https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/ioc-upload-automation-in-cortex-xdr/m-p/536389#M3936 <P><SPAN>Hi ,</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>It looks like you're wanting to upload a list</SPAN><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Create-an-IOC-Rule" target="_blank"> <SPAN>IOCs</SPAN></A><SPAN> to Cortex XDR.&nbsp; Please see the sceenshot below for a look at the steps to Upload a File for IOC Rules.</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="anlynch_0-1679688850528.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/49014iD39980221B053521/image-size/medium?v=v2&amp;px=400" role="button" title="anlynch_0-1679688850528.png" alt="anlynch_0-1679688850528.png" /></span></P> <P>&nbsp;</P> <P><SPAN>I downloaded the example file to get an idea of what it should look like.&nbsp; You can see the sample file below.</SPAN></P> <P><SPAN> </SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="anlynch_1-1679688850323.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/49012iDE0B60324C0AE678/image-size/medium?v=v2&amp;px=400" role="button" title="anlynch_1-1679688850323.png" alt="anlynch_1-1679688850323.png" /></span></P> <P>&nbsp;</P> <P><SPAN>IOCs come in the form of Full Path, File Name, Domain, Destination IP, and MD5 or SHA256 Hash.&nbsp; In your text (.txt) file you should place each IOC on it's own line.&nbsp; Cortex XDR has the ability to parse these IOCs and add them appropriately without any additional steps on your end.</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>When uploading your IOC file you'll be given to the option of what type of IOCs you've entered.&nbsp; You can do a 'Mixed' list as Cortex XDR has the ability to parse these IOCs and add them appropriately without any additional steps on your end.&nbsp; Or a upload a list that only contains 1 type of IOC i.e. File Name.&nbsp; Cortex XDR has the ability to parse these IOCs and add them appropriately without any additional steps on your end.</SPAN></P> <P><SPAN> </SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="anlynch_2-1679688850387.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/49013i7CB2FFAE7535DBF2/image-size/medium?v=v2&amp;px=400" role="button" title="anlynch_2-1679688850387.png" alt="anlynch_2-1679688850387.png" /></span></P> <P>&nbsp;</P> <P><SPAN> </SPAN></P> <P><SPAN>Uploading an IOC list also has one additional required selection which is severity.&nbsp; From there you can choose any of the options below depending on your individual needs.</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="anlynch_3-1679688850338.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/49015iB0F7DC54159B999C/image-size/medium?v=v2&amp;px=400" role="button" title="anlynch_3-1679688850338.png" alt="anlynch_3-1679688850338.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><SPAN>Above I described the manual way to add IOCs to Cortex XDR by uploading a file.&nbsp; If you’re looking to do this process programmatically it would require use of the </SPAN><A href="https://cortex-panw.stoplight.io/docs/cortex-xdr/axpm6b98x4p18-cortex-xdr-api-overview" target="_blank"><SPAN>Cortex XDR API</SPAN></A><SPAN>.</SPAN></P> <P><SPAN>If the route you want to go is using the API I’m going to leave some resources down below.&nbsp; There are several ways you can interact with the API including writing your own script in Python, Powershell, cURL, or Postman.&nbsp; It really comes down to what you’re comfortable with.&nbsp; Take a look at these resources and if you have any more questions please let me know.</SPAN></P> <P><A href="https://live.paloaltonetworks.com/t5/cortex-xdr-articles/cortex-xdr-postman-api-collection/ta-p/443667" target="_blank"><SPAN>Cortex XDR Postman API Collection</SPAN></A></P> <P><A href="https://cortex-panw.stoplight.io/docs/cortex-xdr/9c8d6942105e6-insert-simple-indicators-csv" target="_blank"><SPAN>Insert Simple Indicators, CSV</SPAN></A></P> <P><SPAN>&nbsp;I hope you find this information helpful.</SPAN></P> Fri, 24 Mar 2023 20:14:22 GMT anlynch 2023-03-24T20:14:22Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/ioc-upload-automation-in-cortex-xdr/m-p/536338#M3929 <P>Hello dear community,</P> <P>&nbsp;</P> <P>Has anyone of you a ready to upload script for IOCs to cortex XDR (directly) from a file? Could you share it?&nbsp;</P> <P>How and where do you handle the doublettes?&nbsp;</P> <P>&nbsp;</P> <P>BR</P> <P>&nbsp;</P> <P>Rob</P> Fri, 24 Mar 2023 14:52:44 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/ioc-upload-automation-in-cortex-xdr/m-p/536338#M3929 Cyber1985 2023-03-24T14:52:44Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/ioc-upload-automation-in-cortex-xdr/m-p/536389#M3936 <P><SPAN>Hi ,</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>It looks like you're wanting to upload a list</SPAN><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Create-an-IOC-Rule" target="_blank"> <SPAN>IOCs</SPAN></A><SPAN> to Cortex XDR.&nbsp; Please see the sceenshot below for a look at the steps to Upload a File for IOC Rules.</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="anlynch_0-1679688850528.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/49014iD39980221B053521/image-size/medium?v=v2&amp;px=400" role="button" title="anlynch_0-1679688850528.png" alt="anlynch_0-1679688850528.png" /></span></P> <P>&nbsp;</P> <P><SPAN>I downloaded the example file to get an idea of what it should look like.&nbsp; You can see the sample file below.</SPAN></P> <P><SPAN> </SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="anlynch_1-1679688850323.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/49012iDE0B60324C0AE678/image-size/medium?v=v2&amp;px=400" role="button" title="anlynch_1-1679688850323.png" alt="anlynch_1-1679688850323.png" /></span></P> <P>&nbsp;</P> <P><SPAN>IOCs come in the form of Full Path, File Name, Domain, Destination IP, and MD5 or SHA256 Hash.&nbsp; In your text (.txt) file you should place each IOC on it's own line.&nbsp; Cortex XDR has the ability to parse these IOCs and add them appropriately without any additional steps on your end.</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>When uploading your IOC file you'll be given to the option of what type of IOCs you've entered.&nbsp; You can do a 'Mixed' list as Cortex XDR has the ability to parse these IOCs and add them appropriately without any additional steps on your end.&nbsp; Or a upload a list that only contains 1 type of IOC i.e. File Name.&nbsp; Cortex XDR has the ability to parse these IOCs and add them appropriately without any additional steps on your end.</SPAN></P> <P><SPAN> </SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="anlynch_2-1679688850387.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/49013i7CB2FFAE7535DBF2/image-size/medium?v=v2&amp;px=400" role="button" title="anlynch_2-1679688850387.png" alt="anlynch_2-1679688850387.png" /></span></P> <P>&nbsp;</P> <P><SPAN> </SPAN></P> <P><SPAN>Uploading an IOC list also has one additional required selection which is severity.&nbsp; From there you can choose any of the options below depending on your individual needs.</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="anlynch_3-1679688850338.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/49015iB0F7DC54159B999C/image-size/medium?v=v2&amp;px=400" role="button" title="anlynch_3-1679688850338.png" alt="anlynch_3-1679688850338.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><SPAN>Above I described the manual way to add IOCs to Cortex XDR by uploading a file.&nbsp; If you’re looking to do this process programmatically it would require use of the </SPAN><A href="https://cortex-panw.stoplight.io/docs/cortex-xdr/axpm6b98x4p18-cortex-xdr-api-overview" target="_blank"><SPAN>Cortex XDR API</SPAN></A><SPAN>.</SPAN></P> <P><SPAN>If the route you want to go is using the API I’m going to leave some resources down below.&nbsp; There are several ways you can interact with the API including writing your own script in Python, Powershell, cURL, or Postman.&nbsp; It really comes down to what you’re comfortable with.&nbsp; Take a look at these resources and if you have any more questions please let me know.</SPAN></P> <P><A href="https://live.paloaltonetworks.com/t5/cortex-xdr-articles/cortex-xdr-postman-api-collection/ta-p/443667" target="_blank"><SPAN>Cortex XDR Postman API Collection</SPAN></A></P> <P><A href="https://cortex-panw.stoplight.io/docs/cortex-xdr/9c8d6942105e6-insert-simple-indicators-csv" target="_blank"><SPAN>Insert Simple Indicators, CSV</SPAN></A></P> <P><SPAN>&nbsp;I hope you find this information helpful.</SPAN></P> Fri, 24 Mar 2023 20:14:22 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/ioc-upload-automation-in-cortex-xdr/m-p/536389#M3936 anlynch 2023-03-24T20:14:22Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/ioc-upload-automation-in-cortex-xdr/m-p/538025#M4064 <P>Hey&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/232716">@anlynch</a>!</P> <P>&nbsp;</P> <P>Thank you so much! This is a good summary.&nbsp;</P> <P>But I need to know what is best practise for doubled entries (you get CSV from TI in full) and you upload all IOCs. Does the API mechanism say, hey there is a doublette, I do not import it. Does it halt or does it go on uploading IOCs through API?</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>BR</P> <P>&nbsp;</P> <P>Rob</P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 07 Apr 2023 23:18:01 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/ioc-upload-automation-in-cortex-xdr/m-p/538025#M4064 RFeyertag 2023-04-07T23:18:01Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/ioc-upload-automation-in-cortex-xdr/m-p/538172#M4071 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/190671">@RFeyertag</a>,</P> <P>&nbsp;</P> <P>Thanks for clarifying.&nbsp; I'm going to do some research and get back to you as soon as I can.</P> <P>&nbsp;</P> <P>Have a great day!</P> Mon, 10 Apr 2023 21:19:23 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/ioc-upload-automation-in-cortex-xdr/m-p/538172#M4071 anlynch 2023-04-10T21:19:23Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/ioc-upload-automation-in-cortex-xdr/m-p/538721#M4124 <P>Hello <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/232716">@anlynch</a>,&nbsp;</P> <P>&nbsp;</P> <P>I've tested it, it will be overwritten.&nbsp;</P> <P>&nbsp;The next question is, why the cleaning mechanism is not working, when we define 15 Minutes from now to the future?&nbsp;</P> <P>I allready uploaded some IOCs and this is my last question, which needs to be clarified to get this running.&nbsp;&nbsp;</P> <P>&nbsp;</P> <P>BR</P> <P>&nbsp;</P> <P>Rob</P> Fri, 14 Apr 2023 06:51:10 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/ioc-upload-automation-in-cortex-xdr/m-p/538721#M4124 Cyber1985 2023-04-14T06:51:10Z