REST API Exclusions

POST – Creates a new exclusion

 

HTTP request: POST api/v1/exclusions

JSON request body:

body (string)—XML of a new exclusion

autoResolve (bool)—whether to resolve a detection automatically or not

name (string)—the name of the exclusion

ruleIds (array)—an array of rule ids (integers); can be used simultaneously with ruleUuids

ruleUuids (array)—an array of rule ids (uuids as strings); can be used simultaneously with ruleIds

note (optional, string)—stores up to 2048 characters in the note section

JSON response body:

when successful—HTTP code 201 and an HTTP Location header. The header contains the URL for the GET request with the ID of the newly created exclusion. The response body returns JSON with the newly created exclusion object

on failure—HTTP code 404 with a body explaining the reason

Invalid exclusions are not stored.

 

GET – List exclusions

 

HTTP request: GET api/v1/exclusions

URL query:

Similar to the API for getting detections; supports $top, $skip, $count, $orderBy

Request body: none

JSON response body: value and count (only if $count is present in the URL query). The value field contains an array of objects with the following fields:

id

uuid

name

enabled

note

 

GET – Gets a single exclusion

 

HTTP request: GET api/v1/exclusions/{exclusionId}

URL query:

$idType—if $idType=uuid, {id} in the URL is interpreted as the uuid of a rule

Request body: none

JSON response body: in addition to the fields returned by the exclusions listing, the response contains, among others, the “exclusion” field with XML:

body (xml)

id

uuid

name

enabled

note

ruleIds (integers)

ruleUuids (uuids as strings)

 

PUT – Edits exclusion body

 

HTTP request: PUT api/v1/exclusions/{exclusionId}

URL query:

$idType—if $idType=uuid, {id} in the URL is interpreted as the uuid of a rule

JSON Request body: same as for POST new exclusion.

JSON response body: returns the updated object from the request. Similar to POST, returns the GET response.

 

DELETE – Deletes an exclusion

 

HTTP request: DELETE api/v1/exclusions/{exclusionId}

URL query:

$idType—if $idType=uuid, {id} in the URL is interpreted as the uuid of a rule

Request body: none

Response body: none

 

GET – Get exclusions associated with a rule

 

HTTP request: GET api/v1/exclusions/rule/{ruleId}

URL query:

$idType—if $idType=uuid, {id} in the URL is interpreted as the uuid of a rule

Request body: none

JSON response body: Same as for GET – List exclusions. Returns array of exclusions associated with a rule.

Example:


https://192.168.197.200/api/v1/executables/066F8964A44161825BE6F4E10B05CD66F3C115FC/block?$idType=sha1 is equivalent to https://192.168.197.200/api/v1/executables/1605/block (so id = sha1 or the ID of the module in the database)
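
A client-side pre-flight check for the POST/PUT request body and the $idType URLs documented above, as an added example that is not part of the original documentation or the product's own code. The function names, the placeholder XML and the rule that a UUID-shaped id gets $idType=uuid are assumptions of this example; authentication and the HTTP call itself are left out because the page does not describe them.

```python
import uuid
import xml.etree.ElementTree as ET
from urllib.parse import quote

NOTE_MAX = 2048  # documented limit for the optional note field
SAMPLE_XML = "<placeholder/>"  # constructed stand-in, not the product's exclusion schema


def _is_uuid(value):
    """True if value parses as a UUID string."""
    try:
        uuid.UUID(value)
        return True
    except (ValueError, AttributeError, TypeError):
        return False


def build_exclusion_payload(name, body_xml, rule_ids=(), rule_uuids=(),
                            auto_resolve=False, note=None):
    """Return the request-body dict for POST api/v1/exclusions or raise ValueError."""
    if not isinstance(name, str):
        raise ValueError("name must be a string")
    if not isinstance(auto_resolve, bool):
        raise ValueError("autoResolve must be a bool")
    try:
        ET.fromstring(body_xml)  # well-formedness only; the server decides validity
    except (ET.ParseError, TypeError) as exc:
        raise ValueError(f"body is not well-formed XML: {exc}") from exc
    # bool is a subclass of int in Python, so reject it explicitly
    if any(isinstance(r, bool) or not isinstance(r, int) for r in rule_ids):
        raise ValueError("ruleIds must contain integers only")
    if not all(_is_uuid(u) for u in rule_uuids):
        raise ValueError("ruleUuids must contain UUID strings only")
    # ruleIds and ruleUuids may be sent together, as the page states
    payload = {"body": body_xml, "autoResolve": auto_resolve, "name": name,
               "ruleIds": list(rule_ids), "ruleUuids": list(rule_uuids)}
    if note is not None:
        if not isinstance(note, str) or len(note) > NOTE_MAX:
            raise ValueError(f"note must be a string of at most {NOTE_MAX} characters")
        payload["note"] = note
    return payload


def exclusion_url(base, exclusion_id):
    """URL for GET/PUT/DELETE on one exclusion; appends $idType=uuid for UUID ids."""
    url = f"{base.rstrip('/')}/api/v1/exclusions/{quote(str(exclusion_id), safe='')}"
    return url + "?$idType=uuid" if _is_uuid(str(exclusion_id)) else url
```

Because an exclusion suppresses detections, running this check before submission and logging the resulting payload gives reviewers a record of what was requested, independent of the server's 201 or 404 answer.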