[ DOC ] ML exclusion creation targeting all host groups (applied_gobally=True) needs ["all"] as fake group id

[59e5aaf4]

Documentation page topic

• https://www.falconpy.io/Service-Collections/Ml-Exclusions.html#createmlexclusionsv1

Describe the error or typo

/policy/entities/ml-exclusions/v1 says {'code': 400, 'message': "groups: The 'groups' field must not be empty."} when no group are passed.

By taking a peek at what happens in the web UI, I figured out that you need to send groups=["all"] so that the API sets applied_globally=True, and sets groups=[] under the hood.

Please document that behavior. I managed to use the API to create ML exclusions targeting all hosts by passing groups=["all"].

# Here, 'exclusion' is a dict equivalent to the blob sent back by the API when querying it.
group_list = exclusion['groups']
excluded_from = exclusion['excluded_from']
value = exclusion['value']
BODY = {
    "comment": "string",
    "excluded_from": excluded_from,
    "value": value,
}   
        
# "message": "groups: The 'groups' field must not be empty."
if len(group_list) == 0:
    # Found in the web UI lol
    BODY['groups'] = ['all']
else:   
    BODY['groups'] = group_list

self.logger.info(f'Creating ML Exclusion for {value} on groups {group_list}, excluded from {excluded_from}')
r = self.exec('createMLExclusionsV1',body = BODY)
if r['status_code'] != 201:
    raise Exception()

Documentation repository:

• GitHub Wiki
• falconpy.io
• Source code - docstring

Additional context
Add any other context about the problem here.

[jshcodes]

Hi @59e5aaf4 -

We've added code to set this as a default when groups is not provided to the Service Class method. We will also update the documentation to speak to this for our Uber Class users.

Thank you for reporting this! 🙇