Fetch Legacy Exception Rules

Cortex XDR REST API

post /public_api/v1/legacy_exceptions/fetch

Retrieves a paginated list of Legacy Exception rules for agents based on optional filters and sorting criteria.

This endpoint allows you to:

  • Retrieve all rules or filter by specific criteria
  • Sort results by any field in ascending or descending order
  • Paginate through large result sets
  • Get total count and filtered count of rules
Request headers
Authorization String required

{api_key}

Example: UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP
x-xdr-auth-id String required

{api_key_id}

Example: 241
CLIENT REQUEST
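# Fetch legacy exception rules from the Cortex XDR public API.
#
# The credentials are taken from the environment rather than pasted into the
# command, which keeps them out of shell history and saved scripts.
# XDR_API_KEY and XDR_API_KEY_ID are variable names chosen for this example.
# The ${VAR:?message} form aborts the command if a variable is unset or empty.
#
# On shared hosts, command-line arguments can be visible to other local users;
# curl can read headers from a file instead (-H @headers-file).
curl -X 'POST' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -H "Authorization: ${XDR_API_KEY:?set XDR_API_KEY}" \
  -H "x-xdr-auth-id: ${XDR_API_KEY_ID:?set XDR_API_KEY_ID}" \
  'https://api-yourfqdn/public_api/v1/legacy_exceptions/fetch' \
  -d '{ "request_data" : { "search_from" : 0, "sort" : { "field" : "id", "keyword" : "desc" }, "filters" : [ { "field" : "id", "value" : "GetLegacyExceptionDataRequest_request_data_filters_inner_value", "operator" : "eq" }, { "field" : "id", "value" : "GetLegacyExceptionDataRequest_request_data_filters_inner_value", "operator" : "eq" } ], "search_to" : 1 } }'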
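import http.client
import json
import os
import sys


def main():
    """Fetch legacy exception rules and print the response body.

    Credentials are read from the environment so that no key is stored in the
    source file. XDR_API_KEY and XDR_API_KEY_ID are variable names chosen for
    this example.

    Returns 0 when the API answers with HTTP 200, otherwise 1.
    """
    api_key = os.environ.get("XDR_API_KEY", "").strip()
    api_key_id = os.environ.get("XDR_API_KEY_ID", "").strip()
    if not api_key or not api_key_id:
        print("XDR_API_KEY and XDR_API_KEY_ID must be set", file=sys.stderr)
        return 1

    # Build the body from a dict so quoting and escaping are handled by json.
    payload = json.dumps({
        "request_data": {
            "search_from": 0,
            "search_to": 1,
            "sort": {"field": "id", "keyword": "desc"},
            "filters": [{"field": "id", "operator": "eq", "value": "string"}],
        }
    })
    headers = {
        "Authorization": api_key,
        "x-xdr-auth-id": api_key_id,
        "content-type": "application/json",
    }

    # HTTPSConnection validates the server certificate with its default
    # context; do not pass an unverified context here. The timeout keeps a
    # stalled connection from hanging the caller indefinitely.
    conn = http.client.HTTPSConnection("api-yourfqdn", timeout=30)
    try:
        conn.request("POST", "/public_api/v1/legacy_exceptions/fetch", payload, headers)
        res = conn.getresponse()
        status = res.status
        data = res.read()
    finally:
        conn.close()

    body = data.decode("utf-8")
    if status != 200:
        # Error replies carry err_code / err_msg / err_extra in the body.
        print(f"HTTP {status}: {body}", file=sys.stderr)
        return 1
    print(body)
    return 0


if __name__ == "__main__":
    sys.exit(main())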
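require 'uri'
require 'net/http'
require 'openssl'
require 'json'

# Fetch legacy exception rules from the Cortex XDR public API.
#
# Credentials come from the environment; XDR_API_KEY and XDR_API_KEY_ID are
# variable names chosen for this example. ENV.fetch raises KeyError when a
# variable is missing, so the request is never sent without credentials.
api_key = ENV.fetch('XDR_API_KEY').strip
api_key_id = ENV.fetch('XDR_API_KEY_ID').strip

url = URI("https://api-yourfqdn/public_api/v1/legacy_exceptions/fetch")

http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
# Verify the server certificate. With VERIFY_NONE the client would accept any
# certificate and hand the API key to whoever answers the connection.
http.verify_mode = OpenSSL::SSL::VERIFY_PEER

request = Net::HTTP::Post.new(url)
request["Authorization"] = api_key
request["x-xdr-auth-id"] = api_key_id
request["content-type"] = 'application/json'
request.body = JSON.generate(
  "request_data" => {
    "search_from" => 0,
    "search_to" => 1,
    "sort" => { "field" => "id", "keyword" => "desc" },
    "filters" => [{ "field" => "id", "operator" => "eq", "value" => "string" }]
  }
)

response = http.request(request)
# Error replies carry err_code / err_msg / err_extra in the body.
warn "HTTP #{response.code}" unless response.is_a?(Net::HTTPSuccess)
puts response.read_body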
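/**
 * Fetch legacy exception rules and log the response body.
 *
 * The API key and key ID are passed in by the caller instead of being written
 * into the script. Code delivered to a browser is readable by every user of
 * the page, so supply the credentials from a trusted context only.
 *
 * @param {string} apiKey   Value for the Authorization header.
 * @param {string} apiKeyId Value for the x-xdr-auth-id header.
 */
function fetchLegacyExceptions(apiKey, apiKeyId) {
  const data = JSON.stringify({
    "request_data": {
      "search_from": 0,
      "search_to": 1,
      "sort": { "field": "id", "keyword": "desc" },
      "filters": [{ "field": "id", "operator": "eq", "value": "string" }]
    }
  });

  const xhr = new XMLHttpRequest();
  // withCredentials is left at its default (false): the request is
  // authenticated by the two headers below, so cookies are not needed.

  xhr.addEventListener("load", function () {
    if (this.status >= 200 && this.status < 300) {
      console.log(this.responseText);
    } else {
      // Error replies carry err_code / err_msg / err_extra in the body.
      console.error("HTTP " + this.status + ": " + this.responseText);
    }
  });
  xhr.addEventListener("error", function () {
    console.error("Request failed before a response was received");
  });

  xhr.open("POST", "https://api-yourfqdn/public_api/v1/legacy_exceptions/fetch");
  xhr.setRequestHeader("Authorization", String(apiKey).trim());
  xhr.setRequestHeader("x-xdr-auth-id", String(apiKeyId).trim());
  xhr.setRequestHeader("content-type", "application/json");

  xhr.send(data);
}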
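// Fetch legacy exception rules from the Cortex XDR public API.
// Credentials are read from the environment so that no key is compiled into
// the application. XDR_API_KEY and XDR_API_KEY_ID are variable names chosen
// for this example.
String apiKey = System.getenv("XDR_API_KEY");
String apiKeyId = System.getenv("XDR_API_KEY_ID");
if (apiKey == null || apiKeyId == null) {
    throw new IllegalStateException("XDR_API_KEY and XDR_API_KEY_ID must be set");
}

HttpResponse<String> response = Unirest.post("https://api-yourfqdn/public_api/v1/legacy_exceptions/fetch")
    // trim() removes stray whitespace around the values read from the environment.
    .header("Authorization", apiKey.trim())
    .header("x-xdr-auth-id", apiKeyId.trim())
    .header("content-type", "application/json")
    .body("{\"request_data\":{\"search_from\":0,\"search_to\":1,\"sort\":{\"field\":\"id\",\"keyword\":\"desc\"},\"filters\":[{\"field\":\"id\",\"operator\":\"eq\",\"value\":\"string\"}]}}")
    .asString();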
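import Foundation

// Fetch legacy exception rules from the Cortex XDR public API.
// Credentials are read from the environment so that no key is stored in the
// source. XDR_API_KEY and XDR_API_KEY_ID are variable names chosen for this
// example.
let environment = ProcessInfo.processInfo.environment
guard let apiKey = environment["XDR_API_KEY"],
      let apiKeyId = environment["XDR_API_KEY_ID"] else {
    fatalError("XDR_API_KEY and XDR_API_KEY_ID must be set")
}

let headers = [
    "Authorization": apiKey.trimmingCharacters(in: .whitespacesAndNewlines),
    "x-xdr-auth-id": apiKeyId.trimmingCharacters(in: .whitespacesAndNewlines),
    "content-type": "application/json"
]

let parameters: [String: Any] = [
    "request_data": [
        "search_from": 0,
        "search_to": 1,
        "sort": ["field": "id", "keyword": "desc"],
        "filters": [
            ["field": "id", "operator": "eq", "value": "string"]
        ]
    ]
]

guard let url = URL(string: "https://api-yourfqdn/public_api/v1/legacy_exceptions/fetch") else {
    fatalError("Invalid endpoint URL")
}

var request = URLRequest(url: url,
                         cachePolicy: .useProtocolCachePolicy,
                         timeoutInterval: 10.0)
request.httpMethod = "POST"
request.allHTTPHeaderFields = headers
do {
    // JSONSerialization.data(withJSONObject:options:) throws, so it must be
    // called with `try`.
    request.httpBody = try JSONSerialization.data(withJSONObject: parameters, options: [])
} catch {
    fatalError("Could not encode the request body: \(error)")
}

let dataTask = URLSession.shared.dataTask(with: request) { data, response, error in
    if let error = error {
        print(error)
        return
    }
    guard let httpResponse = response as? HTTPURLResponse else {
        return
    }
    // Error replies carry err_code / err_msg / err_extra in the body, so the
    // status code and the body are both printed.
    print(httpResponse.statusCode)
    if let data = data, let text = String(data: data, encoding: .utf8) {
        print(text)
    }
}

dataTask.resume()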
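<?php

// Fetch legacy exception rules from the Cortex XDR public API.
// Credentials are read from the environment so that no key is stored in the
// script. XDR_API_KEY and XDR_API_KEY_ID are variable names chosen for this
// example.
$apiKey = getenv('XDR_API_KEY');
$apiKeyId = getenv('XDR_API_KEY_ID');
if ($apiKey === false || $apiKeyId === false) {
    fwrite(STDERR, "XDR_API_KEY and XDR_API_KEY_ID must be set\n");
    exit(1);
}

// Build the body with json_encode so quoting and escaping are handled for us.
$payload = json_encode([
    "request_data" => [
        "search_from" => 0,
        "search_to" => 1,
        "sort" => ["field" => "id", "keyword" => "desc"],
        "filters" => [
            ["field" => "id", "operator" => "eq", "value" => "string"],
        ],
    ],
]);

$curl = curl_init();

curl_setopt_array($curl, [
    CURLOPT_URL => "https://api-yourfqdn/public_api/v1/legacy_exceptions/fetch",
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_ENCODING => "",
    CURLOPT_MAXREDIRS => 10,
    CURLOPT_TIMEOUT => 30,
    CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
    CURLOPT_CUSTOMREQUEST => "POST",
    CURLOPT_POSTFIELDS => $payload,
    // Certificate and host name checks are stated explicitly so that a later
    // edit does not switch them off unnoticed.
    CURLOPT_SSL_VERIFYPEER => true,
    CURLOPT_SSL_VERIFYHOST => 2,
    CURLOPT_HTTPHEADER => [
        "Authorization: " . trim($apiKey),
        "content-type: application/json",
        "x-xdr-auth-id: " . trim($apiKeyId),
    ],
]);

$response = curl_exec($curl);
$err = curl_error($curl);
$status = curl_getinfo($curl, CURLINFO_HTTP_CODE);

curl_close($curl);

if ($err) {
    echo "cURL Error #:" . $err;
} else {
    if ($status !== 200) {
        // Error replies carry err_code / err_msg / err_extra in the body.
        fwrite(STDERR, "HTTP " . $status . "\n");
    }
    echo $response;
}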
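#include <stdio.h>
#include <stdlib.h>
#include <curl/curl.h>

/*
 * Fetch legacy exception rules from the Cortex XDR public API.
 *
 * Credentials are read from the environment so that no key is compiled into
 * the binary. XDR_API_KEY and XDR_API_KEY_ID are variable names chosen for
 * this example. libcurl writes the response body to stdout when no write
 * callback is installed, and verifies the server certificate unless that is
 * explicitly switched off; neither default is changed here.
 *
 * Returns 0 when the transfer completes with HTTP 200, otherwise 1.
 */
int fetch_legacy_exceptions(void)
{
    const char *api_key = getenv("XDR_API_KEY");
    const char *api_key_id = getenv("XDR_API_KEY_ID");
    char auth_header[512];
    char id_header[64];
    const char *header_lines[3];
    struct curl_slist *headers = NULL;
    CURL *hnd;
    CURLcode ret;
    long status = 0;
    size_t i;
    int written;

    if (api_key == NULL || api_key_id == NULL) {
        fprintf(stderr, "XDR_API_KEY and XDR_API_KEY_ID must be set\n");
        return 1;
    }

    /* Reject values that would not fit rather than sending a truncated key. */
    written = snprintf(auth_header, sizeof auth_header, "Authorization: %s", api_key);
    if (written < 0 || (size_t)written >= sizeof auth_header) {
        fprintf(stderr, "XDR_API_KEY is too long\n");
        return 1;
    }
    written = snprintf(id_header, sizeof id_header, "x-xdr-auth-id: %s", api_key_id);
    if (written < 0 || (size_t)written >= sizeof id_header) {
        fprintf(stderr, "XDR_API_KEY_ID is too long\n");
        return 1;
    }

    hnd = curl_easy_init();
    if (hnd == NULL) {
        fprintf(stderr, "curl_easy_init failed\n");
        return 1;
    }

    header_lines[0] = auth_header;
    header_lines[1] = id_header;
    header_lines[2] = "content-type: application/json";
    for (i = 0; i < sizeof header_lines / sizeof header_lines[0]; i++) {
        /* curl_slist_append returns NULL on failure and leaves the old list
         * intact, so keep the old pointer until the append has succeeded. */
        struct curl_slist *grown = curl_slist_append(headers, header_lines[i]);
        if (grown == NULL) {
            curl_slist_free_all(headers);
            curl_easy_cleanup(hnd);
            return 1;
        }
        headers = grown;
    }

    curl_easy_setopt(hnd, CURLOPT_CUSTOMREQUEST, "POST");
    curl_easy_setopt(hnd, CURLOPT_URL, "https://api-yourfqdn/public_api/v1/legacy_exceptions/fetch");
    curl_easy_setopt(hnd, CURLOPT_HTTPHEADER, headers);
    curl_easy_setopt(hnd, CURLOPT_POSTFIELDS, "{\"request_data\":{\"search_from\":0,\"search_to\":1,\"sort\":{\"field\":\"id\",\"keyword\":\"desc\"},\"filters\":[{\"field\":\"id\",\"operator\":\"eq\",\"value\":\"string\"}]}}");

    ret = curl_easy_perform(hnd);
    if (ret != CURLE_OK) {
        fprintf(stderr, "request failed: %s\n", curl_easy_strerror(ret));
    } else {
        curl_easy_getinfo(hnd, CURLINFO_RESPONSE_CODE, &status);
        if (status != 200) {
            /* Error replies carry err_code / err_msg / err_extra in the body. */
            fprintf(stderr, "HTTP %ld\n", status);
        }
    }

    /* Release the header list and the handle on every path. */
    curl_slist_free_all(headers);
    curl_easy_cleanup(hnd);

    return (ret == CURLE_OK && status == 200) ? 0 : 1;
}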
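// Fetch legacy exception rules from the Cortex XDR public API.
// Credentials are read from the environment so that no key is compiled into
// the application. XDR_API_KEY and XDR_API_KEY_ID are variable names chosen
// for this example.
var apiKey = Environment.GetEnvironmentVariable("XDR_API_KEY");
var apiKeyId = Environment.GetEnvironmentVariable("XDR_API_KEY_ID");
if (string.IsNullOrWhiteSpace(apiKey) || string.IsNullOrWhiteSpace(apiKeyId))
{
    throw new InvalidOperationException("XDR_API_KEY and XDR_API_KEY_ID must be set");
}

var client = new RestClient("https://api-yourfqdn/public_api/v1/legacy_exceptions/fetch");
var request = new RestRequest(Method.POST);
// Trim() removes stray whitespace around the values read from the environment.
request.AddHeader("Authorization", apiKey.Trim());
request.AddHeader("x-xdr-auth-id", apiKeyId.Trim());
request.AddHeader("content-type", "application/json");
request.AddParameter("application/json", "{\"request_data\":{\"search_from\":0,\"search_to\":1,\"sort\":{\"field\":\"id\",\"keyword\":\"desc\"},\"filters\":[{\"field\":\"id\",\"operator\":\"eq\",\"value\":\"string\"}]}}", ParameterType.RequestBody);
IRestResponse response = client.Execute(request);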
Body parameters
application/json

Request body containing pagination, sorting, and filtering parameters for fetching legacy exception rules.

request_dataobjectrequired

Request body containing pagination, sorting, and filtering parameters.

search_frominteger

Starting index for pagination (zero-based). Defines the offset from which to begin returning results.

search_tointeger

Ending index for pagination (exclusive). The maximum number of results returned is search_to - search_from.

Example:1
Default:100
sortobject

Defines sorting criteria for query results.

fieldstringrequired

Field name to sort by. For example, id, rule_name, platform, modification_time, status, and user_email.

Example:"id"
keywordstring (Enum)required

Determines the sort order.

Example:"desc"
Allowed values: "asc", "desc"
filtersarray

List of filter conditions. Multiple filters are combined with AND logic.

[
fieldstringrequired

The field name to filter on. For example, id, rule_name, platform, status, created_by, user_email, module and profile_ids.

Example:"id"
operatorstringrequired

The comparison operator. Most fields support the eq operator. The module and profile_ids fields support the in operator.

Example:"eq"
valueobjectrequired

The value to compare against. Type should match the field type. Can be a string or number depending on the operator. Examples:

  • If the field is status, the value can be ENABLED or DISABLED
  • If the field is platform, the value can be a string such as Windows, macOS, or Linux
string

The value to compare against. Type should match the field type. Can be a string or number depending on the operator. Examples:

  • If the field is status, the value can be ENABLED or DISABLED
  • If the field is platform, the value can be a string such as Windows, macOS, or Linux
integer

The value to compare against. Type should match the field type. Can be a string or number depending on the operator. Examples:

  • If the field is status, the value can be ENABLED or DISABLED
  • If the field is platform, the value can be a string such as Windows, macOS, or Linux
]
REQUEST
{ "request_data": { "search_from": 0, "search_to": 10, "sort": { "field": "id", "keyword": "desc" }, "filters": [ { "field": "status", "operator": "eq", "value": "ENABLED" }, { "field": "module", "operator": "in", "value": 43 }, { "field": "platform", "operator": "eq", "value": "Windows" } ] } }
Responses

OK

Body
application/json

A legacy exception record as returned by the fetch API.

replyobject
DATAarray
[
idstring

Unique identifier of the legacy exception rule.

Example:"d9c06bfa3f9b45a7a0196244e68d181d"
rule_namestring

Name of the legacy exception rule.

platformstring

Target platform for the exception rule.

conditionsstring

Human-readable string representation of the exception conditions. This is a display string only.

moduleinteger

Numeric ID of the protection module this exception applies to.

Example:43
module_namestring

Name of the protection module.

Example:"Exceptions > Process Exceptions"
descriptionstring

Optional description of the exception rule.

generating_alert_idobject

ID of the alert that generated this exception, if applicable.

created_bystring

Name of the user or API key that created the legacy exception rule. Note: API-created exception rules show as "Public API - <key_id>".

modification_timeinteger

Unix timestamp in milliseconds of the last modification.

user_emailstring

Email of the user who created the exception. Note: API-created exceptions show n/a.

statusstring

Indicates the current status of the rule.

profile_idsarray[integer]

List of prevention profile IDs this exception is scoped to. Empty array [] indicates a GLOBAL scope exception.

associated_targetsarray[string]

Describes the endpoint targeting scope of the exception.

is_in_user_scopeboolean

Whether the exception is within the current user's RBAC scope.

]
FILTER_COUNTinteger

The number of rules returned in the current response after applying filters.

Example:2
TOTAL_COUNTinteger

The total number of rules available that match the filter criteria, regardless of pagination.

Example:2
RESPONSE
{ "reply": { "DATA": [ { "id": "d9c06bfa3f9b45a7a0196244e68d181d", "rule_name": "Legacy Exception Rule 1", "platform": "Linux", "conditions": "Process Name = Another test process AND Modules = Disable Injection OR Process Name = Test process AND Modules = Child Process Protection", "module": 43, "module_name": "Exceptions > Process Exceptions", "description": "rule 1", "generating_alert_id": null, "created_by": "John Doe", "modification_time": 1772111647000, "user_email": "john.doe@example.com", "status": "ENABLED", "profile_ids": [ 27 ], "associated_targets": [ "Any" ], "is_in_user_scope": true }, { "id": "0a2661779a2d4a87b051158ea47f0022", "rule_name": "Legacy Exception Rule 2", "platform": "Windows", "conditions": "Remote IP Address : 192.168.1.45", "module": 1, "module_name": "Malware > Respond to Malicious Causality Chains", "description": "test", "generating_alert_id": null, "created_by": "Jane Doe", "modification_time": 1772089294000, "user_email": "jane.doe@example.com", "status": "ENABLED", "profile_ids": [ 29 ], "associated_targets": [], "is_in_user_scope": true } ], "FILTER_COUNT": 2, "TOTAL_COUNT": 2 } }

Bad Request

Body
application/json
replyobject
err_codeinteger

HTTP error code.

err_msgstring

High-level error message.

err_extrastring

Detailed error information describing the specific validation failures.

RESPONSE
{ "reply": { "err_code": 400, "err_msg": "Got an invalid input while processing XDR public API", "err_extra": "invalid request - operator contains is unsupported for rule_name, conditions is not supported for filtering, module_name is not supported for filtering, description is not supported for filtering, value Enabled is not valid for field status, modification_time is not supported for filtering, profiles is not supported for filtering, generating_alert_id is not supported for filtering" } }