ESET Online Help

REST API Rules

The URL api/v1/rules supports the following HTTP verbs:

POST - Creates a new rule

HTTP request:

POST api/v1/rules

Request header: Authorization token

Request body: The new rule's XML

Response: HTTP code 201. The HTTP Location header contains the URL for a GET request with the ID of the newly created rule (for example, HTTP://<<SERVER_NAME>>/api/v1/rules/121, where 121 is the new rule's ID). The response body returns JSON with the newly created rule object. This JSON is identical to the response to GET.

Invalid rules are not saved.

GET - Lists rules

HTTP request:

GET api/v1/rules

Request header: Authorization token

Request body: none

Similarly to the API that gets detections, this request supports $top, $skip, $count, and $orderBy in the URL.

Response: A JSON object with the fields value and count (count only if $count is present in the URL query). The value field contains an array of objects with the following fields:

id

name

enabled

severity

severityScore

GET - Gets a single rule

HTTP request:

GET api/v1/rules/{id}

URL query:

$idType

If $idType=uuid, {id} in the URL is interpreted as the UUID of a rule.

Request header: Authorization token

Request body: none

Response: In addition to the fields returned by the rules listing, the response should have a “rule” field with the rule's XML.

PUT - Edits rule body

HTTP request:

PUT api/v1/rules/{id}

URL query:

$idType

If $idType=uuid, {id} in the URL is interpreted as the UUID of a rule.

Request header: Authorization token

Request body: The rule's new XML.

Response: Returns the updated rule object. As with POST, the body is the same as the GET response.

DELETE - Deletes a rule

HTTP request:

DELETE api/v1/rules/{id}

URL query:

$idType

If $idType=uuid, {id} in the URL is interpreted as the rule's UUID.

Request header: Authorization token

Request body: none

Response body: none

PATCH - Updates a specific rule

HTTP request:

PATCH api/v1/rules/{ruleId}

URL query:

$idType

If $idType=uuid, {ruleId} in the URL is interpreted as the rule's UUID.

JSON request body:

enabled (bool): true (1) to enable, false (0) to disable

Request header: Authorization token

Response body: none

Enables/disables a specific rule

If successful, returns a 204 code

All requests require an authorization token in the header.
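
The following is an added example, not ESET's own code: a small Python client that pages through the rule listing with $top and $skip, then plans the POST and PATCH requests needed to bring the server in line with a local rule set, which also surfaces detection rules that have been disabled unexpectedly. The function names, the application/xml content type, passing the Authorization header value verbatim, and matching rules by unique name are assumptions.

```python
import json
from urllib.parse import quote, urlparse
from urllib.request import Request, urlopen

def build(base, auth, method, path="", query=None, xml=None, patch=None):
    """Build one request against api/v1/rules; nothing is sent here."""
    url = f"{base.rstrip('/')}/api/v1/rules{path}"
    if query:  # keep the literal '$' of $top, $skip, $idType in the query keys
        url += "?" + "&".join(f"{k}={quote(str(v))}" for k, v in query.items())
    headers = {"Authorization": auth}  # assumption: caller passes the full header value
    body = None
    if xml is not None:  # POST and PUT carry the rule's XML (content type assumed)
        body, headers["Content-Type"] = xml.encode("utf-8"), "application/xml"
    elif patch is not None:  # PATCH carries JSON such as {"enabled": false}
        body, headers["Content-Type"] = json.dumps(patch).encode("utf-8"), "application/json"
    return Request(url, data=body, headers=headers, method=method)

def send_json(req):
    """Default transport: send the request, decode a JSON body (None when empty)."""
    with urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None

def rule_id_from_location(location):
    """Take the new rule's ID from the Location header returned with the 201."""
    return urlparse(location).path.rstrip("/").rsplit("/", 1)[-1]

def list_all(base, auth, send=send_json, page=100):
    """Page through GET api/v1/rules with $top/$skip until a short page arrives."""
    rules = []
    while True:
        batch = send(build(base, auth, "GET", query={"$top": page, "$skip": len(rules)}))["value"]
        rules.extend(batch)
        if len(batch) < page:
            return rules

def plan_sync(base, auth, existing, desired):
    """desired maps rule name -> (xml, enabled); names are assumed unique.
    Returns POSTs for rules missing on the server and PATCHes for enabled drift."""
    by_name = {r["name"]: r for r in existing}
    plan = []
    for name, (xml, enabled) in desired.items():
        current = by_name.get(name)
        if current is None:
            plan.append(build(base, auth, "POST", xml=xml))
        elif bool(current["enabled"]) != enabled:
            plan.append(build(base, auth, "PATCH", f"/{current['id']}", patch={"enabled": enabled}))
    return plan
```

Pass each planned request to send_json to apply it; an edit to an existing rule's XML would use build(..., "PUT", f"/{id}", xml=...) in the same way.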