03-24-2023 07:52 AM
Hello dear community,
Does anyone of you have a ready-to-upload script for IOCs to Cortex XDR (directly) from a file? Could you share it?
How and where do you handle the duplicates?
03-24-2023 01:14 PM
It looks like you're wanting to upload a list of IOCs to Cortex XDR. Please see the screenshot below for a look at the steps to Upload a File for IOC Rules.
I downloaded the example file to get an idea of what it should look like. You can see the sample file below.
IOCs come in the form of Full Path, File Name, Domain, Destination IP, and MD5 or SHA256 Hash. In your text (.txt) file you should place each IOC on its own line. Cortex XDR has the ability to parse these IOCs and add them appropriately without any additional steps on your end.
When uploading your IOC file you'll be given the option of what type of IOCs you've entered. You can do a 'Mixed' list, as Cortex XDR has the ability to parse these IOCs and add them appropriately without any additional steps on your end, or upload a list that only contains one type of IOC, i.e. File Name.
Uploading an IOC list also has one additional required selection which is severity. From there you can choose any of the options below depending on your individual needs.
Above I described the manual way to add IOCs to Cortex XDR by uploading a file. If you’re looking to do this process programmatically it would require use of the Cortex XDR API.
If the route you want to go is using the API I'm going to leave some resources down below. There are several ways you can interact with the API, including writing your own script in Python, PowerShell, cURL, or Postman. It really comes down to what you're comfortable with. Take a look at these resources and if you have any more questions please let me know.
Cortex XDR Postman API Collection
I hope you find this information helpful.
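Added example, not code from the original post and not Palo Alto Networks code: a Python script that does what the question asks for. It reads a mixed IOC text file, classifies each line into a Cortex XDR indicator type, drops duplicates client-side before the upload, and builds the request body for the indicators API. The endpoint path `/public_api/v1/indicators/insert_jsons`, the `x-xdr-auth-id` and `Authorization` headers, the type names (HASH, IP, PATH, DOMAIN_NAME, FILENAME), the severity names and the `expiration_date` field are assumptions from my reading of the public Cortex XDR API reference, not from this thread; confirm them against your tenant's API documentation. The sample file contents are constructed.

```python
"""
Added example (not from the original post, not Palo Alto Networks code):
classify a mixed IOC list, deduplicate it, and build the body for the
Cortex XDR "insert_jsons" indicators endpoint. Endpoint, headers, type
and severity names are assumptions from the public API reference.
"""
import ipaddress
import json
import re
import time
import urllib.request

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\")
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)([A-Za-z0-9-]{1,63}(?<!-)\.)+[A-Za-z]{2,63}$"
)
# Heuristic: "dropper.exe" and "evil.com" both look like a domain. A final
# label in this set is treated as a file extension instead. ".com" is left
# out on purpose: as an IOC it is far more often a domain than a DOS binary.
FILE_EXTENSIONS = {"exe", "dll", "sys", "scr", "msi", "bat", "cmd", "ps1",
                   "vbs", "js", "jar", "zip", "rar", "doc", "docx", "xls",
                   "xlsx", "pdf", "lnk", "iso"}
# Severity names as accepted by the API (assumed from the API reference).
SEVERITIES = {"info": "SEV_010_INFO", "low": "SEV_020_LOW",
              "medium": "SEV_030_MEDIUM", "high": "SEV_040_HIGH",
              "critical": "SEV_050_CRITICAL"}


def classify(ioc: str) -> str:
    """Return the Cortex XDR indicator type for one IOC, or raise ValueError."""
    s = ioc.strip()
    if HEX_RE.match(s):
        if len(s) in (32, 64):            # MD5 or SHA256
            return "HASH"
        if len(s) == 40:                  # SHA1 is not in the accepted list
            raise ValueError(f"SHA1 not accepted, skipping {s}")
    try:
        ipaddress.ip_address(s)           # IPv4 or IPv6
        return "IP"
    except ValueError:
        pass
    if s.startswith("/") or WIN_PATH_RE.match(s):
        return "PATH"
    if DOMAIN_RE.match(s) and s.rsplit(".", 1)[1].lower() not in FILE_EXTENSIONS:
        return "DOMAIN_NAME"
    if s and "/" not in s and "\\" not in s:
        return "FILENAME"
    raise ValueError(f"unrecognised IOC {s!r}")


def build_payload(lines, severity="medium", comment="bulk import",
                  expires_in_minutes=None):
    """Classify, deduplicate and wrap IOC lines. Returns (payload, skipped).

    Duplicates are keyed on the normalised value (hashes and domains
    lower-cased); the last occurrence in the file wins, so which copy is
    sent is explicit instead of being decided server-side.
    """
    entries, skipped = {}, []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            itype = classify(line)
        except ValueError as err:
            skipped.append(str(err))
            continue
        value = line.lower() if itype in ("HASH", "DOMAIN_NAME") else line
        entry = {"indicator": value, "type": itype,
                 "severity": SEVERITIES[severity], "comment": comment}
        if expires_in_minutes is not None:
            # Assumed field and unit (epoch milliseconds); verify in the docs.
            entry["expiration_date"] = int((time.time() + 60 * expires_in_minutes) * 1000)
        entries[value] = entry
    return {"request_data": list(entries.values())}, skipped


def upload(payload, tenant_fqdn, api_key_id, api_key):
    """POST the payload with a Standard API key. Not exercised offline."""
    url = f"https://api-{tenant_fqdn}/public_api/v1/indicators/insert_jsons"
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(), method="POST",
        headers={"x-xdr-auth-id": str(api_key_id), "Authorization": api_key,
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample file: mixed types, one duplicate hash, one SHA1.
SAMPLE_IOCS = """\
# ti-feed.txt (constructed sample)
d41d8cd98f00b204e9800998ecf8427e
D41D8CD98F00B204E9800998ECF8427E
evil-updates.example.com
198.51.100.23
C:\\Users\\Public\\dropper.exe
/tmp/.hidden/payload.sh
dropper.exe
da39a3ee5e6b4b0d3255bfef95601890afd80709
""".splitlines()

if __name__ == "__main__":
    body, dropped = build_payload(SAMPLE_IOCS, severity="high")
    print(json.dumps(body, indent=2))
    print("skipped:", dropped)
    # upload(body, "<tenant-fqdn>", 1, "<api-key>")  # hypothetical values
```

Two caveats from writing this. First, a 'Mixed' list is inherently ambiguous between a file name and a domain (`dropper.exe` and `evil.com` have the same shape), so the script falls back to an extension heuristic; if your feed carries both kinds, uploading them as two single-type lists avoids a misclassified rule. Second, the request above authenticates with a Standard API key; an Advanced API key uses the nonce-and-timestamp signed header described in the API reference, which this script does not implement.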
04-07-2023 04:18 PM
Thank you so much! This is a good summary.
But I need to know what is best practice for duplicate entries (you get the CSV from TI in full) and you upload all IOCs. Does the API mechanism say, hey, there is a duplicate, I do not import it? Does it halt or does it go on uploading IOCs through the API?
04-10-2023 02:19 PM
Thanks for clarifying. I'm going to do some research and get back to you as soon as I can.
Have a great day!
04-13-2023 11:51 PM
I've tested it, it will be overwritten.
The next question is, why is the cleaning mechanism not working when we define 15 minutes from now into the future?
I already uploaded some IOCs and this is my last question, which needs to be clarified to get this running.