getMonitoredRules
This method displays all the monitored PHASR rules across all behavioral categories for a specific company.
Parameters
Parameter | Description | Included in request | Type | Values |
---|---|---|---|---|
companyId | The ID of the company you want to retrieve the monitored rules for. | Mandatory | String | The user making the request must have Network administrator rights for the company the ID belongs to. Default value: The ID of the company associated with the API key used for the request. |
categories | Determines what type of rules are returned by the method. | Optional | Array of integers | Possible values: |
General parameters
These are common parameters, available across all public API methods.
Parameter | Description | Included in request | Type | Values |
---|---|---|---|---|
id | This parameter adds an identifier to the request, linking it to its corresponding response. The target replies with the same value in the response, allowing easy call tracking. | Mandatory | String | No additional requirements. |
method | The name of the method you are using to send the request. | Mandatory | String | Must be a valid method name. |
jsonrpc | The version of JSON-RPC used by the request and the response. | Mandatory | Integer | Possible values: |
params | An object containing the configuration of the request. | Mandatory | Object | No additional requirements. |
Under the | ||||
page | The results page number. | Optional | Integer | Default value: |
perPage | The number of results displayed per page. | Optional | Integer | The upper limit is 300 items per page. Default value: |
Return value
Attribute | Type | Description |
---|---|---|
page | Integer | The page number currently being displayed. |
perPage | Integer | The number of results displayed per page. |
pagesCount | Integer | The total number of pages included in the response. |
total | Integer | The total number of behavioral profiles included in the response. |
Objects
items
Attribute | Type | Description |
---|---|---|
ruleId | Integer | The ID of the rule. |
category | String | The type of the rule. |
name | String | The name of the rule. |
description | String | A short description of the rules and the conditions for the trigger. |
lastTriggered | Integer | The timestamp for when the rule was last triggered, in Unix epoch format. |
latestUpdate | Integer | The timestamp for when the rule was last updated, in Unix epoch format. |
recommendations | Integer | The number of recommendations generated as a result of triggering the rule. |
ruleTriggers | Integer | The number of times the rule was triggered. |
profilesUsingSuchTools | Integer | The number of profiles that exhibited signs of using the tool or technique targeted by the rule. |
profilesNotUsingSuchTools | Integer | The number of profiles that did not exhibit any signs of using the tool or technique targeted by the rule. |
restrictedProfilesByAutopilot | Integer | The number of profiles where the recommendations created as a result of triggering this rule were applied automatically. This PHASR setting is called Autopilot. |
restrictedProfilesByDirectControl | Integer | The number of profiles where the recommendations created as a result of triggering this rule were applied after being manually approved. This PHASR setting is called Direct control. |
Example
Request:
```json
{
  "params": {
    "companyId": "68306c15c9b5cb3e920ffe22",
    "categories": [1, 3, 5],
    "page": 29,
    "perPage": 3
  },
  "jsonrpc": "2.0",
  "method": "getMonitoredRules",
  "id": "d4d50719-3215-455a-a329-086fe77f6d72"
}
```
Response:
```json
{
  "id": "d4d50719-3215-455a-a329-086fe77f6d72",
  "jsonrpc": "2.0",
  "result": {
    "page": 29,
    "perPage": 3,
    "pagesCount": 32,
    "total": 95,
    "items": [
      {
        "ruleId": 787,
        "category": "TamperingTool",
        "name": "AuotitGenericUsage",
        "description": "AutoIt is a scripting language for automating the Windows GUI and general scripting. The \"autoit.exe\" is typically the executable used to run scripts written in AutoIt language.\nMalware can use AutoIt to create scripts that automate malicious activities, such as downloading and executing other malware, keylogging, or altering system settings without user consent.",
        "lastTriggered": 1748247681,
        "latestUpdate": 1748250401,
        "recommendations": 1,
        "ruleTriggers": 0,
        "profilesUsingSuchTools": 10,
        "profilesNotUsingSuchTools": 7,
        "restrictedProfilesByAutopilot": 10,
        "restrictedProfilesByDirectControl": 6
      },
      {
        "ruleId": 695,
        "category": "HackTool",
        "name": "KmspicoGenericUsage",
        "description": "KMSPico is a tool designed to activate Microsoft products such as Windows and Office without a legitimate license by emulating a Key Management Service (KMS) server.\nMalware can use KMSPico to bypass software activation measures, allowing unauthorized access to software features, and potentially including malicious payloads to compromise the system.",
        "lastTriggered": null,
        "latestUpdate": null,
        "recommendations": 1,
        "ruleTriggers": 0,
        "profilesUsingSuchTools": 8,
        "profilesNotUsingSuchTools": 8,
        "restrictedProfilesByAutopilot": 9,
        "restrictedProfilesByDirectControl": 6
      },
      {
        "ruleId": 696,
        "category": "HackTool",
        "name": "WindowsActivatorGenericUsage",
        "description": "The term \"activator\" in a Windows binary name typically refers to a tool used to bypass software activation mechanisms, often for pirated software. An activator can modify system files or registry entries to trick software into recognizing the installation as legally activated.\nMalware can use activators to disable legitimate software protections, enabling the spread of pirated software. Additionally, malicious actors may disguise malware as activators or bundle malware with them, resulting in unauthorized system access, data theft, or installation of additional malicious software.",
        "lastTriggered": null,
        "latestUpdate": null,
        "recommendations": 1,
        "ruleTriggers": 0,
        "profilesUsingSuchTools": 8,
        "profilesNotUsingSuchTools": 6,
        "restrictedProfilesByAutopilot": 8,
        "restrictedProfilesByDirectControl": 10
      }
    ]
  }
}
```
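The following client-side helper is an added example, not code from the API documentation or vendor SDK: it builds the request, walks every result page, rejects a response whose id does not echo the request id, and handles null lastTriggered values. The `send` transport, `fake_send`, `SAMPLE`, and the assumption that page numbering starts at 1 are hypothetical.

```python
import uuid
from datetime import datetime, timezone
MAX_PER_PAGE = 300  # upper limit for perPage stated on this page

def build_request(company_id, categories=None, page=1, per_page=MAX_PER_PAGE):
    """Build the JSON-RPC body in the shape of the page's request example."""
    if not 1 <= per_page <= MAX_PER_PAGE:
        raise ValueError("perPage must be between 1 and 300")
    params = {"companyId": company_id, "page": page, "perPage": per_page}
    if categories is not None:
        params["categories"] = list(categories)
    return {"params": params, "jsonrpc": "2.0",
            "method": "getMonitoredRules", "id": str(uuid.uuid4())}

def fetch_all_rules(send, company_id, categories=None, per_page=MAX_PER_PAGE):
    """Collect items from every page. Assumes page numbering starts at 1."""
    rules, page = [], 1
    while True:
        req = build_request(company_id, categories, page, per_page)
        resp = send(req)  # `send` is a hypothetical caller-supplied transport
        if resp.get("id") != req["id"]:
            raise RuntimeError("response id does not match request id")
        result = resp["result"]
        rules.extend(result["items"])
        if page >= result["pagesCount"]:
            return rules
        page += 1

def summarize(rule):
    """Render lastTriggered (epoch or null) as UTC and total restricted profiles."""
    ts = rule["lastTriggered"]
    when = datetime.fromtimestamp(ts, timezone.utc).isoformat() if ts is not None else None
    return {"ruleId": rule["ruleId"], "category": rule["category"], "lastTriggered": when,
            "restricted": rule["restrictedProfilesByAutopilot"]
                          + rule["restrictedProfilesByDirectControl"]}

# Constructed sample data (trimmed from the response example) and an offline stand-in transport.
SAMPLE = [
    {"ruleId": 787, "category": "TamperingTool", "lastTriggered": 1748247681,
     "restrictedProfilesByAutopilot": 10, "restrictedProfilesByDirectControl": 6},
    {"ruleId": 695, "category": "HackTool", "lastTriggered": None,
     "restrictedProfilesByAutopilot": 9, "restrictedProfilesByDirectControl": 6},
]

def fake_send(req):
    p, n = req["params"]["page"], req["params"]["perPage"]
    return {"id": req["id"], "jsonrpc": "2.0", "result": {
        "page": p, "perPage": n, "pagesCount": -(-len(SAMPLE) // n),
        "total": len(SAMPLE), "items": SAMPLE[(p - 1) * n:p * n]}}
```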