Global Allowlist
  • 19 Mar 2024

About this Article
This article describes the Global Allowlist and how to read and modify it using the CMS APIs.


[Version 3.0.0 and Above] 

The Global Allowlist consists of executables that are allowed across all host profiles. This removes the need to allowlist the same executable again each time a new profile is created, or separately in every profile in which it occurs.

When an executable is added to or removed from the Global Allowlist, the change is applied to every profile that contains the executable. The existing profile-level allowlisting functionality can still be used to override this value for just that profile.

The below actions can be performed on the Global Allowlist using APIs:

  1. Add/Remove executables from Global Allowlist
  2. Get/Retrieve the Global Allowlist values


Headers (all requests):

Content-Type: application/json

Authorization: Bearer <token>


Add/Remove from Global Allowlist

To add or remove executables from the Global Allowlist by checksum, use the API below. Only a CMS user with access to Host Profiles can call it. The modifications are applied immediately across all hosts, so a single call changes enforcement fleet-wide; restrict the token used for it accordingly.

Accepted Parameters:

  1. allowlist - (Required, boolean) Indicates whether the checksums are being added or removed. Allowed values - true (for addition), false (for removal)
  2. checksums - (Required) List of checksum values to add or remove. Each checksum must already be present in at least one profile; checksums that are not part of any profile are reported back in the checksumsNotPresent list of the response. A maximum of 100 checksum values can be provided per request

Request Type: POST

URL: https://<CMS_IP_Address>/services/pm/files/global-allowlist

JSON:

{
  "allowlist": <true|false>,
  "checksums": [
    "<Checksum_Value1>",
    "<Checksum_Value2>"
  ]
}

Response Code:

200 - Success

Sample Response:

{
    "code": 200,
    "messages": [
        "Edit successful."
    ],
    "status": "SUCCESSFUL",
    "item": {
        "checksumsNotPresent": [
            "00cf0f655f2acd3500447e772682127e",
            "a9c950535b866ebd0758daaf52d7f46b"
        ]
    },
    "elapsedTime": "2ms",
    "timestamp": 1699254040730
}


Global Allowlist Addition:

When checksum values are added to the Global Allowlist:

  1. The profile-level allowlist preference of the executable is overridden in every profile that contains it
  2. Related incidents are auto-acknowledged


Global Allowlist Removal:

When checksum values are removed from the Global Allowlist:

  1. The profile-level allowlist preference of the executable is overridden in every profile that contains it
  2. Incidents that were previously auto-acknowledged are left unchanged

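The following Python script is an added example, not part of the product documentation or the vendor's code. It drives the add/remove endpoint described above, applying the documented constraints client-side: checksums are normalised and de-duplicated, the request is split into batches of at most 100, and the checksumsNotPresent list returned by the CMS is collected so the caller can see which hashes were not acted on. The CMS host name, token and the fake_send stand-in (modelled on the sample response above) are constructed for illustration; the assumption that checksums are 32-hex-digit MD5 sums is taken from the samples on this page.

```python
"""Add or remove checksums from the Global Allowlist in batches of 100.

Added example; not the product's own code. Assumes the documented endpoint
POST https://<CMS>/services/pm/files/global-allowlist with a bearer token.
The transport is injectable (`send`) so the logic runs offline in tests.
"""
import json
import re
import ssl
import urllib.request
from typing import Callable, Dict, Iterable, Iterator, List

MAX_PER_REQUEST = 100  # documented limit on checksums per request
# The checksums on this page are 32 hex digits (assumption: MD5).
_HEX32 = re.compile(r"^[0-9a-f]{32}$")


def normalize_checksums(raw: Iterable[str]) -> List[str]:
    """Strip, lower-case, de-duplicate (order preserved) and reject anything
    that is not a 32-hex-digit sum, so a typo never allowlists an unintended hash."""
    seen: Dict[str, None] = {}
    for c in raw:
        c = c.strip().lower()
        if not _HEX32.match(c):
            raise ValueError(f"not a 32-hex-digit checksum: {c!r}")
        seen.setdefault(c, None)
    return list(seen)


def batches(items: List[str], n: int = MAX_PER_REQUEST) -> Iterator[List[str]]:
    """Yield consecutive slices of at most n items."""
    for i in range(0, len(items), n):
        yield items[i:i + n]


def http_send(url: str, token: str, payload: dict) -> dict:
    """Real transport: POST JSON with bearer auth over TLS (default CA store;
    pin the CMS certificate in production)."""
    req = urllib.request.Request(
        url,
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json", "Authorization": f"Bearer {token}"},
        method="POST",
    )
    with urllib.request.urlopen(req, context=ssl.create_default_context(), timeout=30) as resp:
        return json.load(resp)


def update_global_allowlist(cms: str, token: str, checksums: Iterable[str], allow: bool,
                            send: Callable[[str, str, dict], dict] = http_send) -> Dict[str, list]:
    """Submit the change in batches and return what was sent and what the CMS
    reported as checksumsNotPresent (hashes not present in any profile)."""
    url = f"https://{cms}/services/pm/files/global-allowlist"
    result: Dict[str, list] = {"submitted": [], "not_present": []}
    for batch in batches(normalize_checksums(checksums)):
        body = send(url, token, {"allowlist": allow, "checksums": batch})
        if body.get("status") != "SUCCESSFUL" or body.get("code") != 200:
            raise RuntimeError(f"global allowlist update failed: {body.get('messages')}")
        result["submitted"].extend(batch)
        result["not_present"].extend((body.get("item") or {}).get("checksumsNotPresent", []))
    return result


# Constructed stand-in for the CMS, modelled on the sample response above:
# two hashes are "unknown" to it and are echoed back in checksumsNotPresent.
UNKNOWN_TO_CMS = {"00cf0f655f2acd3500447e772682127e", "a9c950535b866ebd0758daaf52d7f46b"}


def fake_send(url: str, token: str, payload: dict) -> dict:
    assert len(payload["checksums"]) <= MAX_PER_REQUEST
    missing = [c for c in payload["checksums"] if c in UNKNOWN_TO_CMS]
    return {"code": 200, "status": "SUCCESSFUL", "messages": ["Edit successful."],
            "item": {"checksumsNotPresent": missing}}


if __name__ == "__main__":
    hashes = ["db77e3bfeb11493db2fdb76679f413dc", "00CF0F655F2ACD3500447E772682127E"]
    print(update_global_allowlist("cms.example", "token", hashes, allow=True, send=fake_send))
```

Swap fake_send for the default http_send (or a requests-based equivalent) to run against a real CMS; everything else stays the same.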

Get/Retrieve all the Global Allowlist Values

The following request returns the entries in the Global Allowlist, one page at a time.

Accepted Parameters:

  1. allowlist - (Required) Controls which entries are returned. Allowed values - true (only allowlisted entries), false (both allowed and not allowed entries)
  2. page - (Required - Integer) Page number to return; the first page is 1 (as in the sample response below)
  3. size - (Required - Integer) Number of entries per page. Default value is 20. The maximum allowed value is 1000. Use lastPage in the response to detect the final page

Request Type: GET

URL: https://<CMS_IP_Address>/services/pm/files?allowlist=true&page=<Page_Number>&size=<SizeperPage>

Response Code:

200 - Success

Sample Response:

{
    "code": 200,
    "messages": [
        "File Details successfully fetched."
    ],
    "status": "SUCCESSFUL",
    "items": [
        {
            "id": "6555e4c9be4d32271bdf6dd6",
            "firstSeenPath": "/usr/bin/c773e383b7d548a197a6d1502b99d110.so",
            "firstSeenName": "c773e383b7d548a197a6d1502b99d110",
            "lastSeen": 1700127934301,
            "osPlatform": "LINUX",
            "selected": false,
            "globalPackageSelected": false,
            "threatVerificationDetail": {
                "status": "UNKNOWN",
                "threatScore": 0,
                "message": null,
                "verificationAttempts": 0
            },
            "entityType": "LIBRARY",
            "auditField": {
                "createdBy": "SYSTEM",
                "createdOn": 1700127933578
            },
            "checksum": "db77e3bfeb11493db2fdb76679f413dc",
            "source": "SCAN"
        }
    ],
    "page": 1,
    "total": 1,
    "size": 20,
    "lastPage": true,
    "elapsedTime": "4.581s",
    "timestamp": 1700190906994
}
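The following Python script is an added example, not part of the product documentation or the vendor's code. It walks every page of the GET endpoint above, stopping on lastPage and capping size at the documented maximum of 1000, then indexes the entries by checksum and lists those whose threat verification is still UNKNOWN, which is the field a reviewer would check before leaving an entry allowlisted fleet-wide. The CMS host name, token, the two-page FIXTURE and the "VERIFIED" status value in it are constructed for illustration and are not values taken from the product.

```python
"""Page through GET /services/pm/files and audit the Global Allowlist.

Added example; not the product's own code. Assumes the query parameters and
response fields documented above. `fetch` is injectable so the paging logic
runs offline against a constructed fixture.
"""
import json
import ssl
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable, Iterator, List

MAX_PAGE_SIZE = 1000  # documented maximum for `size`


def http_get(url: str, token: str) -> dict:
    """Real transport: GET with bearer auth over TLS (default CA store)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, context=ssl.create_default_context(), timeout=60) as resp:
        return json.load(resp)


def iter_files(cms: str, token: str, allowlist: bool = True, size: int = MAX_PAGE_SIZE,
               fetch: Callable[[str, str], dict] = http_get) -> Iterator[dict]:
    """Yield every entry, following `lastPage` rather than trusting `total`.
    Pages are 1-based, as in the sample response on the page."""
    size = min(size, MAX_PAGE_SIZE)
    page = 1
    while True:
        q = urllib.parse.urlencode({"allowlist": str(allowlist).lower(), "page": page, "size": size})
        body = fetch(f"https://{cms}/services/pm/files?{q}", token)
        if body.get("status") != "SUCCESSFUL":
            raise RuntimeError(f"fetch failed: {body.get('messages')}")
        items = body.get("items", [])
        yield from items
        if body.get("lastPage", True) or not items:
            return
        page += 1


def index_by_checksum(items: Iterable[dict]) -> Dict[str, List[dict]]:
    """Group entries by checksum; one hash can appear under several paths or
    platforms, so each key maps to a list."""
    idx: Dict[str, List[dict]] = {}
    for it in items:
        idx.setdefault(it["checksum"], []).append(it)
    return idx


def unverified(items: Iterable[dict]) -> List[str]:
    """Checksums whose threat verification never completed (status UNKNOWN)."""
    return sorted({it["checksum"] for it in items
                   if (it.get("threatVerificationDetail") or {}).get("status") == "UNKNOWN"})


# Constructed two-page fixture modelled on the sample response above.
# "VERIFIED" is a hypothetical status value used only to contrast with UNKNOWN.
def _entry(checksum: str, path: str, status: str = "UNKNOWN", platform: str = "LINUX") -> dict:
    return {"id": checksum[:24], "firstSeenPath": path, "firstSeenName": path.rsplit("/", 1)[-1],
            "lastSeen": 1700127934301, "osPlatform": platform, "selected": False,
            "globalPackageSelected": False,
            "threatVerificationDetail": {"status": status, "threatScore": 0, "message": None,
                                         "verificationAttempts": 0},
            "entityType": "LIBRARY", "auditField": {"createdBy": "SYSTEM", "createdOn": 1700127933578},
            "checksum": checksum, "source": "SCAN"}


FIXTURE = {
    1: [_entry("db77e3bfeb11493db2fdb76679f413dc", "/usr/bin/c773e383b7d548a197a6d1502b99d110.so"),
        _entry("601b3e7d67d4ca75c59b59186fe8efad", "/opt/app/libfoo.so", status="VERIFIED")],
    2: [_entry("601b3e7d67d4ca75c59b59186fe8efad", "C:/app/foo.dll", status="VERIFIED", platform="WINDOWS")],
}


def fake_fetch(url: str, token: str) -> dict:
    page = int(urllib.parse.parse_qs(urllib.parse.urlparse(url).query)["page"][0])
    return {"code": 200, "status": "SUCCESSFUL", "messages": ["File Details successfully fetched."],
            "items": FIXTURE.get(page, []), "page": page, "total": 3, "size": 2,
            "lastPage": page >= max(FIXTURE)}


if __name__ == "__main__":
    entries = list(iter_files("cms.example", "token", fetch=fake_fetch))
    print(len(entries), "entries; unverified:", unverified(entries))
```

Replace fake_fetch with the default http_get to run against a real CMS; the paging and audit logic is unchanged.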


Get/Retrieve selected Global Allowlist Values

The following request returns Global Allowlist entries that match the supplied search criteria.

Accepted Parameters:

  1. data - (Required) Whether the matching entries are returned in the response. Allowed values - true, false
  2. count - (Required) Whether only the count of matching entries is returned. Allowed values - true, false

Request Type: POST

URL: https://<CMS_IP_Address>/services/pm/files/search?data=<true|false>&count=<true|false>

JSON:

{
    "expression": {
        "relation": "AND",
        "criteriaList": [
            {
                "operator": "IN",
                "ignoreCase": false,
                "field": "entityType",
                "value": null,
                "values": [
                    "PROCESS",
                    "LIBRARY"
                ],
                "oid": false
            },
            {
                "operator": "EQ",
                "ignoreCase": false,
                "field": "selected",
                "value": false,
                "values": null,
                "oid": false
            },
            {
                "operator": "EQ",
                "ignoreCase": false,
                "field": "checksum",
                "value": "601b3e7d67d4ca75c59b59186fe8efad",
                "values": null,
                "oid": false
            },
            {
                "operator": "IN",
                "ignoreCase": false,
                "field": "osPlatform",
                "value": null,
                "values": [
                    "LINUX"
                ],
                "oid": false
            },
            {
                "operator": "IN",
                "ignoreCase": false,
                "field": "source",
                "value": null,
                "values": [
                    "SCAN"
                ],
                "oid": false
            },
            {
                "operator": "IN",
                "ignoreCase": false,
                "field": "threatVerificationDetail.status",
                "value": null,
                "values": [
                    "UNKNOWN"
                ],
                "oid": false
            },
            {
                "operator": "EQ",
                "ignoreCase": false,
                "field": "securityDetails.certificates.publisher",
                "value": "abc.py",
                "values": null,
                "oid": false
            }
        ],
        "expressionList": []
    },
    "sort": {
        "sortItems": [
            {
                "key": "firstSeenName",
                "direction": "DESC"
            }
        ]
    },
    "page": {
        "page": "1",
        "size": "20"
    },
    "collation": null
}

In each criterion, an EQ operator uses "value" and leaves "values" as JSON null, while an IN operator uses "values" and leaves "value" as JSON null; the unused slot must be the literal null, not the string "null".

Response Code:

200 - Success

Sample Response:

{
    "code": 200,
    "messages": [
        "File Details successfully fetched."
    ],
    "status": "SUCCESSFUL",
    "items": [
        {
            "id": "6555e4c9be4d32271bdf6dd6",
            "firstSeenPath": "/usr/bin/c773e383b7d548a197a6d1502b99d110.so",
            "firstSeenName": "c773e383b7d548a197a6d1502b99d110",
            "lastSeen": 1700127934301,
            "osPlatform": "LINUX",
            "selected": false,
            "globalPackageSelected": false,
            "threatVerificationDetail": {
                "status": "UNKNOWN",
                "threatScore": 0,
                "message": null,
                "verificationAttempts": 0
            },
            "entityType": "LIBRARY",
            "auditField": {
                "createdBy": "SYSTEM",
                "createdOn": 1700127933578
            },
            "checksum": "db77e3bfeb11493db2fdb76679f413dc",
            "source": "SCAN"
        }
    ],
    "page": 1,
    "total": 1,
    "size": 20,
    "lastPage": true,
    "elapsedTime": "4.581s",
    "timestamp": 1700190906994
}
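The following Python script is an added example, not part of the product documentation or the vendor's code. It builds search payloads in the shape shown above, keeping the EQ/IN distinction right (EQ fills "value", IN fills "values", the other slot is JSON null), and submits them with data/count as query parameters. The CMS host name, token, the small INVENTORY and the fake_send evaluator that applies the criteria to it are constructed so the example runs offline; the response shape for a count-only query is not shown on this page, so the stand-in simply returns "total" without "items" (an assumption).

```python
"""Build and submit criteria searches against POST /services/pm/files/search.

Added example; not the product's own code. Assumes the request shape shown
above and that `data` and `count` are query parameters. `send` is injectable.
"""
import json
import ssl
import urllib.parse
import urllib.request
from typing import Any, Callable, List, Sequence


def eq(field: str, value: Any, ignore_case: bool = False) -> dict:
    """Equality criterion: uses `value`, leaves `values` null."""
    return {"operator": "EQ", "ignoreCase": ignore_case, "field": field,
            "value": value, "values": None, "oid": False}


def in_(field: str, values: Sequence[Any], ignore_case: bool = False) -> dict:
    """Membership criterion: uses `values`, leaves `value` null."""
    if not values:
        raise ValueError(f"IN on {field!r} needs at least one value")
    return {"operator": "IN", "ignoreCase": ignore_case, "field": field,
            "value": None, "values": list(values), "oid": False}


def search_payload(criteria: List[dict], sort_key: str = "firstSeenName",
                   direction: str = "DESC", page: int = 1, size: int = 20) -> dict:
    """AND all criteria together, in the structure shown on the page."""
    if direction not in ("ASC", "DESC"):
        raise ValueError(f"bad sort direction {direction!r}")
    return {"expression": {"relation": "AND", "criteriaList": criteria, "expressionList": []},
            "sort": {"sortItems": [{"key": sort_key, "direction": direction}]},
            "page": {"page": str(page), "size": str(size)},
            "collation": None}


def http_post(url: str, token: str, payload: dict) -> dict:
    """Real transport: POST JSON with bearer auth over TLS (default CA store)."""
    req = urllib.request.Request(url, data=json.dumps(payload).encode(), method="POST",
                                 headers={"Content-Type": "application/json",
                                          "Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, context=ssl.create_default_context(), timeout=60) as resp:
        return json.load(resp)


def search_files(cms: str, token: str, payload: dict, data: bool = True, count: bool = False,
                 send: Callable[[str, str, dict], dict] = http_post) -> dict:
    url = f"https://{cms}/services/pm/files/search?data={str(data).lower()}&count={str(count).lower()}"
    body = send(url, token, payload)
    if body.get("status") != "SUCCESSFUL":
        raise RuntimeError(f"search failed: {body.get('messages')}")
    return body


# Constructed in-memory inventory and evaluator standing in for the CMS.
INVENTORY = [
    {"checksum": "db77e3bfeb11493db2fdb76679f413dc", "entityType": "LIBRARY", "selected": False,
     "osPlatform": "LINUX", "source": "SCAN", "threatVerificationDetail": {"status": "UNKNOWN"}},
    {"checksum": "601b3e7d67d4ca75c59b59186fe8efad", "entityType": "PROCESS", "selected": True,
     "osPlatform": "LINUX", "source": "SCAN", "threatVerificationDetail": {"status": "UNKNOWN"}},
    {"checksum": "00cf0f655f2acd3500447e772682127e", "entityType": "PROCESS", "selected": False,
     "osPlatform": "WINDOWS", "source": "SCAN", "threatVerificationDetail": {"status": "UNKNOWN"}},
]


def _lookup(item: dict, dotted: str) -> Any:
    """Resolve a dotted field such as threatVerificationDetail.status."""
    cur: Any = item
    for part in dotted.split("."):
        if not isinstance(cur, dict):
            return None
        cur = cur.get(part)
    return cur


def _norm(v: Any, ignore_case: bool) -> Any:
    return v.lower() if ignore_case and isinstance(v, str) else v


def _matches(item: dict, c: dict) -> bool:
    v = _norm(_lookup(item, c["field"]), c["ignoreCase"])
    if c["operator"] == "EQ":
        return v == _norm(c["value"], c["ignoreCase"])
    if c["operator"] == "IN":
        return v in [_norm(x, c["ignoreCase"]) for x in c["values"]]
    raise ValueError(c["operator"])


def fake_send(url: str, token: str, payload: dict) -> dict:
    q = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    hits = [i for i in INVENTORY if all(_matches(i, c) for c in payload["expression"]["criteriaList"])]
    body = {"code": 200, "status": "SUCCESSFUL", "messages": ["File Details successfully fetched."],
            "total": len(hits)}
    if q["data"][0] == "true":
        body["items"] = hits
    return body


if __name__ == "__main__":
    p = search_payload([in_("entityType", ["PROCESS", "LIBRARY"]), eq("selected", False),
                        in_("osPlatform", ["LINUX"])])
    print(search_files("cms.example", "token", p, send=fake_send))
```

Swap fake_send for the default http_post to query a real CMS; the payload builders are the part worth reusing.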


