POST /v1/indicator-mappings
Create Indicator Mapping

curl --request POST \
  --url https://api.example.com/v1/indicator-mappings \
  --header 'Content-Type: application/json' \
  --data '
{
  "field_path": "<string>",
  "indicator_type": "<string>",
  "source_name": "<string>",
  "extraction_target": "normalized",
  "is_active": true,
  "description": "<string>"
}
'

{
  "data": {
    "uuid": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "source_name": "<string>",
    "field_path": "<string>",
    "indicator_type": "<string>",
    "extraction_target": "<string>",
    "is_system": true,
    "is_active": true,
    "description": "<string>",
    "created_at": "2023-11-07T05:31:56Z",
    "updated_at": "2023-11-07T05:31:56Z"
  },
  "meta": {}
}

Body

application/json

field_path (string, required)

Dot-notation path into extraction_target (e.g. 'src_ip' or 'okta.data.client.ipAddress')

indicator_type (string, required)

Indicator type: ip, domain, hash_md5, hash_sha1, hash_sha256, url, email, account

source_name (string | null)

Restrict to a specific alert source (null = applies to all sources)

extraction_target (string, default: normalized)

'normalized' (against CalsetaAlert fields) or 'raw_payload' (against source raw data)

is_active (boolean, default: true)

Whether this mapping is active

description (string | null)

Human-readable description

Response

Successful Response

data (IndicatorFieldMappingResponse · object, required)
meta (Meta · object)
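
A mapping whose field_path does not resolve in real alerts extracts nothing, so it helps to check the body and dry-run the path against a sample alert before sending the POST. The following is an added example, not code from this API or its project: the function names, the sample alert envelope (source_name / normalized / raw_payload keys) and the one-key-per-dot path resolution are assumptions made for illustration.

```python
# Added example: client-side checks for an indicator mapping (not project code).
INDICATOR_TYPES = {"ip", "domain", "hash_md5", "hash_sha1", "hash_sha256",
                   "url", "email", "account"}
EXTRACTION_TARGETS = {"normalized", "raw_payload"}

def build_mapping(field_path, indicator_type, source_name=None,
                  extraction_target="normalized", is_active=True,
                  description=None):
    """Return the request body, rejecting values the reference does not list."""
    if not field_path or any(not part for part in field_path.split(".")):
        raise ValueError(f"malformed field_path: {field_path!r}")
    if indicator_type not in INDICATOR_TYPES:
        raise ValueError(f"unknown indicator_type: {indicator_type!r}")
    if extraction_target not in EXTRACTION_TARGETS:
        raise ValueError(f"unknown extraction_target: {extraction_target!r}")
    return {"field_path": field_path, "indicator_type": indicator_type,
            "source_name": source_name, "extraction_target": extraction_target,
            "is_active": is_active, "description": description}

def resolve_path(document, field_path):
    """Walk a dot-notation path through nested dicts; None if any key is absent.

    Assumption: each dot separates one dict key. How the server treats lists
    or keys that contain dots is not described on this page.
    """
    node = document
    for key in field_path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def dry_run(mapping, alert):
    """Value the mapping would pick from a sample alert, or None if it misses."""
    if not mapping["is_active"]:
        return None
    source = mapping["source_name"]
    if source is not None and alert.get("source_name") != source:
        return None  # mapping is restricted to a different alert source
    target = alert.get(mapping["extraction_target"], {})
    return resolve_path(target, mapping["field_path"])

# Constructed sample alert; the envelope keys are assumptions for the example.
SAMPLE_ALERT = {
    "source_name": "okta",
    "normalized": {"src_ip": "203.0.113.7"},
    "raw_payload": {"okta": {"data": {"client": {"ipAddress": "198.51.100.24"}}}},
}
```

A dry run that returns None for every sample alert from a source usually means a typo in field_path or the wrong extraction_target.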