Get Disable Injection and Prevention rules

Cortex XDR REST API

post /public_api/v1/disable_injection_prevention_rules/fetch

Retrieves a paginated list of Disable Injection and Prevention rules based on optional filters and sorting criteria.

This endpoint allows you to:

  • Retrieve all rules or filter by specific criteria
  • Sort results by any field in ascending or descending order
  • Paginate through large result sets
  • Get total count and filtered count of rules
Request headers
Authorization String required

{api_key}

Example: UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP
x-xdr-auth-id String required

{api_key_id}

Example: 241
CLIENT REQUEST
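# Fetch Disable Injection and Prevention rules (first active rule, newest rule_id first).
#
# XDR_API_KEY and XDR_API_KEY_ID are environment variable names chosen for this
# example; export them from a protected source instead of typing the key inline,
# so the key does not land in shell history or in scripts under version control.
# Header values passed with -H are still visible in the local process list while
# curl runs.
#
# Each line ends with a backslash so the shell treats the command as one
# invocation; without the continuations only the first line would run as curl.
curl -X 'POST' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -H "Authorization: ${XDR_API_KEY}" \
  -H "x-xdr-auth-id: ${XDR_API_KEY_ID}" \
  'https://api-yourfqdn/public_api/v1/disable_injection_prevention_rules/fetch' \
  -d '{"request_data":{"search_from":0,"search_to":1,"sort":{"field":"rule_id","keyword":"desc"},"filters":[{"field":"status","operator":"eq","value":"active"}]}}'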
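import http.client
import json
import os

# Fetch Disable Injection and Prevention rules: the first active rule, sorted by
# rule_id in descending order.

# The API key and key ID are read from the environment rather than embedded in
# the script. XDR_API_KEY / XDR_API_KEY_ID are names chosen for this example.
api_key = os.environ["XDR_API_KEY"]
api_key_id = os.environ["XDR_API_KEY_ID"]

# Build the body with json.dumps instead of a hand-escaped string so quoting
# mistakes cannot produce malformed JSON.
payload = json.dumps(
    {
        "request_data": {
            "search_from": 0,
            "search_to": 1,
            "sort": {"field": "rule_id", "keyword": "desc"},
            "filters": [{"field": "status", "operator": "eq", "value": "active"}],
        }
    }
)

headers = {
    "Authorization": api_key,
    "x-xdr-auth-id": api_key_id,
    "content-type": "application/json",
}

# HTTPSConnection validates the server certificate with the default SSL context;
# the timeout keeps the script from hanging on an unresponsive endpoint.
conn = http.client.HTTPSConnection("api-yourfqdn", timeout=30)
try:
    conn.request(
        "POST",
        "/public_api/v1/disable_injection_prevention_rules/fetch",
        payload,
        headers,
    )
    res = conn.getresponse()
    data = res.read()
    print(data.decode("utf-8"))
finally:
    # Release the socket even when the request or the read raises.
    conn.close()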
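require 'uri'
require 'net/http'
require 'openssl'

# Fetch Disable Injection and Prevention rules: the first active rule, sorted by
# rule_id in descending order.

url = URI("https://api-yourfqdn/public_api/v1/disable_injection_prevention_rules/fetch")

http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
# Verify the server certificate. With VERIFY_NONE the API key would be sent to
# whichever host answers the connection, including an interception proxy.
http.verify_mode = OpenSSL::SSL::VERIFY_PEER

request = Net::HTTP::Post.new(url)
# Credentials are read from the environment rather than embedded in the script.
# XDR_API_KEY / XDR_API_KEY_ID are names chosen for this example; ENV.fetch
# raises KeyError when either one is missing.
request["Authorization"] = ENV.fetch("XDR_API_KEY")
request["x-xdr-auth-id"] = ENV.fetch("XDR_API_KEY_ID")
request["content-type"] = 'application/json'
request.body = "{\"request_data\":{\"search_from\":0,\"search_to\":1,\"sort\":{\"field\":\"rule_id\",\"keyword\":\"desc\"},\"filters\":[{\"field\":\"status\",\"operator\":\"eq\",\"value\":\"active\"}]}}"

response = http.request(request)
puts response.read_body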
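// Fetch Disable Injection and Prevention rules: the first active rule, sorted by
// rule_id in descending order.
//
// The header values below are the documentation's sample key and key ID.
// NOTE(review): an API key placed in browser-delivered JavaScript is readable by
// every user who loads the page; issue this request from a server-side
// component that holds the key.
const data = JSON.stringify({
  "request_data": {
    "search_from": 0,
    "search_to": 1,
    "sort": {
      "field": "rule_id",
      "keyword": "desc"
    },
    "filters": [
      {
        "field": "status",
        "operator": "eq",
        "value": "active"
      }
    ]
  }
});

const xhr = new XMLHttpRequest();
// withCredentials is left at its default (false): the request authenticates
// with the two headers set below, so cookies and other ambient browser
// credentials do not need to accompany the cross-origin call.

xhr.addEventListener("readystatechange", function () {
  if (this.readyState === this.DONE) {
    console.log(this.responseText);
  }
});

xhr.open("POST", "https://api-yourfqdn/public_api/v1/disable_injection_prevention_rules/fetch");
xhr.setRequestHeader("Authorization", "UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP");
xhr.setRequestHeader("x-xdr-auth-id", "241");
xhr.setRequestHeader("content-type", "application/json");

xhr.send(data);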
// Fetch Disable Injection and Prevention rules: the first active rule, sorted by
// rule_id in descending order.
// The Authorization and x-xdr-auth-id values are the documentation's sample
// credentials; in real code load them from a secret store or the environment
// instead of a string literal.
String endpoint = "https://api-yourfqdn/public_api/v1/disable_injection_prevention_rules/fetch";
String requestBody = "{\"request_data\":{\"search_from\":0,\"search_to\":1,\"sort\":{\"field\":\"rule_id\",\"keyword\":\"desc\"},\"filters\":[{\"field\":\"status\",\"operator\":\"eq\",\"value\":\"active\"}]}}";

HttpResponse<String> response = Unirest.post(endpoint)
    .header("Authorization", "UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP")
    .header("x-xdr-auth-id", "241")
    .header("content-type", "application/json")
    .body(requestBody)
    .asString();
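import Foundation

// Fetch Disable Injection and Prevention rules: the first active rule, sorted by
// rule_id in descending order.
// The header values are the documentation's sample credentials; in real code
// read them from the Keychain or another protected store, not a literal.
let headers = [
  "Authorization": "UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP",
  "x-xdr-auth-id": "241",
  "content-type": "application/json"
]

let parameters: [String: Any] = ["request_data": [
  "search_from": 0,
  "search_to": 1,
  "sort": [
    "field": "rule_id",
    "keyword": "desc"
  ],
  "filters": [
    [
      "field": "status",
      "operator": "eq",
      "value": "active"
    ]
  ]
]]

// JSONSerialization.data(withJSONObject:options:) is a throwing call, so it
// must be marked with `try`; the original omitted it and would not compile.
let postData = try JSONSerialization.data(withJSONObject: parameters, options: [])

// URLRequest replaces the NSMutableURLRequest/NSURL bridging casts.
var request = URLRequest(url: URL(string: "https://api-yourfqdn/public_api/v1/disable_injection_prevention_rules/fetch")!,
                         cachePolicy: .useProtocolCachePolicy,
                         timeoutInterval: 10.0)
request.httpMethod = "POST"
request.allHTTPHeaderFields = headers
request.httpBody = postData

let session = URLSession.shared
let dataTask = session.dataTask(with: request, completionHandler: { (data, response, error) -> Void in
  if let error = error {
    print(error)
  } else {
    let httpResponse = response as? HTTPURLResponse
    print(httpResponse as Any)
  }
})

dataTask.resume()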
<?php
// Fetch Disable Injection and Prevention rules: the first active rule, sorted by
// rule_id in descending order.
// The Authorization and x-xdr-auth-id header values are the documentation's
// sample credentials; in real code load them from configuration kept outside
// the source tree.
// No TLS verification option is set here, so cURL's own defaults apply.

$endpoint = "https://api-yourfqdn/public_api/v1/disable_injection_prevention_rules/fetch";

$payload = "{\"request_data\":{\"search_from\":0,\"search_to\":1,\"sort\":{\"field\":\"rule_id\",\"keyword\":\"desc\"},\"filters\":[{\"field\":\"status\",\"operator\":\"eq\",\"value\":\"active\"}]}}";

$requestHeaders = [
    "Authorization: UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP",
    "content-type: application/json",
    "x-xdr-auth-id: 241"
];

$handle = curl_init();

curl_setopt_array($handle, [
    CURLOPT_URL => $endpoint,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_ENCODING => "",
    CURLOPT_MAXREDIRS => 10,
    CURLOPT_TIMEOUT => 30,
    CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
    CURLOPT_CUSTOMREQUEST => "POST",
    CURLOPT_POSTFIELDS => $payload,
    CURLOPT_HTTPHEADER => $requestHeaders,
]);

// Run the transfer, capture any transport error text, then release the handle.
$body = curl_exec($handle);
$transportError = curl_error($handle);
curl_close($handle);

if (!$transportError) {
    echo $body;
} else {
    echo "cURL Error #:" . $transportError;
}
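/* Fetch Disable Injection and Prevention rules: the first active rule, sorted
 * by rule_id in descending order.
 * The header values are the documentation's sample credentials; in real code
 * read them at run time from a protected source instead of a literal. */
CURL *hnd = curl_easy_init();

curl_easy_setopt(hnd, CURLOPT_CUSTOMREQUEST, "POST");
curl_easy_setopt(hnd, CURLOPT_URL, "https://api-yourfqdn/public_api/v1/disable_injection_prevention_rules/fetch");

struct curl_slist *headers = NULL;
headers = curl_slist_append(headers, "Authorization: UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP");
headers = curl_slist_append(headers, "x-xdr-auth-id: 241");
headers = curl_slist_append(headers, "content-type: application/json");
curl_easy_setopt(hnd, CURLOPT_HTTPHEADER, headers);

curl_easy_setopt(hnd, CURLOPT_POSTFIELDS, "{\"request_data\":{\"search_from\":0,\"search_to\":1,\"sort\":{\"field\":\"rule_id\",\"keyword\":\"desc\"},\"filters\":[{\"field\":\"status\",\"operator\":\"eq\",\"value\":\"active\"}]}}");

/* ret is CURLE_OK on success; callers should compare it before trusting the
 * response. */
CURLcode ret = curl_easy_perform(hnd);

/* Release the header list and the easy handle; the original leaked both. The
 * list is freed only after the transfer because the handle refers to it while
 * the request runs. */
curl_slist_free_all(headers);
curl_easy_cleanup(hnd);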
// Fetch Disable Injection and Prevention rules: the first active rule, sorted by
// rule_id in descending order.
// The Authorization and x-xdr-auth-id values are the documentation's sample
// credentials; in real code load them from a secret store or the environment
// instead of a string literal.
string endpoint = "https://api-yourfqdn/public_api/v1/disable_injection_prevention_rules/fetch";
string requestBody = "{\"request_data\":{\"search_from\":0,\"search_to\":1,\"sort\":{\"field\":\"rule_id\",\"keyword\":\"desc\"},\"filters\":[{\"field\":\"status\",\"operator\":\"eq\",\"value\":\"active\"}]}}";

var client = new RestClient(endpoint);

var request = new RestRequest(Method.POST);
request.AddHeader("Authorization", "UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP");
request.AddHeader("x-xdr-auth-id", "241");
request.AddHeader("content-type", "application/json");

// The JSON document is attached as the raw request body.
request.AddParameter("application/json", requestBody, ParameterType.RequestBody);

IRestResponse response = client.Execute(request);
Body parameters
required
application/json
request_dataobject

Request body containing pagination, sorting, and filtering parameters.

search_frominteger

Starting index for pagination (zero-based). Defines the offset from which to begin returning results.

search_tointeger

Ending index for pagination (exclusive). Defines the maximum number of results to return (search_to - search_from).

Example:1
Default:100
sortobjectrequired

Defines sorting criteria for query results.

fieldstring

The field name to sort by. For example, rule_id, rule_name, status, platform.

Example:"rule_id"
keywordstring (Enum)

Determines the sort order.

Example:"desc"
Allowed values:"asc""desc"
filtersarray
[
fieldstring

The field name to filter on. For example, rule_id, rule_name, status, platform.

Example:"status"
operatorstring

Comparison operator to use for filtering. For example: eq (equals), neq (not equals), gte (greater than or equal), lte (less than or equal), contains, or not_contains.

Default:"eq"
valuestring

The value to compare against. Type should match the field type. Can be a string or number depending on the operator. Examples:

  • If the field is status, the value can be active, disabled, or expired
  • If the field is platform, the value can be a string such as windows, macos, or linux
Example:"active"
]
REQUEST
{ "request_data": { "search_from": 0, "search_to": 1, "sort": { "field": "rule_id", "keyword": "desc" }, "filters": [ { "field": "status", "operator": "eq", "value": "active" } ] } }
{ "request_data": { "search_from": 0, "search_to": 10, "filters": [ { "field": "rule_name", "operator": "eq", "value": "Protect Critical app" }, { "field": "status", "operator": "eq", "value": "active" } ] } }
Responses

Successful response

Body
application/json
replyobject

Container object for the response data and metadata

dataarray
[
rule_idstring

Unique identifier for the rule. Auto-generated upon rule creation and used for all subsequent operations.

Example:"24bd70bab9d94905aa18773de2555969"
rule_namestring

Name of the rule.

Example:"Protect Critical App"
descriptionstring

Description of the rule's purpose and context.

Example:"Disable injection prevention for critical business application"
platformstring

Target operating system to which the rule applies. For example: windows, linux, or macos.

Example:"windows"
statusstring

Current status of the rule. For example: active, disabled, or expired.

  • active: Rule is active and being applied
  • disabled: Rule is inactive and not being applied
  • expired: Rule has passed its expiration time
Example:"active"
expiration_timeintegerint64

Unix timestamp (milliseconds) when the rule will expire.

Example:1770445053461
process_namestring

Name of the process executable to which this rule applies. Should match the exact process name as it appears in the system.

Example:"criticalApp.exe"
pathstring

Full file system path to the process executable.

created_bystring

Name of the user or API key ID that created this rule.

Example:"John Doe"
creation_timeintegerint64

Unix timestamp (milliseconds) when the rule was created.

Example:1770358653000
is_globalboolean

Indicates whether the rule applies globally to all endpoints or only to specific profiles.

  • true: Rule applies to all endpoints in the tenant.
  • false: Rule applies only to endpoints in the specified profile_ids.
profile_idsarray[integer]

Array of profile IDs to which this rule applies. Only relevant when is_global is false. null or empty when is_global is true.

]
filter_countinteger

The number of rules returned in the current response after applying filters.

Example:4
total_countinteger

The total number of rules available that match the filter criteria, regardless of pagination.

Example:6
RESPONSE
{ "reply": { "data": [ { "rule_id": "24bd70bab9d94905aa18773de2555969", "rule_name": "Protect Critical App", "description": "Disable injection prevention for critical business application", "platform": "windows", "status": "active", "expiration_time": 1770445053461, "process_name": "criticalApp.exe", "path": "string", "created_by": "John Doe", "creation_time": 1770358653000, "is_global": false, "profile_ids": [ 96 ] } ], "filter_count": 1, "total_count": 6 } }
{ "reply": { "data": [ { "rule_id": "24bd70bab9d94905aa18773de2555969", "rule_name": "Protect Critical App", "description": "Disable injection prevention for critical business application", "platform": "windows", "status": "active", "expiration_time": 1770445053461, "process_name": "criticalApp.exe", "path": "string", "created_by": "Public API - 241", "creation_time": 1770358653000, "is_global": true, "profile_ids": null } ], "filter_count": 1, "total_count": 6 } }

Bad Request

Body
application/json
replyobject
err_codeinteger

Numeric error code returned by the API.

err_msgstring

Human-readable summary of the error.

err_extrastring

Detailed description of the error, including the cause and how to resolve it when applicable.

RESPONSE
{ "reply": { "err_code": 400, "err_msg": "Got an invalid input while processing XDR public API", "err_extra": "search_from: Input should be greater than or equal to 0" } }
{ "reply": { "err_code": 400, "err_msg": "Got an invalid input while processing XDR public API", "err_extra": "search_from: Input should be greater than or equal to 0" } }
{ "reply": { "err_code": 400, "err_msg": "Got an invalid input while processing XDR public API", "err_extra": "Unknown field 'scope'" } }
{ "reply": { "err_code": 400, "err_msg": "Got an invalid input while processing XDR public API", "err_extra": "Unsupported operator 'lte' for field rule_id" } }