Edit prevention policy rules

Cortex XSIAM Platform APIs

post /public_api/v1/policies/prevention/edit

Updates one or more prevention policy rules. Each item in edit_requests specifies a rule by its 32-character hexadecimal UUID and includes the fields to modify. Only explicitly provided (non-null) fields are updated; all others remain unchanged.

Constraints

  • The name, description, and target_filter of the default (catch-all) rule (is_any = true) cannot be modified.
  • Profile IDs must exist, correspond to the correct profile type (exploit, malware, restrictions, agent_settings, or exceptions), and match the OS platform of the target rule.
  • Updates are applied atomically. If the policy has been modified since it was last retrieved, the request fails with a 409 Conflict error due to stale data.

Required license: Cortex XSIAM Premium or Cortex XSIAM Enterprise. In Cortex NG SIEM, requires endpoints or the Cortex Cloud Runtime Security add-on.

Request headers
Authorization String required

{api_key}

Example: authorization_example
x-xdr-auth-id String required

{api_key_id}

Example: xXdrAuthId_example
CLIENT REQUEST
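# Edit prevention policy rules: POST the edit_requests batch as JSON.
# The trailing backslashes are required: as printed in the generated sample
# each option sat on its own line, so the shell would run "curl -X 'POST'"
# alone and then fail on "-H ..." as a separate command.
# authorization_example / xXdrAuthId_example are placeholders; supply the real
# API key and key ID from the environment rather than a literal in the command.
# NOTE(review): the generated payload lists the same rule id twice, each with a
# duplicated hostname condition; a real call would normally list each rule once.
curl -X 'POST' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -H 'Authorization: authorization_example' \
  -H 'x-xdr-auth-id: xXdrAuthId_example' \
  'https://api-yourfqdn/public_api/v1/policies/prevention/edit' \
  -d '{ "request_data" : { "edit_requests" : [ { "restrictions_id" : 5, "exceptions_id" : 7, "target_filter" : { "filterData" : { "AND" : [ { "field" : "hostname", "value" : "DESKTOP-ABC123", "operator" : "EQ" }, { "field" : "hostname", "value" : "DESKTOP-ABC123", "operator" : "EQ" } ] } }, "exploit_id" : 10, "malware_id" : 42, "agent_settings_id" : 3, "name" : "My Custom Prevention Rule", "description" : "Applies to all Windows workstations in Group A", "id" : "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4" }, { "restrictions_id" : 5, "exceptions_id" : 7, "target_filter" : { "filterData" : { "AND" : [ { "field" : "hostname", "value" : "DESKTOP-ABC123", "operator" : "EQ" }, { "field" : "hostname", "value" : "DESKTOP-ABC123", "operator" : "EQ" } ] } }, "exploit_id" : 10, "malware_id" : 42, "agent_settings_id" : 3, "name" : "My Custom Prevention Rule", "description" : "Applies to all Windows workstations in Group A", "id" : "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4" } ] } }'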
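"""Edit prevention policy rules via the Cortex XSIAM public API.

Sends a single edit_request for one rule and prints the JSON reply.
Fixes over the generated sample: the payload is built with json.dumps
instead of a hand-escaped string, the HTTPS connection is always closed,
and the HTTP status is reported so an error reply (err_code / err_msg /
err_extra) is not printed as if the edit had succeeded.
"""
import http.client
import json

# Placeholder credentials; load the real API key and key ID from the
# environment or a secret store instead of embedding them in source.
API_KEY = "SOME_STRING_VALUE"
API_KEY_ID = "SOME_STRING_VALUE"

edit_request = {
    "id": "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4",
    "name": "My Custom Prevention Rule",
    "description": "Applies to all Windows workstations in Group A",
    "target_filter": {
        "filterData": {
            "AND": [
                {"field": "hostname", "operator": "EQ", "value": "DESKTOP-ABC123"}
            ]
        }
    },
    "exploit_id": 10,
    "malware_id": 42,
    "restrictions_id": 5,
    "agent_settings_id": 3,
    "exceptions_id": 7,
}
payload = json.dumps({"request_data": {"edit_requests": [edit_request]}})

headers = {
    "Authorization": API_KEY,
    "x-xdr-auth-id": API_KEY_ID,
    "content-type": "application/json",
}

conn = http.client.HTTPSConnection("api-yourfqdn")
try:
    conn.request("POST", "/public_api/v1/policies/prevention/edit", payload, headers)
    res = conn.getresponse()
    data = res.read()
finally:
    conn.close()  # release the socket even if the request raises

body = data.decode("utf-8")
if res.status != 200:
    # Error replies carry reply.err_code / err_msg / err_extra in the body.
    print(f"HTTP {res.status}: {body}")
else:
    print(body)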
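# Edit prevention policy rules via the Cortex XSIAM public API.
#
# Fixes over the generated sample: it set verify_mode to
# OpenSSL::SSL::VERIFY_NONE, which disables TLS certificate validation and
# exposes the API key in the Authorization header to interception; peer
# verification is enabled here. The HTTP status is also checked so an error
# reply (err_code / err_msg / err_extra) is not printed as a success.
require 'uri'
require 'net/http'
require 'openssl'

url = URI("https://api-yourfqdn/public_api/v1/policies/prevention/edit")

http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_PEER

request = Net::HTTP::Post.new(url)
# Placeholder credentials; read the API key and key ID from ENV or a secret
# store rather than committing literals.
request["Authorization"] = 'SOME_STRING_VALUE'
request["x-xdr-auth-id"] = 'SOME_STRING_VALUE'
request["content-type"] = 'application/json'
request.body = "{\"request_data\":{\"edit_requests\":[{\"id\":\"a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4\",\"name\":\"My Custom Prevention Rule\",\"description\":\"Applies to all Windows workstations in Group A\",\"target_filter\":{\"filterData\":{\"AND\":[{\"field\":\"hostname\",\"operator\":\"EQ\",\"value\":\"DESKTOP-ABC123\"}]}},\"exploit_id\":10,\"malware_id\":42,\"restrictions_id\":5,\"agent_settings_id\":3,\"exceptions_id\":7}]}}"

response = http.request(request)
# Surface a non-200 status instead of printing the error body as a result.
puts "HTTP #{response.code}" unless response.code == '200'
puts response.read_body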
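// Edit prevention policy rules via the Cortex XSIAM public API (browser
// XMLHttpRequest sample).
// Fixes over the generated sample: the HTTP status is checked so an error
// reply (reply.err_code / err_msg / err_extra) is not logged as a success,
// and a transport failure is reported instead of being silently dropped.
const data = JSON.stringify({
  request_data: {
    edit_requests: [
      {
        id: "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4",
        name: "My Custom Prevention Rule",
        description: "Applies to all Windows workstations in Group A",
        target_filter: {
          filterData: {
            AND: [{ field: "hostname", operator: "EQ", value: "DESKTOP-ABC123" }],
          },
        },
        exploit_id: 10,
        malware_id: 42,
        restrictions_id: 5,
        agent_settings_id: 3,
        exceptions_id: 7,
      },
    ],
  },
});

const xhr = new XMLHttpRequest();
// Authentication travels in the two headers set below; withCredentials only
// attaches cookies/HTTP-auth to a cross-origin request. It is kept from the
// generated sample — drop it unless the deployment relies on a cookie session.
xhr.withCredentials = true;

xhr.addEventListener("load", () => {
  if (xhr.status === 200) {
    console.log(xhr.responseText);
  } else {
    console.error(`HTTP ${xhr.status}: ${xhr.responseText}`);
  }
});
xhr.addEventListener("error", () => {
  console.error("Network error while calling the prevention policy edit API");
});

xhr.open("POST", "https://api-yourfqdn/public_api/v1/policies/prevention/edit");
// Placeholder credentials; inject the real API key and key ID at runtime
// rather than shipping them in client-side source.
xhr.setRequestHeader("Authorization", "SOME_STRING_VALUE");
xhr.setRequestHeader("x-xdr-auth-id", "SOME_STRING_VALUE");
xhr.setRequestHeader("content-type", "application/json");
xhr.send(data);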
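// Edit prevention policy rules via the Cortex XSIAM public API (Unirest).
// Fix over the generated sample: the status code was never inspected, so an
// error reply (reply.err_code / err_msg / err_extra) was indistinguishable
// from success. Placeholder credentials: load the API key and key ID from
// configuration or a secret store rather than string literals.
String payload = "{\"request_data\":{\"edit_requests\":[{\"id\":\"a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4\",\"name\":\"My Custom Prevention Rule\",\"description\":\"Applies to all Windows workstations in Group A\",\"target_filter\":{\"filterData\":{\"AND\":[{\"field\":\"hostname\",\"operator\":\"EQ\",\"value\":\"DESKTOP-ABC123\"}]}},\"exploit_id\":10,\"malware_id\":42,\"restrictions_id\":5,\"agent_settings_id\":3,\"exceptions_id\":7}]}}";

HttpResponse<String> response = Unirest.post("https://api-yourfqdn/public_api/v1/policies/prevention/edit")
    .header("Authorization", "SOME_STRING_VALUE")
    .header("x-xdr-auth-id", "SOME_STRING_VALUE")
    .header("content-type", "application/json")
    .body(payload)
    .asString();

if (response.getStatus() != 200) {
    // The body of a non-200 reply describes the failure; do not treat it as a result.
    System.err.println("HTTP " + response.getStatus() + ": " + response.getBody());
}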
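import Foundation

// Edit prevention policy rules via the Cortex XSIAM public API.
// Fixes over the generated sample: JSONSerialization.data(withJSONObject:)
// throws and must be called with `try` (the original did not compile without
// it); the completion handler now prints the reply body and checks the HTTP
// status instead of printing the bare response object, so an error reply
// (reply.err_code / err_msg / err_extra) is visible.
// Placeholder credentials: load the API key and key ID from the keychain or
// configuration rather than string literals.
let headers = [
    "Authorization": "SOME_STRING_VALUE",
    "x-xdr-auth-id": "SOME_STRING_VALUE",
    "content-type": "application/json"
]
let parameters = ["request_data": ["edit_requests": [[
    "id": "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4",
    "name": "My Custom Prevention Rule",
    "description": "Applies to all Windows workstations in Group A",
    "target_filter": ["filterData": ["AND": [[
        "field": "hostname",
        "operator": "EQ",
        "value": "DESKTOP-ABC123"
    ]]]],
    "exploit_id": 10,
    "malware_id": 42,
    "restrictions_id": 5,
    "agent_settings_id": 3,
    "exceptions_id": 7
]]]] as [String : Any]
let postData = try JSONSerialization.data(withJSONObject: parameters, options: [])

var request = URLRequest(
    url: URL(string: "https://api-yourfqdn/public_api/v1/policies/prevention/edit")!,
    cachePolicy: .useProtocolCachePolicy,
    timeoutInterval: 10.0
)
request.httpMethod = "POST"
request.allHTTPHeaderFields = headers
request.httpBody = postData

let dataTask = URLSession.shared.dataTask(with: request) { data, response, error in
    if let error = error {
        print("Transport error: \(error)")
        return
    }
    let status = (response as? HTTPURLResponse)?.statusCode ?? -1
    let body = data.flatMap { String(data: $0, encoding: .utf8) } ?? ""
    if status == 200 {
        print(body)
    } else {
        print("HTTP \(status): \(body)")
    }
}
dataTask.resume()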
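<?php
// Edit prevention policy rules via the Cortex XSIAM public API.
// Fix over the generated sample: curl_error() only reports transport
// failures, so an error reply (reply.err_code / err_msg / err_extra) was
// echoed exactly like a success; the HTTP status is now checked as well.
// Placeholder credentials: load the API key and key ID from the environment
// or a secret store rather than string literals.
$payload = "{\"request_data\":{\"edit_requests\":[{\"id\":\"a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4\",\"name\":\"My Custom Prevention Rule\",\"description\":\"Applies to all Windows workstations in Group A\",\"target_filter\":{\"filterData\":{\"AND\":[{\"field\":\"hostname\",\"operator\":\"EQ\",\"value\":\"DESKTOP-ABC123\"}]}},\"exploit_id\":10,\"malware_id\":42,\"restrictions_id\":5,\"agent_settings_id\":3,\"exceptions_id\":7}]}}";

$curl = curl_init();
curl_setopt_array($curl, [
    CURLOPT_URL => "https://api-yourfqdn/public_api/v1/policies/prevention/edit",
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_ENCODING => "",
    CURLOPT_MAXREDIRS => 10,
    CURLOPT_TIMEOUT => 30,
    CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
    CURLOPT_CUSTOMREQUEST => "POST",
    CURLOPT_POSTFIELDS => $payload,
    CURLOPT_HTTPHEADER => [
        "Authorization: SOME_STRING_VALUE",
        "content-type: application/json",
        "x-xdr-auth-id: SOME_STRING_VALUE"
    ],
]);

$response = curl_exec($curl);
$err = curl_error($curl);
$status = curl_getinfo($curl, CURLINFO_RESPONSE_CODE);
curl_close($curl);

if ($err) {
    echo "cURL Error #:" . $err;
} elseif ($status !== 200) {
    // Non-200: the body describes the failure, not a result.
    echo "HTTP " . $status . ": " . $response;
} else {
    echo $response;
}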
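/* Edit prevention policy rules via the Cortex XSIAM public API (libcurl).
 * Fixes over the generated sample: the CURLcode result is checked, the HTTP
 * status is read so an error reply (reply.err_code / err_msg / err_extra) is
 * not taken for success, and the easy handle and header list are released
 * (the original leaked both). Placeholder credentials: load the API key and
 * key ID from the environment or a secret store rather than string literals.
 * The JSON literal passed to CURLOPT_POSTFIELDS is not copied by libcurl; a
 * string literal stays valid for the whole transfer, a local buffer must too. */
CURL *hnd = curl_easy_init();
struct curl_slist *headers = NULL;
CURLcode ret = CURLE_FAILED_INIT;
long http_status = 0;

if (hnd != NULL) {
    headers = curl_slist_append(headers, "Authorization: SOME_STRING_VALUE");
    headers = curl_slist_append(headers, "x-xdr-auth-id: SOME_STRING_VALUE");
    headers = curl_slist_append(headers, "content-type: application/json");

    curl_easy_setopt(hnd, CURLOPT_CUSTOMREQUEST, "POST");
    curl_easy_setopt(hnd, CURLOPT_URL, "https://api-yourfqdn/public_api/v1/policies/prevention/edit");
    curl_easy_setopt(hnd, CURLOPT_HTTPHEADER, headers);
    curl_easy_setopt(hnd, CURLOPT_POSTFIELDS, "{\"request_data\":{\"edit_requests\":[{\"id\":\"a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4\",\"name\":\"My Custom Prevention Rule\",\"description\":\"Applies to all Windows workstations in Group A\",\"target_filter\":{\"filterData\":{\"AND\":[{\"field\":\"hostname\",\"operator\":\"EQ\",\"value\":\"DESKTOP-ABC123\"}]}},\"exploit_id\":10,\"malware_id\":42,\"restrictions_id\":5,\"agent_settings_id\":3,\"exceptions_id\":7}]}}");

    ret = curl_easy_perform(hnd);
    if (ret == CURLE_OK) {
        /* 200 means every edit was applied; anything else is an error reply. */
        curl_easy_getinfo(hnd, CURLINFO_RESPONSE_CODE, &http_status);
    }

    curl_slist_free_all(headers);
    curl_easy_cleanup(hnd);
}
/* ret != CURLE_OK: transport failure; ret == CURLE_OK && http_status != 200: API error. */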
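// Edit prevention policy rules via the Cortex XSIAM public API (RestSharp).
// Fix over the generated sample: the response status was never inspected,
// so an error reply (reply.err_code / err_msg / err_extra) looked like success.
// Placeholder credentials: load the API key and key ID from configuration
// or a secret store rather than string literals.
var payload = "{\"request_data\":{\"edit_requests\":[{\"id\":\"a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4\",\"name\":\"My Custom Prevention Rule\",\"description\":\"Applies to all Windows workstations in Group A\",\"target_filter\":{\"filterData\":{\"AND\":[{\"field\":\"hostname\",\"operator\":\"EQ\",\"value\":\"DESKTOP-ABC123\"}]}},\"exploit_id\":10,\"malware_id\":42,\"restrictions_id\":5,\"agent_settings_id\":3,\"exceptions_id\":7}]}}";

var client = new RestClient("https://api-yourfqdn/public_api/v1/policies/prevention/edit");
var request = new RestRequest(Method.POST);
request.AddHeader("Authorization", "SOME_STRING_VALUE");
request.AddHeader("x-xdr-auth-id", "SOME_STRING_VALUE");
request.AddHeader("content-type", "application/json");
request.AddParameter("application/json", payload, ParameterType.RequestBody);

IRestResponse response = client.Execute(request);
if (!response.IsSuccessful)
{
    // Content of a non-success reply describes the failure, not a result.
    Console.Error.WriteLine($"HTTP {(int)response.StatusCode}: {response.Content}");
}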
Body parameters
required
application/json
request_dataobject
edit_requestsarrayrequired

List of policy rule edits to apply. All edits are validated before any change is persisted.

[
idstringrequired

32-character hexadecimal UUID of the prevention policy rule to edit. Must be an existing rule ID.

Example:"a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4"
namestring

New display name for the rule. Must be a non-empty string. Cannot be set on the default (catch-all) rule.

Example:"My Custom Prevention Rule"
descriptionstring

New description for the rule. Must be a non-empty string; an explicit empty string is rejected. Omit the field entirely to leave the description unchanged. Cannot be set on the default rule.

Example:"Applies to all Windows workstations in Group A"
target_filterobject

Replaces the rule's target filter. Must be a valid filter object (see TargetFilter). Cannot be set on the default rule. The locked portion of the existing filter is preserved automatically.

filterDataobject

Root of the condition tree. Must contain exactly one key: either AND or OR.

ANDarrayrequired

List of search condition objects (all must match).

[
fieldstringrequired

The endpoint attribute to filter on. Must be one of: agent_type, group_id, hostname, os_description, tags.

Example:"hostname"
operatorstringrequired

Comparison operator. Valid operators depend on the field:

  • agent_type: EQ, NEQ
  • group_id: AGENTS_GROUP_EQ, AGENTS_GROUP_NEQ
  • hostname, os_description: string operators (e.g. EQ, NEQ, CONTAINS)
  • tags: string or list operators
Example:"EQ"
valueobjectrequired

The value to compare against. Type depends on the field:

  • agent_type: string (AgentType enum value)
  • group_id: string (group name)
  • hostname, os_description: string
  • tags: string or array of strings
Example:"DESKTOP-ABC123"
string

The value to compare against. Type depends on the field:

  • agent_type: string (AgentType enum value)
  • group_id: string (group name)
  • hostname, os_description: string
  • tags: string or array of strings
Example:"DESKTOP-ABC123"
Array
]
ORarrayrequired

List of AND-groups (at least two). The rule matches if any group matches.

[
ANDarrayrequired

List of search condition objects (all must match).

[
fieldstringrequired

The endpoint attribute to filter on. Must be one of: agent_type, group_id, hostname, os_description, tags.

Example:"hostname"
operatorstringrequired

Comparison operator. Valid operators depend on the field:

  • agent_type: EQ, NEQ
  • group_id: AGENTS_GROUP_EQ, AGENTS_GROUP_NEQ
  • hostname, os_description: string operators (e.g. EQ, NEQ, CONTAINS)
  • tags: string or list operators
Example:"EQ"
valueobjectrequired

The value to compare against. Type depends on the field:

  • agent_type: string (AgentType enum value)
  • group_id: string (group name)
  • hostname, os_description: string
  • tags: string or array of strings
Example:"DESKTOP-ABC123"
string

The value to compare against. Type depends on the field:

  • agent_type: string (AgentType enum value)
  • group_id: string (group name)
  • hostname, os_description: string
  • tags: string or array of strings
Example:"DESKTOP-ABC123"
Array
]
]
exploit_idinteger

ID of the Exploit profile to assign to this rule. The profile must exist, be of type EXPLOIT, and match the rule's OS platform.

Example:10
malware_idinteger

ID of the Malware profile to assign to this rule. The profile must exist, be of type MALWARE, and match the rule's OS platform.

Example:42
restrictions_idinteger

ID of the Restrictions profile to assign to this rule. The profile must exist, be of type RESTRICTIONS, and match the rule's OS platform.

Example:5
agent_settings_idinteger

ID of the Agent Settings profile to assign to this rule. The profile must exist, be of type AGENT_SETTINGS, and match the rule's OS platform.

Example:3
exceptions_idinteger

ID of the Exceptions profile to assign to this rule. The profile must exist, be of type EXCEPTIONS, and match the rule's OS platform.

Example:7
]
REQUEST
{ "request_data": { "edit_requests": [ { "id": "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4", "name": "Updated Rule Name", "malware_id": 42 } ] } }
{ "request_data": { "edit_requests": [ { "id": "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4", "target_filter": { "filterData": { "AND": [ { "field": "hostname", "operator": "EQ", "value": "DESKTOP-ABC123" } ] } } } ] } }
{ "request_data": { "edit_requests": [ { "id": "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4", "exploit_id": 10, "restrictions_id": 5 }, { "id": "b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5", "description": "Updated description" } ] } }
Responses

All requested edits were applied successfully.

Body
application/json
replyboolean

Always true on success.

Example:true
RESPONSE
{ "reply": true }

Bad request. Possible causes include:

  • Missing required parameters (for example, edit_requests or id).
  • Invalid field values (for example, incorrect type or empty string).
  • Invalid target_filter structure.
  • Unsupported filter field.
  • Invalid operator for the specified filter field.
  • Invalid value for the specified filter field.
  • Attempt to modify metadata or target_filter of the default (catch-all) rule.
  • Profile type does not match the expected type for the slot.
  • Profile OS does not match the rule's platform.

Body
application/json
replyobject
err_codeinteger

HTTP-aligned error code.

Example:400
err_msgstring

Human-readable error message.

Example:"A mandatory parameter is missing."
err_extraobject

Additional context about the error (field names, IDs, invalid values, etc.). Shape varies by error type.

Free-Form object
RESPONSE
{ "reply": { "err_code": 400, "err_msg": "A mandatory parameter is missing.", "err_extra": { "field_name": "edit_requests" } } }
{ "reply": { "err_code": 400, "err_msg": "A mandatory parameter is missing.", "err_extra": { "field_name": "id" } } }
{ "reply": { "err_code": 400, "err_msg": "Invalid target filter fields in target filter", "err_extra": { "rule_id": "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4", "invalid_fields": [ "unsupported_field" ] } } }
{ "reply": { "err_code": 400, "err_msg": "This policy rule edit operation is not allowed", "err_extra": { "rule_id": "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4", "reason": "Default rule metadata cannot be edited" } } }

A referenced rule ID or profile ID was not found.

Body
application/json
replyobject
err_codeinteger

HTTP-aligned error code.

Example:400
err_msgstring

Human-readable error message.

Example:"A mandatory parameter is missing."
err_extraobject

Additional context about the error (field names, IDs, invalid values, etc.). Shape varies by error type.

Free-Form object
RESPONSE
{ "reply": { "err_code": 404, "err_msg": "The specified rule was not found.", "err_extra": { "rule_id": "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4" } } }
{ "reply": { "err_code": 404, "err_msg": "The profile ID was not found", "err_extra": { "rule_id": "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4", "profile_id": 99 } } }

Stale data conflict. The policy was modified by another actor since it was last read. Retry the operation.

Body
application/json
replyobject
err_codeinteger

HTTP-aligned error code.

Example:400
err_msgstring

Human-readable error message.

Example:"A mandatory parameter is missing."
err_extraobject

Additional context about the error (field names, IDs, invalid values, etc.). Shape varies by error type.

Free-Form object
RESPONSE
{ "reply": { "err_code": 409, "err_msg": "The policy update failed because the policy was changed since the last read. Retry the operation.\n" } }

Internal server error. The policy update failed for an unexpected reason, or the saved policy failed internal validation.

Body
application/json
replyobject
err_codeinteger

HTTP-aligned error code.

Example:400
err_msgstring

Human-readable error message.

Example:"A mandatory parameter is missing."
err_extraobject

Additional context about the error (field names, IDs, invalid values, etc.). Shape varies by error type.

Free-Form object
RESPONSE
{ "reply": { "err_code": 400, "err_msg": "A mandatory parameter is missing.", "err_extra": {} } }