Create a new legacy exception rule.
Prerequisites:
- Use the Get Legacy Exceptions Modules API to find available module IDs, supported platforms, and the required conditions structure.
- Use the Get endpoint security profiles API to find existing profile IDs to pass as profile_ids.
- New profiles can be created via /public_api/v1/profiles/prevention/add.
Authorization
String
required
{api_key}
Example value: UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP
x-xdr-auth-id
String
required
{api_key_id}
Example value: 241
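# Create a legacy exception rule.
# The API key and key ID are read from environment variables (the names
# XDR_API_KEY and XDR_API_KEY_ID are this example's own choice) so the secret
# is not stored in the script; ${VAR:?msg} aborts if a variable is unset.
# request_data is a required body field; the values below are placeholders.
curl -X 'POST' \
  'https://api-yourfqdn/public_api/v1/legacy_exceptions/add' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -H "Authorization: ${XDR_API_KEY:?set XDR_API_KEY}" \
  -H "x-xdr-auth-id: ${XDR_API_KEY_ID:?set XDR_API_KEY_ID}" \
  -d '{"request_data":{"name":"string","platform":"Windows","module":1,"profile_ids":[0],"status":"string","scope":"string","description":"string","conditions":{}}}'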
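import http.client
import json
import os

# Credentials are taken from the environment instead of being written into the
# source file. The variable names are this example's own choice; a missing
# variable raises KeyError before any request is sent.
api_key = os.environ["XDR_API_KEY"]
api_key_id = os.environ["XDR_API_KEY_ID"]

# HTTPSConnection validates the server certificate and hostname with the
# default SSL context. The timeout keeps a stalled connection from hanging.
conn = http.client.HTTPSConnection("api-yourfqdn", timeout=30)

# Placeholder request body; replace each value with real rule settings.
payload = json.dumps({
    "request_data": {
        "name": "string",
        "platform": "Windows",
        "module": 1,
        "profile_ids": [0],
        "status": "string",
        "scope": "string",
        "description": "string",
        "conditions": {},
    }
})

headers = {
    'Authorization': api_key,
    'x-xdr-auth-id': api_key_id,
    'content-type': "application/json",
}

conn.request("POST", "/public_api/v1/legacy_exceptions/add", payload, headers)
res = conn.getresponse()
data = res.read()
# The body is fully read into `data`, so the connection can be released here.
conn.close()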
print(data.decode("utf-8"))require 'uri'
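require 'uri'
require 'net/http'
require 'openssl'

url = URI("https://api-yourfqdn/public_api/v1/legacy_exceptions/add")

http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
# Verify the server certificate. With VERIFY_NONE any host able to intercept
# the connection could present its own certificate and read the API key sent
# in the Authorization header.
http.verify_mode = OpenSSL::SSL::VERIFY_PEER

request = Net::HTTP::Post.new(url)
# Credentials come from the environment (variable names are this example's
# own choice); ENV.fetch raises KeyError when a variable is missing.
request["Authorization"] = ENV.fetch("XDR_API_KEY")
request["x-xdr-auth-id"] = ENV.fetch("XDR_API_KEY_ID")
request["content-type"] = 'application/json'
# Placeholder request body; replace each value with real rule settings.
request.body = "{\"request_data\":{\"name\":\"string\",\"platform\":\"Windows\",\"module\":1,\"profile_ids\":[0],\"status\":\"string\",\"scope\":\"string\",\"description\":\"string\",\"conditions\":{}}}"

response = http.request(request)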
puts response.read_bodyconst data = JSON.stringify({
"request_data": {
"name": "string",
"platform": "Windows",
"module": 1,
"profile_ids": [
0
],
"status": "string",
"scope": "string",
"description": "string",
"conditions": {}
}
});
// Browser-side request object for the "add legacy exception" call.
// NOTE(review): a key placed in script that is delivered to a browser can be
// read by anyone who loads the page; confirm this sample is only used where
// that is acceptable, or send the call from a server-side component instead.
const xhr = new XMLHttpRequest();

// withCredentials asks the browser to include cookies and other stored
// credentials on this cross-origin request, in addition to the headers below.
xhr.withCredentials = true;

// Log the response body once the request has finished.
xhr.addEventListener("readystatechange", function () {
  if (this.readyState !== this.DONE) {
    return;
  }
  console.log(this.responseText);
});

xhr.open("POST", "https://api-yourfqdn/public_api/v1/legacy_exceptions/add");

// Authentication headers (sample values from this page) and the body type.
xhr.setRequestHeader("Authorization", "UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP ");
xhr.setRequestHeader("x-xdr-auth-id", "241");
xhr.setRequestHeader("content-type", "application/json");
xhr.send(data);HttpResponse<String> response = Unirest.post("https://api-yourfqdn/public_api/v1/legacy_exceptions/add")
.header("Authorization", "UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP ")
.header("x-xdr-auth-id", "241")
.header("content-type", "application/json")
.body("{\"request_data\":{\"name\":\"string\",\"platform\":\"Windows\",\"module\":1,\"profile_ids\":[0],\"status\":\"string\",\"scope\":\"string\",\"description\":\"string\",\"conditions\":{}}}")
.asString();import Foundation
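// Request headers. The Authorization value is the sample key shown on this
// page; a real key should be loaded at runtime (for example from the
// platform's secure storage) rather than compiled into the binary.
let headers = [
    "Authorization": "UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP ",
    "x-xdr-auth-id": "241",
    "content-type": "application/json"
]

// Placeholder request body. "conditions" is an object in the request schema,
// so the empty placeholder is an empty dictionary (serialized as {}), not an
// empty array.
let parameters: [String: Any] = ["request_data": [
    "name": "string",
    "platform": "Windows",
    "module": 1,
    "profile_ids": [0],
    "status": "string",
    "scope": "string",
    "description": "string",
    "conditions": [String: Any]()
] as [String: Any]]

// JSONSerialization.data(withJSONObject:options:) throws, so it needs `try`.
let postData = try JSONSerialization.data(withJSONObject: parameters, options: [])

var request = URLRequest(url: URL(string: "https://api-yourfqdn/public_api/v1/legacy_exceptions/add")!,
                         cachePolicy: .useProtocolCachePolicy,
                         timeoutInterval: 10.0)
request.httpMethod = "POST"
request.allHTTPHeaderFields = headers
request.httpBody = postData

let session = URLSession.shared
// Print the transport error if there is one, otherwise the HTTP response.
let dataTask = session.dataTask(with: request, completionHandler: { (data, response, error) -> Void in
    if let error = error {
        print(error)
    } else if let httpResponse = response as? HTTPURLResponse {
        print(httpResponse)
    }
})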
dataTask.resume()<?php
// Open a cURL handle for the "add legacy exception" call.
$curl = curl_init();

// Placeholder JSON body; replace each value with real rule settings.
$requestBody = "{\"request_data\":{\"name\":\"string\",\"platform\":\"Windows\",\"module\":1,\"profile_ids\":[0],\"status\":\"string\",\"scope\":\"string\",\"description\":\"string\",\"conditions\":{}}}";

// Authentication headers use the sample values shown on this page.
$requestHeaders = [
    "Authorization: UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP ",
    "content-type: application/json",
    "x-xdr-auth-id: 241"
];

// No CURLOPT_SSL_VERIFYPEER / CURLOPT_SSL_VERIFYHOST override is set here,
// so the library's certificate-verification defaults stay in effect.
curl_setopt_array($curl, [
    CURLOPT_URL => "https://api-yourfqdn/public_api/v1/legacy_exceptions/add",
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_ENCODING => "",
    CURLOPT_MAXREDIRS => 10,
    CURLOPT_TIMEOUT => 30,
    CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
    CURLOPT_CUSTOMREQUEST => "POST",
    CURLOPT_POSTFIELDS => $requestBody,
    CURLOPT_HTTPHEADER => $requestHeaders,
]);

// Run the transfer, capture any transport error text, then release the handle.
$response = curl_exec($curl);
$err = curl_error($curl);
curl_close($curl);
if ($err) {
echo "cURL Error #:" . $err;
} else {
echo $response;
}CURL *hnd = curl_easy_init();
/* Endpoint and HTTP method for the transfer. */
curl_easy_setopt(hnd, CURLOPT_URL, "https://api-yourfqdn/public_api/v1/legacy_exceptions/add");
curl_easy_setopt(hnd, CURLOPT_CUSTOMREQUEST, "POST");

/* Request headers; the authentication values are the samples from this page.
 * NOTE(review): nothing in this excerpt frees the list or the handle. Pair it
 * with curl_slist_free_all() and curl_easy_cleanup() after the transfer. */
struct curl_slist *hdr_list = NULL;
hdr_list = curl_slist_append(hdr_list, "Authorization: UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP ");
hdr_list = curl_slist_append(hdr_list, "x-xdr-auth-id: 241");
hdr_list = curl_slist_append(hdr_list, "content-type: application/json");
curl_easy_setopt(hnd, CURLOPT_HTTPHEADER, hdr_list);

/* Placeholder JSON body; replace each value with real rule settings. */
curl_easy_setopt(hnd, CURLOPT_POSTFIELDS, "{\"request_data\":{\"name\":\"string\",\"platform\":\"Windows\",\"module\":1,\"profile_ids\":[0],\"status\":\"string\",\"scope\":\"string\",\"description\":\"string\",\"conditions\":{}}}");
CURLcode ret = curl_easy_perform(hnd);var client = new RestClient("https://api-yourfqdn/public_api/v1/legacy_exceptions/add");
// Placeholder JSON body; replace each value with real rule settings.
const string body = "{\"request_data\":{\"name\":\"string\",\"platform\":\"Windows\",\"module\":1,\"profile_ids\":[0],\"status\":\"string\",\"scope\":\"string\",\"description\":\"string\",\"conditions\":{}}}";

// POST request with the sample authentication values from this page.
// NOTE(review): a real key should come from configuration or a secret store
// rather than a string literal in source.
var request = new RestRequest(Method.POST);
request.AddHeader("Authorization", "UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP ");
request.AddHeader("x-xdr-auth-id", "241");
request.AddHeader("content-type", "application/json");
request.AddParameter("application/json", body, ParameterType.RequestBody);
IRestResponse response = client.Execute(request);request_dataobjectrequiredRequest body for creating a legacy exception rule.
Request body for creating a legacy exception rule.
name (string): Name for the legacy exception rule.
platform (string): Target platform for the exception. Must be one of the platforms supported by the chosen module (see the /public_api/v1/legacy_exceptions/get_modules endpoint response). Example: "Windows"
module (integer): Numeric ID of the protection module to create the exception for. Get valid module IDs from the /public_api/v1/legacy_exceptions/get_modules endpoint.
Example (module): 1
profile_ids (array[integer]): List of prevention profile IDs this exception rule applies to. Use the /public_api/v1/endpoints/get_profiles endpoint to find existing profile IDs.
- For scope: PROFILE: provide one or more profile IDs (e.g. [29])
- For scope: GLOBAL: must be an empty array []
status (string): Status of the rule.
Allowed values: ENABLED or DISABLED.
scope (string): Scope of the exception:
- PROFILE — exception applies to specific prevention profiles listed in profile_ids
- GLOBAL — exception applies globally; profile_ids must be [] and the module must be an Exception-type module
A GLOBAL rule is not limited to any profile, so use PROFILE scope when the exception is only needed for specific profiles.
description (string): Optional description of the exception rule.
conditions (object): The conditions structure depends on the chosen module. Use the /public_api/v1/legacy_exceptions/get_modules endpoint to get the conditions_definition for each module.
{
"request_data": {
"name": "Test Legacy Exception rule 1",
"platform": "Windows",
"module": 1,
"profile_ids": [
29
],
"status": "ENABLED",
"scope": "PROFILE",
"description": "my legacy rule desc",
"conditions": {
"remoteIpsWhitelist": [
"192.168.1.45"
]
}
}
}{
"request_data": {
"name": "Test kpep legacy rule",
"platform": "macOS",
"module": 43,
"profile_ids": [
53
],
"status": "ENABLED",
"scope": "PROFILE",
"description": "my legacy desc rule 2",
"conditions": {
"process_exceptions": [
{
"processName": "test\\test.exe",
"modules": [
{
"moduleId": 141,
"moduleName": "Kernel Privilege Escalation Protection"
}
]
}
]
}
}
}