Skip to main content

createCustomRule

Method to create a custom rule.

Parameters

Parameter	Type	Optional	Description
`type`	Number	Yes	The type of rule to create. Possible values: `1` - Detection, `2` - Exclusion
`companyId`	String	Yes	The company Id where the attached rule should be created. The default value is the ID of the company linked to the user who generated the API key.
`name`	String	No	The name of the rule to be created.
`description`	String	Yes	The description of the rule.
`tags`	Array	Yes	The list of associated tags. The tag list is an array of strings.
`settings`	Array	No	The rule settings. These are the available settings: `status` `severity` (if Detection Rule) `target` (e.g process, connection, file) `criteria list`, array of objects. Each object contains a `field`, a `relation` and a `value`. Note For more information on the possible values of `criteria list` objects, refer to Detections and exclusions
`returnRuleId`	Boolean	Yes	Indicates if the request will return the ID of the new rule. Possible values: `true`, will return the ID of the newly created rule, if the request is successful. `false`, will not return the ID of the newly created rule. Instead, it will return a Boolean value. Default value: `False`.

Detections and exclusions

Detection (type =1)	Exclusion (type=2)	Display Name	target	Field	Relation	Validator
Yes	Yes	Name	process	Process.Name	is \|contains\| any	string
Yes	Yes	Path	process	Process.Path	is \|contains\| any	string
Yes	Yes	Full Path Name	process	Process.FullPathName	is \|contains\| any	string
Yes	Yes	Command Line	process	Process.CommandLine	is \|contains\| any	string
Yes	Yes	Parent Name	process	Process.Parent.Name	is \|contains\| any	string
Yes	Yes	Parent Path	process	Process.Parent.Path	is \|contains\| any	string
Yes	Yes	Paret Full Path Name	process	Process.Parent.FullPathName	is \|contains\| any	string
Yes	Yes	Parent Command Line	process	Process.Parent.CommandLine	is \|contains\| any	string
Yes	Yes	Name	file	File.Name	is \|contains\| any	string
Yes	Yes	Path	file	File.Path	is \|contains\| any	string
Yes	Yes	Full Path Name	file	File.FullPathName	is \|contains\| any	string
Yes	Yes	Creation Process Name	file	File.CreatedBy.Name	is \|contains\| any	string
Yes	Yes	Creation Process Path	file	File.CreatedBy.Path	is \|contains\| any	string
Yes	Yes	Creation Process Full Path Name	file	File.CreatedBy.FullPathName	is \|contains\| any	string
Yes	Yes	Creation Process Command Line	file	File.CreatedBy.CommandLine	is \|contains\| any	string
Yes	Yes	Source IP	connection	Connection.SourceIP	is \|contains\| any	valid IP
Yes	Yes	Destination IP	connection	Connection.DestinationIP	is \|contains\| any	valid IP
Yes	Yes	Source Port	connection	Connection.SourcePort	is \|contains\| any	integer between 0 and 65,535
Yes	Yes	Destination Port	connection	Connection.DestinationPort	is \|contains\| any	integer between 0 and 65,535
Yes	Yes	Creation Process Name	connection	Connection.Process.Name	is \|contains\| any	string
Yes	Yes	Creation Process Path	connection	Connection.Process.Path	is \|contains\| any	string
Yes	Yes	Creation Process Full Path Name	connection	Connection.Process.FullPathName	is \|contains\| any	string
Yes	Yes	Creation Process Command Line	connection	Connection.Process.CommandLine	is \|contains\| any	string
Yes	No	Key	registry	Registry.Key	is \|contains\| any	string
Yes	No	Value	registry	Registry.Value	is \|contains\| any	string
Yes	No	Creation Process Name	registry	Registry.CreatedBy.Name	is \|contains\| any	string
Yes	No	Creation Process Path	registry	Registry.CreatedBy.Path	is \|contains\| any	string
Yes	No	Creation Process Full Path Name	registry	Registry.CreatedBy.FullPathName	is \|contains\| any	string
Yes	No	Creation Process Command Line	registry	Registry.CreatedBy.CommandLine	is \|contains\| any	string

Note

The any operator implies an array.

Return value

This method returns the ID of the newly created rule or a boolean value which is true if the creation of the custom rule was successful.

Example

Request:

  {
   "params": {
        "companyId": "61827b8036492c2fc0718722",
        "type": 1,
        "name": "Detection Rule via API",
        "description": "description test api",
        "tags": [
           "test",
           "api",     
           "demo"
        ],
        "settings": {
         "status": 0,
         "severity": 1,
         "target": "connection",
         "criteriaList": [
          {
               "field": "Connection.DestinationPort",
               "relation": "is",
               "value": [
               "25691"
           ]
          },
          {
               "field": "Connection.Process.Name",
               "relation": "contains",
               "value": "./network1"
          },
          {
               "field": "Connection.SourcePort",
               "relation": "any",
               "value": [
                "22",
                "23",
                "24"
           ]
          }
         ]
        },
	"returnRuleId": true
       },
   "jsonrpc": "2.0",
   "method": "createCustomRule",
   "id": "0df7568c-59c1-48e0-a31b-18d83e6d9810"
  }

Response:

  {
   "id": "0df7568c-59c1-48e0-a31b-18d83e6d9810",
   "jsonrpc": "2.0",
   "result": 6372b7a3897aaa77ee021642
  }

Was this helpful?

Would you like to provide feedback? Just click here to suggest edits.