--- title: Create a WAF exclusion filter description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: Docs > API Reference > Application Security --- # Create a WAF exclusion filter{% #create-a-waf-exclusion-filter %} Copy pageCopied {% tab title="v2" %} | Datadog site | API endpoint | | ----------------- | ------------------------------------------------------------------------------------------ | | ap1.datadoghq.com | POST https://api.ap1.datadoghq.com/api/v2/remote_config/products/asm/waf/exclusion_filters | | ap2.datadoghq.com | POST https://api.ap2.datadoghq.com/api/v2/remote_config/products/asm/waf/exclusion_filters | | app.datadoghq.eu | POST https://api.datadoghq.eu/api/v2/remote_config/products/asm/waf/exclusion_filters | | app.ddog-gov.com | POST https://api.ddog-gov.com/api/v2/remote_config/products/asm/waf/exclusion_filters | | us2.ddog-gov.com | POST https://api.us2.ddog-gov.com/api/v2/remote_config/products/asm/waf/exclusion_filters | | app.datadoghq.com | POST https://api.datadoghq.com/api/v2/remote_config/products/asm/waf/exclusion_filters | | us3.datadoghq.com | POST https://api.us3.datadoghq.com/api/v2/remote_config/products/asm/waf/exclusion_filters | | us5.datadoghq.com | POST https://api.us5.datadoghq.com/api/v2/remote_config/products/asm/waf/exclusion_filters | ### Overview Create a new WAF exclusion filter with the given parameters. A request matched by an exclusion filter will be ignored by the Application Security WAF product. Go to [https://app.datadoghq.com/security/appsec/passlist](https://app.datadoghq.com/security/appsec/passlist) to review existing exclusion filters (also called passlist entries). This endpoint requires the `appsec_protect_write` permission. ### Request #### Body Data (required) The definition of the new WAF exclusion filter. {% tab title="Model" %} | Parent field | Field | Type | Description | | ------------ | ----------------------------- | -------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | data [*required*] | object | Object for creating a single WAF exclusion filter. | | data | attributes [*required*] | object | Attributes for creating a WAF exclusion filter. | | attributes | description [*required*] | string | A description for the exclusion filter. | | attributes | enabled [*required*] | boolean | Indicates whether the exclusion filter is enabled. | | attributes | ip_list | [string] | The client IP addresses matched by the exclusion filter (CIDR notation is supported). | | attributes | on_match | enum | The action taken when the exclusion filter matches. When set to `monitor`, security traces are emitted but the requests are not blocked. By default, security traces are not emitted and the requests are not blocked. Allowed enum values: `monitor` | | attributes | parameters | [string] | A list of parameters matched by the exclusion filter in the HTTP query string and HTTP request body. Nested parameters can be matched by joining fields with a dot character. | | attributes | path_glob | string | The HTTP path glob expression matched by the exclusion filter. | | attributes | rules_target | [object] | The WAF rules targeted by the exclusion filter. | | rules_target | rule_id | string | Target a single WAF rule based on its identifier. | | rules_target | tags | object | Target multiple WAF rules based on their tags. | | tags | category | string | The category of the targeted WAF rules. | | tags | type | string | The type of the targeted WAF rules. | | attributes | scope | [object] | The services where the exclusion filter is deployed. | | scope | env | string | Deploy on this environment. | | scope | service | string | Deploy on this service. | | data | type [*required*] | enum | Type of the resource. The value should always be `exclusion_filter`. Allowed enum values: `exclusion_filter` | {% /tab %} {% tab title="Example" %} ```json { "data": { "attributes": { "description": "Exclude false positives on a path", "enabled": true, "parameters": [ "list.search.query" ], "path_glob": "/accounts/*", "rules_target": [ { "tags": { "category": "attack_attempt", "type": "lfi" } } ], "scope": [ { "env": "www", "service": "prod" } ] }, "type": "exclusion_filter" } } ``` {% /tab %} ### Response {% tab title="200" %} OK {% tab title="Model" %} Response object for a single WAF exclusion filter. | Parent field | Field | Type | Description | | ------------ | ---------------- | --------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | data | object | A JSON:API resource for an WAF exclusion filter. | | data | attributes | object | Attributes describing a WAF exclusion filter. | | attributes | description | string | A description for the exclusion filter. | | attributes | enabled | boolean | Indicates whether the exclusion filter is enabled. | | attributes | event_query | string | The event query matched by the legacy exclusion filter. Cannot be created nor updated. | | attributes | ip_list | [string] | The client IP addresses matched by the exclusion filter (CIDR notation is supported). | | attributes | metadata | object | Extra information about the exclusion filter. | | metadata | added_at | date-time | The creation date of the exclusion filter. | | metadata | added_by | string | The handle of the user who created the exclusion filter. | | metadata | added_by_name | string | The name of the user who created the exclusion filter. | | metadata | modified_at | date-time | The last modification date of the exclusion filter. | | metadata | modified_by | string | The handle of the user who last modified the exclusion filter. | | metadata | modified_by_name | string | The name of the user who last modified the exclusion filter. | | attributes | on_match | enum | The action taken when the exclusion filter matches. When set to `monitor`, security traces are emitted but the requests are not blocked. By default, security traces are not emitted and the requests are not blocked. Allowed enum values: `monitor` | | attributes | parameters | [string] | A list of parameters matched by the exclusion filter in the HTTP query string and HTTP request body. Nested parameters can be matched by joining fields with a dot character. | | attributes | path_glob | string | The HTTP path glob expression matched by the exclusion filter. | | attributes | rules_target | [object] | The WAF rules targeted by the exclusion filter. | | rules_target | rule_id | string | Target a single WAF rule based on its identifier. | | rules_target | tags | object | Target multiple WAF rules based on their tags. | | tags | category | string | The category of the targeted WAF rules. | | tags | type | string | The type of the targeted WAF rules. | | attributes | scope | [object] | The services where the exclusion filter is deployed. | | scope | env | string | Deploy on this environment. | | scope | service | string | Deploy on this service. | | attributes | search_query | string | Generated event search query for traces matching the exclusion filter. | | data | id | string | The identifier of the WAF exclusion filter. | | data | type | enum | Type of the resource. The value should always be `exclusion_filter`. Allowed enum values: `exclusion_filter` | {% /tab %} {% tab title="Example" %} ```json { "data": { "attributes": { "description": "Exclude false positives on a path", "enabled": true, "event_query": "string", "ip_list": [ "198.51.100.72" ], "metadata": { "added_at": "2019-09-19T10:00:00.000Z", "added_by": "string", "added_by_name": "string", "modified_at": "2019-09-19T10:00:00.000Z", "modified_by": "string", "modified_by_name": "string" }, "on_match": "string", "parameters": [ "list.search.query" ], "path_glob": "/accounts/*", "rules_target": [ { "rule_id": "dog-913-009", "tags": { "category": "attack_attempt", "type": "lfi" } } ], "scope": [ { "env": "www", "service": "prod" } ], "search_query": "string" }, "id": "3dd-0uc-h1s", "type": "exclusion_filter" } } ``` {% /tab %} {% /tab %} {% tab title="400" %} Bad Request {% tab title="Model" %} API error response. | Field | Type | Description | | ------------------------ | -------- | ----------------- | | errors [*required*] | [string] | A list of errors. | {% /tab %} {% tab title="Example" %} ```json { "errors": [ "Bad Request" ] } ``` {% /tab %} {% /tab %} {% tab title="403" %} Not Authorized {% tab title="Model" %} API error response. | Field | Type | Description | | ------------------------ | -------- | ----------------- | | errors [*required*] | [string] | A list of errors. | {% /tab %} {% tab title="Example" %} ```json { "errors": [ "Bad Request" ] } ``` {% /tab %} {% /tab %} {% tab title="409" %} Concurrent Modification {% tab title="Model" %} API error response. | Field | Type | Description | | ------------------------ | -------- | ----------------- | | errors [*required*] | [string] | A list of errors. | {% /tab %} {% tab title="Example" %} ```json { "errors": [ "Bad Request" ] } ``` {% /tab %} {% /tab %} {% tab title="429" %} Too many requests {% tab title="Model" %} API error response. | Field | Type | Description | | ------------------------ | -------- | ----------------- | | errors [*required*] | [string] | A list of errors. | {% /tab %} {% tab title="Example" %} ```json { "errors": [ "Bad Request" ] } ``` {% /tab %} {% /tab %} ### Code Example ##### \## default # \# Curl command curl -X POST "https://api.datadoghq.com/api/v2/remote_config/products/asm/waf/exclusion_filters" \ -H "Accept: application/json" \ -H "Content-Type: application/json" \ -H "DD-API-KEY: ${DD_API_KEY}" \ -H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \ -d @- << EOF { "data": { "attributes": { "description": "Exclude false positives on a path", "enabled": true, "ip_list": [ "198.51.100.72" ], "on_match": "monitor", "parameters": [ "list.search.query" ], "path_glob": "/accounts/*", "rules_target": [ { "rule_id": "dog-913-009", "tags": { "category": "attack_attempt", "type": "lfi" } } ], "scope": [ { "env": "www", "service": "prod" } ] }, "type": "exclusion_filter" } } EOF ##### ```go // Create a WAF exclusion filter returns "OK" response package main import ( "context" "encoding/json" "fmt" "os" "github.com/DataDog/datadog-api-client-go/v2/api/datadog" "github.com/DataDog/datadog-api-client-go/v2/api/datadogV2" ) func main() { body := datadogV2.ApplicationSecurityWafExclusionFilterCreateRequest{ Data: datadogV2.ApplicationSecurityWafExclusionFilterCreateData{ Attributes: datadogV2.ApplicationSecurityWafExclusionFilterCreateAttributes{ Description: "Exclude false positives on a path", Enabled: true, Parameters: []string{ "list.search.query", }, PathGlob: datadog.PtrString("/accounts/*"), RulesTarget: []datadogV2.ApplicationSecurityWafExclusionFilterRulesTarget{ { Tags: &datadogV2.ApplicationSecurityWafExclusionFilterRulesTargetTags{ Category: datadog.PtrString("attack_attempt"), Type: datadog.PtrString("lfi"), }, }, }, Scope: []datadogV2.ApplicationSecurityWafExclusionFilterScope{ { Env: datadog.PtrString("www"), Service: datadog.PtrString("prod"), }, }, }, Type: datadogV2.APPLICATIONSECURITYWAFEXCLUSIONFILTERTYPE_EXCLUSION_FILTER, }, } ctx := datadog.NewDefaultContext(context.Background()) configuration := datadog.NewConfiguration() apiClient := datadog.NewAPIClient(configuration) api := datadogV2.NewApplicationSecurityApi(apiClient) resp, r, err := api.CreateApplicationSecurityWafExclusionFilter(ctx, body) if err != nil { fmt.Fprintf(os.Stderr, "Error when calling `ApplicationSecurityApi.CreateApplicationSecurityWafExclusionFilter`: %v\n", err) fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r) } responseContent, _ := json.MarshalIndent(resp, "", " ") fmt.Fprintf(os.Stdout, "Response from `ApplicationSecurityApi.CreateApplicationSecurityWafExclusionFilter`:\n%s\n", responseContent) } ``` #### Instructions First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=go) and then save the example to `main.go` and run following commands: DD_SITE="datadoghq.com" DD_API_KEY="" DD_APP_KEY="" go run "main.go" ##### ```java // Create a WAF exclusion filter returns "OK" response import com.datadog.api.client.ApiClient; import com.datadog.api.client.ApiException; import com.datadog.api.client.v2.api.ApplicationSecurityApi; import com.datadog.api.client.v2.model.ApplicationSecurityWafExclusionFilterCreateAttributes; import com.datadog.api.client.v2.model.ApplicationSecurityWafExclusionFilterCreateData; import com.datadog.api.client.v2.model.ApplicationSecurityWafExclusionFilterCreateRequest; import com.datadog.api.client.v2.model.ApplicationSecurityWafExclusionFilterResponse; import com.datadog.api.client.v2.model.ApplicationSecurityWafExclusionFilterRulesTarget; import com.datadog.api.client.v2.model.ApplicationSecurityWafExclusionFilterRulesTargetTags; import com.datadog.api.client.v2.model.ApplicationSecurityWafExclusionFilterScope; import com.datadog.api.client.v2.model.ApplicationSecurityWafExclusionFilterType; import java.util.Collections; public class Example { public static void main(String[] args) { ApiClient defaultClient = ApiClient.getDefaultApiClient(); ApplicationSecurityApi apiInstance = new ApplicationSecurityApi(defaultClient); ApplicationSecurityWafExclusionFilterCreateRequest body = new ApplicationSecurityWafExclusionFilterCreateRequest() .data( new ApplicationSecurityWafExclusionFilterCreateData() .attributes( new ApplicationSecurityWafExclusionFilterCreateAttributes() .description("Exclude false positives on a path") .enabled(true) .parameters(Collections.singletonList("list.search.query")) .pathGlob("/accounts/*") .rulesTarget( Collections.singletonList( new ApplicationSecurityWafExclusionFilterRulesTarget() .tags( new ApplicationSecurityWafExclusionFilterRulesTargetTags() .category("attack_attempt") .type("lfi")))) .scope( Collections.singletonList( new ApplicationSecurityWafExclusionFilterScope() .env("www") .service("prod")))) .type(ApplicationSecurityWafExclusionFilterType.EXCLUSION_FILTER)); try { ApplicationSecurityWafExclusionFilterResponse result = apiInstance.createApplicationSecurityWafExclusionFilter(body); System.out.println(result); } catch (ApiException e) { System.err.println( "Exception when calling" + " ApplicationSecurityApi#createApplicationSecurityWafExclusionFilter"); System.err.println("Status code: " + e.getCode()); System.err.println("Reason: " + e.getResponseBody()); System.err.println("Response headers: " + e.getResponseHeaders()); e.printStackTrace(); } } } ``` #### Instructions First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=java) and then save the example to `Example.java` and run following commands: DD_SITE="datadoghq.com" DD_API_KEY="" DD_APP_KEY="" java "Example.java" ##### ```python """ Create a WAF exclusion filter returns "OK" response """ from datadog_api_client import ApiClient, Configuration from datadog_api_client.v2.api.application_security_api import ApplicationSecurityApi from datadog_api_client.v2.model.application_security_waf_exclusion_filter_create_attributes import ( ApplicationSecurityWafExclusionFilterCreateAttributes, ) from datadog_api_client.v2.model.application_security_waf_exclusion_filter_create_data import ( ApplicationSecurityWafExclusionFilterCreateData, ) from datadog_api_client.v2.model.application_security_waf_exclusion_filter_create_request import ( ApplicationSecurityWafExclusionFilterCreateRequest, ) from datadog_api_client.v2.model.application_security_waf_exclusion_filter_rules_target import ( ApplicationSecurityWafExclusionFilterRulesTarget, ) from datadog_api_client.v2.model.application_security_waf_exclusion_filter_rules_target_tags import ( ApplicationSecurityWafExclusionFilterRulesTargetTags, ) from datadog_api_client.v2.model.application_security_waf_exclusion_filter_scope import ( ApplicationSecurityWafExclusionFilterScope, ) from datadog_api_client.v2.model.application_security_waf_exclusion_filter_type import ( ApplicationSecurityWafExclusionFilterType, ) body = ApplicationSecurityWafExclusionFilterCreateRequest( data=ApplicationSecurityWafExclusionFilterCreateData( attributes=ApplicationSecurityWafExclusionFilterCreateAttributes( description="Exclude false positives on a path", enabled=True, parameters=[ "list.search.query", ], path_glob="/accounts/*", rules_target=[ ApplicationSecurityWafExclusionFilterRulesTarget( tags=ApplicationSecurityWafExclusionFilterRulesTargetTags( category="attack_attempt", type="lfi", ), ), ], scope=[ ApplicationSecurityWafExclusionFilterScope( env="www", service="prod", ), ], ), type=ApplicationSecurityWafExclusionFilterType.EXCLUSION_FILTER, ), ) configuration = Configuration() with ApiClient(configuration) as api_client: api_instance = ApplicationSecurityApi(api_client) response = api_instance.create_application_security_waf_exclusion_filter(body=body) print(response) ``` #### Instructions First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=python) and then save the example to `example.py` and run following commands: DD_SITE="datadoghq.com" DD_API_KEY="" DD_APP_KEY="" python3 "example.py" ##### ```ruby # Create a WAF exclusion filter returns "OK" response require "datadog_api_client" api_instance = DatadogAPIClient::V2::ApplicationSecurityAPI.new body = DatadogAPIClient::V2::ApplicationSecurityWafExclusionFilterCreateRequest.new({ data: DatadogAPIClient::V2::ApplicationSecurityWafExclusionFilterCreateData.new({ attributes: DatadogAPIClient::V2::ApplicationSecurityWafExclusionFilterCreateAttributes.new({ description: "Exclude false positives on a path", enabled: true, parameters: [ "list.search.query", ], path_glob: "/accounts/*", rules_target: [ DatadogAPIClient::V2::ApplicationSecurityWafExclusionFilterRulesTarget.new({ tags: DatadogAPIClient::V2::ApplicationSecurityWafExclusionFilterRulesTargetTags.new({ category: "attack_attempt", type: "lfi", }), }), ], scope: [ DatadogAPIClient::V2::ApplicationSecurityWafExclusionFilterScope.new({ env: "www", service: "prod", }), ], }), type: DatadogAPIClient::V2::ApplicationSecurityWafExclusionFilterType::EXCLUSION_FILTER, }), }) p api_instance.create_application_security_waf_exclusion_filter(body) ``` #### Instructions First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=ruby) and then save the example to `example.rb` and run following commands: DD_SITE="datadoghq.com" DD_API_KEY="" DD_APP_KEY="" rb "example.rb" ##### ```rust // Create a WAF exclusion filter returns "OK" response use datadog_api_client::datadog; use datadog_api_client::datadogV2::api_application_security::ApplicationSecurityAPI; use datadog_api_client::datadogV2::model::ApplicationSecurityWafExclusionFilterCreateAttributes; use datadog_api_client::datadogV2::model::ApplicationSecurityWafExclusionFilterCreateData; use datadog_api_client::datadogV2::model::ApplicationSecurityWafExclusionFilterCreateRequest; use datadog_api_client::datadogV2::model::ApplicationSecurityWafExclusionFilterRulesTarget; use datadog_api_client::datadogV2::model::ApplicationSecurityWafExclusionFilterRulesTargetTags; use datadog_api_client::datadogV2::model::ApplicationSecurityWafExclusionFilterScope; use datadog_api_client::datadogV2::model::ApplicationSecurityWafExclusionFilterType; use std::collections::BTreeMap; #[tokio::main] async fn main() { let body = ApplicationSecurityWafExclusionFilterCreateRequest::new( ApplicationSecurityWafExclusionFilterCreateData::new( ApplicationSecurityWafExclusionFilterCreateAttributes::new( "Exclude false positives on a path".to_string(), true, ) .parameters(vec!["list.search.query".to_string()]) .path_glob("/accounts/*".to_string()) .rules_target(vec![ApplicationSecurityWafExclusionFilterRulesTarget::new( ) .tags( ApplicationSecurityWafExclusionFilterRulesTargetTags::new() .category("attack_attempt".to_string()) .type_("lfi".to_string()) .additional_properties(BTreeMap::from([])), )]) .scope(vec![ApplicationSecurityWafExclusionFilterScope::new() .env("www".to_string()) .service("prod".to_string())]), ApplicationSecurityWafExclusionFilterType::EXCLUSION_FILTER, ), ); let configuration = datadog::Configuration::new(); let api = ApplicationSecurityAPI::with_config(configuration); let resp = api .create_application_security_waf_exclusion_filter(body) .await; if let Ok(value) = resp { println!("{:#?}", value); } else { println!("{:#?}", resp.unwrap_err()); } } ``` #### Instructions First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=rust) and then save the example to `src/main.rs` and run following commands: DD_SITE="datadoghq.com" DD_API_KEY="" DD_APP_KEY="" cargo run ##### ```typescript /** * Create a WAF exclusion filter returns "OK" response */ import { client, v2 } from "@datadog/datadog-api-client"; const configuration = client.createConfiguration(); const apiInstance = new v2.ApplicationSecurityApi(configuration); const params: v2.ApplicationSecurityApiCreateApplicationSecurityWafExclusionFilterRequest = { body: { data: { attributes: { description: "Exclude false positives on a path", enabled: true, parameters: ["list.search.query"], pathGlob: "/accounts/*", rulesTarget: [ { tags: { category: "attack_attempt", type: "lfi", }, }, ], scope: [ { env: "www", service: "prod", }, ], }, type: "exclusion_filter", }, }, }; apiInstance .createApplicationSecurityWafExclusionFilter(params) .then((data: v2.ApplicationSecurityWafExclusionFilterResponse) => { console.log( "API called successfully. Returned data: " + JSON.stringify(data) ); }) .catch((error: any) => console.error(error)); ``` #### Instructions First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=typescript) and then save the example to `example.ts` and run following commands: DD_SITE="datadoghq.com" DD_API_KEY="" DD_APP_KEY="" tsc "example.ts" {% /tab %}