Modify an AppSec rule

Cortex XSIAM Platform APIs

patch /public_api/appsec/v1/rules/{ruleId}

Modify an existing Application Security rule. If it's an out-of-the-box rule, the only modification you can make is to add labels. For custom rules, you can modify all of the fields.

Note: To customize an out-of-the-box rule, you can create a custom rule by cloning the existing one. This allows you to make changes to the original rule according to your requirements.

Required license: Cortex XSIAM Premium. In Cortex XSIAM Enterprise and Cortex NG SIEM, requires the Cortex Cloud Posture Management add-on. Not supported in XSIAM Enterprise Plus.

Path parameters
ruleId String required
Example: ruleId_example
Request headers
Authorization String required

{api_key}

Example: UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP
x-xdr-auth-id String required

{api_key_id}

Example: 241
CLIENT REQUEST
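# PATCH one AppSec rule. The generated sample lacked line continuations (each
# line ran as a separate command), embedded the API key in the command line
# (shell history), carried a trailing space in the Authorization value, sent
# the literal path text "{ruleId}", and sent an empty body with a JSON
# Content-Type. Secrets and the rule ID come from the environment; the
# variable names below are chosen for this example.
curl -X 'PATCH' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -H "Authorization: ${CORTEX_API_KEY}" \
  -H "x-xdr-auth-id: ${CORTEX_API_KEY_ID}" \
  "https://api-yourfqdn/public_api/appsec/v1/rules/${RULE_ID}" \
  -d '{"labels":["string"]}'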
import http.client conn = http.client.HTTPSConnection("api-yourfqdn") payload = "{\"labels\":[\"string\"]}" headers = { 'Authorization': "UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP ", 'x-xdr-auth-id': "241", 'content-type': "application/json" } conn.request("PATCH", "/public_api/appsec/v1/rules/%7BruleId%7D", payload, headers) res = conn.getresponse() data = res.read() print(data.decode("utf-8"))
require 'uri' require 'net/http' require 'openssl' url = URI("https://api-yourfqdn/public_api/appsec/v1/rules/%7BruleId%7D") http = Net::HTTP.new(url.host, url.port) http.use_ssl = true http.verify_mode = OpenSSL::SSL::VERIFY_NONE request = Net::HTTP::Patch.new(url) request["Authorization"] = 'UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP ' request["x-xdr-auth-id"] = '241' request["content-type"] = 'application/json' request.body = "{\"labels\":[\"string\"]}" response = http.request(request) puts response.read_body
const data = JSON.stringify({ "labels": [ "string" ] }); const xhr = new XMLHttpRequest(); xhr.withCredentials = true; xhr.addEventListener("readystatechange", function () { if (this.readyState === this.DONE) { console.log(this.responseText); } }); xhr.open("PATCH", "https://api-yourfqdn/public_api/appsec/v1/rules/%7BruleId%7D"); xhr.setRequestHeader("Authorization", "UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP "); xhr.setRequestHeader("x-xdr-auth-id", "241"); xhr.setRequestHeader("content-type", "application/json"); xhr.send(data);
HttpResponse<String> response = Unirest.patch("https://api-yourfqdn/public_api/appsec/v1/rules/%7BruleId%7D") .header("Authorization", "UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP ") .header("x-xdr-auth-id", "241") .header("content-type", "application/json") .body("{\"labels\":[\"string\"]}") .asString();
import Foundation let headers = [ "Authorization": "UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP ", "x-xdr-auth-id": "241", "content-type": "application/json" ] let parameters = ["labels": ["string"]] as [String : Any] let postData = JSONSerialization.data(withJSONObject: parameters, options: []) let request = NSMutableURLRequest(url: NSURL(string: "https://api-yourfqdn/public_api/appsec/v1/rules/%7BruleId%7D")! as URL, cachePolicy: .useProtocolCachePolicy, timeoutInterval: 10.0) request.httpMethod = "PATCH" request.allHTTPHeaderFields = headers request.httpBody = postData as Data let session = URLSession.shared let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in if (error != nil) { print(error) } else { let httpResponse = response as? HTTPURLResponse print(httpResponse) } }) dataTask.resume()
<?php $curl = curl_init(); curl_setopt_array($curl, [ CURLOPT_URL => "https://api-yourfqdn/public_api/appsec/v1/rules/%7BruleId%7D", CURLOPT_RETURNTRANSFER => true, CURLOPT_ENCODING => "", CURLOPT_MAXREDIRS => 10, CURLOPT_TIMEOUT => 30, CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1, CURLOPT_CUSTOMREQUEST => "PATCH", CURLOPT_POSTFIELDS => "{\"labels\":[\"string\"]}", CURLOPT_HTTPHEADER => [ "Authorization: UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP ", "content-type: application/json", "x-xdr-auth-id: 241" ], ]); $response = curl_exec($curl); $err = curl_error($curl); curl_close($curl); if ($err) { echo "cURL Error #:" . $err; } else { echo $response; }
CURL *hnd = curl_easy_init(); curl_easy_setopt(hnd, CURLOPT_CUSTOMREQUEST, "PATCH"); curl_easy_setopt(hnd, CURLOPT_URL, "https://api-yourfqdn/public_api/appsec/v1/rules/%7BruleId%7D"); struct curl_slist *headers = NULL; headers = curl_slist_append(headers, "Authorization: UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP "); headers = curl_slist_append(headers, "x-xdr-auth-id: 241"); headers = curl_slist_append(headers, "content-type: application/json"); curl_easy_setopt(hnd, CURLOPT_HTTPHEADER, headers); curl_easy_setopt(hnd, CURLOPT_POSTFIELDS, "{\"labels\":[\"string\"]}"); CURLcode ret = curl_easy_perform(hnd);
var client = new RestClient("https://api-yourfqdn/public_api/appsec/v1/rules/%7BruleId%7D"); var request = new RestRequest(Method.PATCH); request.AddHeader("Authorization", "UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP "); request.AddHeader("x-xdr-auth-id", "241"); request.AddHeader("content-type", "application/json"); request.AddParameter("application/json", "{\"labels\":[\"string\"]}", ParameterType.RequestBody); IRestResponse response = client.Execute(request);
Body parameters
required
application/json
labels — array[string], required

List of rule labels

name — string, required

A unique name for the Appsec rule.

description — string

Description of the rule

severity — string (Enum), required

Severity

Allowed values: "CRITICAL", "HIGH", "INFO", "LOW", "MEDIUM"
labels — array[string]

Labels to be assigned to the rule

scanner — object, required

The type of security scanner used to detect findings of this rule. Choose any one of the scanners. Allowed Values: IAC or SECRETS.

name — string (Enum), required

Name of the configured frameworks.

Allowed values: "ARM", "BICEP", "CLOUDFORMATION", "KUBERNETES", "TERRAFORM"
category — string (Enum)

Custom rule IaC category

Allowed values: "AI_ML", "COMPUTE", "IAM", "KUBERNETES", "LOGGING", "MONITORING", "NETWORKING", "PUBLIC", "STORAGE"
subCategory — object
string (Enum)

Custom rule subcategory

Allowed values: "GUARDRAILS", "RISKY_MODELS", "PUBLIC_EXPOSURE", "PERMISSIONS", "ENCRYPTION", "RETENTION", "FORMATS", "DISABLED_OR_MISSING", "UNDER_USE", "NETWORK_POLICIES", "ACCESS_CONTROL", "LOGGING_AND_MONITORING", "RESOURCE_MANAGEMENT", "NATIVE_SECURITY_CONTROLS", "MANAGEMENT_SERVICES_EXPOSURE", "OVERPROVISIONED", "STARTUP_SCRIPT_LEAKS", "DEFAULT_CREDENTIALS_OR_AUTH", "UNSANCTIONED_RESOURCE_OR_TYPE", "BACKUPS", "VERSIONING", "REPLICATION", "ALERTING", "REDUNDANCY", "ADMIN_INTERFACES", "DATABASE_ENDPOINTS", "STORAGE_BUCKETS", "APIS", "SENSITIVE_PORTS", "LOAD_BALANCING", "INGRESS_CONTROLS", "EGRESS_CONTROLS", "ENCRYPTION_AND_PROTOCOLS", "VPC_VCN_VNET", "FLOW_LOGS", "TAGS_AND_METADATA", "RESOURCE_HEALTH", "PERFORMANCE_MONITORING", "ALERTING_AND_NOTIFICATIONS", "UNINTEGRATED", "STORAGE", "OVERLY_PERMISSIVE", "UNUSED", "CREDENTIAL_EXPOSURE", "MFA", "ROLE_SEPARATION", "SHARED", "EXPIRED_KEY_CONTROLS", "AUTHENTICATION_POLICIES"
cspmRuleId — string

The unique identifier of the Cloud Security rule to which the custom Application Security rule will be mapped.

Example:"ff6a26a5-f036-4d3a-a650-d5de1d568bab"
definition — string, required

The rule definition

Example:"definition:\\n cond_type: attribute\\n resource_types:\\n - aws_s3_bucket_public_access_block\\n attribute: block_public_acls\\n operator: equals\\n value: false"
definitionLink — string

HTTP link to the definition documentation.

remediationDescription — string

The remediation steps that will appear on the Appsec rule's findings.

Example:"Set block_public_acls to true in aws_s3_bucket_public_access_block resource"
category — string (Enum)

Custom rule secret category

Allowed values: "API_KEYS", "DATABASE_CREDENTIALS", "ENCRYPTION_KEYS", "CLOUD_SERVICE_PROVIDER_KEYS", "SSH_KEYS", "ENVIRONMENT_VARIABLES", "SENSITIVE_TOKENS", "THIRD_PARTY_SERVICES"
definition — string, required

The rule definition

Example:"definition:\\n cond_type: secrets\\n value: AIza[0-9A-Za-z-_]{35}"
definitionLink — string

HTTP link to the documentation.

remediationDescription — string

The remediation steps that will appear on the Appsec rule's findings.

Example:"Revoke the GCP API key immediately through the Google Cloud Console."
REQUEST
{ "labels": [ "Custom-Rule" ], "name": "example", "description": "example", "severity": "CRITICAL", "scanner": { "name": "ARM", "category": "API_KEYS", "subCategory": "GUARDRAILS", "cspmRuleId": "ff6a26a5-f036-4d3a-a650-d5de1d568bab", "definition": "definition:\\n cond_type: secrets\\n value: AIza[0-9A-Za-z-_]{35}", "definitionLink": "example", "remediationDescription": "Revoke the GCP API key immediately through the Google Cloud Console." } }
Responses

Ok

Body
application/json

Updated details of the modified Application Security rule

rule — object

Details of the Application Security rule

category — string

Custom rule IaC category.

cloudProvider — string (Enum)
Allowed values: "ALIBABA_CLOUD", "AWS", "Azure", "GCP", "IBM", "ORACLE", "OTHER"
createdAt — string (date-time)

The timestamp when the AppSec rule was created.

description — string

The rule description.

detectionMethod — string

Security scanner used to detect findings of this rule.

Example:"IaC Security"
docLink — string

A link to the Cortex documentation.

domain — string

The domain associated with the rule.

Example:"POSTURE"
findingTypeId — number (double)

The finding type ID.

Example:30040031
frameworks — array
[
frameworkDetails — object
definition — string

The rule definition.

definition_link — string

HTTP link to the definition documentation.

name — string (Enum)

Name of the configured frameworks.

Allowed values: "ARM", "BICEP", "CLOUDFORMATION", "KUBERNETES", "TERRAFORM"
remediation_description — string

The remediation steps that will appear on the Appsec rule's findings.

remediation_ids — array[string]

The IDs of related remediation resources.

resource_types — array[string]

The resource types associated with the rule.

]
id — string

Appsec rule ID.

isCustom — boolean

Indicates whether the rule is custom.

isEnabled — boolean

Indicates whether the rule is enabled.

labels — array[string]

Labels assigned to the rule.

name — string

Name of the Appsec rule.

owner — string

Owner of the rule.

Example:"CAS"
scanner — string (Enum)
Allowed values: "CICD", "IAC", "SCA", "SECRETS"
severity — string (Enum)

Severity

Allowed values: "CRITICAL", "HIGH", "INFO", "LOW", "MEDIUM"
subCategory — string

Custom rule subcategory.

Example:"STORAGE_BUCKETS"
updatedAt — string (date-time)

The timestamp when the AppSec rule was updated.

findingCategory — string (Enum)
Allowed values: "Code", "Configuration", "Data", "Vulnerability"
findingDocs — string
Example:"Custom IaC rule for Public Exposure Storage Buckets"
mitreTactics — array[string]

The associated MITRE ATT&CK tactics.

mitreTechniques — array[string]

The associated MITRE ATT&CK techniques.

shortDescription — string
RESPONSE
{ "rule": { "category": "example", "cloudProvider": "ALIBABA_CLOUD", "createdAt": "2020-01-01T12:00:00Z", "description": "example", "detectionMethod": "IaC Security", "docLink": "example", "domain": "POSTURE", "findingTypeId": 30040031, "frameworks": [ { "frameworkDetails": { "definition": "example", "definition_link": "example", "name": "ARM", "remediation_description": "example", "remediation_ids": [ "example" ], "resource_types": [ "example" ] } } ], "id": "example", "isCustom": false, "isEnabled": false, "labels": [ "example" ], "name": "example", "owner": "CAS", "scanner": "CICD", "severity": "CRITICAL", "subCategory": "STORAGE_BUCKETS", "updatedAt": "2020-01-01T12:00:00Z", "findingCategory": "Code", "findingDocs": "Custom IaC rule for Public Exposure Storage Buckets", "mitreTactics": [ "example" ], "mitreTechniques": [ "example" ], "shortDescription": "example" } }