
getCustomRulesList

This method retrieves the Custom Rules list for a specific company.

Parameters

| Parameter | Type | Optional | Description |
|-----------|------|----------|-------------|
| page | Number | No | The results page number. The default value is 1. |
| perPage | Number | No | The number of items displayed in a page. The upper limit is 100 items per page. The default value is 30 items per page. |
| companyId | String | No | The ID of the company for which to retrieve the list of custom rules. The default value is the ID of the company linked to the user who generated the API key. |
| type | Number | No | The type of rule to return. Possible values: 1 - Detection, 2 - Exclusion. |

Return value

This method returns an object describing one page of the custom rules list (the items themselves are returned as an array). The returned object contains:

  • page - the current page displayed

  • pagesCount - the total number of available pages

  • perPage - the total number of returned items per page

  • items - the list of custom rules items. Each entry in the list has the following fields:

    • id

    • owner

    • name

    • companyId

    • status

    • tags

    • settings - The rule settings. These are the available settings:

      • status

      • severity (if Detection Rule)

      • target (e.g process, connection, file)

      • criteria list (criteriaList in the response), an array of objects. Each object contains a field, a relation and a value; in the example response below, every criterion after the first also carries an operator (AND) that joins it to the criteria before it.

        Note: For more information on the possible values of criteria list objects, refer to Detections and exclusions.
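The following is an added example, not part of the Bitdefender documentation or of any Bitdefender SDK: a small Python client that builds the getCustomRulesList JSON-RPC envelope documented above, enforces the documented limits (perPage at most 100, type 1 or 2) before sending, and walks every page by following pagesCount. The endpoint URL (API_URL) and the authentication scheme (HTTP Basic with the API key as user name and an empty password) are assumptions; take both from your own API documentation. The transport is injectable, so the paging logic runs offline against constructed sample pages.

```python
"""Paging client for getCustomRulesList.

Added example (not part of the Bitdefender documentation or SDK). The
endpoint URL and the authentication scheme are assumptions; the transport
is injectable so the paging logic can be exercised offline.
"""
import base64
import json
import urllib.request
import uuid

# Placeholder (assumption): the JSON-RPC endpoint of your own deployment.
API_URL = "https://<gravityzone-host>/api/v1.0/jsonrpc/<service>"


def build_request(company_id=None, rule_type=None, page=1, per_page=30):
    """Build the JSON-RPC 2.0 envelope documented above, enforcing the
    documented limits (perPage at most 100, type 1 or 2) client-side."""
    if not 1 <= per_page <= 100:
        raise ValueError("perPage must be between 1 and 100")
    if rule_type not in (None, 1, 2):
        raise ValueError("type must be 1 (Detection) or 2 (Exclusion)")
    params = {"page": page, "perPage": per_page}
    if company_id is not None:
        params["companyId"] = company_id
    if rule_type is not None:
        params["type"] = rule_type
    return {"jsonrpc": "2.0", "method": "getCustomRulesList",
            "params": params, "id": str(uuid.uuid4())}


def http_transport(api_key, url=API_URL, timeout=30):
    """Return send(request) -> response over HTTPS (auth scheme is an assumption)."""
    token = base64.b64encode(f"{api_key}:".encode()).decode()

    def send(request):
        body = json.dumps(request).encode()
        http_req = urllib.request.Request(
            url, data=body, method="POST",
            headers={"Content-Type": "application/json",
                     "Authorization": "Basic " + token})
        with urllib.request.urlopen(http_req, timeout=timeout) as resp:
            return json.load(resp)
    return send


def iter_custom_rules(send, company_id=None, rule_type=None, per_page=100):
    """Yield every rule item, following pagesCount until the last page.
    The JSON-RPC id is checked so a mismatched reply is not silently used."""
    page = 1
    while True:
        request = build_request(company_id, rule_type, page, per_page)
        response = send(request)
        if response.get("id") != request["id"]:
            raise RuntimeError("JSON-RPC id mismatch in response")
        if "error" in response:
            raise RuntimeError(f"API error: {response['error']}")
        result = response["result"]
        yield from result["items"]
        if page >= result["pagesCount"]:
            return
        page += 1


def count_by_target(rules):
    """Summarise a rule list by settings.target (a quick rule inventory)."""
    counts = {}
    for rule in rules:
        target = rule.get("settings", {}).get("target", "unknown")
        counts[target] = counts.get(target, 0) + 1
    return counts


# Constructed sample pages in the documented response shape (not real data).
SAMPLE_PAGES = {
    1: [{"id": "rule-a", "name": "mail-port-watch", "status": 0,
         "settings": {"target": "connection", "severity": 1, "criteriaList": []}},
        {"id": "rule-b", "name": "odd-parent", "status": 0,
         "settings": {"target": "process", "severity": 2, "criteriaList": []}}],
    2: [{"id": "rule-c", "name": "raw-socket-tool", "status": 1,
         "settings": {"target": "connection", "severity": 1, "criteriaList": []}}],
}


def fake_transport(pages):
    """Offline stand-in for http_transport that serves the constructed pages."""
    def send(request):
        params = request["params"]
        return {"id": request["id"], "jsonrpc": "2.0",
                "result": {"page": params["page"], "perPage": params["perPage"],
                           "pagesCount": len(pages),
                           "items": pages.get(params["page"], [])}}
    return send


if __name__ == "__main__":
    rules = list(iter_custom_rules(fake_transport(SAMPLE_PAGES),
                                   company_id="demo-company", rule_type=1, per_page=2))
    print(len(rules), "rules:", count_by_target(rules))
```

To run against a live tenant, swap `fake_transport(SAMPLE_PAGES)` for `http_transport(api_key)` once API_URL points at the real endpoint; the paging loop and the id check are the same either way.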

Detections and exclusions

| Detection (type = 1) | Exclusion (type = 2) | Display Name | target | Field | Relation | Validator |
|---|---|---|---|---|---|---|
| Yes | Yes | Name | process | Process.Name | is / contains / any | string |
| Yes | Yes | Path | process | Process.Path | is / contains / any | string |
| Yes | Yes | Full Path Name | process | Process.FullPathName | is / contains / any | string |
| Yes | Yes | Command Line | process | Process.CommandLine | is / contains / any | string |
| Yes | Yes | Parent Name | process | Process.Parent.Name | is / contains / any | string |
| Yes | Yes | Parent Path | process | Process.Parent.Path | is / contains / any | string |
| Yes | Yes | Parent Full Path Name | process | Process.Parent.FullPathName | is / contains / any | string |
| Yes | Yes | Parent Command Line | process | Process.Parent.CommandLine | is / contains / any | string |
| Yes | Yes | Name | file | File.Name | is / contains / any | string |
| Yes | Yes | Path | file | File.Path | is / contains / any | string |
| Yes | Yes | Full Path Name | file | File.FullPathName | is / contains / any | string |
| Yes | Yes | Creation Process Name | file | File.CreatedBy.Name | is / contains / any | string |
| Yes | Yes | Creation Process Path | file | File.CreatedBy.Path | is / contains / any | string |
| Yes | Yes | Creation Process Full Path Name | file | File.CreatedBy.FullPathName | is / contains / any | string |
| Yes | Yes | Creation Process Command Line | file | File.CreatedBy.CommandLine | is / contains / any | string |
| Yes | Yes | Source IP | connection | Connection.SourceIP | is / contains / any | valid IP |
| Yes | Yes | Destination IP | connection | Connection.DestinationIP | is / contains / any | valid IP |
| Yes | Yes | Source Port | connection | Connection.SourcePort | is / contains / any | integer between 0 and 65,535 |
| Yes | Yes | Destination Port | connection | Connection.DestinationPort | is / contains / any | integer between 0 and 65,535 |
| Yes | Yes | Creation Process Name | connection | Connection.Process.Name | is / contains / any | string |
| Yes | Yes | Creation Process Path | connection | Connection.Process.Path | is / contains / any | string |
| Yes | Yes | Creation Process Full Path Name | connection | Connection.Process.FullPathName | is / contains / any | string |
| Yes | Yes | Creation Process Command Line | connection | Connection.Process.CommandLine | is / contains / any | string |
| Yes | No | Key | registry | Registry.Key | is / contains / any | string |
| Yes | No | Value | registry | Registry.Value | is / contains / any | string |
| Yes | No | Creation Process Name | registry | Registry.CreatedBy.Name | is / contains / any | string |
| Yes | No | Creation Process Path | registry | Registry.CreatedBy.Path | is / contains / any | string |
| Yes | No | Creation Process Full Path Name | registry | Registry.CreatedBy.FullPathName | is / contains / any | string |
| Yes | No | Creation Process Command Line | registry | Registry.CreatedBy.CommandLine | is / contains / any | string |

Note: The any relation implies an array of values (in the example below, Connection.SourcePort is matched with any against three ports). Registry fields are available in Detection rules only.

Example

Request:

  {
   "params": {
        "companyId": "61827b8036492c2fc0718722",
        "type": 1,
        "page": 1,
        "perPage": 100
       },
   "jsonrpc": "2.0",
   "method": "getCustomRulesList",
   "id": "0df7568c-59c1-48e0-a31b-18d83e6d9810"
  }   

Response:

  {
   "id": "0df7568c-59c1-48e0-a31b-18d83e6d9810",
   "jsonrpc": "2.0",
   "result": {
    "total": 1,
    "page": 1,
    "perPage": 100,
    "pagesCount": 1,
    "items": [
     {
      "id": "6188dfc42a1a0155e84afa57",
      "name": "testApi1111",
      "ownerId": "6082afe13cf8082cab49cacb",
      "description": "description test api",
      "companyId": "61827b8036492c2fc0718722",
      "status": 0,
      "tags": [
       "test",
       "api",
       "demo"
      ],
      "settings": {
       "status": 0,
       "target": "connection",
       "criteriaList": [
        {
         "field": "Connection.DestinationPort",
         "relation": "is",
         "value": [
          "25691"
         ]
        },
        {
         "field": "Connection.Process.Name",
         "relation": "contains",
         "value": [
          "./network1"
         ],
         "operator": "AND"
        },
        {
         "field": "Connection.SourcePort",
         "relation": "any",
         "value": [
          "22",
          "23",
          "24"
         ],
         "operator": "AND"
        }
       ],
       "severity": 1
      }
     }
    ]
   }
  }
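The following is an added example, not Bitdefender code: a validator that checks a rule's criteriaList against the Detections and exclusions table above before a rule is created or after it is retrieved, so that a field on the wrong target, a registry field in an Exclusion rule, a malformed IP, an out-of-range port, or an any relation without an array is caught on the client side rather than surfacing as a rejected request or a rule that never matches. It encodes only what the table states; treating a missing operator on criteria after the first as a problem is an assumption drawn from the example response above. EXAMPLE_RULE is the rule from that response; BAD_RULE is constructed.

```python
"""Validate a custom rule's criteriaList against the field table.

Added example, not Bitdefender code. The field table, validators and
relations are transcribed from the documentation table; the operator
check on criteria after the first is an assumption based on the example.
"""
import ipaddress

TYPE_DETECTION, TYPE_EXCLUSION = 1, 2
RELATIONS = ("is", "contains", "any")
_ATTRS = ("Name", "Path", "FullPathName", "CommandLine")

# field name -> (target, validator, allowed in Exclusion rules)
FIELD_TABLE = {}


def _add(target, names, validator="string", exclusion_ok=True):
    for name in names:
        FIELD_TABLE[name] = (target, validator, exclusion_ok)


_add("process", [f"Process.{a}" for a in _ATTRS] + [f"Process.Parent.{a}" for a in _ATTRS])
_add("file", ["File.Name", "File.Path", "File.FullPathName"]
     + [f"File.CreatedBy.{a}" for a in _ATTRS])
_add("connection", ["Connection.SourceIP", "Connection.DestinationIP"], "ip")
_add("connection", ["Connection.SourcePort", "Connection.DestinationPort"], "port")
_add("connection", [f"Connection.Process.{a}" for a in _ATTRS])
_add("registry", ["Registry.Key", "Registry.Value"]
     + [f"Registry.CreatedBy.{a}" for a in _ATTRS], exclusion_ok=False)


def value_ok(validator, value):
    """Apply the table's Validator column to a single value."""
    if validator == "string":
        return isinstance(value, str) and value != ""
    if validator == "ip":
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            return False
    if validator == "port":
        try:
            return 0 <= int(value) <= 65535
        except (TypeError, ValueError):
            return False
    return False


def validate_rule(rule, rule_type):
    """Return a list of problems; empty when the rule is consistent with the table."""
    problems = []
    settings = rule.get("settings", {})
    target = settings.get("target")
    criteria = settings.get("criteriaList") or []
    if rule_type == TYPE_DETECTION and "severity" not in settings:
        problems.append("Detection rule has no severity")
    if not criteria:
        problems.append("criteriaList is empty")
    for i, crit in enumerate(criteria):
        field, relation, value = crit.get("field"), crit.get("relation"), crit.get("value")
        entry = FIELD_TABLE.get(field)
        if entry is None:
            problems.append(f"criterion {i}: unknown field {field!r}")
            continue
        f_target, validator, exclusion_ok = entry
        if f_target != target:
            problems.append(f"criterion {i}: {field} belongs to target {f_target!r}, "
                            f"rule target is {target!r}")
        if rule_type == TYPE_EXCLUSION and not exclusion_ok:
            problems.append(f"criterion {i}: {field} is not available in Exclusion rules")
        if relation not in RELATIONS:
            problems.append(f"criterion {i}: unsupported relation {relation!r}")
        elif relation == "any" and not isinstance(value, list):
            problems.append(f"criterion {i}: relation 'any' requires an array of values")
        for v in (value if isinstance(value, list) else [value]):
            if not value_ok(validator, v):
                problems.append(f"criterion {i}: value {v!r} fails the {validator!r} validator")
        if i > 0 and "operator" not in crit:  # assumption drawn from the example response
            problems.append(f"criterion {i}: no operator joining it to the previous criterion")
    return problems


# The rule from the example response on this page (ids omitted).
EXAMPLE_RULE = {
    "name": "testApi1111", "status": 0,
    "settings": {"status": 0, "target": "connection", "severity": 1, "criteriaList": [
        {"field": "Connection.DestinationPort", "relation": "is", "value": ["25691"]},
        {"field": "Connection.Process.Name", "relation": "contains",
         "value": ["./network1"], "operator": "AND"},
        {"field": "Connection.SourcePort", "relation": "any",
         "value": ["22", "23", "24"], "operator": "AND"},
    ]},
}

# Constructed bad rule: a registry field on a connection-target Exclusion rule,
# a malformed IP, and an 'any' relation with a scalar, out-of-range port.
BAD_RULE = {
    "name": "broken", "status": 0,
    "settings": {"target": "connection", "criteriaList": [
        {"field": "Registry.Key", "relation": "is", "value": ["HKLM\\Software\\Example"]},
        {"field": "Connection.SourceIP", "relation": "is", "value": ["999.1.1.1"], "operator": "AND"},
        {"field": "Connection.DestinationPort", "relation": "any", "value": "70000", "operator": "AND"},
    ]},
}

if __name__ == "__main__":
    print("example rule:", validate_rule(EXAMPLE_RULE, TYPE_DETECTION) or "ok")
    for problem in validate_rule(BAD_RULE, TYPE_EXCLUSION):
        print("bad rule:", problem)
```

The example rule from the response validates cleanly as a Detection rule; the constructed rule yields five problems, two of them on the registry criterion alone (wrong target and not available in Exclusion rules), which is exactly the class of mistake that is cheap to catch before the rule is submitted.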