Skip to main content

createCustomRule

Method to create a custom rule.

Parameters

Parameter

Type

Optional

Description

type

Number

Yes

The type of rule to create. Possible values: 1 - Detection, 2 - Exclusion

companyId

String

Yes

The company Id where the attached rule should be created. The default value is the ID of the company linked to the user who generated the API key.

name

String

No

The name of the rule to be created.

description

String

Yes

The description of the rule.

tags

Array

Yes

The list of associated tags. The tag list is an array of strings.

settings

Array

No

The rule settings. These are the available settings:

  • status

  • severity (if Detection Rule)

  • target (e.g process, connection, file)

  • criteria list, array of objects. Each object contains a field, a relation and a value.

Note

For more information on the possible values of criteria list objects, refer to Detections and exclusions

returnRuleId

Boolean

Yes

Indicates if the request will return the ID of the new rule. Possible values:

  • true, will return the ID of the newly created rule, if the request is successful.

  • false, will not return the ID of the newly created rule. Instead, it will return a Boolean value.

Default value: False.

Detections and exclusions

Detection (type =1)

Exclusion (type=2)

Display Name

target

Field

Relation

Validator

Yes

Yes

Name

process

Process.Name

is |contains| any

string

Yes

Yes

Path

process

Process.Path

is |contains| any

string

Yes

Yes

Full Path Name

process

Process.FullPathName

is |contains| any

string

Yes

Yes

Command Line

process

Process.CommandLine

is |contains| any

string

Yes

Yes

Parent Name

process

Process.Parent.Name

is |contains| any

string

Yes

Yes

Parent Path

process

Process.Parent.Path

is |contains| any

string

Yes

Yes

Paret Full Path Name

process

Process.Parent.FullPathName

is |contains| any

string

Yes

Yes

Parent Command Line

process

Process.Parent.CommandLine

is |contains| any

string

Yes

Yes

Name

file

File.Name

is |contains| any

string

Yes

Yes

Path

file

File.Path

is |contains| any

string

Yes

Yes

Full Path Name

file

File.FullPathName

is |contains| any

string

Yes

Yes

Creation Process Name

file

File.CreatedBy.Name

is |contains| any

string

Yes

Yes

Creation Process Path

file

File.CreatedBy.Path

is |contains| any

string

Yes

Yes

Creation Process Full Path Name

file

File.CreatedBy.FullPathName

is |contains| any

string

Yes

Yes

Creation Process Command Line

file

File.CreatedBy.CommandLine

is |contains| any

string

Yes

Yes

Source IP

connection

Connection.SourceIP

is |contains| any

valid IP

Yes

Yes

Destination IP

connection

Connection.DestinationIP

is |contains| any

valid IP

Yes

Yes

Source Port

connection

Connection.SourcePort

is |contains| any

integer between 0 and 65,535

Yes

Yes

Destination Port

connection

Connection.DestinationPort

is |contains| any

integer between 0 and 65,535

Yes

Yes

Creation Process Name

connection

Connection.Process.Name

is |contains| any

string

Yes

Yes

Creation Process Path

connection

Connection.Process.Path

is |contains| any

string

Yes

Yes

Creation Process Full Path Name

connection

Connection.Process.FullPathName

is |contains| any

string

Yes

Yes

Creation Process Command Line

connection

Connection.Process.CommandLine

is |contains| any

string

Yes

No

Key

registry

Registry.Key

is |contains| any

string

Yes

No

Value

registry

Registry.Value

is |contains| any

string

Yes

No

Creation Process Name

registry

Registry.CreatedBy.Name

is |contains| any

string

Yes

No

Creation Process Path

registry

Registry.CreatedBy.Path

is |contains| any

string

Yes

No

Creation Process Full Path Name

registry

Registry.CreatedBy.FullPathName

is |contains| any

string

Yes

No

Creation Process Command Line

registry

Registry.CreatedBy.CommandLine

is |contains| any

string

Note

The any operator implies an array.

Return value

This method returns the ID of the newly created rule or a boolean value which is true if the creation of the custom rule was successful.

Example

Request:

  {
   "params": {
        "companyId": "61827b8036492c2fc0718722",
        "type": 1,
        "name": "Detection Rule via API",
        "description": "description test api",
        "tags": [
           "test",
           "api",     
           "demo"
        ],
        "settings": {
         "status": 0,
         "severity": 1,
         "target": "connection",
         "criteriaList": [
          {
               "field": "Connection.DestinationPort",
               "relation": "is",
               "value": [
               "25691"
           ]
          },
          {
               "field": "Connection.Process.Name",
               "relation": "contains",
               "value": "./network1"
          },
          {
               "field": "Connection.SourcePort",
               "relation": "any",
               "value": [
                "22",
                "23",
                "24"
           ]
          }
         ]
        },
	"returnRuleId": true
       },
   "jsonrpc": "2.0",
   "method": "createCustomRule",
   "id": "0df7568c-59c1-48e0-a31b-18d83e6d9810"
  }   

Response:

  {
   "id": "0df7568c-59c1-48e0-a31b-18d83e6d9810",
   "jsonrpc": "2.0",
   "result": 6372b7a3897aaa77ee021642
  }