getCustomRulesList

This method retrieves the Custom Rules list for a specific company.

Parameters

| Parameter | Type | Optional | Description |
|---|---|---|---|
| page | Number | No | The results page number. The default value is 1. |
| perPage | Number | No | The number of items displayed in a page. The upper limit is 100 items per page. Default value: 30 items per page. |
| companyId | String | No | The ID of the company for which to retrieve the list of custom Rules. The default value is the ID of the company linked to the user who generated the API key. |
| type | Number | No | The type of rule to return. Possible values: 1 - Detection, 2 - Exclusion |

Return value

This method returns an Array containing information on the custom rules items. The returned object contains:

  • page - the current page displayed

  • pagesCount - the total number of available pages

  • perPage - the total number of returned items per page

  • items - the list of custom rules items. Each entry in the list has the following fields:

    • id

    • owner

    • name

    • companyId

    • status

    • tags

    • settings - The rule settings. These are the available settings:

      • status

      • severity (if Detection Rule)

      • target (e.g. process, connection, file)

      • criteria list, array of objects. Each object contains a field, a relation and a value.

        Note

        For more information on the possible values of criteria list objects, refer to Detections and exclusions.

Detections and exclusions

| Detection (type=1) | Exclusion (type=2) | Display Name | target | Field | Relation | Validator |
|---|---|---|---|---|---|---|
| Yes | Yes | Name | process | Process.Name | is \| contains \| any | string |
| Yes | Yes | Path | process | Process.Path | is \| contains \| any | string |
| Yes | Yes | Full Path Name | process | Process.FullPathName | is \| contains \| any | string |
| Yes | Yes | Command Line | process | Process.CommandLine | is \| contains \| any | string |
| Yes | Yes | Parent Name | process | Process.Parent.Name | is \| contains \| any | string |
| Yes | Yes | Parent Path | process | Process.Parent.Path | is \| contains \| any | string |
| Yes | Yes | Parent Full Path Name | process | Process.Parent.FullPathName | is \| contains \| any | string |
| Yes | Yes | Parent Command Line | process | Process.Parent.CommandLine | is \| contains \| any | string |
| No | Yes | User | process | Process.User | is \| contains \| any | string |
| No | Yes | MD5 | process | Process.MD5 | is \| contains \| any | string |
| No | Yes | SHA256 | process | Process.SHA2 | is \| contains \| any | string |
| Yes | Yes | Name | file | File.Name | is \| contains \| any | string |
| Yes | Yes | Path | file | File.Path | is \| contains \| any | string |
| Yes | Yes | Full Path Name | file | File.FullPathName | is \| contains \| any | string |
| Yes | Yes | Creation Process Name | file | File.CreatedBy.Name | is \| contains \| any | string |
| Yes | Yes | Creation Process Path | file | File.CreatedBy.Path | is \| contains \| any | string |
| Yes | Yes | Creation Process Full Path Name | file | File.CreatedBy.FullPathName | is \| contains \| any | string |
| Yes | Yes | Creation Process Command Line | file | File.CreatedBy.CommandLine | is \| contains \| any | string |
| No | Yes | Operation | file | File.Operation | is \| contains \| any | string |
| No | Yes | MD5 | file | File.MD5 | is \| contains \| any | string |
| No | Yes | SHA256 | file | File.SHA256 | is \| contains \| any | string |
| No | Yes | Url | file | File.Url | is \| contains \| any | string |
| No | Yes | Creation process user | file | File.CreatedBy.User | is \| contains \| any | string |
| Yes | Yes | Source IP | connection | Connection.SourceIP | is \| contains \| any | valid IP |
| Yes | Yes | Destination IP | connection | Connection.DestinationIP | is \| contains \| any | valid IP |
| Yes | Yes | Source Port | connection | Connection.SourcePort | is \| contains \| any | integer between 0 and 65,535 |
| Yes | Yes | Destination Port | connection | Connection.DestinationPort | is \| contains \| any | integer between 0 and 65,535 |
| Yes | Yes | Creation Process Name | connection | Connection.Process.Name | is \| contains \| any | string |
| Yes | Yes | Creation Process Path | connection | Connection.Process.Path | is \| contains \| any | string |
| Yes | Yes | Creation Process Full Path Name | connection | Connection.Process.FullPathName | is \| contains \| any | string |
| Yes | Yes | Creation Process Command Line | connection | Connection.Process.CommandLine | is \| contains \| any | string |
| No | Yes | Creation process user | connection | Connection.Process.User | is \| contains \| any | string |
| No | Yes | Protocol | connection | Connection.Protocol | is \| contains \| any | string |
| No | Yes | Url | connection | Connection.URL | is \| contains \| any | string |
| No | Yes | HTTP user | connection | Connection.HTTPUser | is \| contains \| any | string |
| No | Yes | HTTP downloaded file | connection | Connection.HTTPDownloadedFile | is \| contains \| any | string |
| No | Yes | HTTP uploaded file | connection | Connection.HTTPUploadedFile | is \| contains \| any | string |
| No | Yes | FTP user | connection | Connection.FTPUser | is \| contains \| any | string |
| No | Yes | SMB domain | connection | Connection.SMBDomain | is \| contains \| any | string |
| No | Yes | SMB share path | connection | Connection.SMBSharePath | is \| contains \| any | string |
| No | Yes | SMB user | connection | Connection.SMBUser | is \| contains \| any | string |
| No | Yes | SSH user | connection | Connection.SSHUser | is \| contains \| any | string |
| No | Yes | WMI exec query | connection | Connection.WMIExecQuery | is \| contains \| any | string |
| No | Yes | Telnet user | connection | Connection.TelnetUser | is \| contains \| any | string |
| No | Yes | File remote operation | connection | Connection.FileRemoteOperation | is \| contains \| any | string |
| No | Yes | File remote path | connection | Connection.FileRemotePath | is \| contains \| any | string |
| No | Yes | File name | connection | Connection.File.Name | is \| contains \| any | string |
| No | Yes | Email subject | connection | Connection.Email.Subject | is \| contains \| any | string |
| No | Yes | Application name | connection | Connection.Application.Name | is \| contains \| any | string |
| No | Yes | Key vault name | connection | Connection.KeyVault.Name | is \| contains \| any | string |
| No | Yes | Role name | connection | Connection.Role.Name | is \| contains \| any | string |
| No | Yes | Policy name | connection | Connection.Policy.Name | is \| contains \| any | string |
| No | Yes | Sharing link name | connection | Connection.SharingLink.Name | is \| contains \| any | string |
| No | Yes | Flow name | connection | Connection.Flow.Name | is \| contains \| any | string |
| No | Yes | URL name | connection | Connection.Url.Name | is \| contains \| any | string |
| No | Yes | SSH key name | connection | Connection.SshKey.Name | is \| contains \| any | string |
| No | Yes | Launch template name | connection | Connection.LaunchTemplate.Name | is \| contains \| any | string |
| No | Yes | Service principal name | connection | Connection.ServicePrincipal.Name | is \| contains \| any | string |
| No | Yes | User group name | connection | Connection.UserGroup.Name | is \| contains \| any | string |
| No | Yes | Automation account name | connection | Connection.AutomationAccount.Name | is \| contains \| any | string |
| No | Yes | Automation account hook name | connection | Connection.AutomationAccountHook.Name | is \| contains \| any | string |
| No | Yes | Api name | connection | Connection.Api.Name | is \| contains \| any | string |
| No | Yes | Certificate authority name | connection | Connection.CertificateAuthority.Name | is \| contains \| any | string |
| No | Yes | Bucket name | connection | Connection.Bucket.Name | is \| contains \| any | string |
| No | Yes | Source user | connection | Connection.SourceUser | is \| contains \| any | string |
| No | Yes | Destination user | connection | Connection.DestinationUser | is \| contains \| any | string |
| Yes | No | Key | registry | Registry.Key | is \| contains \| any | string |
| Yes | No | Value | registry | Registry.Value | is \| contains \| any | string |
| Yes | No | Creation Process Name | registry | Registry.CreatedBy.Name | is \| contains \| any | string |
| Yes | No | Creation Process Path | registry | Registry.CreatedBy.Path | is \| contains \| any | string |
| Yes | No | Creation Process Full Path Name | registry | Registry.CreatedBy.FullPathName | is \| contains \| any | string |
| Yes | No | Creation Process Command Line | registry | Registry.CreatedBy.CommandLine | is \| contains \| any | string |
| Yes | No | Name | user connection | UserLogin.Name | is \| contains \| any | string |
| Yes | No | Source user | user connection | UserLogin.SourceUser | is \| contains \| any | string |
| Yes | No | Destination user | user connection | UserLogin.DestinationUser | is \| contains \| any | string |
| Yes | No | Domain | user connection | UserLogin.Domain | is \| contains \| any | string |
| Yes | No | File name | user connection | UserLogin.File.Name | is \| contains \| any | string |
| Yes | No | Email subject | user connection | UserLogin.Email.Subject | is \| contains \| any | string |
| Yes | No | Application name | user connection | UserLogin.Application.Name | is \| contains \| any | string |
| Yes | No | Key vault name | user connection | UserLogin.KeyVault.Name | is \| contains \| any | string |
| Yes | No | Role name | user connection | UserLogin.Role.Name | is \| contains \| any | string |
| Yes | No | Policy name | user connection | UserLogin.Policy.Name | is \| contains \| any | string |
| Yes | No | Sharing link name | user connection | UserLogin.SharingLink.Name | is \| contains \| any | string |
| Yes | No | Flow name | user connection | UserLogin.Flow.Name | is \| contains \| any | string |
| Yes | No | URL name | user connection | UserLogin.Url.Name | is \| contains \| any | string |
| Yes | No | SSH key name | user connection | UserLogin.SshKey.Name | is \| contains \| any | string |
| Yes | No | Launch template name | user connection | UserLogin.LaunchTemplate.Name | is \| contains \| any | string |
| Yes | No | Service principal name | user connection | UserLogin.ServicePrincipal.Name | is \| contains \| any | string |
| Yes | No | User group name | user connection | UserLogin.UserGroup.Name | is \| contains \| any | string |
| Yes | No | Automation account name | user connection | UserLogin.AutomationAccount.Name | is \| contains \| any | string |
| Yes | No | Automation account hook name | user connection | UserLogin.AutomationAccountHook.Name | is \| contains \| any | string |
| Yes | No | Api name | user connection | UserLogin.Api.Name | is \| contains \| any | string |
| Yes | No | Certificate authority name | user connection | UserLogin.CertificateAuthority.Name | is \| contains \| any | string |
| Yes | No | Bucket name | user connection | UserLogin.Bucket.Name | is \| contains \| any | string |
| Yes | No | Source IP | user connection | UserLogin.SourceIP | is \| contains \| any | valid IP |
| Yes | No | Destination IP | user connection | UserLogin.DestinationIP | is \| contains \| any | valid IP |
| Yes | No | Subject | email | Email.Subject | is \| contains \| any | string |
| Yes | No | Sender | email | Email.Sender | is \| contains \| any | string |
| Yes | No | Receiver | email | Email.Receivers | is \| contains \| any | string |
| Yes | No | Url | email | Email.Url | is \| contains \| any | string |
| Yes | No | Name | application | Application.Name | is \| contains \| any | string |
| Yes | No | Id | application | Application.Id | is \| contains \| any | string |
| Yes | No | Application address | application | Application.Address | is \| contains \| any | string |
| Yes | No | Source user | application | Application.SourceUser | is \| contains \| any | string |
| Yes | No | Destination user | application | Application.DestinationUser | is \| contains \| any | string |
| Yes | No | Source IP | application | Application.SourceIP | is \| contains \| any | valid IP |
| Yes | No | Destination IP | application | Application.DestinationIP | is \| contains \| any | valid IP |
| Yes | No | Name | key vault | KeyVault.Name | is \| contains \| any | string |
| Yes | No | Source user | key vault | KeyVault.SourceUser | is \| contains \| any | string |
| Yes | No | Destination user | key vault | KeyVault.DestinationUser | is \| contains \| any | string |
| Yes | No | Source IP | key vault | KeyVault.SourceIP | is \| contains \| any | valid IP |
| Yes | No | Destination IP | key vault | KeyVault.DestinationIP | is \| contains \| any | valid IP |
| Yes | No | Name | role | Role.Name | is \| contains \| any | string |
| Yes | No | Id | role | Role.Id | is \| contains \| any | string |
| Yes | No | Source user | role | Role.SourceUser | is \| contains \| any | string |
| Yes | No | Destination user | role | Role.DestinationUser | is \| contains \| any | string |
| Yes | No | Source IP | role | Role.SourceIP | is \| contains \| any | valid IP |
| Yes | No | Destination IP | role | Role.DestinationIP | is \| contains \| any | valid IP |
| Yes | No | Name | policy | Policy.Name | is \| contains \| any | string |
| Yes | No | Id | policy | Policy.Id | is \| contains \| any | string |
| Yes | No | Resource policy type | policy | Policy.ResourcePolicyType | is \| contains \| any | string |
| Yes | No | Source user | policy | Policy.SourceUser | is \| contains \| any | string |
| Yes | No | Destination user | policy | Policy.DestinationUser | is \| contains \| any | string |
| Yes | No | Source IP | policy | Policy.SourceIP | is \| contains \| any | valid IP |
| Yes | No | Destination IP | policy | Policy.DestinationIP | is \| contains \| any | valid IP |
| Yes | No | Name | sharing link | SharingLink.Name | is \| contains \| any | string |
| Yes | No | Url | sharing link | SharingLink.Url | is \| contains \| any | string |
| Yes | No | Source user | sharing link | SharingLink.SourceUser | is \| contains \| any | string |
| Yes | No | Destination user | sharing link | SharingLink.DestinationUser | is \| contains \| any | string |
| Yes | No | Source IP | sharing link | SharingLink.SourceIP | is \| contains \| any | valid IP |
| Yes | No | Destination IP | sharing link | SharingLink.DestinationIP | is \| contains \| any | valid IP |
| Yes | No | Name | flow | Flow.Name | is \| contains \| any | string |
| Yes | No | Id | flow | Flow.Id | is \| contains \| any | string |
| Yes | No | Url | flow | Flow.Url | is \| contains \| any | string |
| Yes | No | Source user | flow | Flow.SourceUser | is \| contains \| any | string |
| Yes | No | Destination user | flow | Flow.DestinationUser | is \| contains \| any | string |
| Yes | No | Source IP | flow | Flow.SourceIP | is \| contains \| any | valid IP |
| Yes | No | Destination IP | flow | Flow.DestinationIP | is \| contains \| any | valid IP |
| Yes | No | Name | flow | Url.Name | is \| contains \| any | string |
| Yes | No | Url | url | Url.Url | is \| contains \| any | string |
| Yes | No | Source user | url | Url.SourceUser | is \| contains \| any | string |
| Yes | No | Destination user | url | Url.DestinationUser | is \| contains \| any | string |
| Yes | No | Source IP | url | Url.SourceIP | is \| contains \| any | valid IP |
| Yes | No | Destination IP | url | Url.DestinationIP | is \| contains \| any | valid IP |
| Yes | No | Name | SSH key | SshKey.Name | is \| contains \| any | string |
| Yes | No | SSH public key | SSH key | SshKey.PublicKey | is \| contains \| any | string |
| Yes | No | Source user | SSH key | SshKey.SourceUser | is \| contains \| any | string |
| Yes | No | Destination user | SSH key | SshKey.DestinationUser | is \| contains \| any | string |
| Yes | No | Source IP | SSH key | SshKey.SourceIP | is \| contains \| any | valid IP |
| Yes | No | Destination IP | SSH key | SshKey.DestinationIP | is \| contains \| any | valid IP |
| Yes | No | Name | launch template | LaunchTemplate.Name | is \| contains \| any | string |
| Yes | No | Id | launch template | LaunchTemplate.Id | is \| contains \| any | string |
| Yes | No | Source user | launch template | LaunchTemplate.SourceUser | is \| contains \| any | string |
| Yes | No | Destination user | launch template | LaunchTemplate.DestinationUser | is \| contains \| any | string |
| Yes | No | Source IP | launch template | LaunchTemplate.SourceIP | is \| contains \| any | valid IP |
| Yes | No | Destination IP | launch template | LaunchTemplate.DestinationIP | is \| contains \| any | valid IP |
| Yes | No | Name | service principal | ServicePrincipal.Name | is \| contains \| any | is \| contains \| any |
| Yes | No | Id | service principal | ServicePrincipal.Id | is \| contains \| any | string |
| Yes | No | Source user | service principal | ServicePrincipal.SourceUser | is \| contains \| any | string |
| Yes | No | Destination user | service principal | ServicePrincipal.DestinationUser | is \| contains \| any | string |
| Yes | No | Source IP | service principal | ServicePrincipal.SourceIP | is \| contains \| any | valid IP |
| Yes | No | Destination IP | service principal | ServicePrincipal.DestinationIP | is \| contains \| any | valid IP |
| Yes | No | Name | user group | UserGroup.Name | is \| contains \| any | string |
| Yes | No | Id | user group | UserGroup.Id | is \| contains \| any | string |
| Yes | No | Source user | user group | UserGroup.SourceUser | is \| contains \| any | string |
| Yes | No | Destination user | user group | UserGroup.DestinationUser | is \| contains \| any | string |
| Yes | No | Source IP | user group | UserGroup.SourceIP | is \| contains \| any | valid IP |
| Yes | No | Destination IP | user group | UserGroup.DestinationIP | is \| contains \| any | valid IP |
| Yes | No | Name | automation account | AutomationAccount.Name | is \| contains \| any | string |
| Yes | No | Id | automation account | AutomationAccount.Id | is \| contains \| any | string |
| Yes | No | Source user | automation account | AutomationAccount.SourceUser | is \| contains \| any | string |
| Yes | No | Destination user | automation account | AutomationAccount.DestinationUser | is \| contains \| any | string |
| Yes | No | Source IP | automation account | AutomationAccount.SourceIP | is \| contains \| any | valid IP |
| Yes | No | Destination IP | automation account | AutomationAccount.DestinationIP | is \| contains \| any | valid IP |
| Yes | No | Name | automation account | AutomationAccountHook.Name | is \| contains \| any | string |
| Yes | No | Id | automation account | AutomationAccountHook.Id | is \| contains \| any | string |
| Yes | No | Source user | automation account | AutomationAccountHook.SourceUser | is \| contains \| any | string |
| Yes | No | Destination user | automation account | AutomationAccountHook.DestinationUser | is \| contains \| any | string |
| Yes | No | Source IP | automation account | AutomationAccountHook.SourceIP | is \| contains \| any | valid IP |
| Yes | No | Destination IP | automation account | AutomationAccountHook.DestinationIP | is \| contains \| any | valid IP |
| Yes | No | Name | API | Api.Name | is \| contains \| any | string |
| Yes | No | Id | API | Api.Id | is \| contains \| any | string |
| Yes | No | Destination user | API | Api.DestinationUser | is \| contains \| any | string |
| Yes | No | Source IP | API | Api.SourceIP | is \| contains \| any | valid IP |
| Yes | No | Destination IP | API | Api.DestinationIP | is \| contains \| any | valid IP |
| Yes | No | Name | certificate authority | CertificateAuthority.Name | is \| contains \| any | string |
| Yes | No | Source user | certificate authority | CertificateAuthority.SourceUser | is \| contains \| any | string |
| Yes | No | Destination user | certificate authority | CertificateAuthority.DestinationUser | is \| contains \| any | string |
| Yes | No | Source IP | certificate authority | CertificateAuthority.SourceIP | is \| contains \| any | valid IP |
| Yes | No | Destination IP | certificate authority | CertificateAuthority.DestinationIP | is \| contains \| any | valid IP |
| Yes | No | Name | bucket | Bucket.Name | is \| contains \| any | string |
| Yes | No | Source user | bucket | Bucket.SourceUser | is \| contains \| any | string |
| Yes | No | Destination user | bucket | Bucket.DestinationUser | is \| contains \| any | string |
| Yes | No | Source IP | bucket | Bucket.SourceIP | is \| contains \| any | valid IP |
| Yes | No | Destination IP | bucket | Bucket.DestinationIP | is \| contains \| any | valid IP |

Note

The any operator implies an array.

Example

Request:

  {
   "params": {
        "companyId": "61827b8036492c2fc0718722",
        "type": 1,
        "page": 1,
        "perPage": 100
       },
   "jsonrpc": "2.0",
   "method": "getCustomRulesList",
   "id": "0df7568c-59c1-48e0-a31b-18d83e6d9810"
  }   

Response:

  {
   "id": "0df7568c-59c1-48e0-a31b-18d83e6d9810",
   "jsonrpc": "2.0",
   "result": {
    "total": 1,
    "page": 1,
    "perPage": 100,
    "pagesCount": 1,
    "items": [
     {
      "id": "6188dfc42a1a0155e84afa57",
      "name": "testApi1111",
      "ownerId": "6082afe13cf8082cab49cacb",
      "description": "description test api",
      "companyId": "61827b8036492c2fc0718722",
      "status": 0,
      "tags": [
       "test",
       "api",
       "demo"
      ],
      "settings": {
       "status": 0,
       "target": "connection",
       "criteriaList": [
        {
         "field": "Connection.DestinationPort",
         "relation": "is",
         "value": [
          "25691"
         ]
        },
        {
         "field": "Connection.Process.Name",
         "relation": "contains",
         "value": [
          "./network1"
         ],
         "operator": "AND"
        },
        {
         "field": "Connection.SourcePort",
         "relation": "any",
         "value": [
          "22",
          "23",
          "24"
         ],
         "operator": "AND"
        }
       ],
       "severity": 1
      }
     }
    ]
   }
  }
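
The following is an added example, not part of the vendor documentation: it builds the request with the documented parameter limits, pages through results until `pagesCount` is reached, and checks each `criteriaList` entry against the validators in the Detections and exclusions table. The `send` callable is a hypothetical caller-supplied transport (this page does not specify the endpoint or authentication), and the validators are assumed to apply to every value of a criterion.

```python
import ipaddress
import uuid

RELATIONS = {"is", "contains", "any"}          # relations listed in the table
PORT_FIELDS = {"Connection.SourcePort", "Connection.DestinationPort"}
IP_SUFFIXES = (".SourceIP", ".DestinationIP")  # all "valid IP" fields end this way

def build_request(page=1, per_page=30, rule_type=None, company_id=None):
    """Build the JSON-RPC body, enforcing the documented parameter limits."""
    if page < 1 or not 1 <= per_page <= 100:
        raise ValueError("page must be >= 1 and perPage between 1 and 100")
    if rule_type not in (None, 1, 2):
        raise ValueError("type must be 1 (Detection) or 2 (Exclusion)")
    params = {"page": page, "perPage": per_page, "type": rule_type, "companyId": company_id}
    params = {k: v for k, v in params.items() if v is not None}  # omit unset optionals
    return {"params": params, "jsonrpc": "2.0",
            "method": "getCustomRulesList", "id": str(uuid.uuid4())}

def fetch_all_rules(send, **kwargs):
    """Collect items from every page; send(body) -> response dict is caller-supplied."""
    page, items = 1, []
    while True:
        result = send(build_request(page=page, **kwargs))["result"]
        items.extend(result["items"])
        if page >= result["pagesCount"]:
            return items
        page += 1

def _valid(field, v):
    """Apply the table's validator for this field to one value."""
    try:
        if field in PORT_FIELDS:
            return 0 <= int(str(v)) <= 65535
        if field.endswith(IP_SUFFIXES):
            ipaddress.ip_address(str(v))
    except ValueError:
        return False
    return True  # "string" validator: nothing further to check

def audit_rule(rule):
    """Return the problems found in one rule's criteriaList."""
    problems = []
    for c in rule["settings"]["criteriaList"]:
        field, relation, value = c.get("field") or "", c.get("relation"), c.get("value")
        if relation not in RELATIONS:
            problems.append(f"{field}: unknown relation {relation!r}")
        if relation == "any" and not isinstance(value, list):
            problems.append(f"{field}: 'any' needs an array value")
        for v in value if isinstance(value, list) else [value]:
            if not _valid(field, v):
                problems.append(f"{field}: invalid value {v!r}")
    return problems

# Constructed sample modelled on the page's response, with two defects added.
SAMPLE_RULE = {"name": "testApi1111", "settings": {"criteriaList": [
    {"field": "Connection.DestinationPort", "relation": "is", "value": ["25691"]},
    {"field": "Connection.SourcePort", "relation": "any", "value": ["22", "70000"]},
    {"field": "Connection.DestinationIP", "relation": "any", "value": "10.0.0.1"},
]}}
```

Running `audit_rule(SAMPLE_RULE)` reports the out-of-range source port and the non-array value used with `any`; the first criterion passes.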