REST API Rules

URL api/v1/rules support the following HTTP verbs:

POST—Creates a new rule

HTTP request:

Request header: Authorization token

Request body: The new rule's XML

Response: 201 HTTP Code and HTTP Location header contains the URL to GET request with ID to newly created rule (for example, HTTP://<<SERVER_NAME>>/api/v1/rules/121 where 121 is the new rule's ID). Response body returns JSON with a newly created rules object. This JSON is identical to the response to GET.

Invalid rules are not saved.

GET—Lists rules

HTTP request:

Request header: Authorization token

Request body: None

Similar to API for getting detections GET supports $top, $skip, $count and $orderBy in the URL.

Request body: None

Response: JSON object fields: Value and count (only if $count is present in the query). The value field contains:

GET—Gets a single rule

HTTP request:

URL query:

Request header: Authorization token

Request body: None

Response: In addition to the expected fields, the response should contain a “rule” field with the rule’s XML.

PUT—Edits rule body

HTTP request:

URL query:

Request header: Authorization token

Request body: The rule's new XML.

Response: Returns an updated object from requests. Similar to POST, returns a GET response.

DELETE—Deletes a rule

HTTP request:

URL query:

Request header: Authorization token

Request body: None

Response body: None

PATCH—Updates specific rule

HTTP request:

URL query:

JSON request body:

Request header: Authorization token

Response body: None

Enables/disables a specific rule

If successful, returns a 204 code

All requests require an authorization token in the header.

˄˅