Edit Disable Prevention Rule

Cortex XDR REST API

post /public_api/v1/disable_prevention/edit

Updates an existing Disable Prevention rule.

Request headers
Authorization String required

{api_key}

Example: UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP
x-xdr-auth-id String required

{api_key_id}

Example: 241
CLIENT REQUEST
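# Edit an existing Disable Prevention rule.
#
# The key and key ID are read from the environment so they are not stored in
# the script or recorded in shell history. XDR_API_KEY and XDR_API_KEY_ID are
# placeholder variable names; ${VAR:?} aborts the command if either is unset.
# The expanded header is still visible in the process argument list while curl
# runs, so run this from a host and account you trust.
#
# The body is the placeholder payload for this endpoint (the body is marked
# required); replace the "string"/0 values and rule_id before sending.
curl -X 'POST' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -H "Authorization: ${XDR_API_KEY:?set XDR_API_KEY}" \
  -H "x-xdr-auth-id: ${XDR_API_KEY_ID:?set XDR_API_KEY_ID}" \
  'https://api-yourfqdn/public_api/v1/disable_prevention/edit' \
  -d '{"request_data":{"rule_name":"string","description":"string","platform":"string","module_ids":[0],"conditions":{"hash":"string","path":"string","signer":"string","command":"string","sign_thumbprint":"string"},"profile_ids":[0],"status":"string","scope":"string","rule_id":"5bfb2a15ca2a4525a4e69f11792dfe61"}}'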
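import http.client
import json
import os

# Edit an existing Disable Prevention rule and print the raw response body.
#
# Credentials are read from the environment instead of being hard-coded in the
# script; XDR_API_KEY and XDR_API_KEY_ID are placeholder variable names.
api_key = os.environ["XDR_API_KEY"]
api_key_id = os.environ["XDR_API_KEY_ID"]

# Placeholder payload: replace the "string"/0 values and rule_id with real ones.
# json.dumps replaces the hand-escaped JSON string so quoting cannot drift.
payload = json.dumps({
    "request_data": {
        "rule_name": "string",
        "description": "string",
        "platform": "string",
        "module_ids": [0],
        "conditions": {
            "hash": "string",
            "path": "string",
            "signer": "string",
            "command": "string",
            "sign_thumbprint": "string",
        },
        "profile_ids": [0],
        "status": "string",
        "scope": "string",
        "rule_id": "5bfb2a15ca2a4525a4e69f11792dfe61",
    }
})

headers = {
    'Authorization': api_key,
    'x-xdr-auth-id': api_key_id,
    'content-type': "application/json",
}

# A timeout keeps the script from hanging on an unresponsive endpoint; the
# connection is closed even if the request or read raises.
conn = http.client.HTTPSConnection("api-yourfqdn", timeout=30)
try:
    conn.request("POST", "/public_api/v1/disable_prevention/edit", payload, headers)
    res = conn.getresponse()
    data = res.read()
finally:
    conn.close()

print(data.decode("utf-8"))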
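require 'uri'
require 'net/http'
require 'openssl'

# Edit an existing Disable Prevention rule and print the response body.

url = URI("https://api-yourfqdn/public_api/v1/disable_prevention/edit")

http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
# Verify the server certificate. With VERIFY_NONE the API key below would be
# sent to whichever host answers the connection, so a party on the network
# path could capture the key and change prevention rules with it.
http.verify_mode = OpenSSL::SSL::VERIFY_PEER

request = Net::HTTP::Post.new(url)
# Credentials come from the environment rather than the source file;
# XDR_API_KEY and XDR_API_KEY_ID are placeholder variable names.
# ENV.fetch raises KeyError if either is missing.
request["Authorization"] = ENV.fetch("XDR_API_KEY")
request["x-xdr-auth-id"] = ENV.fetch("XDR_API_KEY_ID")
request["content-type"] = 'application/json'
# Placeholder payload: replace the "string"/0 values and rule_id with real ones.
request.body = "{\"request_data\":{\"rule_name\":\"string\",\"description\":\"string\",\"platform\":\"string\",\"module_ids\":[0],\"conditions\":{\"hash\":\"string\",\"path\":\"string\",\"signer\":\"string\",\"command\":\"string\",\"sign_thumbprint\":\"string\"},\"profile_ids\":[0],\"status\":\"string\",\"scope\":\"string\",\"rule_id\":\"5bfb2a15ca2a4525a4e69f11792dfe61\"}}"

response = http.request(request)
puts response.read_body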
// Edit an existing Disable Prevention rule via XMLHttpRequest and log the
// response text once the request has completed.
//
// NOTE(review): XMLHttpRequest implies browser-side script, where the API key
// is readable by anyone who can load the page. The header values below are
// the documentation's example values; a real key belongs in a server-side
// component, not in client code.

// Placeholder payload: replace the "string"/0 values and rule_id with real ones.
const requestData = {
  "rule_name": "string",
  "description": "string",
  "platform": "string",
  "module_ids": [0],
  "conditions": {
    "hash": "string",
    "path": "string",
    "signer": "string",
    "command": "string",
    "sign_thumbprint": "string"
  },
  "profile_ids": [0],
  "status": "string",
  "scope": "string",
  "rule_id": "5bfb2a15ca2a4525a4e69f11792dfe61"
};
const data = JSON.stringify({ "request_data": requestData });

// Header names and values in the order they are applied to the request.
const requestHeaders = [
  ["Authorization", "UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP "],
  ["x-xdr-auth-id", "241"],
  ["content-type", "application/json"]
];

const xhr = new XMLHttpRequest();
// NOTE(review): withCredentials = true asks the browser to attach cookies and
// other stored credentials to a cross-origin request. Authentication here is
// carried by the headers above, so confirm this flag is actually needed.
xhr.withCredentials = true;

xhr.addEventListener("readystatechange", () => {
  if (xhr.readyState !== xhr.DONE) {
    return;
  }
  console.log(xhr.responseText);
});

xhr.open("POST", "https://api-yourfqdn/public_api/v1/disable_prevention/edit");
for (const [headerName, headerValue] of requestHeaders) {
  xhr.setRequestHeader(headerName, headerValue);
}
xhr.send(data);
// Edit an existing Disable Prevention rule; the response body is returned as a String.
//
// The key and key ID are the documentation's example values.
// NOTE(review): load real credentials from a secret store or the environment
// instead of committing them in source.
String endpoint = "https://api-yourfqdn/public_api/v1/disable_prevention/edit";
String apiKey = "UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP ";
String apiKeyId = "241";

// Placeholder payload: replace the "string"/0 values and rule_id with real ones.
String requestBody = "{\"request_data\":{\"rule_name\":\"string\",\"description\":\"string\",\"platform\":\"string\",\"module_ids\":[0],\"conditions\":{\"hash\":\"string\",\"path\":\"string\",\"signer\":\"string\",\"command\":\"string\",\"sign_thumbprint\":\"string\"},\"profile_ids\":[0],\"status\":\"string\",\"scope\":\"string\",\"rule_id\":\"5bfb2a15ca2a4525a4e69f11792dfe61\"}}";

HttpResponse<String> response = Unirest.post(endpoint)
    .header("Authorization", apiKey)
    .header("x-xdr-auth-id", apiKeyId)
    .header("content-type", "application/json")
    .body(requestBody)
    .asString();
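import Foundation

// Edit an existing Disable Prevention rule and print the HTTP response (or the error).

// Credentials are read from the environment rather than hard-coded;
// XDR_API_KEY and XDR_API_KEY_ID are placeholder variable names.
let environment = ProcessInfo.processInfo.environment
guard let apiKey = environment["XDR_API_KEY"],
      let apiKeyId = environment["XDR_API_KEY_ID"] else {
    fatalError("Set XDR_API_KEY and XDR_API_KEY_ID before running this sample")
}

let headers = [
    "Authorization": apiKey,
    "x-xdr-auth-id": apiKeyId,
    "content-type": "application/json"
]

// Placeholder payload: replace the "string"/0 values and rule_id with real ones.
let parameters = ["request_data": [
    "rule_name": "string",
    "description": "string",
    "platform": "string",
    "module_ids": [0],
    "conditions": [
        "hash": "string",
        "path": "string",
        "signer": "string",
        "command": "string",
        "sign_thumbprint": "string"
    ],
    "profile_ids": [0],
    "status": "string",
    "scope": "string",
    "rule_id": "5bfb2a15ca2a4525a4e69f11792dfe61"
]] as [String : Any]

// JSONSerialization.data(withJSONObject:options:) is a throwing call, so it
// must be marked with `try`; at the top level of a script an error thrown
// here ends the program.
let postData = try JSONSerialization.data(withJSONObject: parameters, options: [])

let request = NSMutableURLRequest(url: NSURL(string: "https://api-yourfqdn/public_api/v1/disable_prevention/edit")! as URL,
                                  cachePolicy: .useProtocolCachePolicy,
                                  timeoutInterval: 10.0)
request.httpMethod = "POST"
request.allHTTPHeaderFields = headers
request.httpBody = postData

let session = URLSession.shared
let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in
    // Unwrap the optionals before printing so the output is the value itself
    // rather than an Optional(...) wrapper.
    if let error = error {
        print(error)
    } else {
        let httpResponse = response as? HTTPURLResponse
        print(httpResponse as Any)
    }
})

dataTask.resume()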
<?php
// Edit an existing Disable Prevention rule and echo the response body,
// or the cURL error text if the transfer failed.
//
// The key and key ID are the documentation's example values.
// NOTE(review): load real credentials from a secret store or the environment
// instead of committing them in source.
$requestHeaders = [
    "Authorization: UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP ",
    "content-type: application/json",
    "x-xdr-auth-id: 241"
];

// Placeholder payload: replace the "string"/0 values and rule_id with real ones.
$requestBody = "{\"request_data\":{\"rule_name\":\"string\",\"description\":\"string\",\"platform\":\"string\",\"module_ids\":[0],\"conditions\":{\"hash\":\"string\",\"path\":\"string\",\"signer\":\"string\",\"command\":\"string\",\"sign_thumbprint\":\"string\"},\"profile_ids\":[0],\"status\":\"string\",\"scope\":\"string\",\"rule_id\":\"5bfb2a15ca2a4525a4e69f11792dfe61\"}}";

$options = [
    CURLOPT_URL => "https://api-yourfqdn/public_api/v1/disable_prevention/edit",
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_ENCODING => "",
    CURLOPT_MAXREDIRS => 10,
    CURLOPT_TIMEOUT => 30,
    CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
    CURLOPT_CUSTOMREQUEST => "POST",
    CURLOPT_POSTFIELDS => $requestBody,
    CURLOPT_HTTPHEADER => $requestHeaders,
];

$curl = curl_init();
curl_setopt_array($curl, $options);

$response = curl_exec($curl);
$err = curl_error($curl);

curl_close($curl);

// A non-empty error string means the transfer itself failed.
echo $err ? "cURL Error #:" . $err : $response;
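/* Edit an existing Disable Prevention rule with libcurl.
 *
 * The result of the transfer is left in `ret` for the surrounding code to
 * inspect; it stays CURLE_FAILED_INIT if the easy handle could not be created.
 *
 * The key and key ID are the documentation's example values.
 * NOTE(review): load real credentials from a secret store or the environment
 * instead of compiling them into the binary.
 * libcurl verifies the server certificate by default; leave that on, since
 * the request carries the API key.
 */
CURL *hnd = curl_easy_init();
CURLcode ret = CURLE_FAILED_INIT;
struct curl_slist *headers = NULL;

/* curl_easy_init() returns NULL on failure; do not use the handle then. */
if (hnd != NULL) {
    curl_easy_setopt(hnd, CURLOPT_CUSTOMREQUEST, "POST");
    curl_easy_setopt(hnd, CURLOPT_URL, "https://api-yourfqdn/public_api/v1/disable_prevention/edit");

    headers = curl_slist_append(headers, "Authorization: UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP ");
    headers = curl_slist_append(headers, "x-xdr-auth-id: 241");
    headers = curl_slist_append(headers, "content-type: application/json");
    curl_easy_setopt(hnd, CURLOPT_HTTPHEADER, headers);

    /* Placeholder payload: replace the "string"/0 values and rule_id with real ones. */
    curl_easy_setopt(hnd, CURLOPT_POSTFIELDS, "{\"request_data\":{\"rule_name\":\"string\",\"description\":\"string\",\"platform\":\"string\",\"module_ids\":[0],\"conditions\":{\"hash\":\"string\",\"path\":\"string\",\"signer\":\"string\",\"command\":\"string\",\"sign_thumbprint\":\"string\"},\"profile_ids\":[0],\"status\":\"string\",\"scope\":\"string\",\"rule_id\":\"5bfb2a15ca2a4525a4e69f11792dfe61\"}}");

    ret = curl_easy_perform(hnd);

    /* Release the header list and the handle; the original sample leaked both. */
    curl_slist_free_all(headers);
    curl_easy_cleanup(hnd);
}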
// Edit an existing Disable Prevention rule using RestSharp.
//
// The key and key ID are the documentation's example values.
// NOTE(review): load real credentials from a secret store or the environment
// instead of committing them in source.
const string endpoint = "https://api-yourfqdn/public_api/v1/disable_prevention/edit";
const string apiKey = "UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP ";
const string apiKeyId = "241";

// Placeholder payload: replace the "string"/0 values and rule_id with real ones.
const string jsonBody = "{\"request_data\":{\"rule_name\":\"string\",\"description\":\"string\",\"platform\":\"string\",\"module_ids\":[0],\"conditions\":{\"hash\":\"string\",\"path\":\"string\",\"signer\":\"string\",\"command\":\"string\",\"sign_thumbprint\":\"string\"},\"profile_ids\":[0],\"status\":\"string\",\"scope\":\"string\",\"rule_id\":\"5bfb2a15ca2a4525a4e69f11792dfe61\"}}";

var client = new RestClient(endpoint);
var request = new RestRequest(Method.POST);

request.AddHeader("Authorization", apiKey);
request.AddHeader("x-xdr-auth-id", apiKeyId);
request.AddHeader("content-type", "application/json");
request.AddParameter("application/json", jsonBody, ParameterType.RequestBody);

IRestResponse response = client.Execute(request);
Body parameters
required
application/json
request_data object
rule_name string

Name of the disable prevention rule.

description string

Description explaining the purpose and behavior of the rule.

platform string

The operating system to which the rule applies. For example, windows, linux, or macos.

module_ids array[integer]

A list of module IDs associated with the rule.

conditions object

The combination of condition parameters (hash, path, signer, command, sign_thumbprint) configured when the rule was created.

hash string

SHA-256 hash

path string

Path to the required files or folders

signer string

Trusted signer

command string

Command-line argument

sign_thumbprint string

Certificate thumbprint

profile_ids array[integer]

A list of profile IDs to which the rule is applied.

status string

Status of the rule (for example, enabled or disabled).

scope string

Specifies the scope of the rule, such as global (All endpoints) or profile (Exception profiles).

rule_id string

The unique identifier of the Disable Prevention rule to update.

Example: "5bfb2a15ca2a4525a4e69f11792dfe61"
REQUEST
{ "request_data": { "rule_name": "My MacOS Rule", "description": "Data prevention rule for MacOS", "platform": "macos", "module_ids": [ 38 ], "conditions": { "hash": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824", "path": "/usr/", "signer": "Trusted Company Inc.", "command": "command line argument" }, "profile_ids": [ 96 ], "status": "enabled", "scope": "profile", "rule_id": "5bfb2a15ca2a4525a4e69f11792dfe61" } }
Responses

OK

Body
application/json
reply string

Returns the Disable Prevention Rule ID.

Example: "330fc8dec96a4810af886af328e73264"
RESPONSE
{ "reply": "330fc8dec96a4810af886af328e73264" }