Global Allowlist
- Updated on 19 Mar 2024
[Version 3.0.0 and Above]
The Global Allowlist consists of executables that are allowed across all host profiles. It removes the need for users to allowlist these executables again each time a new profile is created or when an executable occurs in many profiles.
If an executable is added to or removed from the Global Allowlist, the change is applied to all profiles that contain the executable. Users can still use the existing profile-level allowlisting functionality to override this value for a single profile.
The following actions can be performed on the Global Allowlist using APIs:
- Add/Remove executables from Global Allowlist
- Get/Retrieve the Global Allowlist values
Header:
Content-type: application/json
Authorization: Bearer <token>
Add/Remove from Global Allowlist
To add or remove executables from the Global Allowlist by checksum value, use the API below. Only a CMS user with access to Host Profiles can use this API. The modifications are applied immediately across all hosts.
Accepted Parameters:
- allowlist - (Required) Indicates whether the checksum values are added or removed. Allowed values - true (for addition), false (for removal)
- checksums - (Required) List of comma-separated checksum values to add or remove. Ensure that each specified checksum is part of at least one profile. A maximum of 100 checksum values can be provided per request.
Request Type: POST
URL: https://<CMS_IP_Address>/services/pm/files/global-allowlist
JSON:
{
  "allowlist" : "<true|false>",
  "checksums" : [
    "<Checksum_Value1>",
    "<Checksum_Value2>"
  ]
}
Response Code:
200 - Success
Sample Response:
{
  "code": 200,
  "messages": [
    "Edit successful."
  ],
  "status": "SUCCESSFUL",
  "item": {
    "checksumsNotPresent": [
      "00cf0f655f2acd3500447e772682127e",
      "a9c950535b866ebd0758daaf52d7f46b"
    ]
  },
  "elapsedTime": "2ms",
  "timestamp": 1699254040730
}
Global Allowlist Addition:
When checksum values are added to the Global Allowlist:
- Overrides the allowlist preference of the executable at the profile-level
- Related incidents are auto-acknowledged
Global Allowlist Removal:
When checksum values are removed from the Global Allowlist:
- Overrides the allowlist preference of the executable at the profile-level
- There are no changes to the related incidents that were previously auto-acknowledged
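Added example (not part of the product documentation or the vendor's code): a client for the add/remove API above that splits a checksum list into requests of at most 100 and collects every value returned under checksumsNotPresent, so a 200 response is not mistaken for "all checksums applied". The function names, the host cms.example.invalid and the fake_send stand-in are assumptions; reading checksumsNotPresent as "not applied" is inferred from the field name and the sample response.

```python
import json
import urllib.request

MAX_PER_REQUEST = 100  # per-request checksum limit stated on this page

def build_batches(checksums, allow):
    """Deduplicate checksums and split them into bodies of at most 100 each."""
    unique = list(dict.fromkeys(c.strip() for c in checksums if c.strip()))
    flag = "true" if allow else "false"  # sent as a string, as in the page's body
    return [{"allowlist": flag, "checksums": unique[i:i + MAX_PER_REQUEST]}
            for i in range(0, len(unique), MAX_PER_REQUEST)]

def post_json(url, token, body):
    """Send one POST with the two headers this page lists (real network call)."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Content-type": "application/json",
                 "Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def update_global_allowlist(cms, token, checksums, allow, send=post_json):
    """Apply every batch; return the checksums listed in checksumsNotPresent."""
    url = f"https://{cms}/services/pm/files/global-allowlist"
    not_present = []
    for body in build_batches(checksums, allow):
        reply = send(url, token, body)
        if reply.get("code") != 200 or reply.get("status") != "SUCCESSFUL":
            raise RuntimeError(f"update rejected: {reply.get('messages')}")
        not_present += (reply.get("item") or {}).get("checksumsNotPresent", [])
    return not_present

if __name__ == "__main__":
    # Constructed stand-in for the CMS: echoes the first checksum of each batch
    # back as "not present", shaped like the sample response on this page.
    def fake_send(url, token, body):
        return {"code": 200, "status": "SUCCESSFUL",
                "item": {"checksumsNotPresent": body["checksums"][:1]}}
    sums = [f"{i:032x}" for i in range(250)]  # constructed checksum values
    print(update_global_allowlist("cms.example.invalid", "TOKEN", sums, True,
                                  send=fake_send))
```

Because an addition auto-acknowledges related incidents on every profile, review the returned list and the input list before running it with allow set to True.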
Get/Retrieve all the Global Allowlist Values
The API URL below returns all the values/entries in the Global Allowlist.
Accepted Parameters:
- allowlist - (Required) To indicate retrieval of allowlisted values. Allowed values - true (to get only allowlisted values), false (to get both allowed and not allowed values)
- page - (Required - Integer) Defines the page number
- size - (Required - Integer) Defines the number of entries per page. Default value is 20. The maximum allowed value is 1000
Request Type: GET
URL: https://<CMS_IP_Address>/services/pm/files?allowlist=true&page=<Page_Number>&size=<SizeperPage>
Response Code:
200 - Success
Sample Response:
{
  "code": 200,
  "messages": [
    "File Details successfully fetched."
  ],
  "status": "SUCCESSFUL",
  "items": [
    {
      "id": "6555e4c9be4d32271bdf6dd6",
      "firstSeenPath": "/usr/bin/c773e383b7d548a197a6d1502b99d110.so",
      "firstSeenName": "c773e383b7d548a197a6d1502b99d110",
      "lastSeen": 1700127934301,
      "osPlatform": "LINUX",
      "selected": false,
      "globalPackageSelected": false,
      "threatVerificationDetail": {
        "status": "UNKNOWN",
        "threatScore": 0,
        "message": null,
        "verificationAttempts": 0
      },
      "entityType": "LIBRARY",
      "auditField": {
        "createdBy": "SYSTEM",
        "createdOn": 1700127933578
      },
      "checksum": "db77e3bfeb11493db2fdb76679f413dc",
      "source": "SCAN"
    }
  ],
  "page": 1,
  "total": 1,
  "size": 20,
  "lastPage": true,
  "elapsedTime": "4.581s",
  "timestamp": 1700190906994
}
Get/Retrieve selected Global Allowlist Values
The API URL below returns the values/entries in the Global Allowlist that match the provided criteria.
Accepted Parameters:
- data - (Required) Specifies if data is required. Allowed values - true, false
- count - (Required) Specifies if only count value is required. Allowed values - true, false
Request Type: POST
URL: https://<CMS_IP_Address>/services/pm/files/search?data=<true|false>&count=<true|false>
JSON:
{
  "expression": {
    "relation": "AND",
    "criteriaList": [
      {
        "operator": "IN",
        "ignoreCase": false,
        "field": "entityType",
        "value": null,
        "values": [
          "PROCESS",
          "LIBRARY"
        ],
        "oid": false
      },
      {
        "operator": "EQ",
        "ignoreCase": false,
        "field": "selected",
        "value": false,
        "values": null,
        "oid": false
      },
      {
        "operator": "EQ",
        "ignoreCase": false,
        "field": "checksum",
        "value": "601b3e7d67d4ca75c59b59186fe8efad",
        "values": null,
        "oid": false
      },
      {
        "operator": "IN",
        "ignoreCase": false,
        "field": "osPlatform",
        "value": null,
        "values": [
          "LINUX"
        ],
        "oid": false
      },
      {
        "operator": "IN",
        "ignoreCase": false,
        "field": "source",
        "value": null,
        "values": [
          "SCAN"
        ],
        "oid": false
      },
      {
        "operator": "IN",
        "ignoreCase": false,
        "field": "threatVerificationDetail.status",
        "value": null,
        "values": [
          "UNKNOWN"
        ],
        "oid": false
      },
      {
        "operator": "EQ",
        "ignoreCase": false,
        "field": "securityDetails.certificates.publisher",
        "value": "abc.py",
        "values": null,
        "oid": false
      }
    ],
    "expressionList": []
  },
  "sort": {
    "sortItems": [
      {
        "key": "firstSeenName",
        "direction": "DESC"
      }
    ]
  },
  "page": {
    "page": "1",
    "size": "20"
  },
  "collation": null
}
Response Code:
200 - Success
Sample Response:
{
  "code": 200,
  "messages": [
    "File Details successfully fetched."
  ],
  "status": "SUCCESSFUL",
  "items": [
    {
      "id": "6555e4c9be4d32271bdf6dd6",
      "firstSeenPath": "/usr/bin/c773e383b7d548a197a6d1502b99d110.so",
      "firstSeenName": "c773e383b7d548a197a6d1502b99d110",
      "lastSeen": 1700127934301,
      "osPlatform": "LINUX",
      "selected": false,
      "globalPackageSelected": false,
      "threatVerificationDetail": {
        "status": "UNKNOWN",
        "threatScore": 0,
        "message": null,
        "verificationAttempts": 0
      },
      "entityType": "LIBRARY",
      "auditField": {
        "createdBy": "SYSTEM",
        "createdOn": 1700127933578
      },
      "checksum": "db77e3bfeb11493db2fdb76679f413dc",
      "source": "SCAN"
    }
  ],
  "page": 1,
  "total": 1,
  "size": 20,
  "lastPage": true,
  "elapsedTime": "4.581s",
  "timestamp": 1700190906994
}