get
/public_api/appsec/v1/rules
Application Security rules are designed to detect security threats within your application security environment. Application Security rules identify and flag issues based on predefined criteria.
Get a list of all the Application Security rules. We recommend you use the parameters to filter the rules since there are many of them.
Required license: Cortex XSIAM Premium. In Cortex XSIAM Enterprise and Cortex NG SIEM, requires the Cortex Cloud Posture Management add-on. Not supported in XSIAM Enterprise Plus.
Request headers
Authorization
String
required
{api_key}
{api_key}
Example:
UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP
x-xdr-auth-id
String
required
{api_key_id}
{api_key_id}
Example:
241
get-scanner-rule-id Boolean
Example:
true
Query parameters
enabled
Boolean
Whether the rule is enabled
Whether the rule is enabled
Example:
true
isCustom Boolean
Example:
true
scanners
array[Scanner]
Type of security scanner used to detect findings of this rule
Type of security scanner used to detect findings of this rule
severities
array[Severity]
The priority level assigned to findings identified by the rule
The priority level assigned to findings identified by the rule
frameworks
array[FrameworkName]
The framework or language that the Application Security rule applies to (for example, GitHub, Terraform, JavaScript)
The framework or language that the Application Security rule applies to (for example, GitHub, Terraform, JavaScript)
labels
array[String]
Labels assigned to the rule
Labels assigned to the rule
categories array[String]
subCategories array[String]
cloudProviders array[String]
Allowed values:
ALIBABA_CLOUD
AWS
AZURE
GCP
IBM
ORACLE
OTHER
offset Double
double
Example:
1.2
Default:
0
limit Double
double
Example:
1.2
Default:
100
sortBy String
Allowed values:
created_at
name
labels
Example:
sortBy_example
Default:
name
sortOrder
SortDirection
Sort direction
Sort direction
Example:
8.14
CLIENT REQUEST
curl -X 'GET'
-H
'Accept: application/json'
-H
'Authorization: UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP '
-H
'x-xdr-auth-id: 241'
-H
'get-scanner-rule-id: true'
'https://api-yourfqdn/public_api/appsec/v1/rules?enabled=true&isCustom=true&scanners=&severities=&frameworks=&labels=&categories=&subCategories=&cloudProviders=&offset=1.2&limit=1.2&sortBy=sortBy_example&sortOrder=8.14'
import http.client
conn = http.client.HTTPSConnection("api-yourfqdn")
headers = {
'Authorization': "UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP ",
'x-xdr-auth-id': "241",
'get-scanner-rule-id': "SOME_BOOLEAN_VALUE"
}
conn.request("GET", "/public_api/appsec/v1/rules?enabled=SOME_BOOLEAN_VALUE&isCustom=SOME_BOOLEAN_VALUE&scanners=SOME_ARRAY_VALUE&severities=SOME_ARRAY_VALUE&frameworks=SOME_ARRAY_VALUE&labels=SOME_ARRAY_VALUE&categories=SOME_ARRAY_VALUE&subCategories=SOME_ARRAY_VALUE&cloudProviders=SOME_ARRAY_VALUE&offset=SOME_NUMBER_VALUE&limit=SOME_NUMBER_VALUE&sortBy=SOME_STRING_VALUE&sortOrder=SOME_INTEGER_VALUE", headers=headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))require 'uri'
require 'net/http'
require 'openssl'
url = URI("https://api-yourfqdn/public_api/appsec/v1/rules?enabled=SOME_BOOLEAN_VALUE&isCustom=SOME_BOOLEAN_VALUE&scanners=SOME_ARRAY_VALUE&severities=SOME_ARRAY_VALUE&frameworks=SOME_ARRAY_VALUE&labels=SOME_ARRAY_VALUE&categories=SOME_ARRAY_VALUE&subCategories=SOME_ARRAY_VALUE&cloudProviders=SOME_ARRAY_VALUE&offset=SOME_NUMBER_VALUE&limit=SOME_NUMBER_VALUE&sortBy=SOME_STRING_VALUE&sortOrder=SOME_INTEGER_VALUE")
http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
request = Net::HTTP::Get.new(url)
request["Authorization"] = 'UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP '
request["x-xdr-auth-id"] = '241'
request["get-scanner-rule-id"] = 'SOME_BOOLEAN_VALUE'
response = http.request(request)
puts response.read_bodyconst data = null;
const xhr = new XMLHttpRequest();
xhr.withCredentials = true;
xhr.addEventListener("readystatechange", function () {
if (this.readyState === this.DONE) {
console.log(this.responseText);
}
});
xhr.open("GET", "https://api-yourfqdn/public_api/appsec/v1/rules?enabled=SOME_BOOLEAN_VALUE&isCustom=SOME_BOOLEAN_VALUE&scanners=SOME_ARRAY_VALUE&severities=SOME_ARRAY_VALUE&frameworks=SOME_ARRAY_VALUE&labels=SOME_ARRAY_VALUE&categories=SOME_ARRAY_VALUE&subCategories=SOME_ARRAY_VALUE&cloudProviders=SOME_ARRAY_VALUE&offset=SOME_NUMBER_VALUE&limit=SOME_NUMBER_VALUE&sortBy=SOME_STRING_VALUE&sortOrder=SOME_INTEGER_VALUE");
xhr.setRequestHeader("Authorization", "UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP ");
xhr.setRequestHeader("x-xdr-auth-id", "241");
xhr.setRequestHeader("get-scanner-rule-id", "SOME_BOOLEAN_VALUE");
xhr.send(data);HttpResponse<String> response = Unirest.get("https://api-yourfqdn/public_api/appsec/v1/rules?enabled=SOME_BOOLEAN_VALUE&isCustom=SOME_BOOLEAN_VALUE&scanners=SOME_ARRAY_VALUE&severities=SOME_ARRAY_VALUE&frameworks=SOME_ARRAY_VALUE&labels=SOME_ARRAY_VALUE&categories=SOME_ARRAY_VALUE&subCategories=SOME_ARRAY_VALUE&cloudProviders=SOME_ARRAY_VALUE&offset=SOME_NUMBER_VALUE&limit=SOME_NUMBER_VALUE&sortBy=SOME_STRING_VALUE&sortOrder=SOME_INTEGER_VALUE")
.header("Authorization", "UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP ")
.header("x-xdr-auth-id", "241")
.header("get-scanner-rule-id", "SOME_BOOLEAN_VALUE")
.asString();import Foundation
let headers = [
"Authorization": "UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP ",
"x-xdr-auth-id": "241",
"get-scanner-rule-id": "SOME_BOOLEAN_VALUE"
]
let request = NSMutableURLRequest(url: NSURL(string: "https://api-yourfqdn/public_api/appsec/v1/rules?enabled=SOME_BOOLEAN_VALUE&isCustom=SOME_BOOLEAN_VALUE&scanners=SOME_ARRAY_VALUE&severities=SOME_ARRAY_VALUE&frameworks=SOME_ARRAY_VALUE&labels=SOME_ARRAY_VALUE&categories=SOME_ARRAY_VALUE&subCategories=SOME_ARRAY_VALUE&cloudProviders=SOME_ARRAY_VALUE&offset=SOME_NUMBER_VALUE&limit=SOME_NUMBER_VALUE&sortBy=SOME_STRING_VALUE&sortOrder=SOME_INTEGER_VALUE")! as URL,
cachePolicy: .useProtocolCachePolicy,
timeoutInterval: 10.0)
request.httpMethod = "GET"
request.allHTTPHeaderFields = headers
let session = URLSession.shared
let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in
if (error != nil) {
print(error)
} else {
let httpResponse = response as? HTTPURLResponse
print(httpResponse)
}
})
dataTask.resume()<?php
$curl = curl_init();
curl_setopt_array($curl, [
CURLOPT_URL => "https://api-yourfqdn/public_api/appsec/v1/rules?enabled=SOME_BOOLEAN_VALUE&isCustom=SOME_BOOLEAN_VALUE&scanners=SOME_ARRAY_VALUE&severities=SOME_ARRAY_VALUE&frameworks=SOME_ARRAY_VALUE&labels=SOME_ARRAY_VALUE&categories=SOME_ARRAY_VALUE&subCategories=SOME_ARRAY_VALUE&cloudProviders=SOME_ARRAY_VALUE&offset=SOME_NUMBER_VALUE&limit=SOME_NUMBER_VALUE&sortBy=SOME_STRING_VALUE&sortOrder=SOME_INTEGER_VALUE",
CURLOPT_RETURNTRANSFER => true,
CURLOPT_ENCODING => "",
CURLOPT_MAXREDIRS => 10,
CURLOPT_TIMEOUT => 30,
CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
CURLOPT_CUSTOMREQUEST => "GET",
CURLOPT_HTTPHEADER => [
"Authorization: UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP ",
"get-scanner-rule-id: SOME_BOOLEAN_VALUE",
"x-xdr-auth-id: 241"
],
]);
$response = curl_exec($curl);
$err = curl_error($curl);
curl_close($curl);
if ($err) {
echo "cURL Error #:" . $err;
} else {
echo $response;
}CURL *hnd = curl_easy_init();
curl_easy_setopt(hnd, CURLOPT_CUSTOMREQUEST, "GET");
curl_easy_setopt(hnd, CURLOPT_URL, "https://api-yourfqdn/public_api/appsec/v1/rules?enabled=SOME_BOOLEAN_VALUE&isCustom=SOME_BOOLEAN_VALUE&scanners=SOME_ARRAY_VALUE&severities=SOME_ARRAY_VALUE&frameworks=SOME_ARRAY_VALUE&labels=SOME_ARRAY_VALUE&categories=SOME_ARRAY_VALUE&subCategories=SOME_ARRAY_VALUE&cloudProviders=SOME_ARRAY_VALUE&offset=SOME_NUMBER_VALUE&limit=SOME_NUMBER_VALUE&sortBy=SOME_STRING_VALUE&sortOrder=SOME_INTEGER_VALUE");
struct curl_slist *headers = NULL;
headers = curl_slist_append(headers, "Authorization: UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP ");
headers = curl_slist_append(headers, "x-xdr-auth-id: 241");
headers = curl_slist_append(headers, "get-scanner-rule-id: SOME_BOOLEAN_VALUE");
curl_easy_setopt(hnd, CURLOPT_HTTPHEADER, headers);
CURLcode ret = curl_easy_perform(hnd);var client = new RestClient("https://api-yourfqdn/public_api/appsec/v1/rules?enabled=SOME_BOOLEAN_VALUE&isCustom=SOME_BOOLEAN_VALUE&scanners=SOME_ARRAY_VALUE&severities=SOME_ARRAY_VALUE&frameworks=SOME_ARRAY_VALUE&labels=SOME_ARRAY_VALUE&categories=SOME_ARRAY_VALUE&subCategories=SOME_ARRAY_VALUE&cloudProviders=SOME_ARRAY_VALUE&offset=SOME_NUMBER_VALUE&limit=SOME_NUMBER_VALUE&sortBy=SOME_STRING_VALUE&sortOrder=SOME_INTEGER_VALUE");
var request = new RestRequest(Method.GET);
request.AddHeader("Authorization", "UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP ");
request.AddHeader("x-xdr-auth-id", "241");
request.AddHeader("get-scanner-rule-id", "SOME_BOOLEAN_VALUE");
IRestResponse response = client.Execute(request);Responses
Ok
Body
application/json
offsetnumberdouble
rulesarray
[categorystring
cloudProviderstring (Enum)
createdAtstringdate-time
descriptionstring
detectionMethodstring
docLinkstring
domainstring
findingTypeIdnumberdouble
frameworksarray
idstring
isCustomboolean
isEnabledboolean
labelsarray[string]
namestring
ownerstring
scannerstring (Enum)
severitystring (Enum)
subCategorystring
updatedAtstringdate-time
findingCategorystring (Enum)
findingDocsstring
mitreTacticsarray[string]
mitreTechniquesarray[string]
shortDescriptionstring
]
categorystringCustom rule IaC category.
Custom rule IaC category.
cloudProviderstring (Enum)
Allowed values:"ALIBABA_CLOUD""AWS""Azure""GCP""IBM""ORACLE""OTHER"
createdAtstringdate-timeThe timestamp when the AppSec rule was created.
The timestamp when the AppSec rule was created.
descriptionstringThe rule description.
The rule description.
detectionMethodstringsecurity scanner used to detect findings of this rule.
security scanner used to detect findings of this rule.
Example:
"IaC Security"docLinkstringA link to the Cortex documentation.
A link to the Cortex documentation.
domainstringThe domain associated with the rule.
The domain associated with the rule.
Example:
"POSTURE"findingTypeIdnumberdoubleThe finding type ID.
The finding type ID.
Example:
30040031frameworksarray
[frameworkDetailsobject
definitionstring
definition_linkstring
namestring (Enum)
remediation_descriptionstring
remediation_idsarray[string]
resource_typesarray[string]
]
frameworkDetailsobject
definitionstringThe rule definition.
The rule definition.
definition_linkstringhttp link to the definition documentation.
http link to the definition documentation.
namestring (Enum)Name of the configured frameworks.
Name of the configured frameworks.
Allowed values:"ARM""BICEP""CLOUDFORMATION""KUBERNETES""TERRAFORM"
remediation_descriptionstringThe remediation steps that will appear on the Appsec rule's findings.
The remediation steps that will appear on the Appsec rule's findings.
remediation_idsarray[string]The IDs of related remediation resources.
The IDs of related remediation resources.
resource_typesarray[string]The resource types associated with the rule.
The resource types associated with the rule.
idstringAppsec rule ID.
Appsec rule ID.
isCustombooleanIndicates whether the rule is custom.
Indicates whether the rule is custom.
isEnabledbooleanIndicates whether the rule is enabled.
Indicates whether the rule is enabled.
labelsarray[string]Labels assigned to the rule.
Labels assigned to the rule.
namestringName of the Appsec rule.
Name of the Appsec rule.
ownerstringOwner of the rule.
Owner of the rule.
Example:
"CAS"scannerstring (Enum)
Allowed values:"CICD""IAC""SCA""SECRETS"
severitystring (Enum)Severity
Severity
Allowed values:"CRITICAL""HIGH""INFO""LOW""MEDIUM"
subCategorystringCustom rule subcategory.
Custom rule subcategory.
Example:
"STORAGE_BUCKETS"updatedAtstringdate-timeThe timestamp when the AppSec rule was updated.
The timestamp when the AppSec rule was updated.
findingCategorystring (Enum)
Allowed values:"Code""Configuration""Data""Vulnerability"
findingDocsstring
Example:
"Custom IaC rule for Public Exposure Storage Buckets"mitreTacticsarray[string]The associated MITRE ATT&CK tactics.
The associated MITRE ATT&CK tactics.
mitreTechniquesarray[string]The associated MITRE ATT&CK techniques.
The associated MITRE ATT&CK techniques.
shortDescriptionstring
RESPONSE
{
"offset": 0.1,
"rules": [
{
"category": "example",
"cloudProvider": "ALIBABA_CLOUD",
"createdAt": "2020-01-01T12:00:00Z",
"description": "example",
"detectionMethod": "IaC Security",
"docLink": "example",
"domain": "POSTURE",
"findingTypeId": 30040031,
"frameworks": [
{
"frameworkDetails": {
"definition": "example",
"definition_link": "example",
"name": "ARM",
"remediation_description": "example",
"remediation_ids": [
"example"
],
"resource_types": [
"example"
]
}
}
],
"id": "example",
"isCustom": false,
"isEnabled": false,
"labels": [
"example"
],
"name": "example",
"owner": "CAS",
"scanner": "CICD",
"severity": "CRITICAL",
"subCategory": "STORAGE_BUCKETS",
"updatedAt": "2020-01-01T12:00:00Z",
"findingCategory": "Code",
"findingDocs": "Custom IaC rule for Public Exposure Storage Buckets",
"mitreTactics": [
"example"
],
"mitreTechniques": [
"example"
],
"shortDescription": "example"
}
]
}