTime" : "2000-01-23T04:56:07.000+00:00", "sourceInstance" : "sourceInstance",
            "comments" : [
              { "created" : "2000-01-23T04:56:07.000+00:00", "id" : "id", "user" : "user", "content" : "content" },
              { "created" : "2000-01-23T04:56:07.000+00:00", "id" : "id", "user" : "user", "content" : "content" } ],
            "classifierId" : "classifierId", "reliability" : "reliability", "mapperId" : "mapperId",
            "expirationPolicy" : "expirationPolicy", "mapperVersion" : 5, "rawJSON" : { "key" : "{}" },
            "type" : "type", "isEnrichment" : true,
            "relationships" : [
              { "entityA" : "entityA", "entityB" : "entityB", "instance" : "instance",
                "reverseName" : "reverseName", "entityBType" : "entityBType", "reliability" : "reliability",
                "entityAType" : "entityAType", "entityAFamily" : "entityAFamily", "type" : "type",
                "entityBFamily" : "entityBFamily", "name" : "name",
                "startTime" : "2000-01-23T04:56:07.000+00:00", "id" : "id",
                "fields" : { "key" : "{}" }, "brand" : "brand" },
              { "entityA" : "entityA", "entityB" : "entityB", "instance" : "instance",
                "reverseName" : "reverseName", "entityBType" : "entityBType", "reliability" : "reliability",
                "entityAType" : "entityAType", "entityAFamily" : "entityAFamily", "type" : "type",
                "entityBFamily" : "entityBFamily", "name" : "name",
                "startTime" : "2000-01-23T04:56:07.000+00:00", "id" : "id",
                "fields" : { "key" : "{}" }, "brand" : "brand" } ],
            "score" : 2, "bypassExclusionList" : true, "sourceBrand" : "sourceBrand",
            "expirationInterval" : 5, "fetchTime" : "2000-01-23T04:56:07.000+00:00",
            "ExpirationSource" : { "instance" : "instance", "expirationInterval" : 6,
              "expirationPolicy" : "expirationPolicy", "source" : "source", "moduleId" : "moduleId",
              "brand" : "brand", "user" : "user", "setTime" : "2000-01-23T04:56:07.000+00:00" },
            "fields" : { "key" : "{}" }, "moduleId" : "moduleId", "classifierVersion" : 1,
            "value" : "value", "timestamp" : "2000-01-23T04:56:07.000+00:00" } },
          "id" : "id", "setBy" : "setBy", "value" : "value",
          "aggregatedReliability" : "aggregatedReliability",
          "timestamp" : "2000-01-23T04:56:07.000+00:00", "manualScore" : true,
          "numericId" : 1, "sequenceNumber" : 4,
          "comments" : [
            { "numericId" : 1, "sequenceNumber" : 5, "sizeInBytes" : 2,
              "created" : "2000-01-23T04:56:07.000+00:00", "indexName" : "indexName",
              "primaryTerm" : 5, "cacheVersn" : 6, "syncHash" : "syncHash", "source" : "source",
              "type" : "type", "sortValues" : [ "sortValues", "sortValues" ], "version" : 7,
              "content" : "content", "entryId" : "entryId",
              "highlight" : { "key" : [ "highlight", "highlight" ] },
              "modified" : "2000-01-23T04:56:07.000+00:00", "id" : "id",
              "category" : "category", "user" : "user" },
            { "numericId" : 1, "sequenceNumber" : 5, "sizeInBytes" : 2,
              "created" : "2000-01-23T04:56:07.000+00:00", "indexName" : "indexName",
              "primaryTerm" : 5, "cacheVersn" : 6, "syncHash" : "syncHash", "source" : "source",
              "type" : "type", "sortValues" : [ "sortValues", "sortValues" ], "version" : 7,
              "content" : "content", "entryId" : "entryId",
              "highlight" : { "key" : [ "highlight", "highlight" ] },
              "modified" : "2000-01-23T04:56:07.000+00:00", "id" : "id",
              "category" : "category", "user" : "user" } ],
          "created" : "2000-01-23T04:56:07.000+00:00",
          "firstSeen" : "2000-01-23T04:56:07.000+00:00", "indexName" : "indexName",
          "expirationSource" : { "instance" : "instance", "expirationInterval" : 6,
            "expirationPolicy" : "expirationPolicy", "source" : "source", "moduleId" : "moduleId",
            "brand" : "brand", "user" : "user", "setTime" : "2000-01-23T04:56:07.000+00:00" },
          "insightCache" : { "numericId" : 3, "sequenceNumber" : 7, "sizeInBytes" : 1,
            "scores" : { "key" : { "score" : 4, "isTypedIndicator" : true,
              "contentFormat" : "contentFormat", "reliability" : "reliability",
              "scoreChangeTimestamp" : "2000-01-23T04:56:07.000+00:00",
              "context" : { "key" : "{}" }, "type" : "type", "content" : "content",
              "timestamp" : "2000-01-23T04:56:07.000+00:00" } },
            "created" : "2000-01-23T04:56:07.000+00:00", "indexName" : "indexName",
            "primaryTerm" : 2, "cacheVersn" : 9, "syncHash" : "syncHash",
            "sortValues" : [ "sortValues", "sortValues" ], "version" : 1,
            "highlight" : { "key" : [ "highlight", "highlight" ] },
            "modified" : "2000-01-23T04:56:07.000+00:00", "id" : "id" },
          "cacheVersn" : 0, "lastSeenEntryID" : "lastSeenEntryID",
          "sortValues" : [ "sortValues", "sortValues" ], "version" : 9,
          "CustomFields" : { "key" : "{}" },
          "sourceInstances" : [ "sourceInstances", "sourceInstances" ],
          "lastSeen" : "2000-01-23T04:56:07.000+00:00", "isPreventable" : true,
          "firstSeenEntryID" : "firstSeenEntryID",
          "sourceBrands" : [ "sourceBrands", "sourceBrands" ], "comment" : "comment",
          "expiration" : "2000-01-23T04:56:07.000+00:00", "account" : "account",
          "isShared" : true, "isDetectable" : true },
        "investigationId" : "investigationId", "manually" : true, "seenNow" : true,
        "entryId" : "entryId" }'

Authentication: api_key (API key sent in the "Authorization" header)
Request
Body
optional

entryId
optional
String


indicator
optional


IocObject - represents an Ioc (or simply an indicator) object
CustomFields
optional
Map of objects
The keys should be the field's display name, all lowercase and without spaces. For
example: Scan IP -> scanip. To get the actual key name you can also go to the Cortex
XSOAR CLI, run /incident_add, and look for the key that you would like to update.

account
optional
String


aggregatedReliability
optional
String


cacheVersn
optional
Number (Long)
format: int64

calculatedTime
optional
Object
Do not set the fields below this line.
format: date-time

comment
optional
String


comments
optional
Array

cacheVersn
optional
Number (Long)
format: int64

category
optional
String


content
optional
String


created
optional
Object
format: date-time

entryId
optional
String


highlight
optional
Map


id
optional
String


indexName
optional
String


modified
optional
Object
format: date-time

numericId
optional
Number (Long)
format: int64

primaryTerm
optional
Number (Long)
format: int64

sequenceNumber
optional
Number (Long)
format: int64

sizeInBytes
optional
Number (Long)
format: int64

sortValues
optional
Array of strings


source
optional
String


syncHash
optional
String


type
optional
String


user
optional
String


version
optional
Number (Long)
format: int64

created
optional
Object
format: date-time

deletedFeedFetchTime
optional
Object
format: date-time

expiration
optional
Object
format: date-time

expirationSource
optional


brand
optional
String


expirationInterval
optional
Number (Long)
format: int64

expirationPolicy
optional
String


instance
optional
String


moduleId
optional
String


setTime
optional
Object
format: date-time

source
optional
String


user
optional
String


expirationStatus
optional
String


firstSeen
optional
Object
format: date-time

firstSeenEntryID
optional
String


highlight
optional
Map


id
optional
String


indexName
optional
String


indicator_type
optional
String


insightCache
optional


InsightCache - maps an insight name to all of its metadata; the name is case
insensitive
cacheVersn
optional
Number (Long)
format: int64

created
optional
Object
format: date-time

highlight
optional
Map


id
optional
String


indexName
optional
String


modified
optional
Object
format: date-time

numericId
optional
Number (Long)
format: int64

primaryTerm
optional
Number (Long)
format: int64

scores
optional
Map

DBotScore - contains the score of a specific brand for a specific insight
content
optional
String


contentFormat
optional
String


context
optional
Map of objects


isTypedIndicator
optional
Boolean


reliability
optional
String


score
optional
Number (Long)
format: int64

scoreChangeTimestamp
optional
Object
We need to track when the score changes to know if we need to re-calculate the
overall score.
format: date-time

timestamp
optional
Object
format: date-time

type
optional
String


sequenceNumber
optional
Number (Long)
format: int64

sizeInBytes
optional
Number (Long)
format: int64

sortValues
optional
Array of strings


syncHash
optional
String


version
optional
Number (Long)
format: int64

investigationIDs
optional
Array of strings


isDetectable
optional
Boolean


isPreventable
optional
Boolean


isShared
optional
Boolean


lastReputationRun
optional
Object
format: date-time

lastSeen
optional
Object
format: date-time

lastSeenEntryID
optional
String


manualExpirationTime
optional
Object
format: date-time

manualScore
optional
Boolean


manualSetTime
optional
Object
format: date-time

manuallyEditedFields
optional
Array of strings


modified
optional
Object
format: date-time

modifiedTime
optional
Object
format: date-time

moduleToFeedMap
optional
Map

ExpirationSource
optional


brand
optional
String


expirationInterval
optional
Number (Long)
format: int64

expirationPolicy
optional
String


instance
optional
String


moduleId
optional
String


setTime
optional
Object
format: date-time

source
optional
String


user
optional
String


bypassExclusionList
optional
Boolean


classifierId
optional
String


classifierVersion
optional
Number (Long)
format: int64

comments
optional
Array

content
optional
String


created
optional
Object
format: date-time

id
optional
String


user
optional
String


expirationInterval
optional
Number (Long)
format: int64

expirationPolicy
optional
String


fetchTime
optional
Object
format: date-time

fields
optional
Map of objects
The keys should be the field's display name, all lowercase and without spaces. For
example: Scan IP -> scanip. To get the actual key name you can also go to the Cortex
XSOAR CLI, run /incident_add, and look for the key that you would like to update.

isEnrichment
optional
Boolean


mapperId
optional
String


mapperVersion
optional
Number (Long)
format: int64

modifiedTime
optional
Object
format: date-time

moduleId
optional
String


rawJSON
optional
Map of objects


relationships
optional
Array

brand
optional
String


entityA
optional
String


entityAFamily
optional
String


entityAType
optional
String


entityB
optional
String


entityBFamily
optional
String


entityBType
optional
String


fields
optional
Map of objects
The keys should be the field's display name, all lowercase and without spaces. For
example: Scan IP -> scanip. To get the actual key name you can also go to the Cortex
XSOAR CLI, run /incident_add, and look for the key that you would like to update.

id
optional
String


instance
optional
String


name
optional
String


reliability
optional
String


reverseName
optional
String


startTime
optional
Object
format: date-time

type
optional
String


reliability
optional
String


score
optional
Number (Long)
format: int64

sourceBrand
optional
String


sourceInstance
optional
String


timestamp
optional
Object
format: date-time

type
optional
String


value
optional
String


numericId
optional
Number (Long)
format: int64

primaryTerm
optional
Number (Long)
format: int64

relatedIncCount
optional
Number (Long)
format: int64

score
optional
Number (Long)
format: int64

sequenceNumber
optional
Number (Long)
format: int64

setBy
optional
String


sizeInBytes
optional
Number (Long)
format: int64

sortValues
optional
Array of strings


source
optional
String


sourceBrands
optional
Array of strings


sourceInstances
optional
Array of strings


syncHash
optional
String


timestamp
optional
Object
format: date-time

value
optional
String


version
optional
Number (Long)
format: int64

investigationId
optional
String


manually
optional
Boolean


seenNow
optional
Boolean


Responses

IocObject

Body
IocObject - represents an Ioc (or simply an indicator) object
CustomFields
optional
Map of objects
The keys should be the field's display name, all lowercase and without spaces. For
example: Scan IP -> scanip. To get the actual key name you can also go to the Cortex
XSOAR CLI, run /incident_add, and look for the key that you would like to update.

account
optional
String


aggregatedReliability
optional
String


cacheVersn
optional
Number (Long)
format: int64

calculatedTime
optional
Object
Do not set the fields below this line.
format: date-time

comment
optional
String


comments
optional
Array

cacheVersn
optional
Number (Long)
format: int64

category
optional
String


content
optional
String


created
optional
Object
format: date-time

entryId
optional
String


highlight
optional
Map


id
optional
String


indexName
optional
String


modified
optional
Object
format: date-time

numericId
optional
Number (Long)
format: int64

primaryTerm
optional
Number (Long)
format: int64

sequenceNumber
optional
Number (Long)
format: int64

sizeInBytes
optional
Number (Long)
format: int64

sortValues
optional
Array of strings


source
optional
String


syncHash
optional
String


type
optional
String


user
optional
String


version
optional
Number (Long)
format: int64

created
optional
Object
format: date-time

deletedFeedFetchTime
optional
Object
format: date-time

expiration
optional
Object
format: date-time

expirationSource
optional


brand
optional
String


expirationInterval
optional
Number (Long)
format: int64

expirationPolicy
optional
String


instance
optional
String


moduleId
optional
String


setTime
optional
Object
format: date-time

source
optional
String


user
optional
String


expirationStatus
optional
String


firstSeen
optional
Object
format: date-time

firstSeenEntryID
optional
String


highlight
optional
Map


id
optional
String


indexName
optional
String


indicator_type
optional
String


insightCache
optional


InsightCache - maps an insight name to all of its metadata; the name is case
insensitive
cacheVersn
optional
Number (Long)
format: int64

created
optional
Object
format: date-time

highlight
optional
Map


id
optional
String


indexName
optional
String


modified
optional
Object
format: date-time

numericId
optional
Number (Long)
format: int64

primaryTerm
optional
Number (Long)
format: int64

scores
optional
Map

DBotScore - Contains the score of a specific brand for a specific insight
content
optional
String


contentFormat
optional
String


context
optional
Map of objects


isTypedIndicator
optional
Boolean


reliability
optional
String


score
optional
Number (Long)
format: int64

scoreChangeTimestamp
optional
Object
We need to track when the score changes to know whether the overall score must be
recalculated.
format: date-time

timestamp
optional
Object
format: date-time

type
optional
String


sequenceNumber
optional
Number (Long)
format: int64

sizeInBytes
optional
Number (Long)
format: int64

sortValues
optional
Array of strings


syncHash
optional
String


version
optional
Number (Long)
format: int64

investigationIDs
optional
Array of strings


isDetectable
optional
Boolean


isPreventable
optional
Boolean


isShared
optional
Boolean


lastReputationRun
optional
Object
format: date-time

lastSeen
optional
Object
format: date-time

lastSeenEntryID
optional
String


manualExpirationTime
optional
Object
format: date-time

manualScore
optional
Boolean


manualSetTime
optional
Object
format: date-time

manuallyEditedFields
optional
Array of strings


modified
optional
Object
format: date-time

modifiedTime
optional
Object
format: date-time

moduleToFeedMap
optional
Map

ExpirationSource
optional


brand
optional
String


expirationInterval
optional
Number (Long)
format: int64

expirationPolicy
optional
String


instance
optional
String


moduleId
optional
String


setTime
optional
Object
format: date-time

source
optional
String


user
optional
String


bypassExclusionList
optional
Boolean


classifierId
optional
String


classifierVersion
optional
Number (Long)
format: int64

comments
optional
Array

content
optional
String


created
optional
Object
format: date-time

id
optional
String


user
optional
String


expirationInterval
optional
Number (Long)
format: int64

expirationPolicy
optional
String


fetchTime
optional
Object
format: date-time

fields
optional
Map of objects
The keys should be the field's display name, all lowercase and without spaces. For
example: Scan IP -> scanip. To get the actual key name you can also go to the Cortex
XSOAR CLI, run /incident_add and look for the key that you would like to update.

isEnrichment
optional
Boolean


mapperId
optional
String


mapperVersion
optional
Number (Long)
format: int64

modifiedTime
optional
Object
format: date-time

moduleId
optional
String


rawJSON
optional
Map of objects


relationships
optional
Array

brand
optional
String


entityA
optional
String


entityAFamily
optional
String


entityAType
optional
String


entityB
optional
String


entityBFamily
optional
String


entityBType
optional
String


fields
optional
Map of objects
The keys should be the field's display name, all lowercase and without spaces. For
example: Scan IP -> scanip. To get the actual key name you can also go to the Cortex
XSOAR CLI, run /incident_add and look for the key that you would like to update.

id
optional
String


instance
optional
String


name
optional
String


reliability
optional
String


reverseName
optional
String


startTime
optional
Object
format: date-time

type
optional
String


reliability
optional
String


score
optional
Number (Long)
format: int64

sourceBrand
optional
String


sourceInstance
optional
String


timestamp
optional
Object
format: date-time

type
optional
String


value
optional
String


numericId
optional
Number (Long)
format: int64

primaryTerm
optional
Number (Long)
format: int64

relatedIncCount
optional
Number (Long)
format: int64

score
optional
Number (Long)
format: int64

sequenceNumber
optional
Number (Long)
format: int64

setBy
optional
String


sizeInBytes
optional
Number (Long)
format: int64

sortValues
optional
Array of strings


source
optional
String


sourceBrands
optional
Array of strings


sourceInstances
optional
Array of strings


syncHash
optional
String


timestamp
optional
Object
format: date-time

value
optional
String


version
optional
Number (Long)
format: int64


--------------------------------------------------------------------------------




EDIT INDICATOR

post /indicator/edit

Edit an indicator entity. To update indicator custom fields, lowercase their names
and remove all spaces. For example: Scan IP -> scanip

CURL
curl -X POST \
  -H "Authorization: [[apiKey]]" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  "https://hostname:443/indicator/edit" \
  -d '{ "modifiedTime" :
"2000-01-23T04:56:07.000+00:00", "deletedFeedFetchTime" :
"2000-01-23T04:56:07.000+00:00", "sizeInBytes" : 5, "relatedIncCount" : 7,
"primaryTerm" : 6, "investigationIDs" : [ "investigationIDs", "investigationIDs"
], "expirationStatus" : "expirationStatus", "indicator_type" : "indicator_type",
"syncHash" : "syncHash", "source" : "source", "manualSetTime" :
"2000-01-23T04:56:07.000+00:00", "manualExpirationTime" :
"2000-01-23T04:56:07.000+00:00", "calculatedTime" :
"2000-01-23T04:56:07.000+00:00", "highlight" : { "key" : [ "highlight",
"highlight" ] }, "score" : 1, "manuallyEditedFields" : [ "manuallyEditedFields",
"manuallyEditedFields" ], "lastReputationRun" : "2000-01-23T04:56:07.000+00:00",
"modified" : "2000-01-23T04:56:07.000+00:00", "moduleToFeedMap" : { "key" : {
"modifiedTime" : "2000-01-23T04:56:07.000+00:00", "sourceInstance" :
"sourceInstance", "comments" : [ { "created" : "2000-01-23T04:56:07.000+00:00",
"id" : "id", "user" : "user", "content" : "content" }, { "created" :
"2000-01-23T04:56:07.000+00:00", "id" : "id", "user" : "user", "content" :
"content" } ], "classifierId" : "classifierId", "reliability" : "reliability",
"mapperId" : "mapperId", "expirationPolicy" : "expirationPolicy",
"mapperVersion" : 5, "rawJSON" : { "key" : "{}" }, "type" : "type",
"isEnrichment" : true, "relationships" : [ { "entityA" : "entityA", "entityB" :
"entityB", "instance" : "instance", "reverseName" : "reverseName", "entityBType"
: "entityBType", "reliability" : "reliability", "entityAType" : "entityAType",
"entityAFamily" : "entityAFamily", "type" : "type", "entityBFamily" :
"entityBFamily", "name" : "name", "startTime" : "2000-01-23T04:56:07.000+00:00",
"id" : "id", "fields" : { "key" : "{}" }, "brand" : "brand" }, { "entityA" :
"entityA", "entityB" : "entityB", "instance" : "instance", "reverseName" :
"reverseName", "entityBType" : "entityBType", "reliability" : "reliability",
"entityAType" : "entityAType", "entityAFamily" : "entityAFamily", "type" :
"type", "entityBFamily" : "entityBFamily", "name" : "name", "startTime" :
"2000-01-23T04:56:07.000+00:00", "id" : "id", "fields" : { "key" : "{}" },
"brand" : "brand" } ], "score" : 2, "bypassExclusionList" : true, "sourceBrand"
: "sourceBrand", "expirationInterval" : 5, "fetchTime" :
"2000-01-23T04:56:07.000+00:00", "ExpirationSource" : { "instance" : "instance",
"expirationInterval" : 6, "expirationPolicy" : "expirationPolicy", "source" :
"source", "moduleId" : "moduleId", "brand" : "brand", "user" : "user", "setTime"
: "2000-01-23T04:56:07.000+00:00" }, "fields" : { "key" : "{}" }, "moduleId" :
"moduleId", "classifierVersion" : 1, "value" : "value", "timestamp" :
"2000-01-23T04:56:07.000+00:00" } }, "id" : "id", "setBy" : "setBy", "value" :
"value", "aggregatedReliability" : "aggregatedReliability", "timestamp" :
"2000-01-23T04:56:07.000+00:00", "manualScore" : true, "numericId" : 1,
"sequenceNumber" : 4, "comments" : [ { "numericId" : 1, "sequenceNumber" : 5,
"sizeInBytes" : 2, "created" : "2000-01-23T04:56:07.000+00:00", "indexName" :
"indexName", "primaryTerm" : 5, "cacheVersn" : 6, "syncHash" : "syncHash",
"source" : "source", "type" : "type", "sortValues" : [ "sortValues",
"sortValues" ], "version" : 7, "content" : "content", "entryId" : "entryId",
"highlight" : { "key" : [ "highlight", "highlight" ] }, "modified" :
"2000-01-23T04:56:07.000+00:00", "id" : "id", "category" : "category", "user" :
"user" }, { "numericId" : 1, "sequenceNumber" : 5, "sizeInBytes" : 2, "created"
: "2000-01-23T04:56:07.000+00:00", "indexName" : "indexName", "primaryTerm" : 5,
"cacheVersn" : 6, "syncHash" : "syncHash", "source" : "source", "type" : "type",
"sortValues" : [ "sortValues", "sortValues" ], "version" : 7, "content" :
"content", "entryId" : "entryId", "highlight" : { "key" : [ "highlight",
"highlight" ] }, "modified" : "2000-01-23T04:56:07.000+00:00", "id" : "id",
"category" : "category", "user" : "user" } ], "created" :
"2000-01-23T04:56:07.000+00:00", "firstSeen" : "2000-01-23T04:56:07.000+00:00",
"indexName" : "indexName", "expirationSource" : { "instance" : "instance",
"expirationInterval" : 6, "expirationPolicy" : "expirationPolicy", "source" :
"source", "moduleId" : "moduleId", "brand" : "brand", "user" : "user", "setTime"
: "2000-01-23T04:56:07.000+00:00" }, "insightCache" : { "numericId" : 3,
"sequenceNumber" : 7, "sizeInBytes" : 1, "scores" : { "key" : { "score" : 4,
"isTypedIndicator" : true, "contentFormat" : "contentFormat", "reliability" :
"reliability", "scoreChangeTimestamp" : "2000-01-23T04:56:07.000+00:00",
"context" : { "key" : "{}" }, "type" : "type", "content" : "content",
"timestamp" : "2000-01-23T04:56:07.000+00:00" } }, "created" :
"2000-01-23T04:56:07.000+00:00", "indexName" : "indexName", "primaryTerm" : 2,
"cacheVersn" : 9, "syncHash" : "syncHash", "sortValues" : [ "sortValues",
"sortValues" ], "version" : 1, "highlight" : { "key" : [ "highlight",
"highlight" ] }, "modified" : "2000-01-23T04:56:07.000+00:00", "id" : "id" },
"cacheVersn" : 0, "lastSeenEntryID" : "lastSeenEntryID", "sortValues" : [
"sortValues", "sortValues" ], "version" : 9, "CustomFields" : { "key" : "{}" },
"sourceInstances" : [ "sourceInstances", "sourceInstances" ], "lastSeen" :
"2000-01-23T04:56:07.000+00:00", "isPreventable" : true, "firstSeenEntryID" :
"firstSeenEntryID", "sourceBrands" : [ "sourceBrands", "sourceBrands" ],
"comment" : "comment", "expiration" : "2000-01-23T04:56:07.000+00:00", "account"
: "account", "isShared" : true, "isDetectable" : true }'

Authentication: api_key Api Key "Authorization"
Request
Body
optional

CustomFields
optional
Map of objects
The keys should be the field's display name, all lowercase and without spaces. For
example: Scan IP -> scanip. To get the actual key name you can also go to the Cortex
XSOAR CLI, run /incident_add and look for the key that you would like to update.

account
optional
String


aggregatedReliability
optional
String


cacheVersn
optional
Number (Long)
format: int64

calculatedTime
optional
Object
Do not set the fields below this line.
format: date-time

comment
optional
String


comments
optional
Array

cacheVersn
optional
Number (Long)
format: int64

category
optional
String


content
optional
String


created
optional
Object
format: date-time

entryId
optional
String


highlight
optional
Map


id
optional
String


indexName
optional
String


modified
optional
Object
format: date-time

numericId
optional
Number (Long)
format: int64

primaryTerm
optional
Number (Long)
format: int64

sequenceNumber
optional
Number (Long)
format: int64

sizeInBytes
optional
Number (Long)
format: int64

sortValues
optional
Array of strings


source
optional
String


syncHash
optional
String


type
optional
String


user
optional
String


version
optional
Number (Long)
format: int64

created
optional
Object
format: date-time

deletedFeedFetchTime
optional
Object
format: date-time

expiration
optional
Object
format: date-time

expirationSource
optional


brand
optional
String


expirationInterval
optional
Number (Long)
format: int64

expirationPolicy
optional
String


instance
optional
String


moduleId
optional
String


setTime
optional
Object
format: date-time

source
optional
String


user
optional
String


expirationStatus
optional
String


firstSeen
optional
Object
format: date-time

firstSeenEntryID
optional
String


highlight
optional
Map


id
optional
String


indexName
optional
String


indicator_type
optional
String


insightCache
optional


InsightCache - maps an insight name to all of its metadata; the name is case
insensitive
cacheVersn
optional
Number (Long)
format: int64

created
optional
Object
format: date-time

highlight
optional
Map


id
optional
String


indexName
optional
String


modified
optional
Object
format: date-time

numericId
optional
Number (Long)
format: int64

primaryTerm
optional
Number (Long)
format: int64

scores
optional
Map

DBotScore - Contains the score of a specific brand for a specific insight
content
optional
String


contentFormat
optional
String


context
optional
Map of objects


isTypedIndicator
optional
Boolean


reliability
optional
String


score
optional
Number (Long)
format: int64

scoreChangeTimestamp
optional
Object
We need to track when the score changes to know whether the overall score must be
recalculated.
format: date-time

timestamp
optional
Object
format: date-time

type
optional
String


sequenceNumber
optional
Number (Long)
format: int64

sizeInBytes
optional
Number (Long)
format: int64

sortValues
optional
Array of strings


syncHash
optional
String


version
optional
Number (Long)
format: int64

investigationIDs
optional
Array of strings


isDetectable
optional
Boolean


isPreventable
optional
Boolean


isShared
optional
Boolean


lastReputationRun
optional
Object
format: date-time

lastSeen
optional
Object
format: date-time

lastSeenEntryID
optional
String


manualExpirationTime
optional
Object
format: date-time

manualScore
optional
Boolean


manualSetTime
optional
Object
format: date-time

manuallyEditedFields
optional
Array of strings


modified
optional
Object
format: date-time

modifiedTime
optional
Object
format: date-time

moduleToFeedMap
optional
Map

ExpirationSource
optional


brand
optional
String


expirationInterval
optional
Number (Long)
format: int64

expirationPolicy
optional
String


instance
optional
String


moduleId
optional
String


setTime
optional
Object
format: date-time

source
optional
String


user
optional
String


bypassExclusionList
optional
Boolean


classifierId
optional
String


classifierVersion
optional
Number (Long)
format: int64

comments
optional
Array

content
optional
String


created
optional
Object
format: date-time

id
optional
String


user
optional
String


expirationInterval
optional
Number (Long)
format: int64

expirationPolicy
optional
String


fetchTime
optional
Object
format: date-time

fields
optional
Map of objects
The keys should be the field's display name, all lowercase and without spaces. For
example: Scan IP -> scanip. To get the actual key name you can also go to the Cortex
XSOAR CLI, run /incident_add and look for the key that you would like to update.

isEnrichment
optional
Boolean


mapperId
optional
String


mapperVersion
optional
Number (Long)
format: int64

modifiedTime
optional
Object
format: date-time

moduleId
optional
String


rawJSON
optional
Map of objects


relationships
optional
Array

brand
optional
String


entityA
optional
String


entityAFamily
optional
String


entityAType
optional
String


entityB
optional
String


entityBFamily
optional
String


entityBType
optional
String


fields
optional
Map of objects
The keys should be the field's display name, all lowercase and without spaces. For
example: Scan IP -> scanip. To get the actual key name you can also go to the Cortex
XSOAR CLI, run /incident_add and look for the key that you would like to update.

id
optional
String


instance
optional
String


name
optional
String


reliability
optional
String


reverseName
optional
String


startTime
optional
Object
format: date-time

type
optional
String


reliability
optional
String


score
optional
Number (Long)
format: int64

sourceBrand
optional
String


sourceInstance
optional
String


timestamp
optional
Object
format: date-time

type
optional
String


value
optional
String


numericId
optional
Number (Long)
format: int64

primaryTerm
optional
Number (Long)
format: int64

relatedIncCount
optional
Number (Long)
format: int64

score
optional
Number (Long)
format: int64

sequenceNumber
optional
Number (Long)
format: int64

setBy
optional
String


sizeInBytes
optional
Number (Long)
format: int64

sortValues
optional
Array of strings


source
optional
String


sourceBrands
optional
Array of strings


sourceInstances
optional
Array of strings


syncHash
optional
String


timestamp
optional
Object
format: date-time

value
optional
String


version
optional
Number (Long)
format: int64

Responses

IocObject

Body
IocObject - represents an Ioc (or simply an indicator) object
CustomFields
optional
Map of objects
The keys should be the field's display name, all lowercase and without spaces. For
example: Scan IP -> scanip. To get the actual key name you can also go to the Cortex
XSOAR CLI, run /incident_add and look for the key that you would like to update.

account
optional
String


aggregatedReliability
optional
String


cacheVersn
optional
Number (Long)
format: int64

calculatedTime
optional
Object
Do not set the fields below this line.
format: date-time

comment
optional
String


comments
optional
Array

cacheVersn
optional
Number (Long)
format: int64

category
optional
String


content
optional
String


created
optional
Object
format: date-time

entryId
optional
String


highlight
optional
Map


id
optional
String


indexName
optional
String


modified
optional
Object
format: date-time

numericId
optional
Number (Long)
format: int64

primaryTerm
optional
Number (Long)
format: int64

sequenceNumber
optional
Number (Long)
format: int64

sizeInBytes
optional
Number (Long)
format: int64

sortValues
optional
Array of strings


source
optional
String


syncHash
optional
String


type
optional
String


user
optional
String


version
optional
Number (Long)
format: int64

created
optional
Object
format: date-time

deletedFeedFetchTime
optional
Object
format: date-time

expiration
optional
Object
format: date-time

expirationSource
optional


brand
optional
String


expirationInterval
optional
Number (Long)
format: int64

expirationPolicy
optional
String


instance
optional
String


moduleId
optional
String


setTime
optional
Object
format: date-time

source
optional
String


user
optional
String


expirationStatus
optional
String


firstSeen
optional
Object
format: date-time

firstSeenEntryID
optional
String


highlight
optional
Map


id
optional
String


indexName
optional
String


indicator_type
optional
String


insightCache
optional


InsightCache - maps an insight name to all of its metadata; the name is case
insensitive
cacheVersn
optional
Number (Long)
format: int64

created
optional
Object
format: date-time

highlight
optional
Map


id
optional
String


indexName
optional
String


modified
optional
Object
format: date-time

numericId
optional
Number (Long)
format: int64

primaryTerm
optional
Number (Long)
format: int64

scores
optional
Map

DBotScore - Contains the score of a specific brand for a specific insight
content
optional
String


contentFormat
optional
String


context
optional
Map of objects


isTypedIndicator
optional
Boolean


reliability
optional
String


score
optional
Number (Long)
format: int64

scoreChangeTimestamp
optional
Object
We need to track when the score changes to know whether the overall score must be
recalculated.
format: date-time

timestamp
optional
Object
format: date-time

type
optional
String


sequenceNumber
optional
Number (Long)
format: int64

sizeInBytes
optional
Number (Long)
format: int64

sortValues
optional
Array of strings


syncHash
optional
String


version
optional
Number (Long)
format: int64

investigationIDs
optional
Array of strings


isDetectable
optional
Boolean


isPreventable
optional
Boolean


isShared
optional
Boolean


lastReputationRun
optional
Object
format: date-time

lastSeen
optional
Object
format: date-time

lastSeenEntryID
optional
String


manualExpirationTime
optional
Object
format: date-time

manualScore
optional
Boolean


manualSetTime
optional
Object
format: date-time

manuallyEditedFields
optional
Array of strings


modified
optional
Object
format: date-time

modifiedTime
optional
Object
format: date-time

moduleToFeedMap
optional
Map

ExpirationSource
optional


brand
optional
String


expirationInterval
optional
Number (Long)
format: int64

expirationPolicy
optional
String


instance
optional
String


moduleId
optional
String


setTime
optional
Object
format: date-time

source
optional
String


user
optional
String


bypassExclusionList
optional
Boolean


classifierId
optional
String


classifierVersion
optional
Number (Long)
format: int64

comments
optional
Array

content
optional
String


created
optional
Object
format: date-time

id
optional
String


user
optional
String


expirationInterval
optional
Number (Long)
format: int64

expirationPolicy
optional
String


fetchTime
optional
Object
format: date-time

fields
optional
Map of objects
The keys should be the field's display name, all lowercase and without spaces. For
example: Scan IP -> scanip. To get the actual key name you can also go to the Cortex
XSOAR CLI, run /incident_add and look for the key that you would like to update.

isEnrichment
optional
Boolean


mapperId
optional
String


mapperVersion
optional
Number (Long)
format: int64

modifiedTime
optional
Object
format: date-time

moduleId
optional
String


rawJSON
optional
Map of objects


relationships
optional
Array

brand
optional
String


entityA
optional
String


entityAFamily
optional
String


entityAType
optional
String


entityB
optional
String


entityBFamily
optional
String


entityBType
optional
String


fields
optional
Map of objects
The keys should be the field's display name, all lowercase and without spaces. For
example: Scan IP -> scanip. To get the actual key name you can also go to the Cortex
XSOAR CLI, run /incident_add and look for the key that you would like to update.

id
optional
String


instance
optional
String


name
optional
String


reliability
optional
String


reverseName
optional
String


startTime
optional
Object
format: date-time

type
optional
String


reliability
optional
String


score
optional
Number (Long)
format: int64

sourceBrand
optional
String


sourceInstance
optional
String


timestamp
optional
Object
format: date-time

type
optional
String


value
optional
String


numericId
optional
Number (Long)
format: int64

primaryTerm
optional
Number (Long)
format: int64

relatedIncCount
optional
Number (Long)
format: int64

score
optional
Number (Long)
format: int64

sequenceNumber
optional
Number (Long)
format: int64

setBy
optional
String


sizeInBytes
optional
Number (Long)
format: int64

sortValues
optional
Array of strings


source
optional
String


sourceBrands
optional
Array of strings


sourceInstances
optional
Array of strings


syncHash
optional
String


timestamp
optional
Object
format: date-time

value
optional
String


version
optional
Number (Long)
format: int64


--------------------------------------------------------------------------------




WHITELISTS OR DELETES INDICATOR

post /indicator/whitelist

Whitelists or deletes an indicator entity. To delete an indicator rather than
whitelist it, set the doNotWhitelist boolean field to true.

CURL
curl -X POST \
  -H "Authorization: [[apiKey]]" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  "https://hostname:443/indicator/whitelist" \
  -d '{ "manualScore" : true, "reason" : "reason", "reputations" : [ "reputations", "reputations" ], "reputation" : 0, "InvestigationId" : "InvestigationId", "doNotWhitelist" : true, "value" : "value", "entryId" : "entryId" }'

Authentication: api_key Api Key "Authorization"
Request
Body
optional

InvestigationId
optional
String


doNotWhitelist
optional
Boolean


entryId
optional
String


manualScore
optional
Boolean


reason
optional
String


reputation
optional
Number (Long)
format: int64

reputations
optional
Array of strings


value
optional
String


Responses

UpdateResponse

Body
notUpdated
optional
Number (Long)
format: int64

updatedIds
optional
Array of strings


uppdated
optional
Number (Long)
format: int64


--------------------------------------------------------------------------------




BATCH EXPORT INDICATORS TO STIX

post /indicators/batch/export/stix

Exports a batch of indicators to a STIX file (returns the file ID)

CURL
curl -X POST \
  -H "Authorization: [[apiKey]]" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  "https://hostname:443/indicators/batch/export/stix" \
  -d '{ "all" : true,
"filter" : { "ignoreWorkers" : true, "filterobjectquery" : "filterobjectquery",
"fromDateLicense" : "2000-01-23T04:56:07.000+00:00", "searchAfterElastic" : [
"searchAfterElastic", "searchAfterElastic" ], "searchBefore" : [ "searchBefore",
"searchBefore" ], "laterTimeInPage" : "2000-01-23T04:56:07.000+00:00", "period"
: { "fromValue" : "fromValue", "toValue" : "toValue", "byFrom" : "byFrom",
"field" : "field", "by" : "by", "byTo" : "byTo" }, "searchAfterMap" : { "key" :
[ "searchAfterMap", "searchAfterMap" ] }, "searchAfterMapOrder" : { "key" : 1 },
"firstSeen" : { "fromDate" : "2000-01-23T04:56:07.000+00:00", "fromDateLicense"
: "2000-01-23T04:56:07.000+00:00", "period" : { "fromValue" : "fromValue",
"toValue" : "toValue", "byFrom" : "byFrom", "field" : "field", "by" : "by",
"byTo" : "byTo" }, "toDate" : "2000-01-23T04:56:07.000+00:00", "timeFrame" : 0
}, "earlyTimeInPage" : "2000-01-23T04:56:07.000+00:00", "query" : "query",
"searchBeforeElastic" : [ "searchBeforeElastic", "searchBeforeElastic" ],
"toDate" : "2000-01-23T04:56:07.000+00:00", "trim_events" : 2, "prevPage" :
true, "sort" : [ { "asc" : true, "field" : "field", "fieldType" : "fieldType" },
{ "asc" : true, "field" : "field", "fieldType" : "fieldType" } ], "timeFrame" :
5, "fromDate" : "2000-01-23T04:56:07.000+00:00", "lastSeen" : { "fromDate" :
"2000-01-23T04:56:07.000+00:00", "fromDateLicense" :
"2000-01-23T04:56:07.000+00:00", "period" : { "fromValue" : "fromValue",
"toValue" : "toValue", "byFrom" : "byFrom", "field" : "field", "by" : "by",
"byTo" : "byTo" }, "toDate" : "2000-01-23T04:56:07.000+00:00", "timeFrame" : 0
}, "size" : 5, "searchAfter" : [ "searchAfter", "searchAfter" ], "accounts" : {
"key" : "{}" }, "page" : 6, "fields" : [ "fields", "fields" ], "Cache" : { "key"
: [ "Cache", "Cache" ] } }, "reason" : "reason", "reputations" : [
"reputations", "reputations" ], "columns" : [ "columns", "columns" ], "ids" : [
"ids", "ids" ], "doNotWhitelist" : true }'

Authentication: api_key Api Key "Authorization"
Request
Body
optional

all
optional
Boolean


columns
optional
Array of strings


doNotWhitelist
optional
Boolean


filter
optional


IndicatorFilter is a general filter that fetches entities using the query string
given in the Query value
Cache
optional
Map
Cache of join functions

accounts
optional
Map of objects


earlyTimeInPage
optional
Object
format: date-time

fields
optional
Array of strings


filterobjectquery
optional
String


firstSeen
optional


DateRangeFilter provides common fields for date filtering
fromDate
optional
Object
format: date-time

fromDateLicense
optional
Object
format: date-time

period
optional


by
optional
String
By is kept for legacy use; if set, it overrides ByTo and ByFrom

byFrom
optional
String


byTo
optional
String


field
optional
String


fromValue
optional
String
format: duration

toValue
optional
String
format: duration

timeFrame
optional
Number (Long)
A Duration represents the elapsed time between two instants as an int64
nanosecond count. The representation limits the largest representable duration
to approximately 290 years.
format: int64

toDate
optional
Object
format: date-time

fromDate
optional
Object
format: date-time

fromDateLicense
optional
Object
format: date-time

ignoreWorkers
optional
Boolean
Do not use the workers mechanism when searching bleve

lastSeen
optional


DateRangeFilter provides common fields for date filtering
fromDate
optional
Object
format: date-time

fromDateLicense
optional
Object
format: date-time

period
optional


by
optional
String
By is kept for legacy use; if set, it overrides ByTo and ByFrom

byFrom
optional
String


byTo
optional
String


field
optional
String


fromValue
optional
String
format: duration

toValue
optional
String
format: duration

timeFrame
optional
Number (Long)
A Duration represents the elapsed time between two instants as an int64
nanosecond count. The representation limits the largest representable duration
to approximately 290 years.
format: int64

toDate
optional
Object
format: date-time

laterTimeInPage
optional
Object
format: date-time

page
optional
Number (Long)
0-based page
format: int64

period
optional


by
optional
String
By is kept for legacy use; if set, it overrides ByTo and ByFrom

byFrom
optional
String


byTo
optional
String


field
optional
String


fromValue
optional
String
format: duration

toValue
optional
String
format: duration

prevPage
optional
Boolean
MT support - these fields are for indicator search according to calculatedTime

query
optional
String


searchAfter
optional
Array of strings
Efficient next page: pass the max sort value from the previous page

searchAfterElastic
optional
Array of strings
Efficient next page: pass the max ES sort value from the previous page

searchAfterMap
optional
Map
Map of search-after values per account: stores the next page's sort values for
each account. There is no need to store a searchBeforeMap, because the current
page's searchBefore equals the previous page's searchAfter. Moreover, a correct
searchBefore cannot be generated from the current page, since some tenants may
not appear in it at all. The map is relevant in proxy mode and is used by
tenants; each tenant extracts its own searchAfter keys from the map.

searchAfterMapOrder
optional
Map of numbers (Long)
format: int64

searchBefore
optional
Array of strings
Efficient prev page, pass min sort value from next page

searchBeforeElastic
optional
Array of strings
Efficient prev page, pass min ES sort value from next page

size
optional
Number (Long)
Size is limited to 1000. If not passed, it defaults to 0 and no results are
returned. format: int64

sort
optional
Array
The sort order
Order struct holds a sort field and the direction of sorting
asc
optional
Boolean


field
optional
String


fieldType
optional
String


timeFrame
optional
Number (Long)
A Duration represents the elapsed time between two instants as an int64
nanosecond count. The representation limits the largest representable duration
to approximately 290 years. format: int64

toDate
optional
Object
format: date-time

trim_events
optional
Number (Long)
format: int64

ids
optional
Array of strings


reason
optional
String


reputations
optional
Array of strings


Responses

STIX file name

Body

--------------------------------------------------------------------------------




BATCH EXPORT INDICATORS TO CSV

post /indicators/batch/exportToCsv

Exports a batch of indicators to a CSV file (returns the file ID).

CURL
curl -X POST \
  -H "Authorization: [[apiKey]]" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  "https://hostname:443/indicators/batch/exportToCsv" \
  -d '{
    "all" : true,
    "filter" : {
      "ignoreWorkers" : true,
      "filterobjectquery" : "filterobjectquery",
      "fromDateLicense" : "2000-01-23T04:56:07.000+00:00",
      "searchAfterElastic" : [ "searchAfterElastic", "searchAfterElastic" ],
      "searchBefore" : [ "searchBefore", "searchBefore" ],
      "laterTimeInPage" : "2000-01-23T04:56:07.000+00:00",
      "period" : { "fromValue" : "fromValue", "toValue" : "toValue", "byFrom" : "byFrom", "field" : "field", "by" : "by", "byTo" : "byTo" },
      "searchAfterMap" : { "key" : [ "searchAfterMap", "searchAfterMap" ] },
      "searchAfterMapOrder" : { "key" : 1 },
      "firstSeen" : {
        "fromDate" : "2000-01-23T04:56:07.000+00:00",
        "fromDateLicense" : "2000-01-23T04:56:07.000+00:00",
        "period" : { "fromValue" : "fromValue", "toValue" : "toValue", "byFrom" : "byFrom", "field" : "field", "by" : "by", "byTo" : "byTo" },
        "toDate" : "2000-01-23T04:56:07.000+00:00",
        "timeFrame" : 0
      },
      "earlyTimeInPage" : "2000-01-23T04:56:07.000+00:00",
      "query" : "query",
      "searchBeforeElastic" : [ "searchBeforeElastic", "searchBeforeElastic" ],
      "toDate" : "2000-01-23T04:56:07.000+00:00",
      "trim_events" : 2,
      "prevPage" : true,
      "sort" : [
        { "asc" : true, "field" : "field", "fieldType" : "fieldType" },
        { "asc" : true, "field" : "field", "fieldType" : "fieldType" }
      ],
      "timeFrame" : 5,
      "fromDate" : "2000-01-23T04:56:07.000+00:00",
      "lastSeen" : {
        "fromDate" : "2000-01-23T04:56:07.000+00:00",
        "fromDateLicense" : "2000-01-23T04:56:07.000+00:00",
        "period" : { "fromValue" : "fromValue", "toValue" : "toValue", "byFrom" : "byFrom", "field" : "field", "by" : "by", "byTo" : "byTo" },
        "toDate" : "2000-01-23T04:56:07.000+00:00",
        "timeFrame" : 0
      },
      "size" : 5,
      "searchAfter" : [ "searchAfter", "searchAfter" ],
      "accounts" : { "key" : "{}" },
      "page" : 6,
      "fields" : [ "fields", "fields" ],
      "Cache" : { "key" : [ "Cache", "Cache" ] }
    },
    "reason" : "reason",
    "reputations" : [ "reputations", "reputations" ],
    "columns" : [ "columns", "columns" ],
    "ids" : [ "ids", "ids" ],
    "doNotWhitelist" : true
  }'

Authentication: api_key Api Key "Authorization"
Request
Body
optional
Required parameters from genericIndicatorUpdateBatch: columns and filter. You
should also include either all or ids.
all
optional
Boolean


columns
optional
Array of strings


doNotWhitelist
optional
Boolean


filter
optional


IndicatorFilter is a general filter that fetches entities using a query string
(the Query value).
Cache
optional
Map
Cache of join functions

accounts
optional
Map of objects


earlyTimeInPage
optional
Object
format: date-time

fields
optional
Array of strings


filterobjectquery
optional
String


firstSeen
optional


DateRangeFilter provides common fields for date filtering
fromDate
optional
Object
format: date-time

fromDateLicense
optional
Object
format: date-time

period
optional


by
optional
String
By is kept for legacy use; if present, it overrides ByTo and ByFrom.

byFrom
optional
String


byTo
optional
String


field
optional
String


fromValue
optional
String
format: duration

toValue
optional
String
format: duration

timeFrame
optional
Number (Long)
A Duration represents the elapsed time between two instants as an int64
nanosecond count. The representation limits the largest representable duration
to approximately 290 years. format: int64

toDate
optional
Object
format: date-time

fromDate
optional
Object
format: date-time

fromDateLicense
optional
Object
format: date-time

ignoreWorkers
optional
Boolean
Do not use the workers mechanism while searching bleve.

lastSeen
optional


DateRangeFilter provides common fields for date filtering
fromDate
optional
Object
format: date-time

fromDateLicense
optional
Object
format: date-time

period
optional


by
optional
String
By is kept for legacy use; if present, it overrides ByTo and ByFrom.

byFrom
optional
String


byTo
optional
String


field
optional
String


fromValue
optional
String
format: duration

toValue
optional
String
format: duration

timeFrame
optional
Number (Long)
A Duration represents the elapsed time between two instants as an int64
nanosecond count. The representation limits the largest representable duration
to approximately 290 years. format: int64

toDate
optional
Object
format: date-time

laterTimeInPage
optional
Object
format: date-time

page
optional
Number (Long)
0-based page format: int64

period
optional


by
optional
String
By is kept for legacy use; if present, it overrides ByTo and ByFrom.

byFrom
optional
String


byTo
optional
String


field
optional
String


fromValue
optional
String
format: duration

toValue
optional
String
format: duration

prevPage
optional
Boolean
MT support - these fields are for indicator search according to calculatedTime

query
optional
String


searchAfter
optional
Array of strings
Efficient next page, pass max sort value from previous page

searchAfterElastic
optional
Array of strings
Efficient next page, pass max ES sort value from previous page

searchAfterMap
optional
Map
Map of search-after values per account: stores the next page's sort values for
each account. There is no need to store a searchBeforeMap, because the current
page's searchBefore equals the previous page's searchAfter. Moreover, a correct
searchBefore cannot be generated from the current page, since some tenants may
not appear in it at all. The map is relevant in proxy mode and is used by
tenants; each tenant extracts its own searchAfter keys from the map.

searchAfterMapOrder
optional
Map of numbers (Long)
format: int64

searchBefore
optional
Array of strings
Efficient prev page, pass min sort value from next page

searchBeforeElastic
optional
Array of strings
Efficient prev page, pass min ES sort value from next page

size
optional
Number (Long)
Size is limited to 1000. If not passed, it defaults to 0 and no results are
returned. format: int64

sort
optional
Array
The sort order
Order struct holds a sort field and the direction of sorting
asc
optional
Boolean


field
optional
String


fieldType
optional
String


timeFrame
optional
Number (Long)
A Duration represents the elapsed time between two instants as an int64
nanosecond count. The representation limits the largest representable duration
to approximately 290 years. format: int64

toDate
optional
Object
format: date-time

trim_events
optional
Number (Long)
format: int64

ids
optional
Array of strings


reason
optional
String


reputations
optional
Array of strings


Responses

csv file name

Body

--------------------------------------------------------------------------------




BATCH WHITELIST OR DELETE INDICATORS

post /indicators/batchDelete

Batch whitelist or delete indicator entities. To delete the indicators rather
than whitelist them, set the doNotWhitelist boolean field to true.

CURL
curl -X POST \
  -H "Authorization: [[apiKey]]" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  "https://hostname:443/indicators/batchDelete" \
  -d '{
    "all" : true,
    "filter" : {
      "ignoreWorkers" : true,
      "filterobjectquery" : "filterobjectquery",
      "fromDateLicense" : "2000-01-23T04:56:07.000+00:00",
      "searchAfterElastic" : [ "searchAfterElastic", "searchAfterElastic" ],
      "searchBefore" : [ "searchBefore", "searchBefore" ],
      "laterTimeInPage" : "2000-01-23T04:56:07.000+00:00",
      "period" : { "fromValue" : "fromValue", "toValue" : "toValue", "byFrom" : "byFrom", "field" : "field", "by" : "by", "byTo" : "byTo" },
      "searchAfterMap" : { "key" : [ "searchAfterMap", "searchAfterMap" ] },
      "searchAfterMapOrder" : { "key" : 1 },
      "firstSeen" : {
        "fromDate" : "2000-01-23T04:56:07.000+00:00",
        "fromDateLicense" : "2000-01-23T04:56:07.000+00:00",
        "period" : { "fromValue" : "fromValue", "toValue" : "toValue", "byFrom" : "byFrom", "field" : "field", "by" : "by", "byTo" : "byTo" },
        "toDate" : "2000-01-23T04:56:07.000+00:00",
        "timeFrame" : 0
      },
      "earlyTimeInPage" : "2000-01-23T04:56:07.000+00:00",
      "query" : "query",
      "searchBeforeElastic" : [ "searchBeforeElastic", "searchBeforeElastic" ],
      "toDate" : "2000-01-23T04:56:07.000+00:00",
      "trim_events" : 2,
      "prevPage" : true,
      "sort" : [
        { "asc" : true, "field" : "field", "fieldType" : "fieldType" },
        { "asc" : true, "field" : "field", "fieldType" : "fieldType" }
      ],
      "timeFrame" : 5,
      "fromDate" : "2000-01-23T04:56:07.000+00:00",
      "lastSeen" : {
        "fromDate" : "2000-01-23T04:56:07.000+00:00",
        "fromDateLicense" : "2000-01-23T04:56:07.000+00:00",
        "period" : { "fromValue" : "fromValue", "toValue" : "toValue", "byFrom" : "byFrom", "field" : "field", "by" : "by", "byTo" : "byTo" },
        "toDate" : "2000-01-23T04:56:07.000+00:00",
        "timeFrame" : 0
      },
      "size" : 5,
      "searchAfter" : [ "searchAfter", "searchAfter" ],
      "accounts" : { "key" : "{}" },
      "page" : 6,
      "fields" : [ "fields", "fields" ],
      "Cache" : { "key" : [ "Cache", "Cache" ] }
    },
    "reason" : "reason",
    "reputations" : [ "reputations", "reputations" ],
    "columns" : [ "columns", "columns" ],
    "ids" : [ "ids", "ids" ],
    "doNotWhitelist" : true
  }'

Authentication: api_key Api Key "Authorization"
Request
Body
optional

all
optional
Boolean


columns
optional
Array of strings


doNotWhitelist
optional
Boolean


filter
optional


IndicatorFilter is a general filter that fetches entities using a query string
(the Query value).
Cache
optional
Map
Cache of join functions

accounts
optional
Map of objects


earlyTimeInPage
optional
Object
format: date-time

fields
optional
Array of strings


filterobjectquery
optional
String


firstSeen
optional


DateRangeFilter provides common fields for date filtering
fromDate
optional
Object
format: date-time

fromDateLicense
optional
Object
format: date-time

period
optional


by
optional
String
By is kept for legacy use; if present, it overrides ByTo and ByFrom.

byFrom
optional
String


byTo
optional
String


field
optional
String


fromValue
optional
String
format: duration

toValue
optional
String
format: duration

timeFrame
optional
Number (Long)
A Duration represents the elapsed time between two instants as an int64
nanosecond count. The representation limits the largest representable duration
to approximately 290 years. format: int64

toDate
optional
Object
format: date-time

fromDate
optional
Object
format: date-time

fromDateLicense
optional
Object
format: date-time

ignoreWorkers
optional
Boolean
Do not use the workers mechanism while searching bleve.

lastSeen
optional


DateRangeFilter provides common fields for date filtering
fromDate
optional
Object
format: date-time

fromDateLicense
optional
Object
format: date-time

period
optional


by
optional
String
By is kept for legacy use; if present, it overrides ByTo and ByFrom.

byFrom
optional
String


byTo
optional
String


field
optional
String


fromValue
optional
String
format: duration

toValue
optional
String
format: duration

timeFrame
optional
Number (Long)
A Duration represents the elapsed time between two instants as an int64
nanosecond count. The representation limits the largest representable duration
to approximately 290 years. format: int64

toDate
optional
Object
format: date-time

laterTimeInPage
optional
Object
format: date-time

page
optional
Number (Long)
0-based page format: int64

period
optional


by
optional
String
By is kept for legacy use; if present, it overrides ByTo and ByFrom.

byFrom
optional
String


byTo
optional
String


field
optional
String


fromValue
optional
String
format: duration

toValue
optional
String
format: duration

prevPage
optional
Boolean
MT support - these fields are for indicator search according to calculatedTime

query
optional
String


searchAfter
optional
Array of strings
Efficient next page, pass max sort value from previous page

searchAfterElastic
optional
Array of strings
Efficient next page, pass max ES sort value from previous page

searchAfterMap
optional
Map
Map of search-after values per account: stores the next page's sort values for
each account. There is no need to store a searchBeforeMap, because the current
page's searchBefore equals the previous page's searchAfter. Moreover, a correct
searchBefore cannot be generated from the current page, since some tenants may
not appear in it at all. The map is relevant in proxy mode and is used by
tenants; each tenant extracts its own searchAfter keys from the map.

searchAfterMapOrder
optional
Map of numbers (Long)
format: int64

searchBefore
optional
Array of strings
Efficient prev page, pass min sort value from next page

searchBeforeElastic
optional
Array of strings
Efficient prev page, pass min ES sort value from next page

size
optional
Number (Long)
Size is limited to 1000. If not passed, it defaults to 0 and no results are
returned. format: int64

sort
optional
Array
The sort order
Order struct holds a sort field and the direction of sorting
asc
optional
Boolean


field
optional
String


fieldType
optional
String


timeFrame
optional
Number (Long)
A Duration represents the elapsed time between two instants as an int64
nanosecond count. The representation limits the largest representable duration
to approximately 290 years. format: int64

toDate
optional
Object
format: date-time

trim_events
optional
Number (Long)
format: int64

ids
optional
Array of strings


reason
optional
String


reputations
optional
Array of strings


Responses

UpdateResponse

Body
notUpdated
optional
Number (Long)
format: int64

updatedIds
optional
Array of strings


uppdated
optional
Number (Long)
format: int64

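The body shared by the two batch calls above (exportToCsv and batchDelete) has documented constraints that are easy to get wrong in automation: columns and filter are required, exactly one of all or ids selects the targets, size defaults to 0 (no results), and doNotWhitelist turns a whitelist into a hard delete. The following is an added example, not code from the Cortex XSOAR docs or SDK, that builds and checks such a body and interprets the UpdateResponse returned by batchDelete. The refusal of all=true without a query is this example's own safeguard, not server behaviour.

```python
"""Added example (not from the Cortex XSOAR docs or SDK): assembles the
genericIndicatorUpdateBatch body shared by /indicators/batch/exportToCsv and
/indicators/batchDelete, checks it against the documented constraints, and
interprets the UpdateResponse returned by batchDelete."""
from typing import Any, Dict, List, Optional

MAX_PAGE_SIZE = 1000  # documented cap for IndicatorFilter.size; 0 returns nothing


def batch_request_problems(body: Dict[str, Any]) -> List[str]:
    """Return the reasons a body would be rejected (empty list = OK).
    Documented rules: columns and filter are required; either all or ids
    selects the targets. Added safeguard (this example's policy): all=true
    needs a non-empty query, so an empty filter can never select the whole
    indicator store."""
    problems: List[str] = []
    if not body.get("columns"):
        problems.append("columns is required")
    flt = body.get("filter")
    if not isinstance(flt, dict):
        problems.append("filter is required")
        flt = {}
    else:
        size = flt.get("size", 0)
        if not isinstance(size, int) or not 0 < size <= MAX_PAGE_SIZE:
            problems.append(f"filter.size must be 1..{MAX_PAGE_SIZE} (0 returns no results)")
    has_ids = bool(body.get("ids"))
    select_all = bool(body.get("all"))
    if has_ids == select_all:
        problems.append("set exactly one of all or ids")
    if select_all and not str(flt.get("query", "")).strip():
        problems.append("all=true requires a non-empty filter query")
    return problems


def build_batch_request(
    *,
    columns: List[str],
    query: str,
    ids: Optional[List[str]] = None,
    select_all: bool = False,
    do_not_whitelist: bool = False,
    reason: str = "",
    size: int = MAX_PAGE_SIZE,
) -> Dict[str, Any]:
    """Build the body and raise ValueError if it breaks any rule above.
    doNotWhitelist defaults to false (the whitelist action described above);
    a hard delete has to be requested explicitly."""
    body: Dict[str, Any] = {
        "columns": list(columns),
        "filter": {"query": query, "size": size},
        "doNotWhitelist": do_not_whitelist,
    }
    if reason:
        body["reason"] = reason
    if select_all:
        body["all"] = True
    elif ids:
        body["ids"] = list(ids)
    problems = batch_request_problems(body)
    if problems:
        raise ValueError("; ".join(problems))
    return body


def summarize_update_response(resp: Dict[str, Any]) -> Dict[str, Any]:
    """Interpret an UpdateResponse. The schema above names the success counter
    `uppdated`; the correctly spelt key is accepted as a defensive fallback.
    `partial` flags that some targets were not updated and `consistent` checks
    that updatedIds matches the counter; both are worth alerting on after a
    delete."""
    updated = int(resp.get("uppdated", resp.get("updated", 0)))
    not_updated = int(resp.get("notUpdated", 0))
    ids = list(resp.get("updatedIds") or [])
    return {
        "updated": updated,
        "notUpdated": not_updated,
        "updatedIds": ids,
        "partial": not_updated > 0,
        "consistent": len(ids) == updated,
    }
```

Run `batch_request_problems` on a body before sending it and log the `partial`/`consistent` flags of the summary; a batchDelete that reports notUpdated greater than zero, or fewer ids than its counter, deserves a second look before the job is marked successful.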

--------------------------------------------------------------------------------




GET INDICATORS AS CSV

get /indicators/csv/{id}

Get an exported indicators CSV file by ID.

CURL
curl -X GET \
  -H "Authorization: [[apiKey]]" \
  -H "Accept: application/octet-stream" \
  "https://hostname:443/indicators/csv/{id}"

Authentication: api_key Api Key "Authorization"
Path parameters
id
required
String
CSV file to fetch (returned from batch export to csv call)
Example: id_example
Responses

Return Csv file

Body

--------------------------------------------------------------------------------




CREATE FEED INDICATORS FROM JSON

post /indicators/feed/json

Create indicators from raw JSON (similar to ingesting from a feed). Builds
indicators according to the specified feed classifier, or uses the default one
if not specified. Indicator properties (all optional except for value):
value (string, required)
type (string)
score (number, 0-3, default 0, where 0 means None, 1 Good, 2 Suspicious, and 3 Bad)
sourceBrand (string, default "External")
sourceInstance (string, default "External")
reliability (string, one of "A - Completely reliable", "B - Usually reliable", "C - Fairly reliable", "D - Not usually reliable", "E - Unreliable", "F - Reliability cannot be judged")
expirationPolicy (string, one of "never", "interval", "indicatorType")
expirationInterval (number, in minutes)

CURL
curl -X POST \
  -H "Authorization: [[apiKey]]" \
  -H "Content-Type: application/json" \
  "https://hostname:443/indicators/feed/json" \
  -d '{ "bypassExclusionList" : true, "classifierId" : "classifierId", "mapperId" : "mapperId", "indicators" : [ null, null ] }'

Authentication: api_key Api Key "Authorization"
Request
Body
required

bypassExclusionList
optional
Boolean


classifierId
optional
String


indicators
optional
Array


mapperId
optional
String


Responses

Indicators created
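The property rules listed above (value required, score 0-3, the six reliability strings, the three expiration policies) are enforced by the feed ingestion, but a feed that fails validation gives little feedback about which record was at fault. The following is an added example, not code from the Cortex XSOAR docs or SDK, that checks each record against those rules before posting and assembles the request body; the sample feed is constructed, and bypassExclusionList is left at false so the exclusion list stays in force unless the caller opts out explicitly.

```python
"""Added example (not from the Cortex XSOAR docs or SDK): validates indicator
records against the property rules for /indicators/feed/json and assembles the
request body. Score names, reliability strings and expiration policies are the
ones the endpoint description lists; the sample feed is constructed."""
from typing import Any, Dict, List, Optional, Tuple

SCORES = {0: "None", 1: "Good", 2: "Suspicious", 3: "Bad"}
RELIABILITIES = {
    "A - Completely reliable", "B - Usually reliable", "C - Fairly reliable",
    "D - Not usually reliable", "E - Unreliable", "F - Reliability cannot be judged",
}
EXPIRATION_POLICIES = {"never", "interval", "indicatorType"}
STRING_PROPS = ("type", "sourceBrand", "sourceInstance")


def indicator_problems(ind: Any) -> List[str]:
    """Return the rule violations for one record (empty list = acceptable)."""
    if not isinstance(ind, dict):
        return ["record is not a JSON object"]
    problems: List[str] = []
    value = ind.get("value")
    if not isinstance(value, str) or not value.strip():
        problems.append("value is required")
    if "score" in ind:
        score = ind["score"]
        # bool is a subclass of int in Python, so rule it out explicitly
        if isinstance(score, bool) or not isinstance(score, int) or score not in SCORES:
            problems.append(f"score must be 0-3, got {score!r}")
    if "reliability" in ind and ind["reliability"] not in RELIABILITIES:
        problems.append(f"unknown reliability {ind['reliability']!r}")
    if "expirationPolicy" in ind and ind["expirationPolicy"] not in EXPIRATION_POLICIES:
        problems.append(f"unknown expirationPolicy {ind['expirationPolicy']!r}")
    if "expirationInterval" in ind:
        interval = ind["expirationInterval"]
        if isinstance(interval, bool) or not isinstance(interval, (int, float)) or interval <= 0:
            problems.append("expirationInterval must be a positive number of minutes")
    for key in STRING_PROPS:
        if key in ind and not isinstance(ind[key], str):
            problems.append(f"{key} must be a string")
    return problems


def build_feed_request(
    indicators: List[Any],
    classifier_id: Optional[str] = None,
    mapper_id: Optional[str] = None,
    bypass_exclusion_list: bool = False,
) -> Tuple[Dict[str, Any], List[Tuple[int, List[str]]]]:
    """Split the feed into accepted records (placed in the request body) and
    rejected ones (index plus reasons, for the caller to log). The exclusion
    list stays in force unless the caller opts out explicitly."""
    accepted: List[Dict[str, Any]] = []
    rejected: List[Tuple[int, List[str]]] = []
    for idx, ind in enumerate(indicators):
        problems = indicator_problems(ind)
        if problems:
            rejected.append((idx, problems))
        else:
            accepted.append(ind)
    body: Dict[str, Any] = {"indicators": accepted, "bypassExclusionList": bypass_exclusion_list}
    if classifier_id:
        body["classifierId"] = classifier_id
    if mapper_id:
        body["mapperId"] = mapper_id
    return body, rejected


# Constructed sample feed: two good records, two that break the documented rules.
SAMPLE_FEED: List[Any] = [
    {"value": "203.0.113.10", "type": "IP", "score": 3, "sourceBrand": "InternalFeed",
     "reliability": "B - Usually reliable", "expirationPolicy": "interval",
     "expirationInterval": 1440},
    {"value": "example.invalid", "type": "Domain", "score": 2},
    {"type": "IP", "score": 9},
    {"value": "203.0.113.11", "reliability": "Z - Made up"},
]
```

`build_feed_request(SAMPLE_FEED, classifier_id="my-classifier")` returns a body with the two valid records and a rejection list naming records 2 and 3 with their reasons, which is what a feed-ingestion job should log instead of failing the whole batch.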

--------------------------------------------------------------------------------




SEARCH INDICATORS

post /indicators/search

Search indicators by filter

CURL
curl -X POST \
  -H "Authorization: [[apiKey]]" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  "https://hostname:443/indicators/search" \
  -d '{
    "ignoreWorkers" : true,
    "filterobjectquery" : "filterobjectquery",
    "fromDateLicense" : "2000-01-23T04:56:07.000+00:00",
    "searchAfterElastic" : [ "searchAfterElastic", "searchAfterElastic" ],
    "searchBefore" : [ "searchBefore", "searchBefore" ],
    "laterTimeInPage" : "2000-01-23T04:56:07.000+00:00",
    "period" : { "fromValue" : "fromValue", "toValue" : "toValue", "byFrom" : "byFrom", "field" : "field", "by" : "by", "byTo" : "byTo" },
    "searchAfterMap" : { "key" : [ "searchAfterMap", "searchAfterMap" ] },
    "searchAfterMapOrder" : { "key" : 1 },
    "firstSeen" : {
      "fromDate" : "2000-01-23T04:56:07.000+00:00",
      "fromDateLicense" : "2000-01-23T04:56:07.000+00:00",
      "period" : { "fromValue" : "fromValue", "toValue" : "toValue", "byFrom" : "byFrom", "field" : "field", "by" : "by", "byTo" : "byTo" },
      "toDate" : "2000-01-23T04:56:07.000+00:00",
      "timeFrame" : 0
    },
    "earlyTimeInPage" : "2000-01-23T04:56:07.000+00:00",
    "query" : "query",
    "searchBeforeElastic" : [ "searchBeforeElastic", "searchBeforeElastic" ],
    "toDate" : "2000-01-23T04:56:07.000+00:00",
    "trim_events" : 2,
    "prevPage" : true,
    "sort" : [
      { "asc" : true, "field" : "field", "fieldType" : "fieldType" },
      { "asc" : true, "field" : "field", "fieldType" : "fieldType" }
    ],
    "timeFrame" : 5,
    "fromDate" : "2000-01-23T04:56:07.000+00:00",
    "lastSeen" : {
      "fromDate" : "2000-01-23T04:56:07.000+00:00",
      "fromDateLicense" : "2000-01-23T04:56:07.000+00:00",
      "period" : { "fromValue" : "fromValue", "toValue" : "toValue", "byFrom" : "byFrom", "field" : "field", "by" : "by", "byTo" : "byTo" },
      "toDate" : "2000-01-23T04:56:07.000+00:00",
      "timeFrame" : 0
    },
    "size" : 5,
    "searchAfter" : [ "searchAfter", "searchAfter" ],
    "accounts" : { "key" : "{}" },
    "page" : 6,
    "fields" : [ "fields", "fields" ],
    "Cache" : { "key" : [ "Cache", "Cache" ] }
  }'

Authentication: api_key Api Key "Authorization"
Request
Body
optional

Cache
optional
Map
Cache of join functions

accounts
optional
Map of objects


earlyTimeInPage
optional
Object
format: date-time

fields
optional
Array of strings


filterobjectquery
optional
String


firstSeen
optional


DateRangeFilter provides common fields for date filtering
fromDate
optional
Object
format: date-time

fromDateLicense
optional
Object
format: date-time

period
optional


by
optional
String
By is kept for legacy use; if present, it overrides ByTo and ByFrom.

byFrom
optional
String


byTo
optional
String


field
optional
String


fromValue
optional
String
format: duration

toValue
optional
String
format: duration

timeFrame
optional
Number (Long)
A Duration represents the elapsed time between two instants as an int64
nanosecond count. The representation limits the largest representable duration
to approximately 290 years. format: int64

toDate
optional
Object
format: date-time

fromDate
optional
Object
format: date-time

fromDateLicense
optional
Object
format: date-time

ignoreWorkers
optional
Boolean
Do not use the workers mechanism while searching bleve.

lastSeen
optional


DateRangeFilter provides common fields for date filtering
fromDate
optional
Object
format: date-time

fromDateLicense
optional
Object
format: date-time

period
optional


by
optional
String
By is kept for legacy use; if present, it overrides ByTo and ByFrom.

byFrom
optional
String


byTo
optional
String


field
optional
String


fromValue
optional
String
format: duration

toValue
optional
String
format: duration

timeFrame
optional
Number (Long)
A Duration represents the elapsed time between two instants as an int64
nanosecond count. The representation limits the largest representable duration
to approximately 290 years. format: int64

toDate
optional
Object
format: date-time

laterTimeInPage
optional
Object
format: date-time

page
optional
Number (Long)
0-based page format: int64

period
optional


by
optional
String
By is kept for legacy use; if present, it overrides ByTo and ByFrom.

byFrom
optional
String


byTo
optional
String


field
optional
String


fromValue
optional
String
format: duration

toValue
optional
String
format: duration

prevPage
optional
Boolean
MT support - these fields are for indicator search according to calculatedTime

query
optional
String


searchAfter
optional
Array of strings
Efficient next page, pass max sort value from previous page

searchAfterElastic
optional
Array of strings
Efficient next page, pass max ES sort value from previous page

searchAfterMap
optional
Map
Map of search-after values per account: stores the next page's sort values for
each account. There is no need to store a searchBeforeMap, because the current
page's searchBefore equals the previous page's searchAfter. Moreover, a correct
searchBefore cannot be generated from the current page, since some tenants may
not appear in it at all. The map is relevant in proxy mode and is used by
tenants; each tenant extracts its own searchAfter keys from the map.

searchAfterMapOrder
optional
Map of numbers (Long)
format: int64

searchBefore
optional
Array of strings
Efficient prev page, pass min sort value from next page

searchBeforeElastic
optional
Array of strings
Efficient prev page, pass min ES sort value from next page

size
optional
Number (Long)
Size is limited to 1000. If not passed, it defaults to 0 and no results are
returned. format: int64

sort
optional
Array
The sort order
Order struct holds a sort field and the direction of sorting
asc
optional
Boolean


field
optional
String


fieldType
optional
String


timeFrame
optional
Number (Long)
A Duration represents the elapsed time between two instants as an int64
nanosecond count. The representation limits the largest representable duration
to approximately 290 years. format: int64

toDate
optional
Object
format: date-time

trim_events
optional
Number (Long)
format: int64

Responses

indicatorResult

Body
accountErrors
optional
Array of strings


iocObjects
optional
Array

IocObject - represents an Ioc (or simply an indicator) object
CustomFields
optional
Map of objects
The keys should be the field's display name, all lowercase and without spaces.
For example: Scan IP -> scanip. To get the actual key name, you can also go to
the Cortex XSOAR CLI, run /incident_add, and look for the key that you would
like to update.

account
optional
String


aggregatedReliability
optional
String


cacheVersn
optional
Number (Long)
format: int64

calculatedTime
optional
Object
Do not set the fields below this line. format: date-time

comment
optional
String


comments
optional
Array

cacheVersn
optional
Number (Long)
format: int64

category
optional
String


content
optional
String


created
optional
Object
format: date-time

entryId
optional
String


highlight
optional
Map


id
optional
String


indexName
optional
String


modified
optional
Object
format: date-time

numericId
optional
Number (Long)
format: int64

primaryTerm
optional
Number (Long)
format: int64

sequenceNumber
optional
Number (Long)
format: int64

sizeInBytes
optional
Number (Long)
format: int64

sortValues
optional
Array of strings


source
optional
String


syncHash
optional
String


type
optional
String


user
optional
String


version
optional
Number (Long)
format: int64

created
optional
Object
format: date-time

deletedFeedFetchTime
optional
Object
format: date-time

expiration
optional
Object
format: date-time

expirationSource
optional


brand
optional
String


expirationInterval
optional
Number (Long)
format: int64

expirationPolicy
optional
String


instance
optional
String


moduleId
optional
String


setTime
optional
Object
format: date-time

source
optional
String


user
optional
String


expirationStatus
optional
String


firstSeen
optional
Object
format: date-time

firstSeenEntryID
optional
String


highlight
optional
Map


id
optional
String


indexName
optional
String


indicator_type
optional
String


insightCache
optional


InsightCache maps an insight name to all of its metadata; the name is
case-insensitive.
cacheVersn
optional
Number (Long)
format: int64

created
optional
Object
format: date-time

highlight
optional
Map


id
optional
String


indexName
optional
String


modified
optional
Object
format: date-time

numericId
optional
Number (Long)
format: int64

primaryTerm
optional
Number (Long)
format: int64

scores
optional
Map

DBotScore contains the score of a specific brand for a specific insight.
content
optional
String


contentFormat
optional
String


context
optional
Map of objects


isTypedIndicator
optional
Boolean


reliability
optional
String


score
optional
Number (Long)
format: int64

scoreChangeTimestamp
optional
Object
We need to track when the score changes to know whether the overall score needs
to be recalculated. format: date-time

timestamp
optional
Object
format: date-time

type
optional
String


sequenceNumber
optional
Number (Long)
format: int64

sizeInBytes
optional
Number (Long)
format: int64

sortValues
optional
Array of strings


syncHash
optional
String


version
optional
Number (Long)
format: int64

investigationIDs
optional
Array of strings


isDetectable
optional
Boolean


isPreventable
optional
Boolean


isShared
optional
Boolean


lastReputationRun
optional
Object
format: date-time

lastSeen
optional
Object
format: date-time

lastSeenEntryID
optional
String


manualExpirationTime
optional
Object
format: date-time

manualScore
optional
Boolean


manualSetTime
optional
Object
format: date-time

manuallyEditedFields
optional
Array of strings


modified
optional
Object
format: date-time

modifiedTime
optional
Object
format: date-time

moduleToFeedMap
optional
Map

ExpirationSource
optional


brand
optional
String


expirationInterval
optional
Number (Long)
format: int64

expirationPolicy
optional
String


instance
optional
String


moduleId
optional
String


setTime
optional
Object
format: date-time

source
optional
String


user
optional
String


bypassExclusionList
optional
Boolean


classifierId
optional
String


classifierVersion
optional
Number (Long)
format: int64

comments
optional
Array

content
optional
String


created
optional
Object
format: date-time

id
optional
String


user
optional
String


expirationInterval
optional
Number (Long)
format: int64

expirationPolicy
optional
String


fetchTime
optional
Object
format: date-time

fields
optional
Map of objects
The keys should be the field's display name, all lowercase and without spaces.
For example: Scan IP -> scanip. To get the actual key name, you can also go to
the Cortex XSOAR CLI, run /incident_add, and look for the key that you would
like to update.

isEnrichment
optional
Boolean


mapperId
optional
String


mapperVersion
optional
Number (Long)
format: int64

modifiedTime
optional
Object
format: date-time

moduleId
optional
String


rawJSON
optional
Map of objects


relationships
optional
Array

brand
optional
String


entityA
optional
String


entityAFamily
optional
String


entityAType
optional
String


entityB
optional
String


entityBFamily
optional
String


entityBType
optional
String


fields
optional
Map of objects
The keys should be the field's display name, all lowercase and without spaces.
For example: Scan IP -> scanip. To get the actual key name, you can also go to
the Cortex XSOAR CLI, run /incident_add, and look for the key that you would
like to update.

id
optional
String


instance
optional
String


name
optional
String


reliability
optional
String


reverseName
optional
String


startTime
optional
Object
format: date-time

type
optional
String


reliability
optional
String


score
optional
Number (Long)
format: int64

sourceBrand
optional
String


sourceInstance
optional
String


timestamp
optional
Object
format: date-time

type
optional
String


value
optional
String


numericId
optional
Number (Long)
format: int64

primaryTerm
optional
Number (Long)
format: int64

relatedIncCount
optional
Number (Long)
format: int64

score
optional
Number (Long)
format: int64

sequenceNumber
optional
Number (Long)
format: int64

setBy
optional
String


sizeInBytes
optional
Number (Long)
format: int64

sortValues
optional
Array of strings


source
optional
String


sourceBrands
optional
Array of strings


sourceInstances
optional
Array of strings


syncHash
optional
String


timestamp
optional
Object
format: date-time

value
optional
String


version
optional
Number (Long)
format: int64

total
optional
Number (Long)
format: int64

totalAccounts
optional
Number (Long)
format: int64


--------------------------------------------------------------------------------




GET INDICATORS AS STIX V2

get /indicators/stix/v2/{id}

Get an exported indicators STIX V2 file, by ID

CURL
curl -X GET \
  -H "Authorization: [[apiKey]]" \
  -H "Accept: application/octet-stream" \
  "https://hostname:443/indicators/stix/v2/{id}"

Authentication: api_key (API key sent in the "Authorization" header)
Path parameters
id
required
String
ID of the STIX V2 file to fetch (returned by the batch export to STIX call)
Example: id_example
Responses

Return STIX V2 file

Body

--------------------------------------------------------------------------------




DELETE INDICATORS TIMELINE

post /indicators/timeline/delete

Delete indicators timeline by filter

CURL
curl -X POST \
  -H "Authorization: [[apiKey]]" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  "https://hostname:443/indicators/timeline/delete" \
  -d '{
  "ignoreWorkers": true,
  "filterobjectquery": "filterobjectquery",
  "fromDateLicense": "2000-01-23T04:56:07.000+00:00",
  "searchAfterElastic": [ "searchAfterElastic", "searchAfterElastic" ],
  "searchBefore": [ "searchBefore", "searchBefore" ],
  "laterTimeInPage": "2000-01-23T04:56:07.000+00:00",
  "period": { "fromValue": "fromValue", "toValue": "toValue", "byFrom": "byFrom", "field": "field", "by": "by", "byTo": "byTo" },
  "searchAfterMap": { "key": [ "searchAfterMap", "searchAfterMap" ] },
  "searchAfterMapOrder": { "key": 1 },
  "firstSeen": {
    "fromDate": "2000-01-23T04:56:07.000+00:00",
    "fromDateLicense": "2000-01-23T04:56:07.000+00:00",
    "period": { "fromValue": "fromValue", "toValue": "toValue", "byFrom": "byFrom", "field": "field", "by": "by", "byTo": "byTo" },
    "toDate": "2000-01-23T04:56:07.000+00:00",
    "timeFrame": 0
  },
  "earlyTimeInPage": "2000-01-23T04:56:07.000+00:00",
  "query": "query",
  "searchBeforeElastic": [ "searchBeforeElastic", "searchBeforeElastic" ],
  "toDate": "2000-01-23T04:56:07.000+00:00",
  "trim_events": 2,
  "prevPage": true,
  "sort": [
    { "asc": true, "field": "field", "fieldType": "fieldType" },
    { "asc": true, "field": "field", "fieldType": "fieldType" }
  ],
  "timeFrame": 5,
  "fromDate": "2000-01-23T04:56:07.000+00:00",
  "lastSeen": {
    "fromDate": "2000-01-23T04:56:07.000+00:00",
    "fromDateLicense": "2000-01-23T04:56:07.000+00:00",
    "period": { "fromValue": "fromValue", "toValue": "toValue", "byFrom": "byFrom", "field": "field", "by": "by", "byTo": "byTo" },
    "toDate": "2000-01-23T04:56:07.000+00:00",
    "timeFrame": 0
  },
  "size": 5,
  "searchAfter": [ "searchAfter", "searchAfter" ],
  "accounts": { "key": "{}" },
  "page": 6,
  "fields": [ "fields", "fields" ],
  "Cache": { "key": [ "Cache", "Cache" ] }
}'

Authentication: api_key (API key sent in the "Authorization" header)
Request
Body
optional

Cache
optional
Map
Cache of join functions

accounts
optional
Map of objects


earlyTimeInPage
optional
Object
format: date-time

fields
optional
Array of strings


filterobjectquery
optional
String


firstSeen
optional


DateRangeFilter provides common fields for date filtering
fromDate
optional
Object
format: date-time

fromDateLicense
optional
Object
format: date-time

period
optional


by
optional
String
By is kept for legacy use; if present, it overrides ByTo and ByFrom.

byFrom
optional
String


byTo
optional
String


field
optional
String


fromValue
optional
String
format: duration

toValue
optional
String
format: duration

timeFrame
optional
Number (Long)
A Duration represents the elapsed time between two instants as an int64
nanosecond count. The representation limits the largest representable duration
to approximately 290 years.
format: int64

toDate
optional
Object
format: date-time

fromDate
optional
Object
format: date-time

fromDateLicense
optional
Object
format: date-time

ignoreWorkers
optional
Boolean
Do not use the workers mechanism while searching bleve

lastSeen
optional


DateRangeFilter provides common fields for date filtering
fromDate
optional
Object
format: date-time

fromDateLicense
optional
Object
format: date-time

period
optional


by
optional
String
By is kept for legacy use; if present, it overrides ByTo and ByFrom.

byFrom
optional
String


byTo
optional
String


field
optional
String


fromValue
optional
String
format: duration

toValue
optional
String
format: duration

timeFrame
optional
Number (Long)
A Duration represents the elapsed time between two instants as an int64
nanosecond count. The representation limits the largest representable duration
to approximately 290 years.
format: int64

toDate
optional
Object
format: date-time

laterTimeInPage
optional
Object
format: date-time

page
optional
Number (Long)
0-based page index
format: int64

period
optional


by
optional
String
By is kept for legacy use; if present, it overrides ByTo and ByFrom.

byFrom
optional
String


byTo
optional
String


field
optional
String


fromValue
optional
String
format: duration

toValue
optional
String
format: duration

prevPage
optional
Boolean
MT (multi-tenant) support: these fields are for indicator search according to calculatedTime

query
optional
String


searchAfter
optional
Array of strings
Efficient next page: pass the max sort value from the previous page

searchAfterElastic
optional
Array of strings
Efficient next page: pass the max ES sort value from the previous page

searchAfterMap
optional
Map
Map of per-account search-after values: stores the next page's sort values per
account. There is no need to store a searchBeforeMap, as the current page's
searchBefore equals the previous page's searchAfter; moreover, a correct
searchBefore cannot be generated from the current page, since some tenants may
not appear at all. The map is relevant in proxy mode and is used by tenants;
each tenant extracts its searchAfter keys from the map.

searchAfterMapOrder
optional
Map of numbers (Long)
format: int64

searchBefore
optional
Array of strings
Efficient previous page: pass the min sort value from the next page

searchBeforeElastic
optional
Array of strings
Efficient previous page: pass the min ES sort value from the next page

size
optional
Number (Long)
Size is limited to 1000. If not passed, it defaults to 0 and no results are
returned.
format: int64

sort
optional
Array
The sort order
Order struct holds a sort field and the direction of sorting
asc
optional
Boolean


field
optional
String


fieldType
optional
String


timeFrame
optional
Number (Long)
A Duration represents the elapsed time between two instants as an int64
nanosecond count. The representation limits the largest representable duration
to approximately 290 years.
format: int64

toDate
optional
Object
format: date-time

trim_events
optional
Number (Long)
format: int64

Responses

IndicatorEditBulkResponse

Body
total
optional
Integer
format: uint64

updated
optional
Integer
format: uint64


--------------------------------------------------------------------------------




CREATE INDICATORS

post /indicators/upload

Create indicators from a file

CURL
curl -X POST \
  -H "Authorization: [[apiKey]]" \
  -H "Accept: application/json" \
  -F "fileName=fileName_example" \
  -F "file=@BINARY_DATA_HERE" \
  "https://hostname:443/indicators/upload"

Authentication: api_key (API key sent in the "Authorization" header)
Form parameters
fileName
optional
String
file name
Example: fileName_example
file
required
Object
format: binary
The file to upload
Example: BINARY_DATA_HERE
Responses

IocObjects

Body
IocObject represents an IOC (or simply an indicator) object
CustomFields
optional
Map of objects
The keys should be the field's display name in all lowercase and without spaces. For
example: Scan IP -> scanip. To get the actual key name, you can also go to the Cortex
XSOAR CLI, run /incident_add, and look for the key that you would like to update.

account
optional
String


aggregatedReliability
optional
String


cacheVersn
optional
Number (Long)
format: int64

calculatedTime
optional
Object
Do not set the fields below this line.
format: date-time

comment
optional
String


comments
optional
Array

cacheVersn
optional
Number (Long)
format: int64

category
optional
String


content
optional
String


created
optional
Object
format: date-time

entryId
optional
String


highlight
optional
Map


id
optional
String


indexName
optional
String


modified
optional
Object
format: date-time

numericId
optional
Number (Long)
format: int64

primaryTerm
optional
Number (Long)
format: int64

sequenceNumber
optional
Number (Long)
format: int64

sizeInBytes
optional
Number (Long)
format: int64

sortValues
optional
Array of strings


source
optional
String


syncHash
optional
String


type
optional
String


user
optional
String


version
optional
Number (Long)
format: int64

created
optional
Object
format: date-time

deletedFeedFetchTime
optional
Object
format: date-time

expiration
optional
Object
format: date-time

expirationSource
optional


brand
optional
String


expirationInterval
optional
Number (Long)
format: int64

expirationPolicy
optional
String


instance
optional
String


moduleId
optional
String


setTime
optional
Object
format: date-time

source
optional
String


user
optional
String


expirationStatus
optional
String


firstSeen
optional
Object
format: date-time

firstSeenEntryID
optional
String


highlight
optional
Map


id
optional
String


indexName
optional
String


indicator_type
optional
String


insightCache
optional


InsightCache maps an insight name to all its metadata; the name is
case-insensitive.
cacheVersn
optional
Number (Long)
format: int64

created
optional
Object
format: date-time

highlight
optional
Map


id
optional
String


indexName
optional
String


modified
optional
Object
format: date-time

numericId
optional
Number (Long)
format: int64

primaryTerm
optional
Number (Long)
format: int64

scores
optional
Map

DBotScore contains the score of a specific brand for a specific insight
content
optional
String


contentFormat
optional
String


context
optional
Map of objects


isTypedIndicator
optional
Boolean


reliability
optional
String


score
optional
Number (Long)
format: int64

scoreChangeTimestamp
optional
Object
Tracks when the score changed, to know whether the overall score must be
recalculated.
format: date-time

timestamp
optional
Object
format: date-time

type
optional
String


sequenceNumber
optional
Number (Long)
format: int64

sizeInBytes
optional
Number (Long)
format: int64

sortValues
optional
Array of strings


syncHash
optional
String


version
optional
Number (Long)
format: int64

investigationIDs
optional
Array of strings


isDetectable
optional
Boolean


isPreventable
optional
Boolean


isShared
optional
Boolean


lastReputationRun
optional
Object
format: date-time

lastSeen
optional
Object
format: date-time

lastSeenEntryID
optional
String


manualExpirationTime
optional
Object
format: date-time

manualScore
optional
Boolean


manualSetTime
optional
Object
format: date-time

manuallyEditedFields
optional
Array of strings


modified
optional
Object
format: date-time

modifiedTime
optional
Object
format: date-time

moduleToFeedMap
optional
Map

ExpirationSource
optional


brand
optional
String


expirationInterval
optional
Number (Long)
format: int64

expirationPolicy
optional
String


instance
optional
String


moduleId
optional
String


setTime
optional
Object
format: date-time

source
optional
String


user
optional
String


bypassExclusionList
optional
Boolean


classifierId
optional
String


classifierVersion
optional
Number (Long)
format: int64

comments
optional
Array

content
optional
String


created
optional
Object
format: date-time

id
optional
String


user
optional
String


expirationInterval
optional
Number (Long)
format: int64

expirationPolicy
optional
String


fetchTime
optional
Object
format: date-time

fields
optional
Map of objects
The keys should be the field's display name in all lowercase and without spaces. For
example: Scan IP -> scanip. To get the actual key name, you can also go to the Cortex
XSOAR CLI, run /incident_add, and look for the key that you would like to update.

isEnrichment
optional
Boolean


mapperId
optional
String


mapperVersion
optional
Number (Long)
format: int64

modifiedTime
optional
Object
format: date-time

moduleId
optional
String


rawJSON
optional
Map of objects


relationships
optional
Array

brand
optional
String


entityA
optional
String


entityAFamily
optional
String


entityAType
optional
String


entityB
optional
String


entityBFamily
optional
String


entityBType
optional
String


fields
optional
Map of objects
The keys should be the field's display name in all lowercase and without spaces. For
example: Scan IP -> scanip. To get the actual key name, you can also go to the Cortex
XSOAR CLI, run /incident_add, and look for the key that you would like to update.

id
optional
String


instance
optional
String


name
optional
String


reliability
optional
String


reverseName
optional
String


startTime
optional
Object
format: date-time

type
optional
String


reliability
optional
String


score
optional
Number (Long)
format: int64

sourceBrand
optional
String


sourceInstance
optional
String


timestamp
optional
Object
format: date-time

type
optional
String


value
optional
String


numericId
optional
Number (Long)
format: int64

primaryTerm
optional
Number (Long)
format: int64

relatedIncCount
optional
Number (Long)
format: int64

score
optional
Number (Long)
format: int64

sequenceNumber
optional
Number (Long)
format: int64

setBy
optional
String


sizeInBytes
optional
Number (Long)
format: int64

sortValues
optional
Array of strings


source
optional
String


sourceBrands
optional
Array of strings


sourceInstances
optional
Array of strings


syncHash
optional
String


timestamp
optional
Object
format: date-time

value
optional
String


version
optional
Number (Long)
format: int64


--------------------------------------------------------------------------------




CREATE WHITELISTED

post /indicators/whitelist/update

Create or update excluded indicators list

CURL
curl -X POST \
  -H "Authorization: [[apiKey]]" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  "https://hostname:443/indicators/whitelist/update" \
  -d '{
  "numericId": 6,
  "reason": "reason",
  "sequenceNumber": 5,
  "reputations": [ "reputations", "reputations" ],
  "sizeInBytes": 5,
  "created": "2000-01-23T04:56:07.000+00:00",
  "indexName": "indexName",
  "primaryTerm": 1,
  "whitelistTime": "2000-01-23T04:56:07.000+00:00",
  "cacheVersn": 0,
  "syncHash": "syncHash",
  "type": "type",
  "sortValues": [ "sortValues", "sortValues" ],
  "version": 2,
  "highlight": { "key": [ "highlight", "highlight" ] },
  "modified": "2000-01-23T04:56:07.000+00:00",
  "id": "id",
  "locked": true,
  "user": "user",
  "value": "value"
}'

Authentication: api_key (API key sent in the "Authorization" header)
Request
Body
required

cacheVersn
optional
Number (Long)
format: int64

created
optional
Object
format: date-time

highlight
optional
Map


id
optional
String


indexName
optional
String


locked
optional
Boolean


modified
optional
Object
format: date-time

numericId
optional
Number (Long)
format: int64

primaryTerm
optional
Number (Long)
format: int64

reason
optional
String


reputations
optional
Array of strings


sequenceNumber
optional
Number (Long)
format: int64

sizeInBytes
optional
Number (Long)
format: int64

sortValues
optional
Array of strings


syncHash
optional
String


type
optional
String


user
optional
String


value
optional
String


version
optional
Number (Long)
format: int64

whitelistTime
optional
Object
format: date-time

Responses

WhitelistedIndicator

Body
WhitelistedIndicator represents an excluded indicator
cacheVersn
optional
Number (Long)
format: int64

created
optional
Object
format: date-time

highlight
optional
Map


id
optional
String


indexName
optional
String


locked
optional
Boolean


modified
optional
Object
format: date-time

numericId
optional
Number (Long)
format: int64

primaryTerm
optional
Number (Long)
format: int64

reason
optional
String


reputations
optional
Array of strings


sequenceNumber
optional
Number (Long)
format: int64

sizeInBytes
optional
Number (Long)
format: int64

sortValues
optional
Array of strings


syncHash
optional
String


type
optional
String


user
optional
String


value
optional
String


version
optional
Number (Long)
format: int64

whitelistTime
optional
Object
format: date-time


--------------------------------------------------------------------------------




ADD AD-HOC TASK

post /inv-playbook/task/add/{investigationId}

Add an ad-hoc task to a running playbook

CURL
curl -X POST \
  -H "Authorization: [[apiKey]]" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  "https://hostname:443/inv-playbook/task/add/{investigationId}" \
  -d '{
  "addAfter": true,
  "scriptArguments": {
    "key": {
      "keyValue": [ { "key": "key" }, { "key": "key" } ],
      "complex": {
        "transformers": [
          { "args": { "key": { "isContext": true } }, "operator": "operator" },
          { "args": { "key": { "isContext": true } }, "operator": "operator" }
        ],
        "root": "root",
        "accessor": "accessor",
        "filters": [ null, null ]
      },
      "simple": "simple"
    }
  },
  "separateContext": true,
  "addToSeparateBranch": true,
  "neighborInvPBTaskId": "neighborInvPBTaskId",
  "loop": {
    "scriptId": "scriptId",
    "wait": 6,
    "scriptArguments": {
      "key": {
        "keyValue": [ { "key": "key" }, { "key": "key" } ],
        "complex": {
          "transformers": [
            { "args": { "key": { "isContext": true } }, "operator": "operator" },
            { "args": { "key": { "isContext": true } }, "operator": "operator" }
          ],
          "root": "root",
          "accessor": "accessor",
          "filters": [ null, null ]
        },
        "simple": "simple"
      }
    },
    "max": 1,
    "forEach": true,
    "isCommand": true,
    "scriptName": "scriptName",
    "exitCondition": "exitCondition",
    "builtinCondition": [ null, null ],
    "brand": "brand"
  },
  "playbookId": "playbookId",
  "automationScript": "automationScript",
  "name": "name",
  "description": "description",
  "type": "type",
  "tags": [ "tags", "tags" ]
}'

Authentication: api_key (API key sent in the "Authorization" header)
Path parameters
investigationId
required
String
investigation ID
Example: investigationId_example
Request
Body
optional

addAfter
optional
Boolean


addToSeparateBranch
optional
Boolean


automationScript
optional
String


description
optional
String


loop
optional



name
optional
String


neighborInvPBTaskId
optional
String


playbookId
optional
String


scriptArguments
optional
Map


separateContext
optional
Boolean


tags
optional
Array of strings


type
optional
String
TaskType is the type of the task as a node in the playbook context

Responses

InvestigationPlaybook

Body
InvestigationPlaybook

--------------------------------------------------------------------------------