Skip to main content

createCustomRule

Method to create a custom rule.

Parameters

Parameter

Description

Included in request

Type

Value requirements

type

The type of the rule to be created: detection or exclusion.

Optional

Integer

Possible values:

  • 1 - Detection

  • 2 - Exclusion

Default value: 2.

subtype

Specifies whether the rule is YARA-based or Basic.

Optional

Integer

Possible values:

  • 0 - Basic

  • 1 - YARA

Default value: 0.

name

The name of the rule to be created.

Mandatory

String

This parameter cannot begin with a whitespace character, cannot include the characters <, >, ', or ", and must be no longer than 128 characters.

Also, it cannot be duplicated within your company.

description

The description of the rule.

Optional

String

This parameter cannot begin with a whitespace character, cannot include the characters <, >, ', or ", and must be no longer than 1024 characters.

tags

The list of associated rule tags.

Optional

Array of Strings

Each string must:

  • Not contain <, >, ', or "

  • Be at least 2 characters long and no longer than 128 characters

  • Not start with a whitespace character

  • Be unique in the array

settings

The settings associated with the rule.

Mandatory

Object

Refer to settings.

returnRuleId

Indicates if the request will return the ID of the new rule.

Optional

Boolean

Possible values:

  • true, will return the ID of the newly created rule, if the request is successful.

  • false, will not return the ID of the newly created rule. Instead, it will return a Boolean value.

Default value: false.

General parameters

These are common parameters, available across all public API methods:

Parameter

Description

Included in request

Type

Value requirements

id

This parameter adds an identifier to the request, linking it to its corresponding response.

The target replies with the same value in the response, allowing easy call tracking.

Mandatory

String

No additional requirements.

method

The name of the method you are using to send the request.

Mandatory

String

Must be a valid method name.

jsonrpc

The version of JSON-RPC used by the request and the response.

Mandatory

String

The only possible value is 2.0.

params

An object containing the configuration of the request.

Mandatory

Object

No additional requirements.

Objects

settings

Name

Description

Included in request

Type

Value requirements

status

Indicates if the rule is active or has On-access scanning enabled.

Optional

Integer

Possible values for Basic rules:

  • 0 - The rule is inactive.

  • 1 - The rule is active.

Possible values for YARA rules:

  • 0 - On-access scanning is disabled for the rule.

  • 1 - On-access scanning is enabled for the rule.

Default value for YARA and Basic rules: 1.

severity

Indicates the severity of the alerts that will be generated.

Mandatory for detection rules

Not applicable to exclusion rules.

Integer

Possible values:

  • 1 - Low

  • 2 - Medium

  • 3 - High

target

Indicates the type of the target entity.

Mandatory for Basic rules

Not applicable to YARA rules

String

Possible values for custom exclusion and detection rules:

  • process

  • file

    Important

    Requires at least one of the following license types:

    • A license with EDR

    • A license that provides at least one of these sensors:

      • The Azure AD sensor

      • The Google Cloud Platform sensor

      • The Office 365 sensor

      • The Google Workspace sensor

      • The AWS sensor

  • connection

  • registry

    Important

    Requires a license with EDR.

  • user connection

  • email

    Important

    Requires at least one of the following license types:

    • A license with EDR

    • A license that provides at least one of these sensors:

      • The Azure AD sensor

      • The Office 365 sensor

      • The Google Workspace sensor

  • application

    Important

    Requires a license that provides at least one of these sensors:

    • The Azure AD sensor

    • The Office 365 sensor

  • key vault

    Important

    Requires a license providing the Azure Cloud sensor.

  • role

    Important

    Requires a license that provides at least one of these sensors:

    • The Atlassian Cloud sensor

    • The Azure AD sensor

    • The Azure Cloud sensor

    • The Google Workspace sensor

    • The Google Cloud Platform sensor

    • The AWS sensor

  • policy

    Important

    Requires a license that provides at least one of these sensors:

    • The Azure AD sensor

    • The AWS sensor

    • The Google Cloud Platform sensor

    • The Office 365 sensor

  • sharing link

    Important

    Requires a license providing the Office 365 sensor.

  • url

    Important

    Requires a license that provides at least one of these sensors:

    • The Office 365 sensor

    • The Google Workspace sensor

  • ssh key

    Important

    Requires a license providing the AWS sensor.

  • launch template

    Important

    Requires a license providing the AWS sensor.

  • service principal

    Important

    Requires a license that provides at least one of these sensors:

    • The Google Workspace sensor

    • The Google Cloud Platform sensor

    • The Azure AD sensor

  • user group

    Important

    Requires a license that provides at least one of these sensors:

    • The Azure AD sensor

    • The Atlassian Cloud sensor

    • The Google Workspace sensor

    • The AWS sensor

  • automation account

    Important

    Requires a license providing the Azure Cloud sensor.

  • automation account hook

    Important

    Requires a license providing the Azure Cloud sensor.

  • certificate authority

    Important

    Requires a license that provides at least one of these sensors:

    • The Azure AD sensor

    • The AWS sensor

  • api

  • bucket

    Important

    Requires a license providing the AWS sensor.

  • jira project

    Important

    Requires a license providing the Atlassian Cloud sensor.

  • confluence page

    Important

    Requires a license providing the Atlassian Cloud sensor.

Possible values available only for custom exclusion rules:

  • flow

    Important

    Requires a license providing the Office 365 sensor.

  • bitbucket repository

    Important

    Requires the Atlassian Cloud sensor.

criteriaList

Defines the rule by listing the exclusion or detection sub-rules that the specified target must match.

Important

This parameter does not include definitions related to the detection field. They must be configured under the filters parameter.

Mandatory for Basic rules

Not applicable to YARA rules

Array of Objects

Each object contains the following settings:

  • field (String) - The entity attribute (criterion) to which the condition applies.

  • relation (String) - The required relationship between the field and the value for the condition to be met.

  • value - A custom value against which the value of the field parameter is compared.

Note

For information on the possible values of criteriaList objects, refer to Detection and exclusion criteria.

filters

Contains the exclusion or detection sub-rules related to the detection field.

Optional for Basic rules

Not applicable to YARA rules

Array of Objects

Important

It is an array containing a single object, as only one detection filter can be used per rule.

The object within the array contains the following settings:

  • field (String) - The entity attribute (criterion) to which the condition applies. The filters parameter accepts only the detection field value.

  • value - The value that the detection field (Alert name) must match.

Note

For information on the detection field, refer to Detection and exclusion criteria.

yaraQuery

Defines the YARA rule query.

Mandatory for YARA rules

Not applicable to Basic rules

String

This value must follow YARA syntax rules.

Tip

While whitespace and indentation are ignored during rule validation, the original yaraQuery formatting provided in the API request is preserved and displayed as-is in GravityZone Control Center.

For readability, we recommend using properly formatted and indented YARA syntax in yaraQuery.

For example, to display the following formatted rule in the UI:

rule Demo_Spaced {
    meta:
        author = "api"
        description = "indent test"

    strings:
        $mz = { 4D 5A }

    condition:
        $mz
}

The yaraQuery string should be: rule Demo_Spaced {\n    meta:\n        author = \"api\"\n        description = \"indent test\"\n\n    strings:\n        $mz = { 4D 5A }\n\n    condition:\n        $mz\n}.

automaticActions

Indicates the automatic response actions and their enablement status for EDR incidents generated by this rule.

Important

  • Automatic actions are available only for EDR custom detection rules.

  • Bitdefender EDR subscriptions and GravityZone EDR Cloud licenses do not support automatic actions.

Optional for EDR detection rules, including YARA rules

Not applicable to exclusion rules or XDR detection rules

Array of Objects

Each object contains the following settings:

  • type (Integer) - The type of automatic action assigned to the rule.

    Possible values:

    • 1 - Isolate

    • 2 - Collect investigation package

    • 3 - Add to Sandbox

      Important

      For Basic rules, this type is available only under one of the following conditions:

      • target is process or file

      • target is connection and criteriaList contains an Object whose field has one of the following values:

        • Connection.Process.Name

        • Connection.Process.Path

        • Connection.Process.FullPathName

        • Connection.Process.CommandLine

      • target is registry and criteriaList contains an Object whose field has one of the following values:

        • Registry.CreatedBy.Name

        • Registry.CreatedBy.Path

        • Registry.CreatedBy.FullPathName

        • Registry.CreatedBy.CommandLine

    • 4 - Kill process

      Important

      For Basic rules, this type is available only under one of the following conditions:

      • The rule is YARA-based

      • The rule is Basic and one of the following conditions is met:

        • Connection.Process.Name

        • Connection.Process.Path

        • Connection.Process.FullPathName

        • Connection.Process.CommandLine

      • target is registry and criteriaList contains an Object whose field has one of the following values:

        • Registry.CreatedBy.Name

        • Registry.CreatedBy.Path

        • Registry.CreatedBy.FullPathName

        • Registry.CreatedBy.CommandLine

      • target is file and criteriaList contains an Object whose field has one of the following values:

        • File.CreatedBy.Name

        • File.CreatedBy.Path

        • File.CreatedBy.FullPathName

        • File.CreatedBy.CommandLine

    • 5 - Antimalware scan

    • 6 - Quarantine

      Important

      For Basic rules, this type is available only under one of the following conditions:

      • target is process or file

      • target is connection and criteriaList contains an Object whose field has one of the following values:

        • Connection.Process.Name

        • Connection.Process.Path

        • Connection.Process.FullPathName

        • Connection.Process.CommandLine

      • target is registry and criteriaList contains an Object whose field has one of the following values:

        • Registry.CreatedBy.Name

        • Registry.CreatedBy.Path

        • Registry.CreatedBy.FullPathName

        • Registry.CreatedBy.CommandLine

    • 7 - Risk scan

  • enabled (Boolean) - When true, the action specified by type is enabled for incidents generated by this rule.

  • settings (Object) - Allows further customization of the automatic action for specific action types.

    Fields and possible values for each action type:

    • If type is 4 and the rule is Basic:

      • includeParent (Boolean) - If true, the action also applies to the parent of the targeted process.

      • includeChildren (Boolean) - If true, the action also applies to the children of the targeted process.

    • If type is 5, the automatic action also has a type (Integer) field under settings, taking one of these values:

      • 1 - Quick scan

      • 2 - Full scan

    • If type is 6 and one of the following conditions is met, then these fields are available:

      • includeParent (Boolean) - If true, the action also applies to the parent of the targeted process.

      • includeChildren (Boolean) - If true, the action also applies to the children of the targeted process.

      Conditions:

      • The rule is YARA-based

      • The rule is Basic and one of the following conditions is met:

        • The rule is YARA-based

        • The rule is Basic and one of the following conditions is met:

          • Connection.Process.Name

          • Connection.Process.Path

          • Connection.Process.FullPathName

          • Connection.Process.CommandLine

        • target is registry and criteriaList contains an Object whose field has one of the following values:

          • Registry.CreatedBy.Name

          • Registry.CreatedBy.Path

          • Registry.CreatedBy.FullPathName

          • Registry.CreatedBy.CommandLine

        • target is file and criteriaList contains an Object whose field has one of the following values:

          • File.CreatedBy.Name

          • File.CreatedBy.Path

          • File.CreatedBy.FullPathName

          • File.CreatedBy.CommandLine

Return value

This method returns either the ID of the newly created rule (String) or a Boolean value which is true if the creation of the custom rule was successful.

Example

Request:

Creating a Basic rule:

{
     "params": {
         "type": 1,
         "name": "Detection Rule via API",
         "description": "Detection Rule via API Description",
         "settings": {
             "status": 0,
             "severity": 1,
             "target": "file",
             "automaticActions": [
                 {
                     "type": 1,
                     "enabled": true
                 }  
             ],
             "criteriaList": [
                 {
                     "field": "File.Name",
                     "relation": "is",
                     "value": "abcd"
                 }
             ],
             "filters": [
                 {
                     "field": "detection",
                     "value": "test-api"
                 }
             ]
         },
         "returnRuleId": true
    },
    "jsonrpc": "2.0",
    "method": "createCustomRule",
    "id": "0df7568c-59c1-48e0-a31b-18d83e6d9810"
}

Creating a YARA rule:

{
    "jsonrpc": "2.0",
    "method": "createCustomRule",
    "params": {
        "type": 1,
        "subtype": 1,
        "name": "YARA Detection Rule via API",
        "description": "YARA detection",
        "tags": [
            "API",
            "yara"
        ],
        "settings": {
            "status": 1,
            "severity": 2,
            "yaraQuery": "rule demo { condition: true }",
            "automaticActions": [
                {
                    "type": 5,
                    "enabled": true,
                    "settings": {
                        "type": 2
                    }
                }
            ]
        },
        "returnRuleId": true
    },
    "id": "0df7568c-59c1-48e0-a31b-18d83e6d9810"
}

Response:

{
    "id": "0df7568c-59c1-48e0-a31b-18d83e6d9810",
    "jsonrpc": "2.0",
    "result": "6372b7a3897aaa77ee021642"
}
In this section: