REST API Rules

The URL api/v1/rules supports the following HTTP verbs:

POST - Creates a new rule

 

HTTP request: POST api/v1/rules

Request header: Authorization token

Request body: XML of the new rule

Response: HTTP code 201. The HTTP Location header contains the URL for a GET request for the newly created rule (e.g. HTTP://<<SERVER_NAME>>/api/v1/rules/121, where 121 is the rule ID of the new rule). The response body is JSON with the newly created rule object. This JSON is identical to the response to GET.

Invalid rules are not saved.

 

GET - Lists rules

HTTP request: GET api/v1/rules

Request header: Authorization token

Request body: none

Like the API for getting detections, this request supports $top, $skip, $count and $orderBy in the URL query.

Response: JSON object with the fields value and count (count only if $count is present in the URL query). The value field contains an array of objects with the following fields:

id

name

enabled

severity

severityScore

 

GET – Gets a single rule

 

HTTP request: GET api/v1/rules/{id}

URL query:

$idType – if $idType=uuid, {id} in the URL is interpreted as the UUID of a rule

Request header: Authorization token

Request body: none

Response: Apart from fields returned by the rules listing, the response should contain a “rule” field with XML of the rule.

 

PUT - Edits rule body

 

HTTP request: PUT api/v1/rules/{id}

URL query:

$idType – if $idType=uuid, {id} in the URL is interpreted as the UUID of a rule

Request header: Authorization token

Request body: new XML of the rule

Response: returns the updated object. As with POST, the response is the same as a GET response.

 

DELETE - Deletes a rule

 

HTTP request: DELETE api/v1/rules/{id}

URL query:

$idType – if $idType=uuid, {id} in the URL is interpreted as the UUID of a rule

Request header: Authorization token

Request body: none

Response body: none

 

PATCH - Updates a particular rule

 

HTTP request: PATCH api/v1/rules/{ruleId}

URL query:

$idType – if $idType=uuid, {id} in the URL is interpreted as the UUID of a rule

JSON request body:

enabled (bool) – value true (1) to enable, false (0) to disable

Request header: Authorization token

Response body: none

Enables or disables a particular rule.

If successful, returns 204 code.

 

All requests require an authorization token in the header.
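
The following client sketch is an added example, not part of the original documentation. It pages through the rule listing with $top/$skip/$count, reports disabled rules (each one is a detection gap) by severityScore, and toggles a rule by UUID with PATCH. Assumptions: the server name, the token being sent as the raw value of an Authorization header, and `1` as the value for $count.

```python
import json
import urllib.request
from urllib.parse import quote, urlencode

# Assumed placeholder for HTTP://<<SERVER_NAME>>/api/v1/rules
BASE = "https://server.example.test/api/v1/rules"

def build_request(method, token, rule_id=None, query=None, body=None):
    """Build (but do not send) a request for api/v1/rules[/{id}]."""
    url = BASE if rule_id is None else BASE + "/" + quote(str(rule_id), safe="")
    if query:
        url += "?" + urlencode(query, safe="$")  # keep "$top" etc. literal
    data = body.encode("utf-8") if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", token)  # assumption: token sent as-is
    return req

def send(req):
    """Default transport: returns (status, parsed JSON body or None)."""
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return resp.status, json.loads(raw) if raw else None

def list_all_rules(token, page_size=100, transport=send):
    """Page through GET api/v1/rules using $top/$skip; $count adds the total."""
    rules, skip = [], 0
    while True:
        query = {"$top": page_size, "$skip": skip, "$count": 1}  # value 1 assumed
        _, page = transport(build_request("GET", token, query=query))
        rules.extend(page["value"])
        skip += len(page["value"])
        if len(page["value"]) < page_size or skip >= page.get("count", skip + 1):
            return rules

def disabled_rules(token, **kw):
    """Disabled rules, highest severityScore first."""
    off = [r for r in list_all_rules(token, **kw) if not r["enabled"]]
    return sorted(off, key=lambda r: r["severityScore"], reverse=True)

def set_enabled(token, rule_uuid, enabled, transport=send):
    """PATCH {"enabled": bool} addressed by UUID; True on the documented 204."""
    req = build_request("PATCH", token, rule_uuid, {"$idType": "uuid"},
                        json.dumps({"enabled": bool(enabled)}))
    status, _ = transport(req)
    return status == 204

if __name__ == "__main__":  # constructed sample page, so this runs offline
    row = {"id": 1, "name": "demo", "enabled": False, "severityScore": 70}
    print(disabled_rules("TOKEN", transport=lambda r: (200, {"value": [row], "count": 1})))
```

Passing a different `transport` callable lets the same functions run against a recorded response or a test double instead of a live server.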