[ DOC ] ML exclusion creation targeting all host groups (applied_gobally=True) needs ["all"] as fake group id

[59e5aaf4]

Documentation page topic

• https://www.falconpy.io/Service-Collections/Ml-Exclusions.html#createmlexclusionsv1

Describe the error or typo

/policy/entities/ml-exclusions/v1 says {'code': 400, 'message': "groups: The 'groups' field must not be empty."} when no group are passed.

By taking a peek at what happens in the web UI, I figured out that you need to send groups=["all"] so that the API sets applied_globally=True, and sets groups=[] under the hood.

Please document that behavior. I managed to use the API to create ML exclusions targeting all hosts by passing groups=["all"].

# Here, 'exclusion' is a dict equivalent to the blob sent back by the API when querying it.
group_list = exclusion['groups']
excluded_from = exclusion['excluded_from']
value = exclusion['value']
BODY = {
    "comment": "string",
    "excluded_from": excluded_from,
    "value": value,
}   
        
# "message": "groups: The 'groups' field must not be empty."
if len(group_list) == 0:
    # Found in the web UI lol
    BODY['groups'] = ['all']
else:   
    BODY['groups'] = group_list

self.logger.info(f'Creating ML Exclusion for {value} on groups {group_list}, excluded from {excluded_from}')
r = self.exec('createMLExclusionsV1',body = BODY)
if r['status_code'] != 201:
    raise Exception()

Documentation repository:

• GitHub Wiki
• falconpy.io
• Source code - docstring

Additional context
Add any other context about the problem here.