Add Disable Prevention Rule

Cortex XDR REST API

post /public_api/v1/disable_prevention/add

Creates a new Disable Prevention rule.

Request headers
Authorization String required

{api_key}

Example: UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP
x-xdr-auth-id String required

{api_key_id}

Example: 241
CLIENT REQUEST
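# Example: create a Disable Prevention rule.
#
# Differences from the generated sample: the command is joined with line
# continuations so it can be pasted as one command, the trailing space after the
# Authorization value is removed (the key on this page has none), and the body
# is the page's REQUEST example instead of an empty string — request_data is a
# required body parameter.
#
# The Authorization and x-xdr-auth-id values are the reference page's example
# credentials. In real use supply them from an environment variable or secret
# store so the key does not end up in shell history or scripts.
curl -X 'POST' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -H 'Authorization: UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP' \
  -H 'x-xdr-auth-id: 241' \
  'https://api-yourfqdn/public_api/v1/disable_prevention/add' \
  -d '{ "request_data": { "rule_name": "My MacOS Rule", "description": "Data prevention rule for MacOS", "platform": "macos", "module_ids": [ 38 ], "conditions": { "hash": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824", "path": "/usr/", "signer": "Trusted Company Inc.", "command": "command line argument" }, "profile_ids": [ 96 ], "status": "enabled", "scope": "profile" } }'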
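import http.client


API_HOST = "api-yourfqdn"
RULE_PATH = "/public_api/v1/disable_prevention/add"

# Example credentials from the reference page. In real code read these from an
# environment variable or secret store; never commit a live key. The trailing
# space the generated sample carried after the key has been removed.
API_KEY = "UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP"
API_KEY_ID = "241"

# Placeholder body: every "string" / 0 must be replaced with real values.
PAYLOAD = "{\"request_data\":{\"rule_name\":\"string\",\"description\":\"string\",\"platform\":\"string\",\"module_ids\":[0],\"conditions\":{\"hash\":\"string\",\"path\":\"string\",\"signer\":\"string\",\"command\":\"string\",\"sign_thumbprint\":\"string\"},\"profile_ids\":[0],\"status\":\"string\",\"scope\":\"string\"}}"


def add_disable_prevention_rule() -> str:
    """POST the rule payload and return the decoded response body.

    Returns:
        The response body as text; on success it is the JSON reply carrying
        the new rule ID.

    Raises:
        RuntimeError: when the server answers with a non-2xx status, so a
            rejected call is not mistaken for a created rule.
    """
    headers = {
        "Authorization": API_KEY,
        "x-xdr-auth-id": API_KEY_ID,
        "content-type": "application/json",
    }
    # No explicit ssl context: HTTPSConnection then uses the library default,
    # which validates the server certificate on supported Python versions.
    conn = http.client.HTTPSConnection(API_HOST)
    try:
        conn.request("POST", RULE_PATH, PAYLOAD, headers)
        res = conn.getresponse()
        data = res.read().decode("utf-8")
        if not 200 <= res.status < 300:
            raise RuntimeError(f"HTTP {res.status} {res.reason}: {data}")
        return data
    finally:
        conn.close()  # release the socket even when the request fails


if __name__ == "__main__":
    print(add_disable_prevention_rule())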
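require 'uri'
require 'net/http'
require 'openssl'

# Example: create a Disable Prevention rule.
#
# The generated sample set verify_mode to OpenSSL::SSL::VERIFY_NONE, which turns
# off certificate validation and lets any host that can interpose on the
# connection read the API key. VERIFY_PEER is set explicitly here. The trailing
# space after the Authorization value has also been removed.
url = URI("https://api-yourfqdn/public_api/v1/disable_prevention/add")

http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_PEER

# Example credentials from the reference page; real code should load them from
# an environment variable or secret store rather than a literal.
request = Net::HTTP::Post.new(url)
request["Authorization"] = 'UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP'
request["x-xdr-auth-id"] = '241'
request["content-type"] = 'application/json'
# Placeholder body: every "string" / 0 must be replaced with real values.
request.body = "{\"request_data\":{\"rule_name\":\"string\",\"description\":\"string\",\"platform\":\"string\",\"module_ids\":[0],\"conditions\":{\"hash\":\"string\",\"path\":\"string\",\"signer\":\"string\",\"command\":\"string\",\"sign_thumbprint\":\"string\"},\"profile_ids\":[0],\"status\":\"string\",\"scope\":\"string\"}}"

response = http.request(request)
# A non-2xx reply means the rule was not created; say so instead of printing
# the body as if it were a success.
warn "request failed: HTTP #{response.code}" unless response.is_a?(Net::HTTPSuccess)
puts response.read_body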
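// Example: create a Disable Prevention rule from a browser context.
//
// The trailing space the generated sample carried after the Authorization value
// has been removed. The credentials are the reference page's example values;
// note that anything embedded in client-side code is readable by every user of
// the page, so a server-side caller is the safer home for a real key.
const endpoint = "https://api-yourfqdn/public_api/v1/disable_prevention/add";
const requestHeaders = {
  "Authorization": "UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP",
  "x-xdr-auth-id": "241",
  "content-type": "application/json"
};

// Placeholder body: every "string" / 0 must be replaced with real values.
const data = JSON.stringify({
  "request_data": {
    "rule_name": "string",
    "description": "string",
    "platform": "string",
    "module_ids": [0],
    "conditions": {
      "hash": "string",
      "path": "string",
      "signer": "string",
      "command": "string",
      "sign_thumbprint": "string"
    },
    "profile_ids": [0],
    "status": "string",
    "scope": "string"
  }
});

// Print the reply (the new rule ID on success) once the request completes.
function onStateChange() {
  if (this.readyState !== this.DONE) {
    return;
  }
  console.log(this.responseText);
}

const xhr = new XMLHttpRequest();
// Kept from the sample; authentication here is header-based, so whether
// credentialed cross-origin mode is needed depends on the deployment — verify.
xhr.withCredentials = true;
xhr.addEventListener("readystatechange", onStateChange);
xhr.open("POST", endpoint);
for (const [name, value] of Object.entries(requestHeaders)) {
  xhr.setRequestHeader(name, value);
}
xhr.send(data);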
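// Example: create a Disable Prevention rule with Unirest.
//
// The trailing space the generated sample carried after the Authorization value
// has been removed. The credentials are the reference page's example values;
// real deployments should supply them from configuration or a secret store.
final String endpoint = "https://api-yourfqdn/public_api/v1/disable_prevention/add";
final String apiKey = "UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP";
final String apiKeyId = "241";
// Placeholder body: every "string" / 0 must be replaced with real values.
final String requestBody = "{\"request_data\":{\"rule_name\":\"string\",\"description\":\"string\",\"platform\":\"string\",\"module_ids\":[0],\"conditions\":{\"hash\":\"string\",\"path\":\"string\",\"signer\":\"string\",\"command\":\"string\",\"sign_thumbprint\":\"string\"},\"profile_ids\":[0],\"status\":\"string\",\"scope\":\"string\"}}";

HttpResponse<String> response = Unirest.post(endpoint)
    .header("Authorization", apiKey)
    .header("x-xdr-auth-id", apiKeyId)
    .header("content-type", "application/json")
    .body(requestBody)
    .asString();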
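import Foundation

// Example: create a Disable Prevention rule.
//
// Fixes relative to the generated sample: JSONSerialization.data(withJSONObject:)
// throws, and the missing `try` did not compile; the completion handler now
// prints the HTTP status and the reply body (which carries the new rule ID)
// instead of the raw response object; the trailing space after the
// Authorization value is removed. The credentials are the reference page's
// example values — real code should load them from the keychain or
// configuration rather than source.
let headers = [
    "Authorization": "UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP",
    "x-xdr-auth-id": "241",
    "content-type": "application/json"
]

// Placeholder body: every "string" / 0 must be replaced with real values.
let parameters = ["request_data": [
    "rule_name": "string",
    "description": "string",
    "platform": "string",
    "module_ids": [0],
    "conditions": [
        "hash": "string",
        "path": "string",
        "signer": "string",
        "command": "string",
        "sign_thumbprint": "string"
    ],
    "profile_ids": [0],
    "status": "string",
    "scope": "string"
]] as [String : Any]

let postData: Data
do {
    postData = try JSONSerialization.data(withJSONObject: parameters, options: [])
} catch {
    // Only reachable if the literal above is edited into something non-JSON.
    fatalError("could not encode request body: \(error)")
}

var request = URLRequest(url: URL(string: "https://api-yourfqdn/public_api/v1/disable_prevention/add")!,
                         cachePolicy: .useProtocolCachePolicy,
                         timeoutInterval: 10.0)
request.httpMethod = "POST"
request.allHTTPHeaderFields = headers
request.httpBody = postData

let session = URLSession.shared
let dataTask = session.dataTask(with: request) { data, response, error in
    if let error = error {
        print("request failed: \(error)")
        return
    }
    if let httpResponse = response as? HTTPURLResponse {
        print("HTTP \(httpResponse.statusCode)")
    }
    if let data = data, let body = String(data: data, encoding: .utf8) {
        print(body)
    }
}
dataTask.resume()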
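<?php
// Example: create a Disable Prevention rule with ext/curl.
//
// Changes from the generated sample: the trailing space after the Authorization
// value is removed, and the HTTP status is checked so a rejected request is
// reported rather than echoed as if it had succeeded. The credentials are the
// reference page's example values; real code should read them from
// configuration or a secret store, not from source.
$endpoint = "https://api-yourfqdn/public_api/v1/disable_prevention/add";
// Placeholder body: every "string" / 0 must be replaced with real values.
$body = "{\"request_data\":{\"rule_name\":\"string\",\"description\":\"string\",\"platform\":\"string\",\"module_ids\":[0],\"conditions\":{\"hash\":\"string\",\"path\":\"string\",\"signer\":\"string\",\"command\":\"string\",\"sign_thumbprint\":\"string\"},\"profile_ids\":[0],\"status\":\"string\",\"scope\":\"string\"}}";
$headers = [
    "Authorization: UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP",
    "content-type: application/json",
    "x-xdr-auth-id: 241",
];

$curl = curl_init();
curl_setopt_array($curl, [
    CURLOPT_URL => $endpoint,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_ENCODING => "",
    // Only consulted when CURLOPT_FOLLOWLOCATION is enabled, which it is not here.
    CURLOPT_MAXREDIRS => 10,
    CURLOPT_TIMEOUT => 30,
    CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
    CURLOPT_CUSTOMREQUEST => "POST",
    CURLOPT_POSTFIELDS => $body,
    CURLOPT_HTTPHEADER => $headers,
]);

$response = curl_exec($curl);
$err = curl_error($curl);
$status = curl_getinfo($curl, CURLINFO_HTTP_CODE);
curl_close($curl);

if ($err) {
    echo "cURL Error #:" . $err;
} elseif ($status < 200 || $status >= 300) {
    echo "HTTP " . $status . ": " . $response;
} else {
    echo $response;
}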
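#include <stdio.h>
#include <curl/curl.h>

/*
 * Example: create a Disable Prevention rule with libcurl.
 *
 * Fixes relative to the generated sample: the easy handle and header list are
 * released, a failed curl_easy_init() / curl_slist_append() / curl_easy_perform()
 * is reported instead of ignored, and the trailing space after the Authorization
 * value is removed. The response body goes to stdout via libcurl's default
 * write behaviour, as in the sample.
 *
 * The credentials are the reference page's example values; real code should
 * load them from configuration or a secret store rather than a string literal.
 *
 * Returns 0 when the request completed, 1 on any failure.
 */
static int add_disable_prevention_rule(void)
{
    int rc = 1;
    struct curl_slist *headers = NULL;

    CURL *hnd = curl_easy_init();
    if (hnd == NULL) {
        fputs("curl_easy_init() failed\n", stderr);
        return rc;
    }

    headers = curl_slist_append(headers, "Authorization: UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP");
    headers = curl_slist_append(headers, "x-xdr-auth-id: 241");
    headers = curl_slist_append(headers, "content-type: application/json");
    if (headers == NULL) {
        fputs("curl_slist_append() failed\n", stderr);
        goto out;
    }

    curl_easy_setopt(hnd, CURLOPT_CUSTOMREQUEST, "POST");
    curl_easy_setopt(hnd, CURLOPT_URL, "https://api-yourfqdn/public_api/v1/disable_prevention/add");
    curl_easy_setopt(hnd, CURLOPT_HTTPHEADER, headers);
    /* Placeholder body: every "string" / 0 must be replaced with real values. */
    curl_easy_setopt(hnd, CURLOPT_POSTFIELDS, "{\"request_data\":{\"rule_name\":\"string\",\"description\":\"string\",\"platform\":\"string\",\"module_ids\":[0],\"conditions\":{\"hash\":\"string\",\"path\":\"string\",\"signer\":\"string\",\"command\":\"string\",\"sign_thumbprint\":\"string\"},\"profile_ids\":[0],\"status\":\"string\",\"scope\":\"string\"}}");

    CURLcode ret = curl_easy_perform(hnd);
    if (ret != CURLE_OK) {
        fprintf(stderr, "curl_easy_perform() failed: %s\n", curl_easy_strerror(ret));
        goto out;
    }
    rc = 0;

out:
    /* Both calls accept NULL, so the early-exit paths are safe. */
    curl_slist_free_all(headers);
    curl_easy_cleanup(hnd);
    return rc;
}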
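// Example: create a Disable Prevention rule with RestSharp.
//
// The trailing space the generated sample carried after the Authorization value
// has been removed. The credentials are the reference page's example values;
// real code should take them from configuration or a secret store rather than
// a string literal.
const string Endpoint = "https://api-yourfqdn/public_api/v1/disable_prevention/add";
const string ApiKey = "UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP";
const string ApiKeyId = "241";
// Placeholder body: every "string" / 0 must be replaced with real values.
const string RequestBody = "{\"request_data\":{\"rule_name\":\"string\",\"description\":\"string\",\"platform\":\"string\",\"module_ids\":[0],\"conditions\":{\"hash\":\"string\",\"path\":\"string\",\"signer\":\"string\",\"command\":\"string\",\"sign_thumbprint\":\"string\"},\"profile_ids\":[0],\"status\":\"string\",\"scope\":\"string\"}}";

var client = new RestClient(Endpoint);
var request = new RestRequest(Method.POST);
request.AddHeader("Authorization", ApiKey);
request.AddHeader("x-xdr-auth-id", ApiKeyId);
request.AddHeader("content-type", "application/json");
request.AddParameter("application/json", RequestBody, ParameterType.RequestBody);
IRestResponse response = client.Execute(request);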
Body parameters
required
application/json
request_dataobject
rule_namestringrequired

Name of the disable prevention rule.

descriptionstringrequired

Description explaining the purpose and behavior of the rule.

platformstringrequired

Indicates the operating system to which the rule applies; for example, windows, linux, or macos.

module_idsarray[integer]required

A list of module ids associated with the rule.

conditionsobjectrequired

The set of match conditions configured when the rule is created; the fields below are its members.

hashstring

SHA256 hash (the REQUEST example below shows the 64-character hexadecimal form).

pathstring

Path to the files or folders the rule applies to.

signerstring

Trusted signer

commandstring

Command-line argument.

sign_thumbprintstring

Certificate thumbprint

profile_idsarray[integer]

A list of profile ids to which the rule is applied.

statusstringrequired

Status of the rule (for example, enabled or disabled).

scopestringrequired

Specifies the scope of the rule, such as global (All endpoints) or profile (Exception profiles).

REQUEST
{ "request_data": { "rule_name": "My MacOS Rule", "description": "Data prevention rule for MacOS", "platform": "macos", "module_ids": [ 38 ], "conditions": { "hash": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824", "path": "/usr/", "signer": "Trusted Company Inc.", "command": "command line argument" }, "profile_ids": [ 96 ], "status": "enabled", "scope": "profile" } }
Responses

OK

Body
application/json
replystring

Returns the Disable Prevention Rule ID.

Example:"330fc8dec96a4810af886af328e73264"
RESPONSE
{ "reply": "330fc8dec96a4810af886af328e73264" }