Create an Application Security Rule

Cortex XSIAM Platform APIs

Limitation

Rules can only be created for IaC Security and Secrets Security; creating rules for CI/CD Security is not supported.

Required license

Cortex XSIAM Premium. In Cortex XSIAM Enterprise and Cortex NG SIEM, requires the Cortex Cloud Posture Management add-on. Not supported in XSIAM Enterprise Plus.

Request headers
Authorization String required

{api_key}
Example: UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP
x-xdr-auth-id String required

{api_key_id}
Example: 241
CLIENT REQUEST
curl -X 'POST'
-H 'Accept: application/json'
-H 'Content-Type: application/json'
-H 'Authorization: UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP ' -H 'x-xdr-auth-id: 241'
'https://api-yourfqdn/public_api/appsec/v1/rules'
-d '{ "name" : "name", "scanner" : { "definitionLink" : "definitionLink", "subCategory" : "", "cspmRuleId" : "ff6a26a5-f036-4d3a-a650-d5de1d568bab", "definition" : "definition:\\n cond_type: attribute\\n resource_types:\\n - aws_s3_bucket_public_access_block\\n attribute: block_public_acls\\n operator: equals\\n value: false", "remediationDescription" : "Set block_public_acls to true in aws_s3_bucket_public_access_block resource" }, "description" : "description", "labels" : [ "Custom-Rule", "Custom-Rule" ] }'
import http.client conn = http.client.HTTPSConnection("api-yourfqdn") payload = "{\"name\":\"string\",\"description\":\"string\",\"severity\":\"CRITICAL\",\"labels\":[\"Custom-Rule\"],\"scanner\":{\"name\":\"ARM\",\"category\":\"AI_ML\",\"subCategory\":\"GUARDRAILS\",\"cspmRuleId\":\"ff6a26a5-f036-4d3a-a650-d5de1d568bab\",\"definition\":\"definition:\\\\n cond_type: attribute\\\\n resource_types:\\\\n - aws_s3_bucket_public_access_block\\\\n attribute: block_public_acls\\\\n operator: equals\\\\n value: false\",\"definitionLink\":\"string\",\"remediationDescription\":\"Set block_public_acls to true in aws_s3_bucket_public_access_block resource\"}}" headers = { 'Authorization': "UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP ", 'x-xdr-auth-id': "241", 'content-type': "application/json" } conn.request("POST", "/public_api/appsec/v1/rules", payload, headers) res = conn.getresponse() data = res.read() print(data.decode("utf-8"))
require 'uri' require 'net/http' require 'openssl' url = URI("https://api-yourfqdn/public_api/appsec/v1/rules") http = Net::HTTP.new(url.host, url.port) http.use_ssl = true http.verify_mode = OpenSSL::SSL::VERIFY_NONE request = Net::HTTP::Post.new(url) request["Authorization"] = 'UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP ' request["x-xdr-auth-id"] = '241' request["content-type"] = 'application/json' request.body = "{\"name\":\"string\",\"description\":\"string\",\"severity\":\"CRITICAL\",\"labels\":[\"Custom-Rule\"],\"scanner\":{\"name\":\"ARM\",\"category\":\"AI_ML\",\"subCategory\":\"GUARDRAILS\",\"cspmRuleId\":\"ff6a26a5-f036-4d3a-a650-d5de1d568bab\",\"definition\":\"definition:\\\\n cond_type: attribute\\\\n resource_types:\\\\n - aws_s3_bucket_public_access_block\\\\n attribute: block_public_acls\\\\n operator: equals\\\\n value: false\",\"definitionLink\":\"string\",\"remediationDescription\":\"Set block_public_acls to true in aws_s3_bucket_public_access_block resource\"}}" response = http.request(request) puts response.read_body
const data = JSON.stringify({ "name": "string", "description": "string", "severity": "CRITICAL", "labels": [ "Custom-Rule" ], "scanner": { "name": "ARM", "category": "AI_ML", "subCategory": "GUARDRAILS", "cspmRuleId": "ff6a26a5-f036-4d3a-a650-d5de1d568bab", "definition": "definition:\\n cond_type: attribute\\n resource_types:\\n - aws_s3_bucket_public_access_block\\n attribute: block_public_acls\\n operator: equals\\n value: false", "definitionLink": "string", "remediationDescription": "Set block_public_acls to true in aws_s3_bucket_public_access_block resource" } }); const xhr = new XMLHttpRequest(); xhr.withCredentials = true; xhr.addEventListener("readystatechange", function () { if (this.readyState === this.DONE) { console.log(this.responseText); } }); xhr.open("POST", "https://api-yourfqdn/public_api/appsec/v1/rules"); xhr.setRequestHeader("Authorization", "UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP "); xhr.setRequestHeader("x-xdr-auth-id", "241"); xhr.setRequestHeader("content-type", "application/json"); xhr.send(data);
HttpResponse<String> response = Unirest.post("https://api-yourfqdn/public_api/appsec/v1/rules") .header("Authorization", "UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP ") .header("x-xdr-auth-id", "241") .header("content-type", "application/json") .body("{\"name\":\"string\",\"description\":\"string\",\"severity\":\"CRITICAL\",\"labels\":[\"Custom-Rule\"],\"scanner\":{\"name\":\"ARM\",\"category\":\"AI_ML\",\"subCategory\":\"GUARDRAILS\",\"cspmRuleId\":\"ff6a26a5-f036-4d3a-a650-d5de1d568bab\",\"definition\":\"definition:\\\\n cond_type: attribute\\\\n resource_types:\\\\n - aws_s3_bucket_public_access_block\\\\n attribute: block_public_acls\\\\n operator: equals\\\\n value: false\",\"definitionLink\":\"string\",\"remediationDescription\":\"Set block_public_acls to true in aws_s3_bucket_public_access_block resource\"}}") .asString();
import Foundation let headers = [ "Authorization": "UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP ", "x-xdr-auth-id": "241", "content-type": "application/json" ] let parameters = [ "name": "string", "description": "string", "severity": "CRITICAL", "labels": ["Custom-Rule"], "scanner": [ "name": "ARM", "category": "AI_ML", "subCategory": "GUARDRAILS", "cspmRuleId": "ff6a26a5-f036-4d3a-a650-d5de1d568bab", "definition": "definition:\n cond_type: attribute\n resource_types:\n - aws_s3_bucket_public_access_block\n attribute: block_public_acls\n operator: equals\n value: false", "definitionLink": "string", "remediationDescription": "Set block_public_acls to true in aws_s3_bucket_public_access_block resource" ] ] as [String : Any] let postData = JSONSerialization.data(withJSONObject: parameters, options: []) let request = NSMutableURLRequest(url: NSURL(string: "https://api-yourfqdn/public_api/appsec/v1/rules")! as URL, cachePolicy: .useProtocolCachePolicy, timeoutInterval: 10.0) request.httpMethod = "POST" request.allHTTPHeaderFields = headers request.httpBody = postData as Data let session = URLSession.shared let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in if (error != nil) { print(error) } else { let httpResponse = response as? HTTPURLResponse print(httpResponse) } }) dataTask.resume()
<?php $curl = curl_init(); curl_setopt_array($curl, [ CURLOPT_URL => "https://api-yourfqdn/public_api/appsec/v1/rules", CURLOPT_RETURNTRANSFER => true, CURLOPT_ENCODING => "", CURLOPT_MAXREDIRS => 10, CURLOPT_TIMEOUT => 30, CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1, CURLOPT_CUSTOMREQUEST => "POST", CURLOPT_POSTFIELDS => "{\"name\":\"string\",\"description\":\"string\",\"severity\":\"CRITICAL\",\"labels\":[\"Custom-Rule\"],\"scanner\":{\"name\":\"ARM\",\"category\":\"AI_ML\",\"subCategory\":\"GUARDRAILS\",\"cspmRuleId\":\"ff6a26a5-f036-4d3a-a650-d5de1d568bab\",\"definition\":\"definition:\\\\n cond_type: attribute\\\\n resource_types:\\\\n - aws_s3_bucket_public_access_block\\\\n attribute: block_public_acls\\\\n operator: equals\\\\n value: false\",\"definitionLink\":\"string\",\"remediationDescription\":\"Set block_public_acls to true in aws_s3_bucket_public_access_block resource\"}}", CURLOPT_HTTPHEADER => [ "Authorization: UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP ", "content-type: application/json", "x-xdr-auth-id: 241" ], ]); $response = curl_exec($curl); $err = curl_error($curl); curl_close($curl); if ($err) { echo "cURL Error #:" . $err; } else { echo $response; }
CURL *hnd = curl_easy_init(); curl_easy_setopt(hnd, CURLOPT_CUSTOMREQUEST, "POST"); curl_easy_setopt(hnd, CURLOPT_URL, "https://api-yourfqdn/public_api/appsec/v1/rules"); struct curl_slist *headers = NULL; headers = curl_slist_append(headers, "Authorization: UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP "); headers = curl_slist_append(headers, "x-xdr-auth-id: 241"); headers = curl_slist_append(headers, "content-type: application/json"); curl_easy_setopt(hnd, CURLOPT_HTTPHEADER, headers); curl_easy_setopt(hnd, CURLOPT_POSTFIELDS, "{\"name\":\"string\",\"description\":\"string\",\"severity\":\"CRITICAL\",\"labels\":[\"Custom-Rule\"],\"scanner\":{\"name\":\"ARM\",\"category\":\"AI_ML\",\"subCategory\":\"GUARDRAILS\",\"cspmRuleId\":\"ff6a26a5-f036-4d3a-a650-d5de1d568bab\",\"definition\":\"definition:\\\\n cond_type: attribute\\\\n resource_types:\\\\n - aws_s3_bucket_public_access_block\\\\n attribute: block_public_acls\\\\n operator: equals\\\\n value: false\",\"definitionLink\":\"string\",\"remediationDescription\":\"Set block_public_acls to true in aws_s3_bucket_public_access_block resource\"}}"); CURLcode ret = curl_easy_perform(hnd);
var client = new RestClient("https://api-yourfqdn/public_api/appsec/v1/rules"); var request = new RestRequest(Method.POST); request.AddHeader("Authorization", "UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP "); request.AddHeader("x-xdr-auth-id", "241"); request.AddHeader("content-type", "application/json"); request.AddParameter("application/json", "{\"name\":\"string\",\"description\":\"string\",\"severity\":\"CRITICAL\",\"labels\":[\"Custom-Rule\"],\"scanner\":{\"name\":\"ARM\",\"category\":\"AI_ML\",\"subCategory\":\"GUARDRAILS\",\"cspmRuleId\":\"ff6a26a5-f036-4d3a-a650-d5de1d568bab\",\"definition\":\"definition:\\\\n cond_type: attribute\\\\n resource_types:\\\\n - aws_s3_bucket_public_access_block\\\\n attribute: block_public_acls\\\\n operator: equals\\\\n value: false\",\"definitionLink\":\"string\",\"remediationDescription\":\"Set block_public_acls to true in aws_s3_bucket_public_access_block resource\"}}", ParameterType.RequestBody); IRestResponse response = client.Execute(request);
Body parameters
required
application/json

Define the Application Security custom rule. The category option should match your selection for scanner.

namestringrequired

A unique name for the Appsec rule.

descriptionstring

Description of the rule

severitystring (Enum)required

Severity

Allowed values:"CRITICAL""HIGH""INFO""LOW""MEDIUM"
labelsarray[string]

Labels to be assigned to the rule

scannerobjectrequired

The type of security scanner used to detect findings of this rule. Choose any one of the scanners. Allowed Values: IAC or SECRETS.

namestring (Enum)required

Name of the configured frameworks.

Allowed values:"ARM""BICEP""CLOUDFORMATION""KUBERNETES""TERRAFORM"
categorystring (Enum)

Custom rule IaC category

Allowed values:"AI_ML""COMPUTE""IAM""KUBERNETES""LOGGING""MONITORING""NETWORKING""PUBLIC""STORAGE"
subCategoryobject
string (Enum)

Custom rule subcategory

Allowed values:"GUARDRAILS""RISKY_MODELS""PUBLIC_EXPOSURE""PERMISSIONS""ENCRYPTION""RETENTION""FORMATS""DISABLED_OR_MISSING""UNDER_USE""NETWORK_POLICIES""ACCESS_CONTROL""LOGGING_AND_MONITORING""RESOURCE_MANAGEMENT""NATIVE_SECURITY_CONTROLS""MANAGEMENT_SERVICES_EXPOSURE""OVERPROVISIONED""STARTUP_SCRIPT_LEAKS""DEFAULT_CREDENTIALS_OR_AUTH""UNSANCTIONED_RESOURCE_OR_TYPE""BACKUPS""VERSIONING""REPLICATION""ALERTING""REDUNDANCY""ADMIN_INTERFACES""DATABASE_ENDPOINTS""STORAGE_BUCKETS""APIS""SENSITIVE_PORTS""LOAD_BALANCING""INGRESS_CONTROLS""EGRESS_CONTROLS""ENCRYPTION_AND_PROTOCOLS""VPC_VCN_VNET""FLOW_LOGS""TAGS_AND_METADATA""RESOURCE_HEALTH""PERFORMANCE_MONITORING""ALERTING_AND_NOTIFICATIONS""UNINTEGRATED""STORAGE""OVERLY_PERMISSIVE""UNUSED""CREDENTIAL_EXPOSURE""MFA""ROLE_SEPARATION""SHARED""EXPIRED_KEY_CONTROLS""AUTHENTICATION_POLICIES"
cspmRuleIdstring

The unique identifier of the Cloud Security rule to which the custom Application Security rule will be mapped.

Example:"ff6a26a5-f036-4d3a-a650-d5de1d568bab"
definitionstringrequired

The rule definition

Example:"definition:\\n cond_type: attribute\\n resource_types:\\n - aws_s3_bucket_public_access_block\\n attribute: block_public_acls\\n operator: equals\\n value: false"
definitionLinkstring

http link to the definition documentation.

remediationDescriptionstring

The remediation steps that will appear on the Appsec rule's findings.

Example:"Set block_public_acls to true in aws_s3_bucket_public_access_block resource"
categorystring (Enum)

Custom rule secret category

Allowed values:"API_KEYS""DATABASE_CREDENTIALS""ENCRYPTION_KEYS""CLOUD_SERVICE_PROVIDER_KEYS""SSH_KEYS""ENVIRONMENT_VARIABLES""SENSITIVE_TOKENS""THIRD_PARTY_SERVICES"
definitionstringrequired

The rule definition

Example:"definition:\\n cond_type: secrets\\n value: AIza[0-9A-Za-z-_]{35}"
definitionLinkstring

http link to the documentation.

remediationDescriptionstring

The remediation steps that will appear on the Appsec rule's findings.

Example:"Revoke the GCP API key immediately through the Google Cloud Console."
REQUEST
{ "name": "S3 Bucket Public Access Check", "description": "Detects S3 buckets with public access enabled", "severity": "HIGH", "scanner": "IAC", "category": "PUBLIC", "subCategory": "STORAGE_BUCKETS", "labels": [ "Custom-Rule", "S3-Security" ], "frameworks": [ { "name": "TERRAFORM", "definition": "definition:\n cond_type: attribute\n resource_types:\n - aws_s3_bucket_public_access_block\n attribute: block_public_acls\n operator: equals\n value: false", "remediationDescription": "Set block_public_acls to true in aws_s3_bucket_public_access_block resource" } ] }
{ "name": "example secret rule", "description": "This is a secret rule description", "severity": "LOW", "scanner": "SECRETS", "labels": [ "my-label" ], "category": "API_KEYS", "frameworks": [ { "name": "GIT", "definition": "definition:\n cond_type: secrets\n value: AIza[0-9A-Za-z-_]{35}", "remediationDescription": "Revoke the GCP API key immediately through the Google Cloud Console." } ] }
Responses

Created

Body
application/json

Details of the Application Security rule

categorystring

Custom rule IaC category.

cloudProviderstring (Enum)
Allowed values:"ALIBABA_CLOUD""AWS""Azure""GCP""IBM""ORACLE""OTHER"
createdAtstringdate-time

The timestamp when the AppSec rule was created.

descriptionstring

The rule description.

detectionMethodstring

security scanner used to detect findings of this rule.

Example:"IaC Security"
docLinkstring

A link to the Cortex documentation.

domainstring

The domain associated with the rule.

Example:"POSTURE"
findingTypeIdnumberdouble

The finding type ID.

Example:30040031
frameworksarray
[
frameworkDetailsobject
definitionstring

The rule definition.

definition_linkstring

http link to the definition documentation.

namestring (Enum)

Name of the configured frameworks.

Allowed values:"ARM""BICEP""CLOUDFORMATION""KUBERNETES""TERRAFORM"
remediation_descriptionstring

The remediation steps that will appear on the Appsec rule's findings.

remediation_idsarray[string]

The IDs of related remediation resources.

resource_typesarray[string]

The resource types associated with the rule.

]
idstring

Appsec rule ID.

isCustomboolean

Indicates whether the rule is custom.

isEnabledboolean

Indicates whether the rule is enabled.

labelsarray[string]

Labels assigned to the rule.

namestring

Name of the Appsec rule.

ownerstring

Owner of the rule.

Example:"CAS"
scannerstring (Enum)
Allowed values:"CICD""IAC""SCA""SECRETS"
severitystring (Enum)

Severity

Allowed values:"CRITICAL""HIGH""INFO""LOW""MEDIUM"
subCategorystring

Custom rule subcategory.

Example:"STORAGE_BUCKETS"
updatedAtstringdate-time

The timestamp when the AppSec rule was updated.

findingCategorystring (Enum)
Allowed values:"Code""Configuration""Data""Vulnerability"
findingDocsstring
Example:"Custom IaC rule for Public Exposure Storage Buckets"
mitreTacticsarray[string]

The associated MITRE ATT&CK tactics.

mitreTechniquesarray[string]

The associated MITRE ATT&CK techniques.

shortDescriptionstring
RESPONSE
{ "category": "example", "cloudProvider": "ALIBABA_CLOUD", "createdAt": "2020-01-01T12:00:00Z", "description": "example", "detectionMethod": "IaC Security", "docLink": "example", "domain": "POSTURE", "findingTypeId": 30040031, "frameworks": [ { "frameworkDetails": { "definition": "example", "definition_link": "example", "name": "ARM", "remediation_description": "example", "remediation_ids": [ "example" ], "resource_types": [ "example" ] } } ], "id": "example", "isCustom": false, "isEnabled": false, "labels": [ "example" ], "name": "example", "owner": "CAS", "scanner": "CICD", "severity": "CRITICAL", "subCategory": "STORAGE_BUCKETS", "updatedAt": "2020-01-01T12:00:00Z", "findingCategory": "Code", "findingDocs": "Custom IaC rule for Public Exposure Storage Buckets", "mitreTactics": [ "example" ], "mitreTechniques": [ "example" ], "shortDescription": "example" }