Get All Attack Surface Rules

Cortex Xpanse REST API

post /public_api/v1/get_attack_surface_rules

Required License: **Cortex Xpanse Expander**

Get all or a subset of attack surface rules.

CURL

curl -X POST \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -H "x-xdr-auth-id: xXdrAuthId_example" \
  -H "authorization: authorization_example" \
  "https://api-yourfqdn/public_api/v1/get_attack_surface_rules" \
  -d '{
    "request_data": {
      "search_from": 0,
      "filters": [
        { "field": "field", "value": [ "value", "value" ], "operator": "in" },
        { "field": "field", "value": [ "value", "value" ], "operator": "in" }
      ],
      "sort": { "field": "field", "keyword": "keyword" },
      "search_to": 6
    }
  }'
Request headers
x-xdr-auth-id
required
String
api_key_id
Example: xXdrAuthId_example
authorization
required
String
api_key
Example: authorization_example
Request
Body
optional
Example: {"request_data":{"filters":[{"field":"string","operator":"string","value":["string"]}],"sort":{"field":"string","keyword":"string"},"search_from":0,"search_to":0}}
request_data
optional

(Required) A dictionary containing the API request fields.

An empty dictionary returns all results.

filters
optional
Array

Provides an array of filtered fields. Each JSON object can contain the following keywords:

  • field
  • operator
  • value
field
optional
String

Identifies the alert field the filter is matching. Filters are based on the following keywords:

  • enabled_status
  • category
  • priority
  • attack_surface_rule_id
  • asm_alert_categories
operator
optional
String (Enum)

String that identifies the comparison operator you want to use for this filter.

  • in
Allowed values:
in
value
optional
Array of strings
Value that this filter must match. The contents of this field differ depending on the field you specified for this filter.
sort
optional
Identifies the sort order for the result set. By default, the sort is defined as created, DESC.
field
optional
String

One of the following values:

  • attack_surface_rule_name
  • category
  • attack_surface_rule_id
  • created
  • modified
  • modified_by
  • priority
  • enabled_status
keyword
optional
String
Can either be ASC (ascending order) or DESC (descending order).
search_from
optional
Integer
An integer representing the starting offset within the query result set from which you want attack surface rules returned.
search_to
optional
Integer

An integer representing the end offset within the result set after which you do not want attack surface rules returned.

Attack surface rules in the result set that are indexed higher than this value are not returned in the final result set. Defaults to 100, which returns all attack surface rules to the end of the list.

Responses

OK

Body
reply
optional
total_count
optional
Integer
result_count
optional
Integer
attack_surface_rules
optional
Array
attack_surface_rule_name
optional
String
enabled_status
optional
String
priority
optional
String
description
optional
String
attack_surface_rule_id
optional
String
category
optional
String
knowledge_base_link
optional
Object
created
optional
Integer
modified
optional
Integer
modified_by
optional
Object
remediation_guidance
optional
Object
asm_alert_categories
optional
Array of strings
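The following client is an added example, not Palo Alto Networks code: it builds the request body exactly as the reference above describes (filters using the only supported operator, `in`; a `sort` object; `search_from`/`search_to` offsets), walks the result set page by page using `total_count` from the `reply` object, and surfaces `err_code`/`err_msg`/`err_extra` from non-OK responses. The HTTP call is injected as a `post(body) -> (status, dict)` callable so the logic can be exercised offline against a constructed stub (`fake_post`, with made-up rule records); `make_http_post` is the real urllib-based implementation for use against a tenant, and the hostname, key values and the `On`/`High` sample field values are all assumptions.

```python
"""Client for the Cortex Xpanse get_attack_surface_rules endpoint.

Constructed example, not vendor code. Network I/O is injected through a
`post` callable so request building and pagination run offline.
"""
import json
import urllib.error
import urllib.request

ENDPOINT_PATH = "/public_api/v1/get_attack_surface_rules"

# Filter and sort fields listed in the endpoint reference.
FILTER_FIELDS = {"enabled_status", "category", "priority",
                 "attack_surface_rule_id", "asm_alert_categories"}
SORT_FIELDS = {"attack_surface_rule_name", "category", "attack_surface_rule_id",
               "created", "modified", "modified_by", "priority", "enabled_status"}
PAGE_SIZE = 100  # documented default for search_to


class ApiError(RuntimeError):
    """Raised when the API answers with an error body instead of a reply."""


def build_request_body(filters=None, sort=None, search_from=0, search_to=PAGE_SIZE):
    """Build the JSON body; reject fields/operators the reference does not allow."""
    request_data = {}
    if filters:
        body_filters = []
        for field, values in filters.items():
            if field not in FILTER_FIELDS:
                raise ValueError(f"unsupported filter field: {field}")
            # "in" is the only operator this endpoint accepts; value is an array.
            body_filters.append({"field": field, "operator": "in", "value": list(values)})
        request_data["filters"] = body_filters
    if sort:
        field, keyword = sort
        if field not in SORT_FIELDS or keyword not in ("ASC", "DESC"):
            raise ValueError(f"unsupported sort: {sort}")
        request_data["sort"] = {"field": field, "keyword": keyword}
    if search_to <= search_from:
        raise ValueError("search_to must be greater than search_from")
    request_data["search_from"] = search_from
    request_data["search_to"] = search_to
    return {"request_data": request_data}


def make_http_post(base_url, api_key_id, api_key):
    """Return a post(body) -> (status, dict) callable that really talks to the API."""
    def post(body):
        req = urllib.request.Request(
            base_url.rstrip("/") + ENDPOINT_PATH,
            data=json.dumps(body).encode(),
            headers={"Accept": "application/json",
                     "Content-Type": "application/json",
                     "x-xdr-auth-id": api_key_id,   # api_key_id header
                     "authorization": api_key},     # api_key header
            method="POST")
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status, json.load(resp)
        except urllib.error.HTTPError as err:
            raw = err.read()
            try:
                return err.code, json.loads(raw)
            except ValueError:
                return err.code, {"err_msg": raw.decode(errors="replace")}
    return post


def iter_attack_surface_rules(post, filters=None, sort=None, page_size=PAGE_SIZE):
    """Yield every matching rule, advancing search_from/search_to until total_count."""
    offset = 0
    while True:
        status, payload = post(build_request_body(filters, sort, offset, offset + page_size))
        if status != 200:
            # Error responses carry err_code / err_msg / err_extra instead of reply.
            raise ApiError(f"{status}: {payload.get('err_code')} {payload.get('err_msg')} "
                           f"{payload.get('err_extra', '')}".strip())
        reply = payload["reply"]
        rules = reply.get("attack_surface_rules", [])
        yield from rules
        offset += len(rules)
        if not rules or offset >= reply.get("total_count", 0):
            return


# --- constructed sample data (not real Xpanse rules) for offline use ---
SAMPLE_RULES = [
    {"attack_surface_rule_id": f"rule-{i:03d}", "attack_surface_rule_name": f"Sample rule {i}",
     "enabled_status": "On", "priority": "High" if i % 2 else "Medium", "category": "Sample"}
    for i in range(7)
]


def fake_post(body):
    """Stand-in for the API: applies the 'in' filters and slices by the offsets."""
    rd = body["request_data"]
    rows = SAMPLE_RULES
    for f in rd.get("filters", []):
        rows = [r for r in rows if r.get(f["field"]) in f["value"]]
    page = rows[rd["search_from"]:rd["search_to"]]
    return 200, {"reply": {"total_count": len(rows), "result_count": len(page),
                           "attack_surface_rules": page}}


def high_priority_rule_ids(post=fake_post, page_size=3):
    """IDs of rules whose priority is High, fetched in pages of page_size."""
    return [r["attack_surface_rule_id"] for r in
            iter_attack_surface_rules(post, {"priority": ["High"]}, ("created", "DESC"), page_size)]


if __name__ == "__main__":
    print(high_priority_rule_ids())  # offline run against the constructed stub
```

To run against a tenant, replace `fake_post` with `make_http_post("https://api-yourfqdn", api_key_id, api_key)`; keeping the page size small while testing makes the offset handling visible, since the loop stops only when `search_from` reaches `total_count` or a page comes back empty.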

Bad Request. Got an invalid JSON.

Body
The query result upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
err_extra
optional
String
Additional information describing the error.

Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, id, or other invalid authentication parameters.

Body
The query result upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
err_extra
optional
String
Additional information describing the error.

Unauthorized access. User does not have the required license type to run this API.

Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.

Body
Defines a filter used to filter objects in a GET request
field
required
String

String that identifies the incident field the filter is matching. Filters are based on the following keywords:

  • modification_time: Time the incident has been modified.
  • creation_time: Incident's creation time.
  • incident_id_list: List of incident IDs.
  • description: Incident description.
  • alert_sources: Source which detected the alert.
  • status: Represents the status of the incident.
  • starred: Represents if the incident has been starred or not.
operator
required
String (Enum)

String that identifies the comparison operator you want to use for this filter. Valid keywords, and the fields and value types they apply to, are:

  • in — incident_id_list, alert_sources, description (array of strings)
  • contains — description (string)
  • gte / lte — modification_time, creation_time (integer, timestamp in epoch milliseconds)
  • eq / neq — status
Allowed values:
in
contains
gte
lte
eq
neq
value
required
String (Enum)

Value that this filter must match. The contents of this field will differ depending on the incident field that you specified for this filter:

  • modification_time, creation_time - Integer representing the number of milliseconds after the Unix epoch, UTC timezone.
  • incident_id_list - Array of strings. Each item in the list must be an incident ID.
  • description - Array of strings.
  • alert_sources - Array of strings.
  • status - Single value, can be one of the following: new, under_investigation, resolved_true_positive, resolved_known_issue, resolved_duplicate_incident, resolved_false_positive, resolved_auto_resolve
  • starred - Boolean value: true or false.
Allowed values:
new
under_investigation
resolved_true_positive
resolved_known_issue
resolved_duplicate_incident
resolved_false_positive
resolved_auto_resolve

Internal server error. A unified status for API communication type errors. For example, test@test.com is not a valid email address.