REST API Rules
The URL api/v1/rules supports the following HTTP verbs:
POST—Creates a new rule
HTTP request:
POST api/v1/rules
Request header: Authorization token
Request body: The new rule's XML
Response: HTTP code 201. The HTTP Location header contains the URL for a GET request with the ID of the newly created rule (for example, HTTP://<<SERVER_NAME>>/api/v1/rules/121, where 121 is the new rule's ID). The response body returns JSON with the newly created rules object. This JSON is identical to the response to GET.
Invalid rules are not saved.
GET—Lists rules
HTTP request:
GET api/v1/rules
Request header: Authorization token
Request body: None
Similar to the API for getting detections, GET supports $top, $skip, $count and $orderBy in the URL.
Response: JSON object fields: value and count (count only if $count is present in the query). The value field contains:
id, name, enabled, severity, severityScore
GET—Gets a single rule
HTTP request:
GET api/v1/rules/{id}
URL query:
$idType: if $idType=uuid, {id} in the URL is interpreted as the rule’s uuid
Request header: Authorization token
Request body: None
Response: In addition to the expected fields, the response should contain a “rule” field with the rule’s XML.
PUT—Edits rule body
HTTP request:
PUT api/v1/rules/{id}
URL query:
$idType: if $idType=uuid, {id} in the URL is interpreted as the rule’s uuid
Request header: Authorization token
Request body: The rule's new XML.
Response: Returns the updated object. As with POST, the response is the same as the response to GET.
DELETE—Deletes a rule
HTTP request:
DELETE api/v1/rules/{id}
URL query:
$idType: if $idType=uuid, {id} in the URL is interpreted as the rule’s uuid
Request header: Authorization token
Request body: None
Response body: None
PATCH—Updates specific rule
HTTP request:
PATCH api/v1/rules/{ruleId}
URL query:
$idType: if $idType=uuid, {id} in the URL is interpreted as the rule's uuid
JSON request body:
enabled: (bool) value true (1) to enable, false (0) to disable
Request header: Authorization token
Response body: None
Enables/disables a specific rule
If successful, returns a 204 code
All requests require an authorization token in the header.
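The request shapes described above, as an added Python example that is not part of the original documentation: it builds (without sending) the requests for the documented verbs and reads the new rule's ID from the Location header of a 201 response. The function names, the server name, the token value, the XML content type and passing the token as the whole Authorization header value are assumptions; the page only says an authorization token goes in the header.

```python
import json
from urllib.parse import quote, urlencode, urlsplit
from urllib.request import Request

RULES = "/api/v1/rules"

def rules_url(base, rule_id=None, by_uuid=False, **odata):
    """Build the rules URL; odata keys are top, skip, count, orderBy."""
    path = RULES if rule_id is None else RULES + "/" + quote(str(rule_id), safe="")
    params = {"$" + k: v for k, v in odata.items() if v is not None}
    if by_uuid:
        params["$idType"] = "uuid"       # {id} is then read as the rule's uuid
    query = urlencode(params, safe="$")  # keep the literal "$" prefix
    return base.rstrip("/") + path + ("?" + query if query else "")

def rules_request(method, base, token, rule_id=None, by_uuid=False, body=None, **odata):
    """Return an unsent urllib Request for one of the documented verbs."""
    headers = {"Authorization": token}   # assumption: token is the full header value
    data = None
    if isinstance(body, dict):           # PATCH body, e.g. {"enabled": False}
        data = json.dumps(body).encode("utf-8")
        headers["Content-Type"] = "application/json"
    elif body is not None:               # POST/PUT body: the rule's XML
        data = body.encode("utf-8")
        headers["Content-Type"] = "application/xml"  # assumption, not stated on the page
    url = rules_url(base, rule_id, by_uuid, **odata)
    return Request(url, data=data, headers=headers, method=method)

def set_enabled(base, token, rule_id, enabled, by_uuid=False):
    """PATCH request that enables or disables a rule; success is HTTP 204."""
    return rules_request("PATCH", base, token, rule_id, by_uuid, {"enabled": bool(enabled)})

def created_rule_id(status, location):
    """Extract the new rule's ID from the Location header of a 201 response."""
    if status != 201 or not location:
        raise ValueError("rule was not created")
    return urlsplit(location).path.rstrip("/").rsplit("/", 1)[-1]

if __name__ == "__main__":
    BASE, TOKEN = "https://server.example.test", "CONSTRUCTED-TOKEN"  # constructed values
    req = set_enabled(BASE, TOKEN, "CONSTRUCTED-UUID", False, by_uuid=True)
    print(req.get_method(), req.get_full_url(), req.data)
    print(rules_request("GET", BASE, TOKEN, top=10, skip=20).get_full_url())
    print(created_rule_id(201, BASE + "/api/v1/rules/121"))
```

Pass the resulting Request to urllib.request.urlopen to send it; the rule ID is percent-encoded so that a value containing "/" or "?" cannot change the request path.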